Background Information

As indicated in the Standards, the internal audit function must be independent, and internal auditors must be objective in performing their work. As indicated in the chapter reading, independence and objectivity together represent one of three pillars supporting effective internal audit services. It is also important to note that independence and objectivity are two distinct, yet interrelated, concepts that are fundamental to providing value-adding internal audit services.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and define what it means for an internal auditor to be independent. Contrast internal auditor independence with auditor objectivity. Why is it important for an internal auditor to be independent and possess objectivity?
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Guide to Internal Audit
• The Future Auditor Revisited
• Internal Audit Policy
• Internal Audit Strategic Focus Questionnaire

Background Information

Emphasis in recent years has been placed on control testing to ensure controls are working effectively and efficiently, but emerging thought leadership indicates that the internal audit value proposition can best be accomplished through internal audit consulting services. the term, “trusted Advisor” is being used more frequently to describe internal auditors as they strive to add additional value as they gain management’s confidence through the impactful consulting services they provide.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify alternative model(s) of assurance layering other than the “three lines of defense model.” Compare and contrast the(se) models. How do they differ? How are they similar?
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Applying The Five Lines of Defense in Managing Risk
• The Five Lines of Defense: A Shareholder’s Perspective

Background Information

In the United States, COSO published its Enterprise Risk Management – Aligning Risk with Strategy and Performance (COSO ERM, or ERM framework) in 2017. In 2004, COSO identified a need for a robust framework to help companies effectively identify, assess, and manage risk. the resulting risk management framework expanded on the previously issued Internal Control – Integrated Framework, incorporating all key aspects of that framework into the broader ERM framework. COSO updated its Internal Control – Integrated Framework in 2013 and released an update to the 2004 ERM framework in 2017. COSO defines ERM as the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

In 2009, the International Organization for Standardization issued its standard ISO 31000:2009 (ISO 31000), the first globally recognized standard related to risk management. ISO 31000 was developed to provide a globally accepted way of viewing risk management, taking into consideration principles, frameworks, models, and practices that were evolving around the world. ISO 31000 includes three sections—principles, framework, and process.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research on these two globally recognized risk management frameworks. Compare and contrast these frameworks. How do they differ? How are they similar?
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• View all ERM content on KnowledgeLeader
• Guide to Enterprise Risk Management
• View all Board Perspectives: Risk Oversight Newsletters

Background Information

Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, is an auditing standard for service organizations. SSAE 16 was issued in April 2010, and became effective in June 2011. SSAE 16 is largely an American standard, but it mirrors International Standards for Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. SSAE 16 provides guidance to service auditors when assessing the internal control of a service organization and issuing a Service Organization Controls (SOC) report. There are two types of service organization controls reports. A Type I service organization controls report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service organization controls report includes the information contained in a Type I service report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review (usually six months). SSAE 16 reporting can help service organizations comply with Sarbanes-Oxley’s requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify the circumstances under which obtaining a SOC report is justified. Explain the differences between a SOC 1 and a SOC 2 report. Determine when it would be appropriate to obtain a SOC 1 report versus a SOC 2 report.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
• Guide to the Sarbanes-Oxley Act
• Sarbanes-Oxley Roles and Responsibilities Guide

Background Information

In the United States, the U.S. Sarbanes-Oxley Act of 2002 (SOX) legislation put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management, specifically, the CEO and the chief financial officer (CFO). to comply with this legislation, the U.S. Securities and Exchange Commission (SEC) requires the CEO and CFO of publicly traded companies over a certain size to opine on the design adequacy and operating effectiveness of internal control over financial reporting (ICFR) as part of the annual filing of financial statements with the SEC, as well as report substantial changes in ICFR, if any, on a quarterly basis. Organizations have been able to successfully apply the COSO framework in their efforts to comply with SOX, despite encountering significant unanticipated costs. In an effort to reduce the cost to comply with SOX, many organizations are evaluating and pursuing more cost-effective approaches to validating their system of ICFR.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify alternative approaches to more cost-effective approaches to validating an organization's operating effectiveness of their ICFR.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Guide to the Sarbanes-Oxley Act: It Risks and Controls (Second Edition)
• Guide to the Sarbanes-Oxley Act
• Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404

Background Information

Cybersecurity is an ever-increasing risk. In fact, leaders in the profession have identified cybersecurity as the number one technology risk, which is consistent with the findings in the IIA’s 2015 Common Body of Knowledge (CBOK) study, “Navigating Technology’s Top 10 Risks”.

The term cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets (computers, networks, programs, and data) from unauthorized access.

The proliferation of technology today enables more user access to an organization’s information than ever before. Third parties are increasingly provided access to organizational information through the supply chain, customers, and service providers. A greater variety of data has become readily available as organizations often store large volumes of sensitive and confidential information in virtualized infrastructure accessible through cloud computing. There is an increasing number of devices that can be connected and always engaged in data exchange. As organizations globalize and the organization’s web of employees, customers, and third-party providers expands, expectations for constant access to the organization’s information also increases.

Cyberattacks are perpetuated for various reasons, including financial fraud, information theft or misuse, activist causes, to render computer systems inoperable, and to disrupt critical infrastructure and vital services of a government or organization. Five common sources of cyber threats include nation-states, cybercriminals, hacktivists, insiders and service providers, and developers of substandard products and services.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify/discuss alternative approaches to implementing effective cybersecurity.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Security Management Audit Work Program
• Cybersecurity Audit Report
• IT Governance Review Report
• External Access Risk Key Performance Indicators
• Data Breach Notification Memo
• Intranet and Internet Security Policy
• User Information Security Policy

Background Information

As indicated in Chapter 8, the process of conducting a fraud risk assessment is similar to that of conducting an enterprise risk assessment. The three key steps are:

1. Identify inherent fraud risks.
2. Assess impact and likelihood of the identified risks.
3. Develop responses to those risks that have a sufficiently high impact and likelihood to result in a potential outcome beyond management’s tolerance.

When conducting a fraud risk assessment, it is important to involve individuals with varying knowledge, skills, and perspectives. The risk assessment process can take many different forms, the most common of which are interviews, surveys, and facilitated meetings. Regardless of the approach, it is important for individuals to remain open and creative to ensure the fraud risk universe is sufficiently comprehensive.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify alternative models for conducting an effective fraud risk assessment. Compare and contrast these models. How do they differ? How are they similar?
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Business Ethics Questionnaire
• Corruption Risk Management Questionnaire
• Foreign Corrupt Practices Act Policy
• Fraud Policy
• Fraud Prevention and Detection Audit Work Program
• Foreign Corrupt Practices Act (FCPA) Audit Work Program

Background Information

As indicated in Chapter 9, many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment in particular have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. to do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the “three lines of defense model.” However, the three lines of defense model is not the only model.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify alternative model(s) of assurance layering other than the “three lines of defense model.” Compare and contrast the(se) models. How do they differ? How are they similar?
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Applying The Five Lines of Defense in Managing Risk
• The Five Lines of Defense: A Shareholder’s Perspective

Background Information

Companies are facing heightened regulatory expectations. One area of particular interest is information or data produced or manipulated by employees or company systems that is relied on by management to perform key controls or to make significant business decisions. Regulators commonly refer to this information or data as Information Produced by Entity (IPE). When IPE is identified, regulators expect management to verify (test) the completeness and accuracy of the information or data used by management to perform key controls or relied on to make significant business decisions.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify the most common types or forms of IPE. What are the key risks associated with management’s reliance on IPE? Identify the most common strategies for testing IPE.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Top 10 Lessons Learned From Implementing COSO 2013

Background Information

Data analytics allow internal auditors to focus its resources on high-risk transactions and provide management with a higher level of operational assurance. A process that has been proven as successful includes the following steps:

1. Define the question.
2. Obtain the data.
3. Clean and normalize the data.
4. Analyze the data and understand the results.
5. Communicate the results. 

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify various effective data analytic technics. Compare and contrast these technics with the model presented above and in the chapter. How do they differ? How are they similar?
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Internal Audit Strategic Focus Questionnaire
• Data Analytics and Mining Guide

Background Information

Blending assurance and consulting services into a single engagement is evolving as a way for internal auditors to realize efficiencies that might not exist when these services are performed separately. In fact, some internal audit functions may be conducting “blended engagements” without even realizing it. Internal auditors can follow a principle-based model that offers professional guidance for implementing this approach without violating existing standards of practice.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify the primary purpose of an assurance engagement and a consulting engagement. Also, identify elements that are the same or similar. Finally, identify the concerns with combing assurance and consulting services and how a single blended engagement can be performed without jeopardizing audit effectiveness or objectivity.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• The Future Auditor Revisited: The Bulletin, Volume 6, Issue 3
• Internal Auditing Around the World: Volume 12
• Internal Auditing Around the World: Volume 11
• Internal Auditing Around the World: Volume 10
• Is Internal Audit Meeting Expectations?
• Emerging Risks: Looking Around the Corner
• Risk Oversight and Risk Management Questionnaire
• Internal Audit Strategic Focus Questionnaire

Background Information

Understanding the detailed tasks in a process is an important step in planning an assurance engagement. However, these tasks describe the way a process is designed to perform, but provide little indication regarding how effectively they are carried out. Performing analytical procedures is one way internal auditors conduct high-level assessments that may reveal process activities that warrant closer attention and, accordingly, more detailed testing during an assurance engagement. Analytical procedures involve reviewing and evaluating existing information, which may be financial or nonfinancial, to determine whether it is consistent with predetermined expectations.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and identify the characteristic of effective analytical procedures used during the planning phase of an assurance engagement.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Assessing Risk: A Strategic Perspective
• Enterprise Risk Assessment Process Questionnaire
• Setting the Audit Committee Agenda Questionnaire
• Sourcing Root Causes Questionnaire
• Risk Oversight and Risk Management Questionnaire
• Enterprise Risk Management Questionnaire

Background Information

As indicated in Chapter 14, if an observation, or a group of observations, is assessed to be material, communication must be formal and include senior management, the organization’s independent outside auditor, and the audit committee. Additionally, for publicly owned companies over a specified size and if the observation concerns internal control over financial reporting and disclosure controls and procedures, the U.S. Sarbanes-Oxley Act of 2002 and financial reporting regulations in other countries require management to qualify their opinion on internal control over financial reporting (and disclosure controls and procedures) and formulate a remediation plan to correct the weakness identified in the controls in question. Management must continue to qualify its opinion on internal control over financial reporting (and disclosure controls and procedures) until the material weakness (observation) is remediated and management has verified through control retesting that the control in question is designed adequately and operating effectively. If management determines it is necessary to qualify its opinion on internal control over financial reporting (and disclosure controls and procedures), this fact must be reported to its stakeholders according to the laws of the country in which it operates.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and determine the reporting requirements for a publicly traded company that has identified a material weakness related to internal control over financial reporting (and disclosure controls and procedures). Identify the various types of control weaknesses as defined by Section 404 of the Sarbanes-Oxley Act of 2002. Identifying the required disclosures and provide an example of management’s report and the independent outside auditor’s report provided to the company’s shareholders (this will require research outside of KnowledgeLeader).
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404

Background Information

Emphasis in recent years has been placed on control testing to ensure controls are working effectively and efficiently, but emerging thought leadership indicates that the internal audit value proposition can best be accomplished through internal audit consulting services. The term, “Trusted Advisor” is being used more frequently to describe internal auditors as they strive to add additional value as they gain management’s confidence through the impactful consulting services they provide.

Utilize the KnowledgeLeader website and perform the following:

1. Authenticate to the KnowledgeLeader website using your username and password.
2. Perform research and define what is means to be a “Trusted Advisor.” What are the best or better practices and/or characteristics that could lead to an internal auditor becoming identified (labeled) as a Trusted Advisor in the eyes of the management they support.
3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

• Internal Auditing Around the World, Volume 12
• Internal Auditing Around the World: Volume 11
• The Future Auditor Revisited
• Is Internal Audit Meeting Expectations?
• Risk Culture Assessment Questionnaire
• Internal Audit Strategic Focus Questionnaire
• Audit Committee Responsibilities Questionnaire