
Part 2: Internal Audit Practice Remias Cheat Sheet

Section I: Managing the Internal Audit Function


Chapter A - Strategic Role of Internal Audit

The CAE's strategic role is fulfilled by establishing relationships throughout the organization,
understanding the role the activity plays within the organization, and ensuring the activity can
fulfill this role. For example, developing a system to measure internal audit's effectiveness and
efficiency is essential to the activity's performance.
When performing integrated audits, the CAE will have to ensure staff expertise in a broader array
of auditing techniques.
The interpretation of Standard 2000, Managing the Internal Audit Activity, notes that the
internal audit activity adds value to the organization when it contributes to the effectiveness
and efficiency of governance, risk management, and control processes. The CAE can effectively
fulfill this role by educating the board and senior management on the benefits of risk
management to the organization.
One of the critical skills a chief audit executive must possess in order to lead change in the
organization and the audit activity is organizational awareness. This helps gain support for
change from management at all levels.
The CAE is responsible for coordinating the work of internal and external auditors to avoid
unnecessary (and costly) redundancy.
It is appropriate for the internal audit function to share information generated through a
regulatory compliance review with external auditors since it will support a more efficient
external auditing process and benefit the organization.
Internal auditing should meet with the external auditors to identify controls testing that the
external auditors plan to conduct and thus avoid duplication of effort.
Coordinating internal and external audit work helps to prevent duplication in coverage, thereby
improving internal audit efficiency.

Chapter B - Operational Role of Internal Audit


Topic 1: Formulate Policies and Procedures for the Planning, Organizing, Directing, and Monitoring of Internal Audit Operations (P)

According to Standard 2040, Policies and Procedures, the chief audit executive is responsible
for establishing policies and procedures to guide the internal audit activity. The audit manual
documents these policies (e.g., avoidance of conflict of interest) and procedures (e.g.,
engagement process), as well as the activity's charter, strategic objectives, structure, and annual
audit plan.
Audit Charter defines: PAR (Purpose, Authority, Responsibility)
- Also position in company, access to records and scope of services
- Describes nature of assurance and consulting activities
- Approval by senior management and then the board

Topic 2: Review the Role of Internal Audit Function within the Risk Management Framework (P)

Internal audit's involvement in the organization's risk management framework may range from
non-involvement to the full involvement implied in managing and coordinating the risk
management process. Even this role, however, does not allow internal audit to perform
managerial responsibilities in this area, such as setting the organization's risk appetite or
implementing control strategies.

Provided courtesy of Lyndon S. Remias
Updated July 2017

Topic 3: Direct Administrative Activities of the Internal Audit Department (P)

Directing the administration of the internal audit function involves leading and motivating
staff by, for example, explaining activity objectives, reinforcing values described in the
activity's charter or manual, and providing positive reinforcement of activity and individual
accomplishments. CAEs cannot delegate or ignore their responsibilities to ensure proper staff
resources or monitor work quality. Meeting with other departments is appropriate but is a
strategic rather than administrative function.

The CAE is responsible for coordinating internal audit activities with regulatory inspections to
exchange information, in whatever manner is appropriate for the particular regulatory body,
with the objective of minimizing duplication of effort.

Topic 4: Interview Candidates for Internal Audit Positions (P)

When interviewing candidates for an internal auditing position, a manager prefers to ask
questions about how the candidate handled challenges in the candidate's previous position. This
is an example of (Answer:) behavioral interviewing, which tries to predict future job performance
based on past behaviors. Situational interviewing is similar, but is based on hypothetical
questions, such as "How would you handle the following situation?"
Behavioral = actual, Situational = hypothetical

Topic 5: Report on the Effectiveness of Organizational Risk Management Processes to Senior Management and the Board (P)

The role of the internal auditor is to assist management by providing thorough documentation
and evaluation of controls; assuring regulators that the organization's controls are in compliance
is management's job, with the advice of counsel. The auditor should act neither as a manager
nor a lawyer.
ISO 31000 notes that effective risk management processes are dynamic. They monitor for
changes in the organization's risk picture and attitude, implications of changes in strategy, and
effectiveness of controls. The process should be marked by continuous improvement.

Topic 6: Report on the Effectiveness of the Internal Control and Risk Management Frameworks (P)

ISO 31000 (Risk Management Standards) notes that effective risk management processes are
dynamic. They monitor for changes in the organization's risk picture and attitude, implications
of changes in strategy, and effectiveness of controls. The process should be marked by
continuous improvement. The other characteristics listed would be considered effective
Internal audit is responsible for evaluating and reporting all risk exposures relating to
governance, operations, and information systems.

Topic 7: Maintain an Effective Quality Assurance and Improvement Program (P)


QAIP internal assessments: supervision throughout

QAIP external assessment: peer review (every 5 years)

Compliance with Core Principles, Definition of Internal Auditing, Code of Ethics, Standards (CPDCS)
Report to management/board annually

Benefits of a QAIP for the audit activity:

- Continuous improvement
- Assurance that the audit activity conforms to CPDCS
- Audit is effective and efficient
- Audit is adding value

How can a QAIP be performed?

- Self-assessment with independent validation
- Peer review
- Report results to management/board
QAIP Example Answers:

One purpose of a quality assurance program is to evaluate the operations of the internal audit
department. Standard 1310 notes that a program must include internal assessments and
external assessments.
Internal audit departments often fulfill this type of periodic review by routinely subjecting
themselves to self-assessment. Practices that internal auditors use in control self-assessment
(CSA) are as useful in assessing problems and inefficiencies in the audit process as they are in
identifying such issues in the operational environment.

Chapter C - Establish a Risk Based Internal Audit Plan


Topic 1: Establish a Framework for Assessing Risk (Level P)
Standard 2010, "Planning," interpretation tells us: "The chief audit executive takes into account the
organization's risk management framework, including using risk appetite levels set by management
for the different activities or parts of the organization. If a framework does not exist, the chief audit
executive uses his/her own judgment of risks after consultation with senior management and the
board."
As noted in Standard 2010, Planning, the CAE is responsible for developing a risk-based plan. The
Standard's interpretation states the CAE must establish risk-based plans to determine the priorities
of the internal audit activity, consistent with the organization's goals.

Management owns risk and risk management, but if there is no risk management process in an organization, the
internal audit activity should bring this situation to management's attention and suggest ways to establish such a
process.

Topic 2: Use Market, Product and Industry Knowledge to Identify New Internal Audit Engagement Opportunities

Standard 2420 Interpretation states, "Accurate communications are free from errors and distortions and are faithful to
the underlying facts. Objective communications are fair, impartial, and unbiased..." Sawyer (p. 621) states, "Every
categorical statement, every figure, every reference must be based on hard evidence." The size of the audit unit is a
fact, and it is not affected by the auditor's impressions and feelings.

The CAE needs to develop an understanding of organizational risks and the internal controls available to mitigate these
risks in order to help management protect the organization from risk exposures, present and future. Benchmarking is
a useful tool for various aspects of the internal audit activity. However, discussions with external auditors and
interviews with senior management help to surface problems and opportunities that have already been identified in
the organization. Reviewing policies and procedures is of limited value in identifying sources of potential
engagements, although policies and procedures do provide a sense of the risk areas targeted by the organization.

Topic 3: Use a Risk Framework to identify Sources of Potential Engagements

The foundation of internal audit resource allocation should be the risks and expectations of how
internal audit can add value.

Topic 4: Rank and Validate Risk Priorities to Prioritize Engagements in the Audit Plan
Likelihood / Impact (High/High)

The extent of internal audit governance assurance activities depends on the internal audit charter (which specifies the
internal audit function's role in governance assurance) and the specific direction from the board regarding current or
ongoing expectations to perform such activities.

Available resources are a consideration when scheduling audits but should not be a major consideration in
deciding to delay a compliance engagement if one receives a higher risk rating than the other.


Topic 5: Identify Internal Resource Requirements for the Annual Internal Audit Plan
After conducting a risk-based assessment and establishing an audit schedule, with appropriate review and approval,
the internal audit activity begins work on the high-priority audits. The auditors quickly discover that one of the
assurance engagements will require more technical expertise than originally anticipated. The most appropriate
response is to acquire the expertise from an independent source. The least appropriate response is to drop
scheduled engagements, which were selected because of their assessed risks.

Topic 6: Communicate Areas of Significant Risk and Obtain Approval from the Board for the Annual Engagement Plan

Standard 2020, Communication and Approval, states that the CAE must communicate the
internal audit activity's plans and resource requirements, including significant interim changes, to
senior management and the board for review and approval. CIA Exam Alert: The chief audit
executive must also communicate the impact of resource limitations.

Topic 7: Differentiate between Assurance and Consulting Engagements

Assurance = audit; involves 3 parties; the auditor sets the scope

Consulting = 2 parties; the client sets the scope

The IIA defines consulting as: advisory and related client service activities, the nature and scope of which are
agreed with the client and which are intended to add value and improve an organization's governance, risk
management, and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training. Oftentimes, consulting engagements are
performed at the request of management to help assure that objectives have been established, risks have
been identified, and controls have been put in place to make the operation successful.

Routine Self Assessment

The purpose of a quality assurance and improvement program (QAIP) is to evaluate the
operations of the internal audit department.
According to Standard 1312, external assessments must be conducted at least once every five
years by a qualified, independent reviewer or review team from outside the organization.
The internal reviews of the quality assurance program primarily benefit the chief audit executive
(CAE).
The Standards require that the chief audit executive (CAE) establish and maintain a quality
assurance and improvement program to evaluate the operations of the internal audit
department. All of the following are considered elements of a quality assurance and
improvement program except:
- conformance with the Definition of Internal Auditing and the Standards.
- internal reviews of audits completed.
- annual appraisals of individual internal auditors' performance. (Personnel management)
- assessment of the efficiency and effectiveness of the internal audit activity.

Topic 8: Conduct Assurance Engagements


Understand the various assurance (audit) engagements that can be provided by auditors.

Control self-assessment (CSA) is a process which involves employees in assessing the adequacy of
controls and identifying opportunities for improvement within an organization. When employees are
involved with CSA, they tend to be more motivated (I) and provide valuable feedback to managers (IV).

Control self-assessment (CSA):


I. A process which involves employees in assessing the adequacy of controls and identifying
opportunities for improvement within an organization.
II. When employees are involved with CSA, they tend to be more motivated
III. When employees are involved with CSA they tend to buy into the recommendations
IV. Provides valuable feedback to managers

Know forms of a valid contract. Consideration is one element of a valid contract. Other elements
include mutual agreement, competent parties, proper subject matter, and the mutual right to remedy.

Topic 9: Conduct Consulting Engagements


A business process review (BPR) assesses the performance of administrative and financial processes,
such as within procurement and payables. BPR considers process effectiveness and efficiency, including
the presence of appropriate controls, to mitigate business risk. Because the objective is to control
cellular phone costs, BPR is the appropriate tool to use in this area.

An example of competitive benchmarking is when an organization attempts to achieve the same
sales numbers as a competitor. The organization uses its competitor's numbers as its benchmark
for success.

Objectives - Risk - Controls - Audit Steps


The process mapping activity should reveal the sequences and requirements of each component in
the process, as well as interdependencies, for example, the need to receive parts from internal
or external suppliers, analyses of purity, or certifications of equipment from external agencies.
Risks will have to be identified for each area and contingency strategies developed that account
for these interdependent tasks.
The lack of a process to report, investigate, and resolve ethical issues could indicate that an
organization is unprepared to maintain an ethical climate.
The first step in establishing an effective internal audit performance measurement process is to
define internal audit effectiveness.
When an ethics violation in the US involves workplace theft, the appropriate way to respond to
the issue is to report the issue directly to legal authorities.

Section II Managing Individual Engagements
Chapter A Plan Engagements

Topic 1: Establish Engagement Objectives

Engagement objectives may be stated in various ways, but it should be clear what assurances
internal audit will provide.
Audit engagement objectives answer the question, "Why are we auditing this activity?"
Project review and approval by the audit committee is not a scope limitation. Rather, it is the
audit committee's responsibility to review and approve the planned scope of activities for the
year. Not a Scope limitation: The audit committee reviews the audit plan for the year and
deletes an audit that the chief audit executive (CAE) thought was important to conduct.
The Standards Glossary defines engagement objectives as broad statements developed by
internal auditors that define intended engagement accomplishments.
It may not be feasible to audit everything related to an engagement objective. Exam Alert: Audit
scope statements delineate the boundaries of the engagement, identify activities being
reviewed as well as any related activities that are not included, and specify a time frame for
completion.

Topic 2: Plan Engagement to Identify Risks and Controls

Performance and results are more easily identified and measured than a personal feeling such
as morale.
Research has shown that policies and procedures are referred to by all levels of management on
an as-needed basis.
Auditors need to determine if management has established criteria to discover whether or not
goals and objectives have been accomplished. If the auditor determines such criteria are
inadequate or nonexistent, which of the following actions would be appropriate?
- I. Report the inadequacies to the appropriate level of management, and recommend
appropriate courses of action.
- II. Recommend alternative sources of criteria to management, such as acceptable industry
standards.
- III. Formulate criteria the auditor believes to be adequate, and perform the audit and report
in relationship to the alternative criteria.

Topic 3: Complete a Detailed Risk Assessment of Each Audit Area

Generally, risk control matrices allow internal auditing and clients to participate in identifying
risks associated with the clients' objectives and to prioritize those risks according to probability
and significance. The risk/control matrix is one of the processes for validating internal controls
that is a recommended activity documented in the Committee of Sponsoring Organizations of
the Treadway Commission's (COSO's) Internal Control Framework.
COSO Components (CRIME)
C = Control Activities
R = Risk Assessment
I = Information and Communication
M = Monitoring
E = Control Environment (most important of all the components; it sets the tone at the top)

Implementation Standard 2210.C1 states that the consulting audit engagement should address
risks to the extent agreed upon by the client. If the client agrees to revise the agreement with
internal auditing, assessing this new risk might be added as an objective.

Topic 4: Determine Engagement Procedures and Prepare Engagement WPs

Exam Alert: Understand what to do first in the Planning Phase.


Exam Alert: Identify which is the best test step. It usually starts with "To determine...".
A work program documents all the judgments and conclusions made during the planning phase
and ensures all engagement team members understand what has been completed and what
remains to be performed.
Verifying is the most common technique in testing the accuracy of information maintained by a
system, whether manual or automated.
Internal auditors develop and obtain documented approval of work programs before
commencing the internal audit engagement. The work program includes methodologies to be
used per Practice Advisory 2240-1. Modifications to the audit/work program as the engagement
proceeds are to be expected.

Topic 5: Determine the Level of Staff and resources Needed for the Engagement

Proper planning includes documented determination of resources, including consideration of
supplementation (Performance Standard 223, i.e., consider using external resources to
supplement the needed knowledge, skills, and disciplines and complete the assignment).
The Standards require that the chief audit executive ensures that the audit team consists of
people that can deal with the process being audited, and have the time, expertise, and
knowledge to sufficiently perform the assessment. In some cases, additional personnel or
training will be required before the team is ready to act.
If the internal auditing activity is given the task of environmental audits, the first action that
should be accomplished is training auditors to give them the technical expertise needed to
identify and recommend corrective actions for environmental issues.

Chapter B Supervise Engagements

Topic 1: Direct/Supervise Individual Engagements

It is the responsibility of the CAE to ensure engagements are adequately supervised. It may fall
to the individual providing supervision to assemble and train the team, make assignments,
ensure logistical support is in place, and review working papers.
Supervision should occur throughout the audit.
The Standards Glossary defines an engagement work program as a document that lists the
procedures to be followed during an engagement, designed to achieve the engagement plan. A
work program may take several forms. The format will vary from internal audit function to
internal audit function.

Topic 2: Nurture Instrumental Relations, Build Bonds, and Work with Others toward Shared Goals

Topic 3: Coordinate Work Assignments among Audit Team Members when Serving as the Auditor-In-Charge (AIC) of a Project

CIA Exam Alert: Understand the Roles of the AIC (Senior Auditor)
- Allocating budgeted engagement hours among assigned staff
- Reviewing the working papers (wps)
- Ensuring wps are properly cross referenced from the findings to the related evidence
- Preparing the critique sheet for the engagement
- Align auditor skills and knowledge with area needs before making assignments.
- Note: An AIC will not sign off on the final audit report. That is the role of the CAE.

Topic 4: Review Work Papers

Review of WPs allows the CAE or supervisor to:

- Determine that the engagement has been carried out in accordance with high quality standards, and
- Evaluate each internal auditor's current skills and future development

Topic 5: Conduct Exit Interviews

CIA Exam Alert: Know the objectives of an exit conference: to resolve conflicts, to discuss the
engagement conclusions and recommendations, and to identify management's actions and
responses to the engagement observations and recommendations.
Best practices: ensure the right people attend, provide the necessary documents in advance,
set the agenda, and manage the meeting.

Topic 6: Complete Performance Appraisals of Engagement Staff

The post-audit interview should focus on all the factors that pertain to the internal auditor's
performance, including "people skills."

Beginning the review on a personal note is a valid tactic, but the topic should be carefully
chosen based on the relationship and personalities involved.

Chapter C - Engagement Communications as a Process

Topic 1: Initiate Preliminary Communication with Engagement Clients

The first meeting often sets the tone for the upcoming internal audit. In addition to discussing
the purpose and approach of the audit, the initial meeting provides an opportunity for the
internal auditor to gain insights about management in the area being audited. Handled
professionally, the preliminary client contact can encourage positive, open communications for
the duration of the engagement.
Bottom line: always keep management informed. Treat the client as a willing partner who is on
your side.

Topic 2: Communicate Interim Progress

Practice Advisory 2410-1 provides guidance about interim communication criteria and indicates
that interim reports are written or oral and may be transmitted formally or informally. Different
formats are acceptable: a status meeting, a report, an e-mail, and the like. The guidance
indicates interim reports are used "to communicate information that requires immediate
attention, to communicate a change in engagement scope for the activity under review, or to
keep management informed of engagement progress when engagements extend over a long
period. The use of interim reports does not diminish or eliminate the need for a final report."

Topic 3: Develop Recommendations when Appropriate

A recommendation for corrective action should be the best choice with the least unsatisfactory
side effects. It should also point the way to continued efficacy. A recommendation for corrective
action should not just be technically correct, lowest in cost, or what management wants to hear.
When going over audit findings and recommendations give managers credit and acknowledge
their accomplishments. Discuss deficiencies and note any corrective actions.

Topic 4: Prepare a report of Other Communication

The primary reason for an audit report is to record observations and recommend a course of
action.
After the final report has been issued, the CAE should contact the engagement client, provide a
questionnaire, and request an evaluation. The responses should be an opportunity for
improvement of the audit activity and a chance to enhance the relationship with the client.

Topic 5: Approve the Engagement Report

The CAE should review and approve the final engagement communication before it is issued.

Topic 6: Determine Distribution of the Report

Internal audit results are reported to the engagement client. In addition the CAE communicates
to the board the results of internal audit activities or other matters that the CAE determines are
necessary. Such compliance audit results would logically be communicated to the board.

Topic 7: Obtain Management response

Practice Advisory 2440-1, Disseminating Results, suggests that internal auditors discuss
conclusions and recommendations with appropriate levels of management before the CAE
issues the final engagement communications.

Topic 8: Report Outcomes to Appropriate Parties

The CAE or a designee should review and approve the final engagement communication before
it is issued and decide who should receive it. Before releasing a report outside the organization,
the CAE should assess risks and obtain approval from senior management, legal counsel, or
both. If substantive corrections must be made to a report after it has been distributed, the CAE
or a designee should issue a new report that highlights the changes and see that it is distributed
to all recipients of the original report.
The IIA's Standards and U.S. laws such as the Foreign Corrupt Practices Act apply to the payment
of bribes wherever it happens. The auditor must report the situation to management and
develop recommendations to bring the organization into compliance with laws and the
Standards.

Chapter D Monitor Engagement Outcomes

Topic 1: Identify Appropriate Method to Monitor Engagement Outcomes

Responsibility for follow-up should be defined in the internal auditing department's written
charter. This includes following up on external audit findings as well.
Internal auditing can demonstrate the value of the changes it has recommended by
documenting benefits to the company in terms of the quality of new hires and changes in the
behavior and attitude of employees and managers. The number of employees who have
attended training attests to publicity and management control but not necessarily to changes in
behavior.
Monitoring responsibilities should be defined in the consulting agreement with the client. In this
case, it may have been a good idea for internal auditing to have included follow-up as an
outcome in its agreement, but absent that agreement, internal auditing is not required to
monitor consulting engagement recommendations.

Topic 2: Monitor Engagement Outcomes and Determine Appropriate Follow-Up by the Internal Audit
Activity

Exam Alert: Understand purpose and responsibilities of audit follow-up. The chief audit
executive is responsible for establishing appropriate procedures for monitoring the progress by
management on all internal audit observations and recommendations. This responsibility should
be written into its charter by the audit committee, and progress should be reported at each
audit committee meeting. Managers are responsible for ensuring action on all internal audit
observations and recommendations, but some actions may take time to complete and it is not
practical to expect that all will be resolved when an audit committee meets.
Securing adequate management response is often a matter of negotiation. The
recommendations cannot be imposed on management, and the situation does not yet merit
reporting it to senior management. Alternative solutions may be found that are acceptable to
both auditing and management.

Topic 3: Conduct Follow-Up and Report on Management's Response to Internal Audit Recommendations

CIA Exam Alert: Per Standard 2500.A1, it is the responsibility of the chief audit executive to
establish a follow-up process to monitor and ensure that management actions have been
effectively implemented or that senior management has accepted the risk of not taking action.
The internal audit activity's charter should define the follow-up work. The CAE determines the
nature, timing and extent of follow-up, not management. During the follow-up process, internal
auditors determine whether management has taken action or implemented the
recommendation. If progress has not yet been made, internal auditing must first uncover the
reasons why (not just report on findings). It may be possible to resume progress on the
recommendation by talking through issues with management and personnel in the area and, if
necessary, developing alternative approaches for implementing the recommendation. Practice
Advisory 2500-1 and 2500.A1-1 provide detailed information as to the CAE's responsibility and
possible reporting of nonaction by management.

Topic 4: Escalate Issues if Auditor-In-Charge Believes Management is accepting too Much Risk

Management may decide to assume the risk of not correcting a reported condition because of
the cost or other considerations.
Management has the responsibility for deciding how to address reported engagement
observations and recommendations in a timely manner. An elevated rating implies prompt
management attention is necessary. It is incumbent on the CAE to follow up and escalate the
matter. Standard 2600 states: "When the chief audit executive believes that senior
management has accepted a level of residual risk that may be unacceptable to the organization,
the chief audit executive must discuss the matter with senior management. If the decision
regarding residual risk is not resolved, the chief audit executive must report the matter to the
board for resolution."

Topic 5: Report Significant Audit Issues Periodically to Senior Management and the Board

The CAE should maintain regular communication with senior management so that senior
management can understand the auditing activity and the value it delivers to the organization.
This includes reporting outcomes of monitoring activities as part of a quarterly summary of
activity. In many organizations, reporting of audit findings to the audit committee is done after
each audit by sending copies of the reports, and status of implementation of recommendations
is reported on a quarterly basis.

Section III: Fraud Risks and Controls
Chapter A - Common Types of Fraud and Fraud Risks per Engagement Area

The primary responsibility for fraud prevention, detection, and investigation rests with
management, which also has the responsibility to manage the risk of fraud. Standard 1210.A2
states, "Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the
manner in which it is managed by the organization, but are not expected to have the expertise
of a person whose primary responsibility is detecting and investigating fraud." Two related
Practice Advisories flesh out internal auditing's fraud detection and investigation role. Fraud is
an area where the services of outside experts are often retained.
A draft of the proposed report on fraud or conflict-of-interest situations should be submitted to
the chairperson of the audit committee as a next step in light of the CEO's position in the
company.
Fraud Triangle: Motive, Opportunity, and Rationalization

Chapter B - Assessing Response to Engagement Area Fraud Risks

To assess fraud risk, internal auditors should use the organization's enterprise risk management
model, if one is available.

Chapter C - Determining Need for Fraud Investigation

Internal audit's role is to inform senior management and the audit committee of findings and
discuss possible further investigation.
The nature of the communication is highly sensitive and personal. A more personal form of
communication, such as a direct interview, should have been used to elicit the response from
the employees. The auditor is not in a position to detail the allegations against each specific
employee.

Chapter D - Process Review for Fraud Controls Improvement

While one element of The IIA's definition of fraud is deception, and that seems to be missing
here, there are at least two fraud indicators in evidence: (1) lack of effective governance
guidance on the need to support the organization rather than oneself, specifically in regard to
taking home supplies that belong to the organization, and (2) a casual attitude about the
organization's property. The auditor needs to report the matter, though it isn't directly relevant,
and recommend further investigation to determine the extent of the problem and aid in
management's development of the necessary controls.

Chapter E - Detecting Fraud

In enterprise auditing, software tools are applied across an integrated enterprise management
system. These enterprise management systems provide the means to coordinate various areas
of control, analysis, and information storage throughout what is often a physically decentralized
organization.

Chapter F - Culture of Fraud Awareness

It is management's responsibility to establish and maintain an effective control system.
Translating an organization's corruption prevention principles across operations would be a
management responsibility.

Chapter G - Interrogation/Investigative Techniques

Understand the differences between an interview (gathering data) and an interrogation (obtaining
a confession).
Since this is an interview and not an interrogation, the best way to end the discussion is to
summarize what one has heard and confirm that one's understanding is correct.
Written statements are strong evidence of wrongdoing, can be compared with other criteria,
and may be used by statement analysis experts to detect lies.

Chapter H - Forensic Auditing

A forensic auditor gathers evidence suitable for use in court and can present it in court.
A forensic auditor has special skills apart from a knowledge of accounting practices, including
understanding evidence requirements in civil and criminal courts, uncovering evidence, and
assembling the evidence into a convincing narrative. Forensic auditors are not impartial.

Holy Grail

To bring the entire audit process together I have created the Holy Grail, which is the very last page of
this document. As you study the Holy Grail, study it to teach rather than to test. If you can teach it, that
means you truly understand it.


Three Lines of Defense (MRI) - Not in book

Exam Alert: Know the three lines of defense:


1. Risk ownership (Mgmnt)
2. Risk monitoring (Risk compliance office)
3. Risk assurance (Internal Audit)

Which of the below is not considered one of the three lines of defense for mitigating risk:

A. Business units
B. Risk and Compliance
C. Internal Audit
D. Board of Directors

Risk Maturity Model - Not in Book


Exam Alert: The Risk Maturity Model is a valuable tool for your business planning and risk mitigation
approach to generate the requirements to improve your risk management competency. Without an
understanding of the effectiveness of your risk program, you cannot properly plan for uncertainties or
discover ways to strengthen your risk mitigation strategy. The Risk Maturity Model provides
standardized criteria by which organizations can benchmark risk management strategies in order to
identify program maturity levels, strengths and weaknesses, and next steps in the evolution of an ERM
program.

Study Tips

1. Study in small, short chunks vs. cramming
2. Set up a routine
3. Put the cheat sheet onto flash cards. Note: reading is just passive studying; flash cards are active
studying
4. Have a specific goal for each study session
5. Study to teach vs. to test
6. Practice - helps to identify gaps in your knowledge. Sometimes the most basic study rules are the
best ones. This old gem is still totally relevant for the CIA exam.
7. Have a designated study spot
8. Put the music away - studies show it's detrimental to focus
9. Put your phone away

Input from students who passed Part 2:

There was definitely a focus on Organizational Governance, with multiple questions asked from
different perspectives. They also focused on internal audit and external audit working together to
reduce overlap. There were questions on Fraud Governance, targeting Rationalization and tone at the
top. It felt very example oriented, but I feel once again your class fully covered what I needed to pass.

Thanks and see you in March.

Topics Seen on exam:

- Supervision (a lot on this topic)
- Risk based CSA process
- Engagement procedures for CAE's after final audit report
- Follow up Procedures (a lot on this topic)
- Purpose of Exit Conferences (a lot on this topic)
- Characteristics of a good internal audit team
- Levels of maturity for an internal audit team (I didn't study anything about this)
- IIA's 3 Lines of Defense
- Maturity Model
- CAE's involvement in QAIP
- Who can conduct external assessments in QAIP
- IAA's involvement in ERM process
- What constitutes supervision over an audit team
- What to do if an audit client requests an internal auditor to make a recommendation over an
  inefficient control?
- A couple questions on ethics.
- Purpose of an exit conference
- A couple questions on follow-up
- A couple questions on CSAs
- The difference between an interview and an interrogation
- The budget is defined by?
- BPR (Business Process Re-Engineering)
- Difference between Criteria, Condition, Cause, and Effect
- Scope statement
- PERT
- Mapping
- Purpose and benefit of an Exit conference
- QAIP and a lot about the CAE responsibilities.

The items that stand out for part 2 are:

1. Knowing the roles of the board, CEO, CAO, Audit Committee, etc
2. Different types of engagements for the auditors
3. Stages of the audit (Planning, fieldwork, and reporting)
4. What kind of report to issue to the various levels of management
5. Follow Up - Identifying condition, criteria, cause, & effect
Suggestions:

In regards to what to focus more on, I suggest talking a little bit about IT controls for Part 1. For Part 2 I
felt like you and the book covered most of it; it seems like there is always one or two questions on the
exam that cover a concept that I have never heard of, and it's nearly impossible for you to focus on it
(low/low category).

For content:

I think the toughest part for me was that our discussions in class and the quizzes focused a lot
on questions like "Which of the following is/is not a benefit of an exit conference?" when the exam
questions looked more like "Which of the following is the primary objective of an exit conference?"
In studying, I got sort of lulled to sleep thinking that it would be as easy as picking out "Oh, this is
obviously wrong and this is clearly wrong/right," when the exam was not so black and white. (This is
an example, but there were others like it.)

Once again, the rationale of the Learning System quiz questions was extremely useful. Probably
more so than the questions. Especially for the aforementioned subjects.

The concepts of what to report to whom in a given situation were pretty heavily used. Lots of
rationales went something like, "OK, so this seems like a major breakdown of controls, which means an
interim report is warranted, but not to the board, to management, so it's this one." There were a few
tougher questions about a scenario where you had to determine whether the level of fraud/deficiency was
to the point of looking into it, noting it for another engagement, reporting to management, changing the
scope of the audit, or changing the audit plan altogether.

The roles of the board, audit committee, CAE, AIC, internal auditors and other
departments or teams within the internal audit activity in selecting audits for the plan, making
assignments, competence in the subject, remaining independent, working with external auditors,
following up on specific issues, etc. were covered too.

A couple of extra thoughts:

No ratios, formulas, or discussion of sampling really at all. There was one question on discovery
sampling, and that's all I can remember seeing. Framing more examples in the Accounts
Payable/Receivable area would be helpful in the future. Those were the only ones you couldn't really
just turn into a farm example to simplify, which slowed me down a bit.

There was a question on which of the following is an example of strategic sourcing for audit activities. I
am familiar with strategic sourcing, but it was a curveball at first. Fraud was not heavily covered, save
for "If you find fraud, you would do". But most were gimme questions about red flags and stuff from
Part I. (I honestly wished there were more, haha.)

Remias Holy Grail

1. Planning Phase

Objectives
- Compliance
- Operational
- Financial
- Strategic

Risk (Events, Vulnerabilities)
- Impact / Likelihood matrix: H,L  H,H  /  L,L  L,H
- Inherent
- Residual

Controls (Risk-Based, COSO)
- Control Activities
- Risk Assessment
- Info. and Comm.
- Control Environment
- Monitoring

Audit Program Guide (APG)
- C R I M E
- Audit Step
- Objective and Scope of engagement
  - To determine
  - To validate
  - Adequate
  - Effective

COSO ERM integrates Objectives, Risks, and Controls

2. Fieldwork Phase

Audit Results
- Assurance on controls, Gather Evidence (SRRU)
- Identify audit findings (non-compliance, effectiveness): Condition, Criteria, Cause, Effect, Recommendation

3. Reporting Phase

Prepare and Distribute Report
- Exit conference to discuss DRAFT
- Issue FINAL (Board, Mgmnt, other stakeholders)

4. Audit Follow-Up

Monitor implementation of recommendations
- Perform follow-up procedures

Quality Assurance

QAIP Internal Assessments
- Supervision throughout
- Continuous improvement
- Self-Assessment w/independent validation
- Report results to mgmnt/board

QAIP External Assessment
- Peer Review (every 5 years)
- Assurance audit is compliance to CPDCS
- Compliance with CPDCS
- Effective and Efficient
- Report to mgmnt/board annually
- Adding Value
