
CIA Part 1: Internal Audit Basics

Section B: Internal Control and Risk - Introduction
Study Note # 1: How are controls classified based on when
they occur?
Answer: Feedforward controls identify a problem before it occurs
and attempt to prevent it from occurring.
Concurrent controls operate at the same time as the production
process and make ongoing adjustments to the process based
upon immediate feedback from the system.
Feedback controls identify when something has already gone
wrong.

http://www.zainacademy.us
help@zainacademy.us
Study Note # 2: How is the budget a control tool?
Answer: By budgeting the amount of money that is expected to
be made or spent, the company creates a series of ground rules
for people within the organization to follow throughout the year.

Study Note # 3: In order to control a system, what two elements
must be added to the system?
Answer: Control
Feedback

Study Note # 4: In what ways can a company provide control
through personnel?
Answer: Employees should be given training and be reviewed on
a periodic basis. If an individual’s performance is above what is
expected, the employee should be rewarded. If an individual’s
performance is less than expected, the company should find ways
of improving performance or enacting corrective measures. Also,
employees should be given information about the other
components of the business so that they can understand the larger
goals and objectives of the company.

Study Note # 5: What are control activities?
Answer: Control activities ensure that management directives are
carried out. These policies and procedures also outline the
necessary steps to address risks to the organization’s objectives.

Study Note # 6: What are exogenous variables?
Answer: Exogenous variables are those variables that are outside
the control of the decision-maker, such as technological changes,
weather, competitors, and wars. Because they are outside the
control of the company, it is very difficult to plan for them.

Study Note # 7: What are input controls?
Answer: Input controls help to ensure that only valid, authorized
information is entered into a transaction.

Study Note # 8: What are manual and automated controls?
Answer: Manual controls operate through human intervention
Automated controls operate through and within a company’s
information technology system

Study Note # 9: What are output controls?
Answer: Output controls are used to provide reasonable
assurance that input and processing have resulted in valid output.

Study Note # 10: What are planning and controlling?
Answer: Planning is the process of an organization setting forth
its goals and objectives. Through the process of controlling, a
company is able to monitor its progress towards those goals and
objectives. Without planning there is no way to implement a control
system because there is no standard against which to measure
performance.

Study Note # 11: What are procedures?
Answer: Procedures are the actions for carrying out policies, so
all of the guidelines for policies are applicable to procedures.

Study Note # 12: What are processing controls?
Answer: Processing controls ensure that the data and
transmission are valid. Processing controls also include physical
security of the equipment.

Study Note # 13: What are qualitative controls?
Answer: Qualitative controls relate to characteristics or
requirements of job performance or the finished unit (such as job
instructions, quality-control standards, or employment criteria).

Study Note # 14: What are quantitative controls?
Answer: Quantitative controls relate to the number of units
produced, hours worked, defects found, or something similar
(such as budgets, schedules, quotas, and charts).

Study Note # 15: What are soft controls?
Answer: Soft controls are controls that are not specific tasks that
must be done (for example, policy and procedures); rather, they
focus on ideas and expectations of the people in the company (for
example, shared values, expectations, commitment, competence,
and trust).

Study Note # 16: What are the 8 interrelated components of
ERM?
Answer: Internal environment
Setting objectives
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

Study Note # 17: What are the characteristics of an effective
control system?
Answer: Economical: There must be a positive cost/benefit ratio,
meaning that the organization saves more than the cost of the
control.
Meaningful: It is important to control only important items.
Appropriate: The control system should actually reflect what the
organization is trying to measure and control (that is, controlling
something that relates to an objective or goal of the company).
Congruent: The result of the system should be useful and in line
with what it is measuring.
Timely: Information must be available in enough time to act upon
it.
Simple: The control must be understandable to the people using
it.
Operational: The control should provide benefit to real operations
and not simply be interesting.

Study Note # 18: What are the five components of internal
control?
Answer: The COSO model includes the following five
components:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Study Note # 19: What are the five components to
the feedback part of a control system?
Answer: A control object is the element or variable (output) that is
being monitored
The detector measures what is happening in the control object
The reference point is the standard that the control object is
measured against
The comparator (analyzer) is the comparison between what is
happening and what should be happening
The activator is the decision-maker

Study Note # 20: What are the five types of controls?
Answer: Preventive
Directive
Detective
Corrective
Compensating

Study Note # 21: What are the four components of control in
the CoCo Model?
Answer: Purpose
Commitment
Capability
Monitoring and Learning

Study Note # 22: What are the key tenets of the Turnbull
Report?
Answer: Board's responsibility for internal controls
Management's responsibility for internal controls
Employees' responsibility for internal controls
Adopting a risk-based approach
Ongoing monitoring of risks and controls

Study Note # 23: What are the objectives of ERM?
Answer: Strategic. Strategic objectives are established at the top
of the organization. They have to be aligned with the
mission and vision of the organization.
Operations. Operational objectives focus on
the effective and efficient use of resources and the safeguarding
of assets.
Reporting. Reporting objectives relate to the reliability of financial
reporting.
Compliance. Compliance objectives are designed to keep the
organization in compliance with applicable laws and regulations.

Study Note # 24: What are the primary functions of ERM?
Answer: To identify potential events that could negatively affect
the company and to manage these risks within the company’s risk
appetite
To be applied when setting strategy, with management
considering risks when developing strategies
To provide reasonable assurance to management and the board
that risk will be identified and managed in a timely manner
To embed risk awareness within the organization so that
employees better understand risks, their responsibilities regarding
risks, and levels of authority they have to deal with risk

Study Note # 25: What are the six elements of a closed control
system?
Answer: Setting performance standards to provide a means of
measuring and comparing events and establishing permissible
variations
Measuring performance or progress to accumulate information on
existing conditions
Analyzing performance or progress and comparing it with
standards to determine variances
Evaluating deviations and bringing them to appropriate attention
to determine causes and effective corrective action
Correcting deviations from standards to see that objectives and
goals will be met
Following up on corrective action to determine its effectiveness

Study Note # 26: What are the three categories of application
controls?
Answer: Input controls
Processing controls
Output controls

Study Note # 27: What are the three elements of a system?
Answer: Input
Processing
Output

Study Note # 28: What are the three main elements of
the control process?
Answer: Setting the objectives that are to be achieved
Measuring the performance against a standard
Evaluating the results and then correcting, or regulating, the
performance as a result of what was measured

Study Note # 29: What are the three main types of fraud?
Answer: Misstatements arising from fraudulent financial
reporting: these are intentional misstatements made to mislead,
including omission of information from the financial statements
and misapplication of accounting principles.
Misstatements arising from the misappropriation of assets: such
acts include theft, embezzlement, and any action that causes the
company to expend cash for goods and services that do not
benefit or provide value to the company.
Corruption: corruption includes illegal gratuities, bribes, kickbacks,
conflict of interest, or economic extortion.

Study Note # 30: What are the three organizational levels of
control?
Answer: Corporate-level (entity level) controls are mostly manual,
which include general policy statements (which establish the
core culture) and values and overall monitoring procedures (such
as the audit committee and risk management committee).
Operational-level controls include both manual and automated
controls. Operational-level controls encompass planning and
performance monitoring, the system of accountability to superiors,
and risk evaluation.
Transaction-level controls are mostly automated, consisting of
complying with specific control procedures and making sure
financial information is accurate and complete. At this level,
financial information is evaluated for its accuracy and
completeness.

Study Note # 31: What are the three primary ways of classifying
controls?
Answer: The organizational level at which the controls exist (for
example, corporate level, operational level or transactional level)
The type of control
Whether the control is manual or automated

Study Note # 32: What are trait-based decisions?
Answer: Trait-based decisions use subjective rather than
objective criteria.

Study Note # 33: What does COSO say about controls?
Answer: The Committee of Sponsoring Organizations of the
Treadway Commission states that internal controls are “designed
to provide reasonable assurance regarding the achievement of
objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting, and
Compliance with applicable laws and regulations.”

Study Note # 34: What does it mean to embed risk
awareness within an organization?
Answer: To ensure the maximum effectiveness of any risk
management process, the awareness of risk must be embedded
within the organization’s processes, culture, structure,
and systems. “Embedding” risk awareness suggests that risk
awareness should be practiced at all levels of the organization and
that it acts as a control foundation for the organization’s control
system.

Study Note # 35: What does the Turnbull Report say
that internal controls should do?
Answer: Be embedded in the operations of the company and form
a part of its culture
Be capable of responding quickly to evolving risks to the business
arising from factors within the company and to changes in the
business environment
Include procedures for reporting immediately to appropriate levels
of management any significant control failings or weaknesses that
are identified together with details of corrective action being
undertaken

Study Note # 36: What duties should
be segregated by segregation of duties?
Answer: Under the segregation of duties, different people must
always do the following functions:
Authorize a transaction
Record the transaction, preparing source documents, maintaining
journals
Keep physical custody of the related asset (for example, receiving
checks in the mail)
Periodically reconcile physical assets to recorded amounts

Study Note # 37: What is a budget?
Answer: A budget is a “realistic plan for the future expressed in
quantitative terms.” Budgets are the most traditional control
devices used by businesses. With a budget, a company
transforms its plans and goals into a quantitative (or number)
format, and thereby links its present conditions with a strategy for
the future.

Study Note # 38: What is a cause-and-effect diagram?
Answer: A cause-and-effect diagram, also known as an Ishikawa
diagram, organizes causes and effects visually to sort out root
causes and identify relationships between causes.

Study Note # 39: What is a closed control system?
Answer: A closed system does not receive any uncontrollable
inputs. Historically, closed systems are rare, but with the general
use of computers they have become much more common.

Study Note # 40: What is a control point?
Answer: A control point is a point in a process where an error or
irregularity is likely to occur, creating a need for control.

Study Note # 41: What is a data flow diagram?
Answer: A data flow diagram is a symbolic illustration of a
system’s processes and data flows. It usually includes the data
source, data flow, transformation processes, data destination, and
data storage.

Study Note # 42: What is a flowchart?
Answer: A flowchart is a pictorial diagram using symbols to
describe operations, data flow, equipment, and so forth.

Study Note # 43: What is a Gantt Chart and how is it used?
Answer: In a Gantt chart, a project is divided into parts, activities,
or tasks, which are plotted on a chart that has tasks listed on the
left side and time across the top or bottom. The tasks are then
placed into the time frame in which they need to be completed.

Study Note # 44: What is a histogram?
Answer: A histogram is a bar graph that represents the frequency
of events in a set of data.

Study Note # 45: What is a Pareto diagram?
Answer: A Pareto diagram is a specific type of histogram. It takes
all the factors the histogram identifies as causing the problem and
ranks them from the highest to lowest frequency.

Study Note # 46: What is a PERT diagram and how is it used?
Answer: Program Evaluation and Review Technique (PERT)
diagrams show every relationship between different activities
using lines. A series of lines show interconnected steps that all
must be completed in order for the task to be done. Activities that
do not have any lines between them are not connected to each
other. In addition to showing these relationships, a PERT diagram
can also show the time that should be required to complete each
individual task. These times of completion can be used to calculate
the critical path.

Study Note # 47: What is a policy?
Answer: A policy is a stated principle that provides guidance for
behavior. It is a directive control that may require certain behavior
or prohibit certain behavior.

Study Note # 48: What is a program (vertical) flowchart?
Answer: A program or vertical flowchart depicts the specific steps
in a process and how they are executed. It does not usually show
the system components as clearly as a horizontal flowchart.

Study Note # 49: What is a red flag?
Answer: A red flag is anything that strongly suggests that an
unethical or suspicious event has taken place. Red flags can often
be difficult to detect, so it is quite possible that a red flag might not
come to the auditor’s attention during the course of a properly
planned and conducted audit.

Study Note # 50: What is a system (horizontal) flowchart?
Answer: A systems or horizontal flowchart shows the different
departments or functions involved in a process, indicated
horizontally across the top. It documents the manual processes as
well as the computer processes and the input, output, and
processing steps.

Study Note # 51: What is a zero-defect program?
Answer: In a program of zero-defect, the goal is to have no
defects in a process or the organization. This is an ambitious yet
achievable objective. Even if a company is currently unable to
produce at a zero-defect level, zero-defects still should be the
target that all employees work together to reach.

Study Note # 52: What is an open control system?
Answer: An open system interacts with its environments, meaning
that it may receive uncontrollable input information from the
outside that will in turn affect the system. Because most systems
get information from outside, most systems are open systems.

Study Note # 53: What is collusion?
Answer: Collusion occurs when two or more individuals work
together to overcome the internal control system and perpetrate a
fraud. When two or more people work together, they are able to
get around the segregation of duties that may have been set out.

Study Note # 54: What is control?
Answer: Control is the process of comparing what was produced
against some criteria or standard.

Study Note # 55: What is correlation analysis?
Answer: Correlation analysis is a method used in internal auditing
to measure the linear relationship between two or more variables.
The correlation between these two variables can be seen by
plotting their values on a graph (such as a scatter diagram). A high
correlation is indicated if the points tend to form a straight line. If
there is little correlation, then there will be a random pattern.

Study Note # 56: What is CPM?
Answer: Critical Path Method (CPM) is similar to PERT. However,
CPM includes costs in the process of planning and
allows crashing, which is a process whereby as many resources
as possible are redirected towards the completion of a project.

Study Note # 57: What is enterprise risk management (ERM)?
Answer: A structured, consistent, and continuous process across
the whole organization for identifying, assessing, deciding on
responses to and reporting on opportunities and threats that affect
the achievement of its objectives.

Study Note # 58: What is event identification in ERM?
Answer: Both internal and external events affecting the
achievement of an organization’s objectives must be identified,
and they must be distinguished between risks and opportunities.

Study Note # 59: What is feedback?
Answer: Feedback compares actual production results with
planned production expectations.

Study Note # 60: What is information and communication?
Answer: These are the systems or processes that support the
identification, capture, and exchange of information in a form and
time frame that enable people to carry out their responsibilities.

Study Note # 61: What is monitoring?
Answer: These are processes used to assess the quality of
internal control performance over time. This objective is
accomplished through ongoing monitoring activities, separate
evaluations, or a combination of the two.

Study Note # 62: What is pervasive risk?
Answer: Pervasive risk is risk that is found throughout the
business environment.

Study Note # 63: What is pure risk?
Answer: Pure risk is the probability that some future event or
action could adversely impact the organization.

Study Note # 64: What is residual risk?
Answer: Residual risk is the risk remaining after management
takes action to reduce the impact and likelihood of an adverse
event, including control activities in responding to a risk.

Study Note # 65: What is risk appetite?
Answer: Risk appetite is the amount of risk an organization is
willing to accept.

Study Note # 66: What is risk assessment?
Answer: Risk assessment is the identification and analysis of
relevant risks to the achievement of objectives, and it forms a
basis for how risks should be managed.

Study Note # 67: What is risk management?
Answer: Risk management is a process to identify, assess,
manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the
organization’s objectives.

Study Note # 68: What is risk response in ERM?
Answer: Management selects risk responses, such as
“transferring, accepting, reducing, and avoiding.” Management
then develops a set of actions to align risks with the organization’s
risk tolerances and risk appetite.

Study Note # 69: What is risk tolerance?
Answer: Risk tolerance is the acceptable level of variation relative
to the achievement of objectives.

Study Note # 70: What is risk?
Answer: Risk is the possibility of an event occurring that will
influence the achievement of objectives.

Study Note # 71: What is slack time?
Answer: Slack time means that the delay of the completion of a
task will not delay the completion of the entire project.

Study Note # 72: What is speculative risk?
Answer: Speculative risk is risk where the outcome may be
positive (gain) or it may be negative (loss).

Study Note # 73: What is the control environment?
Answer: The control environment sets the tone for the
organization, influencing the control consciousness of its people.
The control environment is the foundation for all the other
components of internal control.

Study Note # 74: What is the IIA definition of control?
Answer: The IIA defines control as: "Any action taken by
management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will
be achieved. Management plans, organizes, and directs the
performance of sufficient actions to provide reasonable assurance
that objectives and goals will be achieved."

Study Note # 75: What is the purpose
of compensating controls?
Answer: To compensate for weaknesses in the control system

Study Note # 76: What is the purpose of corrective controls?
Answer: To correct undesirable events that occurred

Study Note # 77: What is the purpose of detective controls?
Answer: To detect undesirable events that occurred

Study Note # 78: What is the purpose of directive controls?
Answer: To cause or encourage a desirable event to occur

Study Note # 79: What is the purpose of preventive controls?
Answer: To avoid the occurrence of an unwanted event

Study Note # 80: What is the responsibility of the internal
auditor with respect to fraud?
Answer: The internal auditor’s job is to detect fraud, determine
how it occurred, identify what needs to be fixed in the controls, and
recommend corrections to prevent similar problems in the future.

Study Note # 81: What three conditions need to be present
to commit fraud?
Answer: The person has to be motivated to commit the fraud
The person has to have the opportunity to commit the fraud
The person has to have the ability to rationalize the fraud
