Memorise Flashcards
The types of standards
Attribute
Performance
Implementation
How many overarching standards are there? What about underlying?
11 overarching
42 underlying
List the attribute standards
1000 Purpose, Authority & Responsibility
1100 Independence & objectivity
1200 Proficiency & Due professional care
1300 QA & improvement program
List the performance standards
2000 Managing IA activity
2100 Nature of Work
2200 Engagement planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Communicating the Acceptance of risks
What are the key components of the COSO ERM framework? How many underlying principles does it have?
- Governance and culture
- Strategy and objective-setting
- Performance
- Review and revision
- Monitoring
20 principles
What is ISO 31000:2018 Risk management – Guidelines?
A risk management standard designed to be applied to a range of industries and contexts. It provides principles, a framework and a process for managing risk.
What are the 3 components of the ISO 31000:2018?
Risk management process
Risk management framework
Risk management principles
What does the ISO 31000:2018 risk management process set out?
Steps for identifying, evaluating and treating risks.
What does ISO 31000:2018 define as the risk management framework?
6 distinct areas that should make up the organisation’s risk management framework. At the centre is leadership and commitment. Arranged around it in a circle are: integration, design, implementation, evaluation and improvement.
What are the five levels of risk maturity?
- Initial: No formal approach to risk management
- Repeatable: Scattered, silo-based approach to risk management
- Defined: Risk management strategy and policies in place and communicated; risk appetite and tolerance levels defined
- Managed: Enterprise-wide approach to risk management developed and communicated
- Optimised: Risk management fully embedded into processes and systems
What are the four types of controls to address risks?
- Directive controls direct people to perform tasks in the way best designed to mitigate risk. Such as accounting manuals, procedure guides, training, supervision.
- Preventive controls are those that stop those ‘unwanted events’ happening in the first place. So segregation of duties when making payments, for example, will reduce the risk of a staff member creating, reviewing, authorising and processing a fraudulent payment.
- Detective controls do just that – they flag anomalies, ideally in time to stop the actual risk from becoming reality. So if someone unauthorised tries to access the sales database, a detective control would be one that alerts IT support staff, who in turn alert senior management.
- Corrective controls are those that stop problems getting worse. In a customer-facing environment, complaints procedures are one example.
What does King IV focus on?
outcomes, placing accountability on the governing body (eg the board) to attain the governance outcomes of an ethical culture, good performance and effective control within the organisation and legitimacy with stakeholders.
What are the main components of King IV?
- Ethical culture
- Good performance
- Effective control
- Legitimacy
Draw COSO Internal Control - Integrated Framework

How many components and principles does the COSO Internal Control framework have?
5 components
17 principles
Write down the 10 core principles.
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organisation.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organisational improvement.
What does integrity mean?
The integrity of internal auditors establishes trust and thus provides the basis for reliance.
What does objectivity mean?
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgements.
What does confidentiality mean?
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
What does competency mean?
Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.
What does risk mean?
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
What is risk management?
What does risk appetite mean?
The level of risk that an organisation is willing to accept.
What are the 3 steps of a risk assessment?
Risk identification, risk analysis and risk evaluation.
What is the difference between risk identification, analysis and evaluation?
Risk identification: The process of determining which events might occur to affect the objectives of the organisation and their root causes.
Risk analysis: The systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences ie their impact.
Risk evaluation: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
What is a control?
Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
What are control processes?
The policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organisation is willing to accept.
What is a control environment?
The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical values, management’s philosophy and operating style, organisational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.
What are the seven steps of the planning process?
- Understand the context and purpose
- Gather information to understand area or process
- Conduct a preliminary risk assessment
- Establish objectives
- Establish scope
- Allocate resources
- Document work program
What is considered as information in terms of IA?
The facts or knowledge provided or learned. It can be tacit, in people’s heads, or explicit, in documents - electronic or hard copy.
What must internal auditors identify in terms of the quality of the information used?
Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.
SURR stands for
sufficient
useful
reliable
relevant
(identifying information / quality of the information)
What are the different types of evaluation criteria?
- Internal (eg policies and procedures of the organisation)
- External (eg laws and regulations imposed by statutory bodies)
- Leading practices (eg industry and professional guidance)
When evaluating risks, what are the two categories you would look at?
Probability/Likelihood
Impact
What is qualitative information?
Descriptive information, which usually derives from observations, interviews, focus groups or analysis of graphical material such as photographs.
What is quantitative information?
Information based on measurable data. This usually entails mathematical analysis to shed light on the activity or phenomena being investigated.
What is an inquiry?
Getting information from audit clients, process owners and users and other groups.
Examples
Interviewing clients face to face
Gathering information from a focus group
Collecting information from employees using electronic surveys.
What is an observation in terms of information gathering?
This involves observing people, processes and other organisational activities.
Examples
Undertaking inventory counts
Observing an employee undertake part of a process
Observing that certain assets are in place eg fire doors are kept shut, security cameras are in place.
What does substantive testing mean?
To determine whether the controls in place achieve the control objectives
What does compliance testing mean?
To determine whether the prescribed controls are being adhered to
What does governance mean?
The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives.
What does CAATTs mean?
Computer assisted audit tools and techniques
What is variance analysis?
Variance analysis compares sets of data to identify and understand any differences between them.
What is trend analysis?
Trend analysis is used to identify patterns in sets of data. Usually we are looking for patterns over periods of time.
What does benchmarking mean?
Benchmarking: The process for comparing two or more items against the benchmark.
Benchmark: The standard or point of reference against which the item is compared.
What is internal benchmarking?
Occurs within an organisation, such as comparing the performance of two or more internal audit teams within the same organisation, or comparing internal audit against another function within the same organisation.
What is competitive benchmarking?
benchmarking against competitors. For instance, comparing the performance of the internal audit function against those of a competitor using ratios of qualified to unqualified auditors and total costs of the internal audit function as the benchmark.
What is generic benchmarking?
benchmarking performance against unrelated industries. For instance, comparing the learning and development of internal auditors with that of management accountants.
What is collaborative benchmarking?
when benchmarking is carried out collaboratively by groups of organisations or by a professional body on behalf of their members. For instance, the Chartered IIA carries out benchmarking surveys of its members’ functions. Chartered IIA members can then compare their own internal audit performance against these benchmarks.
What is best in class benchmarking?
a type of competitive or collaborative benchmarking that involves comparing performance against an organisation or function that is regarded as performing a particular activity best.
Explain the Ishikawa diagram.
Also known as the fishbone diagram.
It takes you through a process of describing the problem, collecting and analysing data and then, possibly through brainstorming, identifying potential causes. This should then enable you to analyse and identify the root cause(s) and then advise on possible solutions. It may take a number of steps to trace the problem back to the ‘root cause’ by going through a series of questions:
What happened/What was the problem?
Why did it happen?
How can it be put right to stop it happening again?
What are 3 techniques to do root cause analysis?
Ishikawa/Fishbone diagram
Five whys
Pareto analysis
When is the five whys technique best used?
When problems involve human factors; it is best for simple to moderately difficult problems in troubleshooting, quality improvement and problem solving.
How does the Pareto analysis work?
By arranging the issues in order according to the impact they have we can resolve roughly 80% of the problem by tackling 20% of the issues. The key point is that we have to apply our limited resources to those areas where we can make the biggest impact.
Draw the following symbols as used in flowcharts:
- process step/task
- pre-defined process
- input/output (or data)
- document
- decision step
- terminal point
- on-page connector
- off-page connector
- stored data
- display
- flow line

What does RACI stand for?
R = Responsible - The person who performs the work.
A = Accountable - The person ultimately accountable for the work or decision being made. We can use this letter where appropriate, but not to excess – only when a key decision or task is at hand.
C = Consulted - Anyone who must be consulted with prior to a decision being made and/or the task being completed.
I = Informed - Anyone who must be informed when a decision is made or work is completed.
What are the two key categories of samples?
Judgmental sampling: the internal auditor uses their knowledge and experience to determine what transactions and records to sample and the number to look at.
Statistical sampling: the internal auditor applies statistical (mathematical) methods to select the samples.
What does population size mean?
The entire set of items from which the sample will be drawn. The population size refers to the number of that population.
What does a sample size mean?
The size of the sample in relation to the population.
What does confidence level mean in terms of sampling?
The degree of certainty that the sample is the same as the population, for example, 95% confidence level indicates that 95 times out of 100 the sample will reflect the population and five times out of 100 it will not and we will draw the wrong conclusion.
What does precision or margin of error mean in terms of sampling?
A measure of the possible difference between the sample estimate and the actual population value.
What does variability mean in terms of sampling?
The degree or amount of difference among items in the population.
What are the 5 types of statistical sampling?
- Simple random sampling
- Attribute sampling
- Variable sampling
- Monetary (dollar) unit sampling
- Discovery sampling
What is simple random sampling?
Simple random sampling ensures every item in the population has an equal chance of selection. For example, the internal auditor may randomly select an agreed percentage of items from a large batch of invoices.
What is attribute sampling?
The internal auditor seeks items with particular characteristics. Alternatively, the process may seek to exclude particular items. This may be from the whole population, sub population or a random sample of the whole population. For instance, the internal auditor may use attribute sampling to estimate the number of purchase orders of a particular value range that were not authorised based on a sample.
What is variable sampling?
Variable sampling seeks to provide information on the values associated with a sub population or sample of the population. For instance, the internal auditor will use variable sampling to estimate the total monetary value of orders of a particular value range that were not authorised.
What is monetary (dollar) unit sampling?
Monetary unit sampling is also called probability-proportionate-to-size. It is used to determine the accuracy of financial accounts such as accounts receivable, loans receivable and inventory. Each dollar/pound/euro in a transaction is a separate sampling unit. For example, a transaction of $100 has 100 sampling units.
What is discovery sampling?
Discovery sampling is a type of attribute sampling. It is used to determine the sample size that will provide the desired confidence of finding at least one deviation in the population. Discovery sampling is usually used by internal auditors to calculate the probability of an action or item occurring. This type of sampling is used to identify critical errors and the probability of fraud occurring.
What does big data mean in terms of sampling?
Extremely large, complex structured, semi-structured and unstructured data that could potentially be mined for information.
Explain what is meant by data-analytics?
A process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision-making.
What is data mining?
The process of finding correlations or patterns among dozens of fields in large databases.
What is a balanced scorecard?
It measures four perspectives that result in focusing on the long-term health of organisations: financial, customer, internal business process, learning and growth.
What is a base year?
(Financial analysis)
A year chosen as the ‘start-off’ year for comparison purposes; the initial benchmark that subsequent years are compared to.
What is a cash cycle?
(Financial analysis)
Also referred to as the operating cycle or cash conversion cycle. At a basic level, it is the time taken for an organisation to convert raw materials into cash. More broadly, it refers to the cycle of activities involved - purchasing raw materials, converting them into finished goods, selling those goods (usually on credit to other organisations) and then collecting the revenue from them. This equally applies to service organisations, which sell services rather than physical goods.
What is a cost?
(Financial analysis)
In the context of this course, cost refers to the cost per unit of something (raw materials, physical good or services).
What is horizontal analysis?
A sub-set of financial statement analysis, whereby financial statement line items are compared over a number of accounting periods to a base year. Also known as base year analysis.
What is base year analysis?
A sub-set of financial statement analysis, whereby financial statement line items are compared over a number of accounting periods to a base year. Also known as horizontal analysis.
What is ratio analysis?
Analysis of financial data presented in an organisation’s financials statements, in order to assess liquidity, profitability, efficiency, leverage and value. Ratio analysis can be used to review year on year performance for one organisation, or for comparison between different organisations.
What is sensitivity analysis?
Statistical model showing how changes to an independent input variable may affect the behaviour of a dependent variable. Different to scenario planning and usually relates to financial planning, whereas scenario planning is applied strategically. Also known as what-if analysis.
What is what-if analysis?
Also known as sensitivity analysis.
Statistical model showing how changes to an independent input variable may affect the behaviour of a dependent variable. Different to scenario planning and usually relates to financial planning, whereas scenario planning is applied strategically.
What is vertical analysis?
Sub-set of financial statement analysis, whereby each line item within a financial statement is expressed as a percentage of a base figure within the same statement. Also known as common size financial statement analysis.
What is common size financial statement analysis?
Same as vertical analysis.
Sub-set of financial statement analysis, whereby each line item within a financial statement is expressed as a percentage of a base figure within the same statement.
What are accounting ratios used for?
to analyse financial data, namely the financial statements published by organisations. They allow you to express the relationship between one piece of accounting data and another. Accounting ratios are a way of making comparisons, either within the organisation (comparing one department’s performance to another or comparing year on year results) or external comparison to other organisations.
What are the four groups of accounting ratios?
- Profitability ratios
- Liquidity ratios
- Efficiency (or activity) ratios
- Leverage ratios
What do profitability ratios assess?
the organisation’s ability to generate earnings compared to its expenses (thus the focus is performance).
What do liquidity ratios indicate?
What do efficiency (or activity) ratios analyse?
how well an organisation uses its assets and liabilities.
These types of ratios are used by various stakeholders – management within the organisation, and external parties such as investors, banks and government departments (e.g. when assessing an organisation’s declared profits for tax purposes).
What do leverage ratios compare?
the proportion of debt that an organisation has to its equity/capital. They can be used to answer the question ‘how is the organisation funding its assets - via equity or debt, or in what combination?’
What kind of variances can be analysed by variance analysis?
Cost, usage, revenue
Standard 2420 Quality of communications simply states that ‘Communications must be…’?
accurate, objective, clear, concise, constructive, complete and timely