Memorise Flashcards

1
Q

The types of standards

A

Attribute
Performance
Implementation

2
Q

How many overarching standards are there? What about underlying?

A

11 overarching
42 underlying

3
Q

List the attribute standards

A

1000 Purpose, Authority & Responsibility
1100 Independence & objectivity
1200 Proficiency & Due professional care
1300 QA & improvement program

4
Q

List the performance standards

A

2000 Managing IA activity
2100 Nature of Work
2200 Engagement planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Communicating the Acceptance of risks

5
Q

What are the key components of the COSO ERM framework? How many principles are underlying?

A
  1. Governance and culture
  2. Strategy and objective-setting
  3. Performance
  4. Review and revision
  5. Monitoring

20 principles

6
Q

What is ISO31000:2018 Risk management – Guidelines?

A

a risk management standard designed to be applied to a range of industries and contexts. It provides principles, a framework and a process for managing risk.

7
Q

What are the 3 components of the ISO 31000:2018?

A

Risk management process
Risk management framework
Risk management principles

8
Q

What does the ISO31000:2018 risk management process set out?

A

Steps for identifying, evaluating and treating risks.

9
Q

What does the ISO31000:2018 define?

A

6 distinct areas that should make up the organisation’s risk management framework. At the centre of this is leadership and commitment. Arranged in a circle around it are: integration, design, implementation, evaluation and improvement.

10
Q

What are the five levels of risk maturity?

A
  1. Initial
    No formal approach to risk management
  2. Repeatable
    Scattered silo-based approach to risk management
  3. Defined
    Risk management strategy and policies in place and communicated
    Risk appetite and tolerance levels defined.
  4. Managed
    Enterprise wide approach to risk management developed and communicated.
  5. Optimised
    Risk management fully embedded into processes and systems
11
Q

What are the four types of controls to address risks?

A
  1. Directive controls direct people to perform tasks in the way best designed to mitigate risk. Such as accounting manuals, procedure guides, training, supervision.
  2. Preventive controls are those that stop those ‘unwanted events’ happening in the first place. So segregation of duties when making payments, for example, will reduce the risk of a staff member creating, reviewing, authorising and processing a fraudulent payment.
  3. Detective controls do just that – they flag anomalies, ideally in time to stop the actual risk from becoming reality. So if someone unauthorised tries to access the sales database, a detective control would be one that alerts IT support staff, who in turn alert senior management.
  4. Corrective controls are those that stop problems getting worse. In a customer-facing environment, complaints procedures are one example.
12
Q

What does King IV focus on?

A

outcomes, placing accountability on the governing body (eg the board) to attain the governance outcomes of an ethical culture, good performance and effective control within the organisation and legitimacy with stakeholders.

13
Q

What are the main components of King IV?

A
  1. Ethical culture
  2. Good performance
  3. Effective control
  4. Legitimacy
14
Q

Draw COSO Internal Control - Integrated Framework

A
15
Q

How many components and principles does the COSO Internal Control framework have?

A

5 components

17 principles

16
Q

Write down the 10 core principles.

A
  1. Demonstrates integrity.
  2. Demonstrates competence and due professional care.
  3. Is objective and free from undue influence (independent).
  4. Aligns with the strategies, objectives, and risks of the organisation.
  5. Is appropriately positioned and adequately resourced.
  6. Demonstrates quality and continuous improvement.
  7. Communicates effectively.
  8. Provides risk-based assurance.
  9. Is insightful, proactive, and future-focused.
  10. Promotes organisational improvement.
17
Q

What does integrity mean?

A

The integrity of internal auditors establishes trust and thus provides the basis for reliance.

18
Q

What does objectivity mean?

A

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgements.

19
Q

What does confidentiality mean?

A

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

20
Q

What does competency mean?

A

Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.

21
Q

What does a risk mean?

A

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

22
Q

What is risk management?

A
23
Q

What does risk appetite mean?

A

The level of risk that an organisation is willing to accept.

24
Q

What are the 3 steps of a risk assessment?

A

risk identification, risk analysis and risk evaluation.

25
Q

What is the difference between risk identification, analysis and evaluation?

A

Risk identification: The process of determining which events might occur to affect the objectives of the organisation and their root causes.

Risk analysis: The systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences ie their impact.

Risk evaluation: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

26
Q

What is a control?

A

Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

27
Q

What are control processes?

A

The policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organisation is willing to accept.

28
Q

What is a control environment?

A

The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical value, management’s philosophy and operating style, organisational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.

29
Q

What are the seven steps of the planning process?

A
  1. Understand the context and purpose
  2. Gather information to understand area or process
  3. Conduct a preliminary risk assessment
  4. Establish objectives
  5. Establish scope
  6. Allocate resources
  7. Document work program
30
Q

What is considered as information in terms of IA?

A

The facts or knowledge provided or learned. It can be tacit, in people’s heads, or explicit, in documents - electronic or hard copy.

31
Q

What must internal auditors identify in terms of the quality of the information used?

A

Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.

32
Q

SURR means

A

sufficient

useful

reliable

relevant

(identifying information / quality of the information)

33
Q

What are the different types of evaluation criteria?

A
  1. Internal (eg policies and procedures of the organisation)
  2. External (eg laws and regulations imposed by statutory bodies)
  3. Leading practices (eg industry and professional guidance)
34
Q

When evaluating risks, what are the two categories you would look at?

A

Probability/Likelihood

Impact

35
Q

What is qualitative information?

A

Descriptive information, which usually derives from observations, interviews, focus groups or analysis of graphical material such as photographs.

36
Q

What is quantitative information?

A

Information based on measurable data. This usually entails mathematical analysis to shed light on the activity or phenomena being investigated.

37
Q

What is an inquiry?

A

Getting information from audit clients, process owners and users and other groups.

Examples

Interviewing clients face to face

Gathering information from a focus group

Collecting information from employees using electronic surveys.

38
Q

What is an observation in terms of information gathering?

A

This involves observing people, processes and other organisational activities.

Examples

Undertaking inventory counts

Observing an employee undertake part of a process

Observing that certain assets are in place eg fire doors are kept shut, security cameras are in place.

39
Q

What does substantive testing mean?

A

To determine whether the controls in place achieve the control objectives

40
Q

What does compliance testing mean?

A

To determine whether the prescribed controls are being adhered to

41
Q

What does governance mean?

A

The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives.

42
Q

What does CAATTs mean?

A

Computer assisted audit tools and techniques

43
Q

What is variance analysis?

A

Variance analysis compares sets of data to identify and understand any differences between them.

44
Q

What is trend analysis?

A

Trend analysis is used to identify patterns in sets of data. Usually we are looking for patterns over periods of time.

45
Q

What does benchmarking mean?

A

Benchmarking: The process for comparing two or more items against the benchmark.

Benchmark: The standard or point of reference against which the item is compared.

46
Q

What is internal benchmarking?

A

Occurs within an organisation, such as comparing the performance of two or more internal audit teams within the same organisation, or comparing internal audit against another function within the same organisation.

47
Q

What is competitive benchmarking?

A

benchmarking against competitors. For instance, comparing the performance of the internal audit function against those of a competitor using ratios of qualified to unqualified auditors and total costs of the internal audit function as the benchmark.

48
Q

What is generic benchmarking?

A

benchmarking performance against unrelated industries. For instance, comparing the learning and development of internal auditors with that of management accountants.

49
Q

What is collaborative benchmarking?

A

when benchmarking is carried out collaboratively by groups of organisations or by a professional body on behalf of their members. For instance, the Chartered IIA carries out benchmarking surveys of its members’ functions. Chartered IIA members can then compare their own internal audit performance against these benchmarks.

50
Q

What is best in class benchmarking?

A

a type of competitive or collaborative benchmarking that involves comparing performance against an organisation or function that is regarded as performing a particular activity best.

51
Q

Explain the Ishikawa diagram?

A

Also known as fishbone diagram.

Takes you through a process of describing the problem, collecting and analysing data and then, possibly through brainstorming, identifying potential causes. This should then enable you to analyse and identify the root cause(s) and then advise on possible solutions. It may take a number of steps to trace the problem back to the ‘root cause’ by going through a series of questions:

What happened/What was the problem?

Why did it happen?

How can it be put right to stop it happening again?

52
Q

What are 3 techniques to do root cause analysis?

A

Ishikawa/Fishbone diagram

Five whys

Pareto analysis

53
Q

When is the five whys the best to use?

A

When problems involve human factors; best for simple to moderately difficult problems with regard to troubleshooting, quality improvements and problem solving.

54
Q

How does the Pareto analysis work?

A

By arranging the issues in order according to the impact they have we can resolve roughly 80% of the problem by tackling 20% of the issues. The key point is that we have to apply our limited resources to those areas where we can make the biggest impact.

55
Q

Draw the following symbols as used in flowcharts:

  • process step/task
  • pre-defined process
  • input/output (or data)
  • document
  • decision step
  • terminal point
  • on-page connector
  • off-page connector
  • stored data
  • display
  • flow line
A
56
Q

What does RACI stand for?

A

R = Responsible - The person who performs the work.

A = Accountable - The person ultimately accountable for the work or decision being made. We can use this letter where appropriate, but not to excess – only when a key decision or task is at hand.

C = Consulted - Anyone who must be consulted with prior to a decision being made and/or the task being completed.

I = Informed - Anyone who must be informed when a decision is made or work is completed.

57
Q

What are the two key categories of samples?

A

Judgmental: the internal auditor uses their knowledge and experience to determine what transactions and records to sample and the number to look at

Statistical sampling: the internal auditor applies statistical (mathematical) methods to select the samples.

58
Q

What does population size mean?

A

The entire set of items from which the sample will be drawn. The population size refers to the number of that population.

59
Q

What does a sample size mean?

A

The size of the sample in relation to the population.

60
Q

What does confidence level mean in terms of sampling?

A

The degree of certainty that the sample is the same as the population, for example, 95% confidence level indicates that 95 times out of 100 the sample will reflect the population and five times out of 100 it will not and we will draw the wrong conclusion.

61
Q

What does precision or margin of level mean in terms of sampling?

A

A measure of the possible difference between the sample estimate and the actual population value.

62
Q

What does variability mean in terms of sampling?

A

The degree or amount of difference among items in the population.

63
Q

What are the 5 types of sampling that are all statistical sampling?

A
  1. Simple random sampling
  2. Attribute sampling
  3. Variable sampling
  4. Monetary (dollar) unit sampling
  5. Discovery sampling
64
Q

What is simple random sampling?

A

Simple random sampling ensures every item in the population has an equal chance of selection. For example, the internal auditor may randomly select an agreed percentage of items from a large batch of invoices.

65
Q

What is attribute sampling?

A

The internal auditor seeks items with particular characteristics. Alternatively, the process may seek to exclude particular items. This may be from the whole population, sub population or a random sample of the whole population. For instance, the internal auditor may use attribute sampling to estimate the number of purchase orders of a particular value range that were not authorised based on a sample.

66
Q

What is variable sampling?

A

Variable sampling seeks to provide information on the values associated with a sub population or sample of the population. For instance, the internal auditor will use variable sampling to estimate the total monetary value of orders of a particular value range that were not authorised.

67
Q

What is monetary (dollar) unit sampling?

A

Monetary unit sampling is also called probability-proportionate-to-size. It is used to determine the accuracy of financial accounts such as accounts receivable, loans receivable and inventory. Each dollar/pound/euro in a transaction is a separate sampling unit. For example, a transaction of $100 has 100 sampling units.

68
Q

What is discovery sampling?

A

Discovery sampling is a type of attribute sampling. It is used to determine the sample size that will provide the desired confidence of finding at least one deviation in the population. Discovery sampling is usually used by internal auditors to calculate the probability of an action or item occurring. This type of sampling is used to identify critical errors and the probability of fraud occurring.

69
Q

What does big data mean in terms of sampling?

A

Extremely large, complex structured, semi-structured and unstructured data that could potentially be mined for information.

70
Q

Explain what is meant by data-analytics?

A

A process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision-making.

71
Q

What is data mining?

A

The process of finding correlations or patterns among dozens of fields in large databases.

72
Q

What is a balanced scorecard?

A

It measures four perspectives that result in focusing on the long-term health of organisations: financial, customer, internal business process, learning and growth.

73
Q

What is a base year?

(Financial analysis)

A

A year chosen as the ‘start-off’ year for comparison purposes; the initial benchmark that subsequent years are compared to.

74
Q

What is a cash cycle?

(Financial analysis)

A

Also referred to as the operating cycle or cash conversion cycle. At a basic level, it is the time taken for an organisation to convert raw materials into cash. More broadly, it refers to the cycle of activities involved - purchasing raw materials, converting them into finished goods, selling those goods (usually on credit to other organisations) and then collecting the revenue from them. This equally applies to service organisations, which sell services rather than physical goods.

75
Q

What is a cost?

(Financial analysis)

A

In the context of this course, cost refers to the cost per unit of something (raw materials, physical good or services).

76
Q

What is horizontal analysis?

A

A sub-set of financial statement analysis, whereby financial statement line items are compared over a number of accounting periods to a base year. Also known as base year analysis.

77
Q

What is base year analysis?

A

A sub-set of financial statement analysis, whereby financial statement line items are compared over a number of accounting periods to a base year. Also known as horizontal analysis.

78
Q

What is ratio analysis?

A

Analysis of financial data presented in an organisation’s financial statements, in order to assess liquidity, profitability, efficiency, leverage and value. Ratio analysis can be used to review year on year performance for one organisation, or for comparison between different organisations.

79
Q

What is sensitivity analysis?

A

Statistical model showing how changes to an independent input variable may affect the behaviour of a dependent variable. Different to scenario planning and usually relates to financial planning, whereas scenario planning is applied strategically. Also known as what-if analysis.

80
Q

What is what-if analysis?

A

Also known as sensitivity analysis.

Statistical model showing how changes to an independent input variable may affect the behaviour of a dependent variable. Different to scenario planning and usually relates to financial planning, whereas scenario planning is applied strategically.

81
Q

What is vertical analysis?

A

Sub-set of financial statement analysis, whereby each line item within a financial statement is expressed as a percentage of a base figure within the same statement. Also known as common size financial statement analysis.

82
Q

What is common size financial statement analysis?

A

Same as vertical analysis.

Sub-set of financial statement analysis, whereby each line item within a financial statement is expressed as a percentage of a base figure within the same statement.

83
Q

What are accounting ratios used for?

A

to analyse financial data, namely the financial statements published by organisations. They allow you to express the relationship between one piece of accounting data and another. Accounting ratios are a way of making comparisons, either within the organisation (comparing one department’s performance to another or comparing year on year results) or external comparison to other organisations.

84
Q

What are the four groups of accounting ratios?

A
  1. Profitability ratios
  2. Liquidity ratios
  3. Efficiency (or activity) ratios
  4. Leverage ratios
85
Q

What do profitability ratios assess?

A

the organisation’s ability to generate earnings compared to its expenses (thus the focus is performance).

86
Q

What do liquidity ratios indicate?

A
87
Q

What do Efficiency (or activity) ratios analyse?

A

how well an organisation uses its assets and liabilities.

These types of ratios are used by various stakeholders – management within the organisation, and external parties such as investors or banks and government departments - when assessing an organisation’s declared profits for tax purposes.

88
Q

What do Leverage ratios compare?

A

the proportion of debt that an organisation has to its equity/capital. They can be used to answer the question ‘how is the organisation funding its assets - via equity or debt, or in what combination?’

89
Q

What kind of variances can be analysed by variance analysis?

A

Cost, usage, revenue

90
Q

Standard 2420 Quality of communications simply states that ‘Communications must be…’?

A

accurate, objective, clear, concise, constructive, complete and timely