
1. S5: Governance, Risk Management, & Control
1.1. TOPIC A: Organizational Governance
1.1.1. Standard
1.1.1.1. 2110: Governance/ IG2110
1.1.1.2. 2110.A1/A2: Governance
1.1.2. Governance Initiatives & Activities
1.1.2.1. Compliance with Legal or Regulatory requirements
1.1.2.2. IC assessment & control
1.1.2.3. ERM
1.1.2.4. Quality initiatives
1.1.2.5. Transparency & Disclosure
1.1.2.6. Governance structure & processes
1.1.3. Corporate Governance Principles
1.1.4. Roles & Resp
1.1.4.1. Board: primary resp for Governance
1.1.4.2. CAE: sets tone at the top, walks the walk
1.1.4.3. SM: set strategic direction, ensure risk management processes are in place...
1.1.4.4. OM: deploy strategy...
1.1.4.5. IA: assessment & provide assurance that GRC are designed & implemented effectively
1.1.4.6. EA: independent assurance on FS
1.1.5. IA's required role
1.1.5.1. Influenced factors
1.1.5.2. IA's value factors
1.1.5.2.1. Corporate values
1.1.5.2.2. Internal Audit Assurance Activities
1.1.5.2.3. IA Consulting Activities
1.2. TOPIC B: Impact of Org's Culture on Overall Control Environment & Individual Engagement Risks & Control
1.2.1. Impact of Culture on Control Environment
1.2.1.1. Control Environment impacted by
1.2.1.1.1. Leadership
1.2.1.1.2. Ethics
1.2.1.1.3. Values & beliefs
1.2.1.2. Culture & Governance
1.2.2. Impact of Culture on Individual Engagement Risks & Control
1.3. TOPIC C: Ethics & Compliance Issues & Violations
1.3.1. Organizational Compliance
1.3.1.1. act of adhering to or ability to demonstrate adherence to mandated requirements by law, regulation, contractual obligations, Internal policies
1.3.1.2. Compliance Frameworks
1.3.1.2.1. ISO 19600:2014
1.3.1.2.2. U.S. Federal Sentencing Guidelines for Orgs
1.3.1.3. Environmental & Social Compliance
1.3.1.3.1. US Environmental Protection Agency
1.3.1.3.2. US Occupational Safety & Health Administration
1.3.2. Organizational Program
1.3.2.1. Environmental Health & Safety
1.3.2.2. Environmental Monitoring & Reporting
1.3.2.3. Supply Chain Management
1.3.2.4. Facility Management
1.3.2.5. HR management
1.3.2.6. Privacy Management
1.3.2.6.1. Privacy concept
1.3.2.6.2. Privacy Vulnerabilities
1.3.2.6.3. Privacy Laws, Regulations, Guidance
1.3.2.6.4. IA & Privacy Compliance
1.3.2.7. Assessing Org's Ethical Climate
1.3.2.7.1. Evaluating Ethics
1.3.2.7.2. IA roles in Assessing Code of Conduct
1.3.2.7.3. Investigation & Disposition of Ethics Violations
1.3.2.7.4. Fostering a Healthy Ethical Climate
1.3.2.7.5. IA roles in Assessing Ethical Climate of the Board
1.4. TOPIC D: CSR
1.4.1. CSR: the way firms integrate social, environmental, economic concerns into their values, culture, decision making...
1.4.2. Risks that CSR address
1.4.2.1. Strategic Risks
1.4.2.2. Reputation Risks
1.4.2.3. Compliance Risks
1.4.2.4. Liability Risks
1.4.2.5. Operational Risks
1.4.2.6. Reporting Risks
1.4.2.7. Staffing Risks
1.4.2.8. Marketing Risks
1.4.2.9. Supply Chain Partner Risks
1.4.3. CSR Process
1.4.4. CSR Frameworks
1.4.4.1. ISO 26000:2010 Social Responsibility
1.4.4.2. GRI (Global Reporting Initiative)
1.4.5. CSR Reporting
1.4.6. Auditing CSR
1.4.6.1. Audit by Element, i.e. governance, health, safety...
1.4.6.2. Audit by Stakeholder
1.4.6.3. Audit by common Subject
1.4.6.4. Audit by IC
1.4.6.5. Audit by risk-management-based priority
1.5. TOPIC E: Risk Management Fundamentals (RM: Process to identify, assess, manage & control potential events or situations to provide reasonable assurance regarding the achievement of org's objectives)
1.5.1. Standard
1.5.1.1. 2100: Nature of work/ IG2100
1.5.1.2. 2120: Risk Management/ IG2120
1.5.1.3. 2120.A1/A2: Assurance Engagements
1.5.1.4. 2120.C1/C2/C3: Consulting Engagements
1.5.2. Risk Terminology
1.5.2.1. Definition: the possibility of an event occurring that will have an impact on the achievement of objectives
1.5.2.2. Risks & Control Terms: Acceptable risks, control deficiency, Impact, Event...
1.5.3. Risk Assessment Process
1.5.3.1. OBJ -> Events (Inherent Risk) -> Response (Residual Risk)
1.5.3.2. Assessment Risk Impact vs Likelihood
1.5.4. Establishing a Framework for Assessing Risk
1.6. TOPIC F: Global Accepted RM Frameworks
1.6.1. COSO ERM
1.6.1.1. 5 components
1.6.1.1.1. G&C
1.6.1.1.2. Strategy & Obj setting
1.6.1.1.3. Performance
1.6.1.1.4. Review & Revision
1.6.1.1.5. Information, communication & Reporting
1.6.1.2. 20 principles
1.6.1.3. Roles & Resp
1.6.1.3.1. Board
1.6.1.3.2. Management (3 lines of defenses)
1.6.1.4. Risk Officer (CRO)
1.6.1.5. Financial Executives
1.6.1.6. External Parties
1.6.1.6.1. Ext. auditor
1.6.1.6.2. Legislators & regulators
1.6.1.6.3. Business Associates
1.6.1.6.4. Outsourcing Provider
1.6.1.6.5. Financial analysts, bond rating agencies & news media
1.6.2. ISO 31000
1.6.2.1. Leadership & Commitment
1.6.2.2. Integration
1.6.2.3. Design
1.6.2.4. Implementation
1.6.2.5. Evaluation
1.6.2.6. Improvement
1.6.3. Turnbull Guidance
1.6.3.1. Focus on Significant Risk
1.6.3.2. Emphasis on risk management
1.6.3.3. Ongoing, continuous monitoring of risk and control
1.6.3.4. Engaging all employees
1.6.3.5. Streamlining risk management databases
1.7. TOPIC G: Effectiveness of Risk Management
1.7.1. Risk and Control Implications of Structure
1.7.1.1. Development of Goals & Objectives
1.7.1.2. Risk Identification
1.7.1.3. Risk Response/ Treatment
1.7.1.4. Review & Revision (Monitoring, Review & Improvement)
1.7.1.4.1. Ongoing monitoring
1.7.1.4.2. Separate evaluation
1.7.1.5. Information, Communication & Reporting
1.7.2. Risk Identification & Assessment
1.7.2.1. Risk Identification
1.7.2.1.1. Internal Factors (Infrastructure, Personnel, Process, Technology)
1.7.2.1.2. External Factors (PESTEL)
1.7.2.1.3. Risk Identification Technique
1.7.2.1.4. Risk Categories
1.7.2.1.5. Risk Interdependencies
1.7.2.1.6. Framing Risk
1.7.2.2. Risk Assessment
1.7.2.2.1. Assessment techniques
1.7.2.2.2. Risk Assessment Pitfalls
1.7.2.3. The Dynamic nature of Risk
1.7.3. Risk Responses
1.7.3.1. Accept/Avoid/Pursue/Reduce/Share
1.7.3.2. Response to different Risk Types
1.7.3.2.1. Inherent Risk
1.7.3.2.2. Residual Risk
1.7.3.2.3. Control Risk
1.7.4. Risk Monitoring
1.7.4.1. Ongoing
1.7.4.2. Evaluation for Improvements
1.7.4.3. Reporting Deficiencies
1.8. TOPIC H: The IAA's Role in RM Process
1.8.1. Risk Management Roles & Resp
1.8.1.1. IG 2100: Nature of Work: BOM guiding Governance Process & SM accountable for RM&C processes
1.8.1.2. IG 2120: RM: IAA evaluate the effectiveness & contribute to the improvement of RM processes
1.8.1.3. Assurance Roles
1.8.1.4. Consulting Roles
1.8.2. Approaches to Auditing RM Processes
1.8.2.1. Process Element Approach
1.8.2.2. Key Principles Approach
1.8.2.3. Maturity Model Approach
1.8.2.3.1. People
1.8.2.3.2. Processes
1.8.2.3.3. Technology
1.8.3. Gathering Evidence & Documentation
1.8.4. Audit Challenges
1.8.5. Management's Acceptance of Risk
1.8.6. Unforeseen Risks
1.9. TOPIC I: Type of Controls & Management Control Techniques
1.9.1. Type of Controls
1.9.1.1. Entity (Governance & Management oversight)- Process - Transaction Level Controls
1.9.1.2. Key Controls vs Secondary Controls
1.9.1.3. Control by Function
1.9.1.3.1. Preventive
1.9.1.3.2. Detective
1.9.1.3.3. Corrective
1.9.1.3.4. Directive
1.9.1.3.5. Compensating
1.9.1.3.6. Redundant
1.9.1.4. Active/Manual vs Passive/Automated Controls
1.9.1.5. Hard vs Soft Controls
1.9.1.6. IT Controls
1.9.1.6.1. ITGC
1.9.1.6.2. Application/Technical Controls
1.9.2. Benefits/Limitations of IC
1.10. TOPIC J: IC Frameworks
1.10.1. COSO
1.10.2. The Cadbury Model (same as COSO: 5 components)
1.10.3. CoCo (Criteria of Control)
1.10.3.1. Purpose
1.10.3.2. Commitment
1.10.3.3. Capability
1.10.3.4. Monitoring & Learning
1.10.4. The King Report on Corporate Governance
1.10.4.1. Discipline
1.10.4.2. Transparency
1.10.4.3. Independence
1.10.4.4. Accountability
1.10.4.5. Responsibility
1.10.4.6. Fairness
1.10.4.7. Social responsibility
1.10.5. The COBIT Framework
1.10.5.1. Meeting Stakeholders' needs
1.10.5.2. Covering Enterprise end-to-end
1.10.5.3. Applying single integrated framework
1.10.5.4. Enabling a holistic approach
1.10.5.5. Separating governance from management
1.10.6. Basel III (3 Pillars) for the Banking sector
1.11. TOPIC K: The Effectiveness & Efficiency of IC
1.11.1. Standard
1.11.1.1. PS 2130 Control/IG2130
1.11.1.2. IS 2130.A1: Assurance Engagement
1.11.1.3. IS 2210.A3: Assurance Engagement
1.11.2. Evaluating Controls
1.11.2.1. 1. Objectives, 2. Standards, 3. Findings, 4. Corrective Action
1.11.3. Evaluating Soft Control Effectiveness
1.11.3.1. CSA
1.11.3.1.1. Valuable information on IC
1.11.3.1.2. Positive influence on the control environment
2. S4: Quality Assurance & Improvement Program (QAIP)
2.1. Standard
2.1.1. 1300: Quality Assurance & Improvement Program/ IG1300
2.1.2. 1310: Requirements of the Quality Assurance and Improvement Program/ IG1310
2.1.3. 1311: Internal Assessment/ IG1311
2.1.4. 1312: External Assessments/ IG1312
2.1.5. 1320: Reporting on the Quality Assurance & Improvement Program/ IG1320
2.1.6. 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"/ IG1321
2.1.7. 1322: Disclosure of Nonconformance/ IG1322
2.2. TOPIC A: Key Elements of QAIP
2.2.1. Internal Assessments
2.2.1.1. Part of day-to-day supervision
2.2.2. External Assessments
2.2.2.1. External assessment at least once every 5 years
2.2.3. QAIP Performance Measurements
2.2.3.1. Step1: Define IA effectiveness
2.2.3.2. Step2: Identify key Int & Ext stakeholders
2.2.3.3. Step3: Develop measures, or KPIs, of IA effectiveness & efficiency
2.2.3.4. Step4: Monitor & report Results
2.3. TOPIC B: QAIP Reporting Requirements
2.3.1. Assessment Report (2060: Reporting to Senior Management and the Board)
2.3.2. Communication (1320) should incl. scope,
2.4. TOPIC C: Conformance/Nonconformance
2.4.1. Conformance to the Standards
2.4.1.1. Generally conforms
2.4.1.2. Partially conforms
2.4.1.3. Does not conform
2.4.2. Nonconformance & its impact must be disclosed to SM & the Board
3. S6: FRAUD RISK
3.1. TOPIC 1: Fraud Risks & Types of Fraud
3.1.1. Standard
3.1.1.1. 1210.A2
3.1.1.2. 1200: Proficiency & Due professional care
3.1.1.3. 2120: Risk Management
3.1.1.4. 2210: Engagement Objectives
3.1.2. Fraud definition: illegal act characterized by deceit, concealment or violation of trust
3.1.2.1. Fraud Injures Org
3.1.2.1.1. Asset misappropriation: stealing cash or assets
3.1.2.1.2. Skimming: cash stolen before it is recorded
3.1.2.1.3. Disbursement fraud: fictitious goods or services
3.1.2.1.4. Expense reimbursement fraud: fictitious or inflated expenses
3.1.2.1.5. Payroll fraud
3.1.2.1.6. Conflict of interest
3.1.2.1.7. Diversion of an act: benefit employee or outsider
3.1.2.2. Fraud Benefit Org
3.1.2.2.1. FS fraud
3.1.2.2.2. Information misrepresentation: false information given to outsiders
3.1.2.2.3. Corruption: misuse of entrusted power for private gain
3.1.2.2.4. Bribery: offering, giving... anything of value to influence an outcome
3.1.2.2.5. Related-party activity
3.1.2.2.6. Tax evasion
3.1.3. Assessment of Fraud Risk
3.1.3.1. COSO's Fraud Risk Management Guide (2016)
3.2. TOPIC 2: Control to Prevent/Detect Fraud & Education to Improve Fraud Awareness
3.2.1. Process Review for Fraud Controls
3.2.1.1. Auditing the Fraud Risk Management Program. Key principles for proactively establishing an environment to effectively manage an org's fraud risk:
3.2.1.1.1. P1: A Fraud Risk Management Program should be in place
3.2.1.1.2. P2: Fraud risk exposure should be assessed periodically
3.2.1.1.3. P3: Prevention techniques to avoid potential key fraud risk events should be established
3.2.1.1.4. P4: Detection techniques should be established
3.2.1.1.5. P5: A reporting process should be in place
3.2.1.2. Fraud Risk Management Framework Controls (COSO)
3.2.2. Audit Tests to detect Fraud
3.2.2.1. Trend Analysis/Proportional Analysis
3.2.2.2. Computer Data Analysis
3.2.2.2.1. Numerical Analysis
3.2.2.2.2. Regression Analysis
3.2.2.2.3. Enterprise Auditing
3.2.2.2.4. Continuous Online Auditing
3.2.3. Education & Culture of Fraud Awareness
3.2.3.1. Encouraging Reporting of Improprieties
3.2.3.2. Fraud Training
3.3. TOPIC 3: Forensic Auditing
3.3.1. Fraud Audit Team
3.3.1.1. Skills & Expertise
3.3.1.1.1. Investigating skill
3.3.1.1.2. Ability to collect evidence & present it in court
3.3.2. Interviewing & Interrogation
3.3.2.1. Interview behaviors that might be red flags
3.3.2.2. Interview Model: Prepare/ Conduct the interview/ Gain Agreement with interview subject/ Document the interview
3.3.3. Interrogative/Investigative Techniques
3.3.4. Computers as Sources of Evidence
4. S1: Foundation of IA
4.1. TOPIC A: IAA's International Professional Practices Framework/Purpose, Authority, Resp of IAA
4.1.1. IPPF Framework
4.1.1.1. Mandatory Guidance
4.1.1.1.1. Mission
4.1.1.1.2. Core Principles
4.1.1.1.3. Definition of IAA
4.1.1.1.4. IAA Standards
4.1.1.2. Recommended Guidance
4.1.1.2.1. Implementation Guides
4.1.1.2.2. Practice Guides
4.1.2. IAA Purpose, Authority & Resp Characteristics
4.2. TOPIC B: IA Charter (Standard 1000, IG 1000.A1, C1; Standard 2060)
4.2.1. IA Charter
4.2.1.1. Elements of IAC
4.2.1.1.1. Introduction
4.2.1.1.2. Authority
4.2.1.1.3. Organization & reporting structure
4.2.1.1.4. Independence & Obj
4.2.1.1.5. Responsibilities
4.2.1.1.6. Quality Assurance & Improvement
4.2.1.1.7. Signatures
4.2.1.2. Other Key Docs
4.2.1.2.1. Function & Resp (F&R) Statement
4.2.1.2.2. Statement of Policy
4.2.1.2.3. Audit Manual (Policies & Procedures)
4.2.1.2.4. Staff Job Descriptions
4.3. TOPIC C: Assurance & Consulting Service
4.3.1. Assurance Serv
4.3.1.1. Operational
4.3.1.2. Compliance
4.3.1.3. Reporting
4.3.1.4. IT (Part3)
4.3.2. Consulting Serv
4.3.2.1. Advisory Consulting Engagement
4.3.2.2. Training Consulting Engagement
4.3.3. Blended Engagements (ensure no conflicts of independence, objectivity,...)
4.4. TOPIC D: IAA's Code of Ethics
4.4.1. Conflict of Interest
4.4.2. Practical Applications
4.4.2.1. Integrity
4.4.2.2. Objectivity
4.4.2.3. Confidentiality
4.4.2.4. Competency
5. S2: Independence and objectivity
5.1. TOPIC A: Org Independence of the IAA
5.1.1. Independence & Reporting Relationship
5.1.1.1. Functional Reporting: to the Board
5.1.1.2. Administrative Reporting
5.2. TOPIC B: Impairments to Independence
5.2.1. Recognizing Impairment
5.2.2. Mitigate Efforts
5.3. TOPIC C: Auditor Objectivity
5.3.1. Recognizing Impairment
5.3.2. Maintaining Individual Objectivity
5.4. TOPIC D: Promoting Objectivity
5.4.1. Policies that promote Objectivity
5.4.2. Training to reinforce policies
5.4.3. Ongoing assessment of Individual Objectivity
5.5. Standard
5.5.1. 1100: Independence & Objectivity
5.5.2. 1110: Org independence
5.5.3. IG 1110.A1: Assurance Engagements
5.5.4. 1111: Direct Interaction With the Board
5.5.5. 1112: CAE Roles Beyond Internal Auditing
5.5.6. 1120: Individual Objectivity
5.5.7. 1130: Impairment to Independence or Objectivity
5.5.8. IG 1130.A1/A2/A3: Assurance Engagement
5.5.9. IG 1130.C1/C2: Consulting Engagements
6. S3: Proficiency & Due Professional Care
6.1. Standards
6.1.1. 1200: Proficiency & Due Professional Care
6.1.2. 1210: Proficiency
6.1.3. IG 1210.A1/A2/A3: Assurance Engagement
6.1.4. IG 1210.C1: Consulting Engagement
6.2. TOPIC A: Required Knowledge, Skills & Competencies for IAA
6.2.1. Required IAA's KSC
6.2.1.1. Knowledge
6.2.1.2. Skills
6.2.1.3. Competencies
6.2.1.3.1. Staffing - Proficiency (S 1210)
6.2.2. Availability of KSC
6.2.2.1. In-house
6.2.2.2. Total Out-source
6.2.2.3. Co-source
6.2.2.4. Subcontracting
6.2.2.5. Secondment (borrowing staff from another dept)
6.2.2.6. CAE's responsibilities for Outside Service Providers
6.2.2.6.1. Special consideration for Detecting/Investigating Fraud
6.2.2.6.2. Special consideration for IT
6.3. TOPIC B: Required Knowledge, Skills & Competencies for Internal Auditor
6.3.1. IIA Global Internal Audit Competency Framework (10)
6.3.1.1. Professional ethics
6.3.1.2. IA Management
6.3.1.3. IPPF
6.3.1.4. GRC
6.3.1.5. Business Acumen
6.3.1.6. Communication
6.3.1.7. Persuasion & Collaboration
6.3.1.8. Critical Thinking
6.3.1.9. IA delivery
6.3.1.10. Improvement & innovation
6.4. TOPIC C: Due Professional Care
6.4.1. Exercising Due Professional Care
6.4.2. DPC in Assurance Engagements
6.4.3. DPC in Consulting Engagements
6.5. TOPIC D: Continuing Professional Development
6.5.1. Standard: 1230 Continuing Professional Development (IG1230)
6.5.2. Promoting Continuing Professional Development
6.5.3. Training Resources from IIA
6.5.3.1. Seminar
6.5.3.2. Conference
6.5.3.3. Web-based Training
6.5.3.4. Vision University
6.5.4. Certification & Recertification