
2004 Certified Internal Auditor (CIA) Certification Exam Syllabus (English)

Published: February 11, 2006 | Author: 中审CIA学习卡 | Source: 中审网

Part I - The Internal Audit Activity's Role in Governance, Risk, and Control

A. Comply with the IIA's Attribute Standards (15 - 25 percent)
Level: P

1. Define purpose, authority, and responsibility of the internal audit activity.
a. Determine if purpose, authority, and responsibility of internal audit activity are clearly documented/approved.
b. Determine if purpose, authority, and responsibility of internal audit activity are communicated to engagement clients.
c. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity.
2. Maintain independence and objectivity.
a. Foster independence
1) Understand organizational independence
2) Recognize the importance of organizational independence
3) Determine if the internal audit activity is properly aligned to achieve organizational independence
b. Foster objectivity
1) Establish policies to promote objectivity
2) Assess individual objectivity
3) Maintain individual objectivity
4) Recognize and mitigate impairments to independence and objectivity
3. Determine if the required knowledge, skills, and competencies are available.
a. Understand the knowledge, skills, and competencies that an internal auditor needs to possess.
b. Identify the knowledge, skills, and competencies required to fulfill the responsibilities of the internal audit activity
4. Develop and/or procure necessary knowledge, skills and competencies collectively required by internal audit activity.
5. Exercise due professional care.
6. Promote continuing professional development.
a. Develop and implement a plan for continuing professional development for internal audit staff.
b. Enhance individual competency through continuing professional development.
7. Promote quality assurance and improvement of the internal audit activity.
a. Establish and maintain a quality assurance and improvement program.
b. Monitor the effectiveness of the quality assurance and improvement program.
c. Report the results of the quality assurance and improvement program to the board or other governing body.
d. Conduct quality assurance procedures and recommend improvements to the performance of the internal audit activity.

B. Establish a Risk-based Plan to Determine the Priorities of the Internal Audit Activity (15 - 25 percent)
Level: P

1. Establish a framework for assessing risk.
2. Use the framework to:
a. Identify sources of potential engagements (e.g., audit universe, management request, regulatory mandate)
b. Assess organization-wide risk
c. Solicit potential engagement topics from various sources
d. Collect and analyze data on proposed engagements
e. Rank and validate risk priorities
3. Identify internal audit resource requirements
4. Coordinate the internal audit activity's efforts with:
a. External auditor
b. Regulatory oversight bodies
c. Other internal assurance functions (e.g., health and safety department)
5. Select engagements.
a. Participate in the engagement selection process
b. Select engagements.
c. Communicate and obtain approval of the engagement plan from board
6. Identify scope of engagements.

C. Understand the Internal Audit Activity's Role in Organizational Governance (10 - 20 percent)
Level: P

1. Obtain board's approval of audit charter
2. Communicate plan of engagements
3. Report significant audit issues
4. Communicate key performance indicators to board on a regular basis
5. Discuss areas of significant risk
6. Support board in enterprise-wide risk assessment
7. Review positioning of the internal audit function within the risk management framework within the organization.
8. Monitor compliance with the corporate code of conduct/business practices
9. Report on the effectiveness of the control framework
10. Assist board in assessing the independence of the external auditor
11. Assess ethical climate of the board
12. Assess ethical climate of the organization
13. Assess compliance with policies in specific areas (e.g., derivatives)
14. Assess organization's reporting mechanism to the board
15. Conduct follow-up and report on management response to regulatory body reviews
16. Conduct follow-up and report on management response to external audit
17. Assess the adequacy of the performance measurement system, achievement of corporate objective
18. Support a culture of fraud awareness and encourage the reporting of improprieties

D. Perform Other Internal Audit Roles and Responsibilities (0 - 10 percent)
Level: P

1. Ethics/compliance
a. Investigate and recommend resolution for ethics/compliance complaints
b. Determine disposition of ethics violations
c. Foster healthy ethical climate
d. Maintain and administer business conduct policy (e.g., conflict of interest)
e. Report on compliance
2. Risk management
a. Develop and implement an organization-wide risk and control framework
b. Coordinate enterprise-wide risk assessment
c. Report corporate risk assessment to board
d. Review business continuity planning process
3. Privacy
a. Determine privacy vulnerabilities
b. Report on compliance
4. Information or physical security
a. Determine security vulnerabilities
b. Determine disposition of security violations
c. Report on compliance

E. Governance, Risk, and Control Knowledge Elements (15 - 25 percent)

1. Alternative models for corporate governance (Level A)
2. Alternative control frameworks (Level A)
3. Risk vocabulary and concepts (Level P)
4. Risk management techniques (Level P)
5. Risk/control implications of different organizational structures (Level P)
6. Risk/control implications of different leadership styles (Level A)
7. Change management (Level A)
8. Conflict management (Level A)
9. Management control techniques (Level P)
10. Types of control (preventive, detective, input, output) (Level P)

F. Plan Engagements (15 - 25 percent)
Level: P

1. Initiate preliminary communication with engagement client
2. Conduct a preliminary survey of the area of engagement
a. Obtain input from engagement client
b. Perform analytical reviews
c. Perform benchmarking
d. Conduct interviews
e. Review prior audit reports and other relevant documentation
f. Map processes
g. Develop checklists
3. Complete a detailed risk assessment of the area (prioritize or evaluate risk/control factors)
4. Coordinate audit engagement efforts with
a. External auditor
b. Regulatory oversight bodies
5. Establish/refine engagement objectives and finalize the scope of engagement.
6. Identify or develop criteria for assurance engagements (criteria against which to audit)
7. Consider the potential for fraud when planning an engagement
a. Be knowledgeable of the risk factors and red flags of fraud
b. Identify common types of fraud associated with the engagement area.
c. Determine if risk of fraud requires special consideration when conducting an engagement
8. Determine engagement procedures.
9. Determine the level of staff and resources needed for the engagement
10. Establish adequate planning and supervision of the engagement.
11. Prepare engagement work program.

Part II - Conducting the Internal Audit Engagement

A. Conduct Engagements (25 - 35 percent)
Level: P

1. Research and apply appropriate standards:
a. IIA Professional Practices Framework (e.g., Code of Ethics, Standards, Practice Advisories)
b. Other professional, legal, and regulatory standards
2. Maintain awareness of potential for fraud when conducting an engagement
a. Notice indicators or symptoms of fraud
b. Design appropriate engagement steps to address significant risk of fraud
c. Employ audit tests to detect fraud
d. Determine if any suspected fraud merits investigation
3. Collect data.
4. Evaluate the relevance, sufficiency, and competence of evidence.
5. Analyze and interpret data.
6. Develop workpapers.
7. Review workpapers.
8. Communicate interim progress.
9. Draw conclusions.
10. Develop recommendations when appropriate.
11. Report engagement results
a. Conduct exit conference
b. Prepare report or other communication
c. Approve engagement report
d. Determine distribution of report
e. Obtain management response to report
12. Conduct client satisfaction survey.
13. Complete performance appraisals of engagement staff.

B. Conduct Specific Engagements (25 - 35 percent)
Level: P

1. Conduct assurance engagements.
a. Fraud investigation.
1) Determine appropriate parties to be involved with investigation
2) Establish facts and extent of fraud (e.g., interviews, interrogations, and data analysis)
3) Report outcomes to appropriate parties
4) Complete a process review to improve controls to prevent fraud and recommend changes
b. Risk and control self-assessment
1) Facilitated approach
(a) Client-facilitated
(b) Audit-facilitated
2) Questionnaire approach
3) Self-certification approach
c. Audits of third parties.
d. Quality audit engagements.
e. Due diligence audit engagements.
f. Security audit engagements.
g. Privacy audit engagements.
h. Performance (key performance indicators) audit engagements
i. Operational (efficiency and effectiveness) audit engagements
j. Financial audit engagements.
k. Information technology (IT) audit engagements.
1) Operating systems
(a) Mainframe
(b) Workstations
(c) Server
2) Application development
(a) Application authentication
(b) Systems development methodology
(c) Change control
(d) End user computing
3) Data and network communications
4) Voice communications
5) System security (e.g., firewalls, access control)
6) Contingency planning
7) Databases
8) Data center operations
9) Web infrastructure
10) Software licensing
2. Conduct consulting engagements
a. Internal control training
b. Business process review
c. Benchmarking
d. Information technology (IT) and systems development
e. Design of performance measurement systems

C. Monitor Engagement Outcomes (5 - 15 percent)
Level: P

1. Determine appropriate follow-up activity by the internal audit activity
2. Identify appropriate method to monitor engagement outcomes
3. Conduct follow-up activity
4. Communicate monitoring plan and results

D. Fraud Knowledge Elements (5 - 15 percent)

1. Discovery sampling (Level A)
2. Interrogation techniques (Level A)
3. Forensic auditing (Level A)
4. Legal hazards (Level A)
5. Use of computers in analyzing data (Level P)
6. Red flags (Level P)
7. Types of fraud (Level P)

E. Engagement Tools (15 - 25 percent)

1. Sampling (Level A)
a. Nonstatistical (judgmental)
b. Statistical
2. Statistical analyses (process control techniques) (Level A)
3. Data gathering tools (Level P)
a. Interviewing
b. Questionnaires
c. Checklists
4. Analytical review techniques (Level P)
a. Ratio estimation
b. Variance analysis (e.g., budget vs. actual)
c. Other reasonableness tests
5. Observation (Level P)
6. Problem solving. (Level P)
7. Risk and control self-assessment (CSA) (Level A)
8. Computerized audit tools and techniques (Level P)
a. Embedded audit modules
b. Data extraction techniques
c. Generalized audit software (e.g., ACL, IDEA)
d. Spreadsheet analysis
e. Automated workpapers (e.g., Lotus Notes, Auditor Assistant)
9. Process mapping including flowcharting (Level P)

Part III - Business Analysis and Information Technology

A. Business Processes (15 - 25 percent)

1. Quality management (e.g., TQM) (Level A)
2. The International Organization for Standardization (ISO) framework (Level A)
3. Forecasting (Level A)
4. Project management techniques (Level P)
5. Business process analysis (e.g., workflow analysis and bottleneck management, theory of constraints) (Level P)
6. Inventory management techniques and concepts (Level P)
7. Marketing - pricing objectives and policies (Level A)
8. Marketing - supply chain management (Level A)
9. Human Resources (Level P)
a. Individual performance management and measurement
b. Supervision
c. Environmental factors that affect performance
d. Facilitation techniques
e. Personnel sourcing/staffing
f. Training and development
g. Safety
10. Balanced Scorecard (Level A)

B. Financial Accounting and Finance (15 - 25 percent)

1. Basic concepts and underlying principles of financial accounting (statements, terminology, relationships) (Level P)
2. Intermediate concepts of financial accounting (e.g., bonds, leases, pensions, intangible assets, R&D) (Level A)
3. Advanced concepts of financial accounting (e.g., consolidation, partnerships, foreign currency transactions) (Level A)
4. Financial statement analysis (Level P)
5. Cost of capital evaluation (Level A)
6. Types of debt and equity (Level A)
7. Financial instruments (e.g., derivatives) (Level A)
8. Cash management (treasury functions) (Level A)
9. Valuation models (Level A)
10. Business development life cycles (Level A)

C. Managerial Accounting (10 - 20 percent)

1. Cost concepts (e.g., absorption, variable, fixed) (Level P)
2. Capital budgeting (Level A)
3. Operating budget (Level P)
4. Transfer pricing (Level A)
5. Cost-volume-profit analysis (Level A)
6. Relevant cost (Level A)
7. Costing systems (e.g., activity-based, standard) (Level A)
8. Responsibility accounting (Level A)

D. Regulatory, Legal, and Economics (5 - 15 percent)
Level: A

1. Impact of government legislation and regulation on business
2. Trade legislation and regulations
3. Taxation schemes
4. Contracts
5. Nature and rules of legal evidence
6. Key economic indicators

E. Information Technology (IT) (30 - 40 percent)
Level: A

1. Control frameworks (e.g., SAC, COBIT)
2. LAN, VAN, and WAN
3. Electronic funds transfer (EFT)
4. e-Commerce
5. Electronic data interchange (EDI)
6. Functional areas of IT operations
7. Encryption
8. Viruses
9. Information protection
10. Evaluate investment in IT (cost of ownership)
11. Enterprise-wide resource planning (ERP) software (e.g., SAP R/3, Peoplesoft)

Part IV - Business Management Skills

Level

A. Strategic Management (20 - 30 percent)

1. Global analytical techniques
a. Structural analysis of industries
b. Competitive strategies
c. Competitive analysis
d. Market signals
e. Industry evolution
2. Industry environments
a. Competitive strategies related to:
1) Fragmented industries
2) Emerging industries
3) Declining industries
b. Competition in global industries
1) Sources/impediments
2) Evolution of global markets
3) Strategic alternatives
4) Trends affecting competition
3. Strategic decisions
a. Strategic analysis of vertical integration
b. Capacity expansion
c. Entry into new businesses
4. Portfolio techniques of competitive analysis
5. Product life cycles

B. Global Business Environments (15 - 25 percent)

1. Cultural/legal/political
a. Balancing global requirements and local imperatives
b. Global mindsets (personal characteristics/competencies)
c. Sources & methods for managing complexities and contradictions
d. Managing multicultural teams
2. Economic/financial
a. Global, multinational, international, and multilocal compared and contrasted
b. Requirements for entering the global market place
c. Creating organizational adaptability
d. Managing training and development.

C. Organizational Behavior (20 - 30 percent)

1. Motivation
a. Relevance and implication of various theories
b. Impact of job design, rewards, work schedules, etc.
2. Communication
a. The process
b. Organizational dynamics
c. Impact of computerization
3. Performance
a. Productivity
b. Effectiveness
4. Structure
a. Centralized/decentralized
b. Departmentalization
c. New configurations (e.g., hourglass, cluster, network)

D. Management Skills (20 - 30 percent)

1. Group dynamics
a. Traits (cohesiveness, roles, norms, groupthink, etc.)
b. Stages of group development
c. Organizational politics
d. Criteria and determinants of effectiveness
2. Team building
a. Methods used in team building
b. Assessing team performance
3. Leadership skills
a. Theories compared/contrasted
b. Leadership grid (topology of leadership styles)
c. Mentoring
4. Time management
a. Mastering workflow
b. Project planning
c. Key principles

E. Negotiating (5 - 15 percent)

1. Conflict resolution
a. Competitive/cooperative
b. Compromise, forcing, smoothing, etc.
2. Added-value negotiating
a. Description
b. Specific steps

广东省内部审计协会
