CIA® Certified Internal Auditor Part 1: Fundamentals of Internal Auditing

* You will complete a self-assessment via the IIA’s Certification Candidate Management System (CCMS). Based on your results, certain parts of the program may be covered briefly or in more detail.

Domain 1: Fundamentals of Internal Auditing

• Objectives of Internal Auditing (according to global standards):
  • Explain the overall objectives of internal auditing (adding value, improving operations) and its benefits (strengthening internal controls, risk management, governance)
  • Identify key factors contributing to the effectiveness of the internal audit function (independence, objectivity, competencies, adequate resources)
     
• Mandate and Responsibilities of the Board of Directors:
  • Describe the authority (access to information, scope of work), role (assessment, advisory), and responsibilities of the internal audit function
  • Explain how the Chief Audit Executive (CAE) assists the board in defining or updating the internal audit mandate (mission, scope, responsibilities)
  • Clarify the role of the board of directors and senior management in defining and approving the authority, role, and responsibilities of internal audit
     
• Requirements for an Internal Audit Charter:
  • Identify essential elements required by global standards for the practice of internal auditing (objective, authority, responsibility, independence, objectivity, etc.)
  • Highlight the importance of discussing and aligning the charter with the board and senior management
  • Emphasize the need for the board’s formal approval of the charter
     
• Differences Between Assurance and Consulting Services:
  • Clearly define assurance services (objective evaluation to provide an opinion)
  • Distinguish limited assurance (negative form conclusion) from reasonable assurance (positive form conclusion)
  • Clearly define consulting services (advisory and related services)
  • Explain how the nature (type of support) and scope (extent of work) of consulting services are determined
  • Identify which type of service (assurance or consulting) is most appropriate depending on the context and organizational needs
• Types of Assurance Services Provided by Internal Audit:
  • Risk assessments (identification and analysis) and control assessments (effectiveness and adequacy)
  • Compliance audits (laws, regulations, contracts), third-party audits (suppliers, partners), and contract reviews
  • IT security audits (systems and data protection) and privacy audits (compliance with regulations)
  • Performance audits (effectiveness, economy, efficiency) and quality audits (compliance with standards)
  • Operational audits (process efficiency and effectiveness), financial audits (reliability of financial information), and regulatory compliance audits (adherence to laws and regulations)
  • Organizational culture audits (values, ethics, behaviors)
  • Audits of management reporting processes (relevance, reliability, communication)
     
• Types of Consulting Services Provided by Internal Audit:
  • Risk and control training (awareness and skill development)
  • Participation in system design and development (process and tool improvement)
  • Due diligence services (evaluating risks and opportunities in transactions)
  • Ensuring data confidentiality (protecting sensitive information)
  • Benchmarking (comparing practices with other organizations)
  • Internal control evaluations (identifying weaknesses and recommending improvements)
  • Process mapping (visualizing and analyzing workflows)
     
• Situations Compromising Internal Audit Independence:
  • Identify situations where the CAE’s functional reporting line (to the highest level of the organization) is inappropriate (e.g., reporting to an operational function)
  • Describe the board’s responsibility to safeguard internal audit independence (support, resources, absence of interference)
  • Describe the CAE’s responsibility to protect and maintain independence (conflict of interest management, reporting to the board on impairments or perceived impairments)
  • Identify situations where budget limitations may restrict internal audit operations (audit scope, staffing)
  • Describe the consequences of scope restrictions (areas excluded from audits) or restricted access (lack of information or cooperation)
     
• Role of Internal Audit in Organizational Risk Management:
  • Describe the IIA’s Three Lines Model (1st line: operational management; 2nd line: risk oversight/compliance functions; 3rd line: internal audit)
  • Identify 1st and 2nd line responsibilities that could impair independence if assumed by internal audit (e.g., implementing controls)
  • Describe safeguards to apply when internal auditors perform or are perceived as performing 1st or 2nd line responsibilities (separation of duties, independent reporting)

Domain 2: Ethics and Professionalism

• Acting with Integrity:
  • Demonstrate honesty and professional courage in ethical dilemmas or difficult situations
  • Explain the importance of legal and professional behavior in all circumstances
     
• Assessing Objectivity Impairments:
  • Evaluate the potential impact of self-review (auditing one’s own prior work) and familiarity bias (close relationships with auditees)
  • Analyze situations involving personal or financial conflicts of interest that may impair objectivity
     
• Analyzing Policies and Safeguards to Preserve Objectivity:
  • Evaluate situations requiring reassignment of internal auditors (team rotation)
  • Assess when outsourcing the execution or supervision of an engagement is appropriate (lack of expertise, bias risk)
  • Determine when disclosure of impairments to objectivity is necessary
  • Identify situations where accepting gifts, rewards, or favors is inappropriate (risk of influence)
     
• Applying Required Knowledge, Skills, and Competencies:
  • Apply written and oral communication skills for effective messages, reports, meetings, and presentations
  • Apply critical thinking and problem-solving skills to complex issues and identify innovative solutions
  • Use research techniques to gather diverse information and deepen knowledge
  • Apply persuasion and negotiation skills to resolve conflicts and collaborate effectively
  • Use relationship-building techniques to gain trust and credibility
  • Apply change management skills to adapt to evolving environments
  • Demonstrate curiosity to discover new information and foster continuous learning
  • Assess situations requiring continuing professional development (new standards, emerging techniques)
     
• Demonstrating Professionalism:
  • Recognize that due professional care includes evaluating strategy and organizational objectives
  • Evaluate the adequacy and effectiveness of governance, risk management, and control processes
  • Weigh the potential cost-benefit of an engagement
  • Assess the likelihood of significant errors, fraud, non-compliance, and other risks
  • Apply professional skepticism by maintaining a questioning mindset and critically evaluating information
     
• Maintaining Confidentiality and Proper Use of Information:
  • Apply organizational policies, procedures, laws, and regulations regarding confidentiality
  • Apply internal audit methodologies for managing and protecting information
  • Demonstrate respect for privacy and ownership of information
  • Use appropriate methods to safeguard confidential information

Domain 3: Governance, Risk Management, and Control

• Organizational Governance Concepts:
  • Describe the roles and responsibilities of the board (oversight), senior management (management), internal audit (assurance and advisory), and other assurance providers (compliance, legal, etc.)
  • Identify governance frameworks (COSO), principles, and models (e.g., OECD principles)
     
• Impact of Organizational Culture:
  • Define organizational culture (values, beliefs, behaviors) and the control environment (tone at the top, organizational structure, integrity)
  • Define risks and controls specific to an audit engagement
  • Recognize how organizational decision-making processes influence governance, risk management, and internal control
     
• Ethics and Compliance Issues:
  • Identify ethical (code of conduct), legal (laws), and compliance (regulations, standards) requirements applicable to the organization
  • Recognize the internal auditor’s role in promoting ethics within the organization (awareness, evaluation of systems)
     
• Fundamental Risk Concepts:
  • Distinguish between strategic risks (achievement of objectives), operational risks (process failures), financial risks (financial losses), compliance risks (non-compliance with laws), reputational risks (damage to image), environmental risks, sustainability risks (long-term viability), and social responsibility risks
  • Compare inherent risks (before controls) and residual risks (after controls)
     
• Fundamentals of Risk Management Processes:
  • Define risk management (identifying, assessing, responding to risks)
  • Recognize risk appetite (level of risk accepted by the organization) and risk tolerance (acceptable deviation from appetite)
  • Assess components of the risk management cycle (identification, assessment, response, monitoring, communication)
  • Evaluate possible organizational risk responses (accept, avoid, mitigate, transfer)
     
• Risk Management in Processes and Functions:
  • Assess the design (adequacy) and effectiveness (operating performance) of risk management processes integrated into organizational activities
  • Describe objectives (structuring approach, improving decision-making) and benefits (better resource allocation, achievement of objectives) of using a risk management framework
     
• Internal Control Concepts and Types of Controls:
  • Describe the purpose of internal controls (mitigate risks, achieve objectives)
  • Define and evaluate types of internal controls: preventive (avoid errors), detective (identify errors), corrective (fix errors)
  • Recommend appropriate controls to address identified risks
• Importance of Internal Control Design, Effectiveness, and Efficiency:
  • Examine the design (is the control well-designed to mitigate the risk?) and effectiveness (does it work as intended?) of financial and non-financial internal controls
  • Explain the purpose (provide reasonable assurance of achieving objectives) and benefit (improved reliability, compliance, efficiency) of using an internal control framework (COSO)

Domain 4: Fraud Risks

• Fraud Risk Concepts and Types of Fraud:
  • Describe the fraud triangle (pressure/motivation, opportunity, rationalization)
  • Identify types of fraud risks (asset misappropriation, corruption, financial statement fraud)
  • Identify common fraud schemes (document falsification, conflicts of interest, misuse of assets)
     
• Determining Whether Fraud Risks Require Special Attention:
  • Recognize the importance of evaluating fraud risks during audit planning
  • Assess processes most exposed to fraud risk (cash management, procurement, sales)
     
• Evaluating Fraud Potential and Managing Detection/Response:
  • Assess the effectiveness of the organization’s fraud risk management processes (anti-fraud policies, training, risk assessments)
  • Detect and assess red flags at the organizational level (weak internal controls, unethical culture) and process level (anomalies, unusual transactions)
  • Recognize the internal auditor’s role in reporting red flags