Table of Contents

3.1 Control Frameworks

CIA REVIEW: PART 1 3.2 Enterprise Risk Management
3.3 Risk Management
Study Unit 3 3.4 Fraud -- Nature, Prevention, and Detection

Control Frameworks 3.5 Fraud -- Indicators

and Fraud

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 1 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 2
CIA 1 SU 3 CIA 1 SU 3

Available Control Frameworks

Several bodies have published control frameworks that provide a
comprehensive means of ensuring that the organization has considered
all relevant aspects of internal control.
o United States: COSO Internal Control Integrated Framework is
widely accepted as the standard for the design and operation of
internal control systems.
o Canada: Guidance on Control (commonly referred to as CoCo based
on its original title Criteria of Control).
o United Kingdom: Internal Control: Guidance for Directors on the

Control Frameworks Combined Code (commonly referred to as the Turnbull Report).

o Control Objectives for Information and Related Technology (COBIT)
is the best-known framework specifically for IT controls.
3.1 COBIT5 is the most recent and covers the VAL IT framework
o Electronic Systems Assurance and Control (eSAC), published by The
Institute of Internal Auditors Research Foundation, is an alternative
control model for IT.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 3 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 4
CIA 1 SU 3 CIA 1 SU 3
 COSO Components
COSO Control Objectives of Internal Control
Internal control is broadly defined as a process, effected by Supporting the organization in its efforts to achieve objectives are
the following five components of internal control:
personnel, designed to provide reasonable assurance o Control environment
relating to operations, reporting, and compliance. o Risk assessment

The following is a useful memory aid: o Control activities

o Information and communication
o Monitoring

A useful memory aid for the COSO components of internal control

CRIME

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 5 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 6
CIA 1 SU 3 CIA 1 SU 3

COSO Model CoCo Model

The COSO model may be displayed as a cube with rows, The CoCo model is thought to be more suited for internal
slices, and columns. The rows are the five components, the auditing purposes.
slices are the three objectives, and the columns represent It consists of 20 criteria grouped into 4 components:
o Pupose
o Commitment
o Capability
o Monitoring and Learning

Memory aid:

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 7 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 8
CIA 1 SU 3 CIA 1 SU 3
 COBIT 5: Five Key Principles COBIT 5 Goals Cascade
Principle 1 : Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Managemenet

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 9 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 10
CIA 1 SU 3 CIA 1 SU 3

VAL IT The eSAC Model

VAL IT is based on, and complements, COBIT. In the eSAC (Electronic Systems Assurance and Control)
Its objective is to establish best practices that contribute to produce outputs.
the process of value creation. o Inputs: Mission, values, strategies, and objectives
The VAL IT framework consists of the following three o Outputs: Results, reputation, and learning
domains: The eSAC
o Value governance the COSO Framework:
o Investment management o Operating effectiveness and efficiency
o Portfolio management o Reporting of financial and other management
information
o Compliance with laws and regulations
o Safeguarding assets

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 11 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 12
CIA 1 SU 3 CIA 1 SU 3
 Guides to the
Assurance Objectives Assessment of IT Risks (GAIT)
Availability. The entity must ensure that information, processes, and GAIT methodology gives management and auditors guidance for
services are available at all times. assessing the scope of IT general controls using a top-down and risk-
Capability. The entity must ensure reliable and timely completion of based approach.
transactions. Principles
Functionality. The entity must ensure that systems are designed to user o The identification of risks and related controls in IT general control
specifications to fulfill business requirements. processes should be a continuation of the top-down and risk-based
Protectability. The entity must ensure that a combination of physical and approach used to identify significant accounts, risks to those
logical controls prevents unauthorized access to system data. accounts, and key controls in the business processes.
o The IT general control process risks that need to be identified are
Accountability. The entity must ensure that transactions are processed those that affect critical IT functionality in financially significant
under firm principles of data ownership, identification, and authentication. applications and related data.
o The IT general control process risks that need to be identified exist,
Memory aid: for example, in application program code, networks, and operating
systems.
o Risks in IT general control processes are mitigated by the
achievement of IT control objectives, not individual controls.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 13 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 14
CIA 1 SU 3 CIA 1 SU 3

Soft Controls Multiple-Choice Question

The COSO and CoCo models emphasize soft controls.
all play important roles in creating a proper control environment. Senior
One approach to auditing soft controls is control self- management is primarily responsible for
assessment (CSA). It is the involvement of management and
staff in the assessment of internal controls within their A. Establishing a proper organizational culture and specifying a system of
workgroup. internal control.

Hard and soft controls can be associated with particular B. Designing and operating a control system that provides reasonable assurance
that established objectives and goals will be achieved.
risks and measured. The vulnerability addressed can be
C. Ensuring that external and internal auditors adequately monitor the control
stated as the product of the probability of occurrence and environment.
the significance of the occurrence (V = P × S).
D. Implementing and monitoring controls designed by the board of directors.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 15 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 16
CIA 1 SU 3 CIA 1 SU 3
 Multiple-Choice Answer
all play important roles in creating a proper control environment. Senior
management is primarily responsible for

A. Establishing a proper organizational culture and specifying a system of

internal control. Enterprise Risk
Management
B. Designing and operating a control system that provides reasonable assurance
that established objectives and goals will be achieved.
C. Ensuring that external and internal auditors adequately monitor the control
environment.
D. Implementing and monitoring controls designed by the board of directors. 3.2
Senior management is primarily responsible for establishing a proper
organizational culture and specifying a system of internal control.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 17 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 18
CIA 1 SU 3 CIA 1 SU 3

The COSO ERM Framework COSO Risk Vocabulary

The COSO Framework defines ERM as follows: Risk is the possibility that an event will occur and adversely
Enterprise risk management is a process, effected by an affect the achievement of objectives.
o Inherent risk is the risk in the absence of a risk response.
personnel, applied in strategy setting and across the o Residual risk is the risk that remains after risk responses
enterprise, designed to identify potential events that may are implemented.
affect the entity, and manage risk to be within its risk o The risk universe consists of all risks that could possibly
appetite, to provide reasonable assurance regarding the affect an entity.
achievement of entity objectives.
The risk appetite is the amount of risk an entity is willing to
accept in pursuit of value.
An opportunity is the possibility that an event will positively
affect the achievement of objectives.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 19 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 20
CIA 1 SU 3 CIA 1 SU 3
 ERM Components ERM Components
Risk responses are actions taken to reduce the impact or
management philosophy, risk appetite, integrity, ethical likelihood of adverse events.
values, and overall environment. Control activities are policies and procedures to ensure the
Objective setting precedes event identification. effectiveness of risk responses.
Event identification relates to internal and external events The information and communication component identifies,
affecting the organization. captures, and communicates relevant and timely
Risk assessment considers likelihood and impact as a basis information.
for risk management. Monitoring involves ongoing management activities or
separate evaluations.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 21 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 22
CIA 1 SU 3 CIA 1 SU 3

Four Strategies
for Risk Response
1. Risk avoidance ends the activity associated with the risk. The board of directors has an oversight role. It should
2. Risk acceptance acknowledges the risks of an activity. determine that risk management processes are in place,
adequate, and effective.
3. Risk reduction (mitigation) lowers the level of risk
associated with an activity.
environment. They must possess certain qualities for them
4. Risk sharing transfers some loss potential to another party. to be effective.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 23 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 24
CIA 1 SU 3 CIA 1 SU 3
 Risk Committee and
Responsibilities CRO Responsibilities
The CEO sets the tone at the top of the entity and has Larger entities may wish to establish a risk committee
ultimate responsibility for ERM. composed of directors that also includes managers, the
Senior management should ensure that sound risk individuals most familiar with entity processes.
management processes are in place and functioning. A chief risk officer (CRO) may be appointed to coordinate

management philosophy.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 25 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 26
CIA 1 SU 3 CIA 1 SU 3

Internal Auditor Responsibilities COSO ERM Framework

The rows are the eight components, the slices are the four
management processes are effective is a judgment resulting categories of objectives, and the columns are the
from the assessment that organizational units of the entity.
o Entity objectives support and align with its mission.
o Significant risks are identified and assessed.
o Appropriate risk responses are selected.
o Relevant risk information is captured and communicated
in a timely manner.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 27 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 28
CIA 1 SU 3 CIA 1 SU 3
 ERM Limitations
Limitations of ERM arise from the possibility of
o Faulty human judgment
o Cost-benefit considerations
o Simple errors or mistakes
o Collusion
o Management override of ERM decisions
Risk Management
3.3

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 29 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 30
CIA 1 SU 3 CIA 1 SU 3

Definition
Performance Standard 2120: Risk Management
o The internal audit activity must evaluate the effectiveness and contribute to the
and control potential events or situations to provide improvement of risk management processes.
reasonable assurance regarding the achievement of the Interpretation of Standard 2120
o Determining whether risk management processes are effective is a judgment
(The IIA Glossary).
mission;
Significant risks are identified and assessed;
Appropriate risk responses are selected that align risks with the
Relevant risk information is captured and communicated in a timely
manner across the organization, enabling staff, management, and the
board to carry out their responsibilities.
o The internal audit activity may gather the information to support this
assessment during multiple engagements. The results of these engagements,
management processes and their effectiveness.
o Risk management processes are monitored through ongoing management
activities, separate evaluations, or both.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 31 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 32
CIA 1 SU 3 CIA 1 SU 3
 Internal Audit of
Implementation Risk Management
Implementation Standard 2120.A1
o The internal audit activity must evaluate risk exposures Risk appetite
o

information systems regarding the: Business missions and objectives

o
o Business strategies
Reliability and integrity of financial and operational o Risks identified by management
information; o Current risk management environment and prior corrective
Effectiveness and efficiency of operations and programs; actions
Safeguarding of assets; and o Means of identifying, assessing, and overseeing risks
Compliance with laws, regulations, policies, procedures,
and contracts. Types of risk
Implementation Standard 2120.A2 o Economic
o The internal audit activity must evaluate the potential for the o Political
occurrence of fraud and how the organization manages fraud o Operational
risk.
o Environmental

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 33 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 34
CIA 1 SU 3 CIA 1 SU 3

Multiple-Choice Question Multiple-Choice Answer

Which of the following goals sets risk management strategies at the optimum Which of the following goals sets risk management strategies at the optimum
level? level?

A. Minimize costs. A. Minimize costs.

B. Maximize market share. B. Maximize market share.
C. Minimize losses. C. Minimize losses.
D. Maximize shareholder value. D. Maximize shareholder value.

management style, and business objectives. These choices should optimize

stakeholder (for example, shareholder) value by coping effectively with uncertainty,
risks, and opportunities. Thus, maximizing shareholder value is a comprehensive
approach that relates to risk management strategies across the organization.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 35 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 36
CIA 1 SU 3 CIA 1 SU 3
 Fraud
concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force.
Frauds are perpetrated by parties and organizations to
Fraud -- Nature, obtain money, property, or services; to avoid payment or
loss of services; or to secure personal or business
Prevention, and Detection
3.4

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 37 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 38
CIA 1 SU 3 CIA 1 SU 3

Effects of Fraud Causative Factors of Fraud

Monetary losses from fraud are significant, but its full cost is Pressure or incentive is the need the fraudster is trying to
immeasurable in terms of time, productivity, and satisfy by committing the fraud.
reputation, including customer relationships.
Thus, an organization should have a fraud program that
includes awareness, prevention, and detection programs. his or her mind.
It also should have a fraud risk assessment process to
identify fraud risks.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 39 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 40
CIA 1 SU 3 CIA 1 SU 3
 Examples of Fraud Division of Responsibilities
Asset misappropriation Bribery Control is the principal means of preventing fraud.
Skimming Conflict of interest o Management is primarily responsible for establishing
and maintaining control.
Disbursement fraud Diversion
o Internal auditors are primarily responsible for preventing
Expense reimbursement Wrongful use of information fraud by examining and evaluating the adequacy and
Payroll fraud Related party fraud effectiveness of control.
Financial statement Tax evasion Internal auditors are not expected to detect all fraud.
misrepresentation
Information
misrepresentation
Corruption

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 41 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 42
CIA 1 SU 3 CIA 1 SU 3

Components of Components of
Fraud Prevention Fraud Prevention
Fraud prevention involves actions to discourage fraud and The control environment includes such elements as a code
limit the exposure when it occurs. of conduct, ethics policy, or fraud policy.
A strong ethical culture and setting the correct tone at the A fraud risk assessment generally includes the following:
top are essential to prevention. o Identifying and prioritizing fraud risk factors and fraud
Overlapping control elements of a fraud prevention program schemes
are based on the COSO control framework. o Mapping existing controls to potential fraud schemes
and identifying gaps
o Testing operating effectiveness of fraud prevention and
detection controls
o Documenting and reporting the fraud risk assessment

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 43 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 44
CIA 1 SU 3 CIA 1 SU 3
 Components of
Fraud Prevention Responsibility for Detection
Control activities are policies and procedures for business Internal auditors are not responsible for the detection of all
processes that include authority limits and segregation of fraud, but they always must be alert to the possibility of
duties. fraud.
Fraud-related information and communication practices
promote the fraud risk management program and the include evaluating fraud indicators and deciding whether
any additional action is necessary or whether an
Monitoring evaluates antifraud controls through investigation should be recommended.
independent evaluations of the fraud risk management
program and use of it.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 45 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 46
CIA 1 SU 3 CIA 1 SU 3

Multiple-Choice Question Multiple-Choice Answer

An internal auditor suspects that a mailroom clerk is embezzling funds. In An internal auditor suspects that a mailroom clerk is embezzling funds. In
exercising due professional care, the internal auditor should exercising due professional care, the internal auditor should

A. Reassign the clerk to another department. A. Reassign the clerk to another department.
B. Institute stricter controls over mailroom operations. B. Institute stricter controls over mailroom operations.
C. Evaluate fraud indicators and decide whether further action is necessary. C. Evaluate fraud indicators and decide whether further action is necessary.
D. D.

evaluating fraud indicators and deciding whether any additional action

is necessary or whether an investigation should be recommended.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 47 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 48
CIA 1 SU 3 CIA 1 SU 3
 Low-Level vs. Executive Fraud
Low-Level Fraud
o Fraud committed by staff or line employees most often
consists of theft of property or embezzlement of cash.
o The incentive might be relief of economic hardship, the
desire for material gain, or a drug or gambling habit.

Fraud -- Indicators Executive Fraud

o Fraud at the executive level is very different. The
incentive is usually either maintaining or increasing the
3.5 stock price, receiving a large bonus, or both.
o This type of fraud consists most often of producing false
or misleading financial statements.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 49 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 50
CIA 1 SU 3 CIA 1 SU 3

Terminology Procedures for Detection

A document symptom is any kind of tampering with the The nature and extent of the procedures performed to
accounting records to conceal a fraud. detect fraud depend on the circumstances of the
Situational pressure can be personal or organizational. engagement, including the features of the organization and
Opportunity to commit is especially a factor in low-level
employee fraud. Poor controls are enabling factors. Analytical procedures are routinely performed in many
engagements. They may provide an early indication of
fraud.
social status or level of material consumption.
Rationalization occurs when a person attributes his or her
actions to rational and creditable motives without analysis
of the true, and especially unconscious, motives.
A behavioral symptom may indicate the presence of fraud.
Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 51 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 52
CIA 1 SU 3 CIA 1 SU 3
 Indicators of Possible Fraud Multiple-Choice Question
Lack of employee rotation in sensitive positions such as cash handling Which of the following is most likely to be considered an indication of possible
Inappropriate combination of job duties fraud?
Unclear lines of responsibility and accountability
Unrealistic sales or production goals A. The replacement of the management team after a hostile takeover.
An employee who refuses to take vacations or refuses promotion B.
Established controls not applied consistently
C. Rapid expansion into new markets.
High reported profits when competitors are suffering from an economic
downturn D.
High turnover among supervisory positions in finance and accounting areas
Excessive or unjustifiable use of sole-source procurement
An increase in sales far out of proportion to the increase in cost of goods
sold
Material contract requirements in the actual contract differ from those in
the request for bids

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 53 Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 54
CIA 1 SU 3 CIA 1 SU 3

Multiple-Choice Answer
Which of the following is most likely to be considered an indication of possible
fraud?

A. The replacement of the management team after a hostile takeover.

B.
C. Rapid expansion into new markets.
D.

Even the most effective internal control can sometimes be circumvented, perhaps by
collusion of two or more employees. Thus, an auditor must be sensitive to certain
conditions that might indicate the existence of fraud, including high personnel turnover. In
the case of financial executives, high turnover may suggest a pattern of inflation of profits
to obtain bonuses or other benefits, to secure advantages in the marketplace, or to
conceal incompetence or rash actions.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected]. 55
CIA 1 SU 3