Newly Released IIA IIA-CIA-Part2 Exam PDF

A consulting engagement in internal auditing involves providing advisory and related client service activities, the nature and scope of which are agreed upon with the client. These are intended to add value and improve an organization's governance, risk management, and control processes. Helping in the design of the risk management program is a consulting activity because it involves advising management on how to establish or improve the processes for identifying, assessing, and managing risks. This is different from assurance engagements, which primarily focus on assessing existing processes.

References:

The Institute of Internal Auditors (IIA) Standard 2010: Planning

IIA Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures

In this situation, the internal auditor has identified a significant risk related to the failure to maintain air quality monitoring equipment. Since the CEO and the manager have acknowledged the risk but decided not to take corrective action due to cost concerns, the chief audit executive (CAE) should escalate the issue to the board. This step is necessary to ensure that the board is fully informed of the potential regulatory and reputational risks.

IIA Standard 2600 – Communicating the Acceptance of Risks:

This standard requires the CAE to communicate to senior management and the board when management has accepted a level of risk that the CAE believes is unacceptable. The board needs to be made aware of the situation to ensure they can take appropriate action if needed.

Risk Communication:

The CAE’s responsibility includes ensuring that all significant risks are communicated to the highest level of the organization. In this case, the potential for regulatory sanctions and reputational damage due to inaccurate air quality monitoring is a significant risk that the board should be aware of.

IIA Practice Advisory 2600-1:

The advisory emphasizes that when the CAE believes that management has accepted a level of risk that could be detrimental to the organization, it is the CAE’s duty to escalate the matter to the board.

Option A (Implement corrective actions): It is not the CAE's role to implement corrective actions; this responsibility lies with management.

Option C (Discuss with external auditors): While external auditors can provide additional perspectives, the CAE should directly communicate significant risks to the board.

Option D (Contact the regulatory agency): This is an extreme step that should only be considered if the organization fails to address the issue after internal escalation.

Detailed Explanation:Why Not Other Options?

Step-by-Step Detailed Explanation:

A. The policy for granting, modifying, and deleting user access:Correct. Understanding the policy ensures the auditor knows the framework and controls in place.

B. A sample of change request forms:Useful for testing but not as foundational as reviewing the policy.

C. User access reports reviewed by management:This evaluates monitoring but does not establish a baseline understanding of controls.

D. A current listing of system users and employees:Important for reconciliation but secondary to understanding the control framework.

CIA Exam Syllabus Reference:

Domain V: Performing Internal Audit Services – Preliminary Surveys.

When preparing an internal control questionnaire for the procurement department, referencing relevant procurement laws or regulations ensures that the questions are aligned with the legal and regulatory requirements governing procurement activities. This approach helps to ensure that the questionnaire addresses all necessary compliance issues and identifies potential gaps in the organization's procurement processes that could lead to non-compliance.References:

The Institute of Internal Auditors (IIA) - Standards for the Professional Practice of Internal Auditing, Standard 2201 - Planning Considerations