The IIA Textbook 6th Edition
Internal Auditing: Assurance & Advisory Services, 6th Edition, is a comprehensive textbook designed to teach students the evolving global profession of internal auditing. Written through the collaboration of educators and practitioners, this resource serves as a cornerstone for internal audit education. It covers key fundamentals of internal auditing that can be applied in an ever-changing business world and is long considered an essential addition to every internal auditor’s bookshelf.
The 6th edition features online student and instructor tools, including case studies, videos, editable documents for performing end-of-chapter exercises, and Protiviti’s KnowledgeLeader®. Instructors also have access to supplemental teaching materials upon request.
Source: theiia.org
Internal Auditing: Assurance & Advisory Services, 6th Edition
Chapter 1: KnowledgeLeader Introduction and Student & Instructor KnowledgeLeader Access Instructions
KNOWLEDGELEADER BACKGROUND INFORMATION
This is a dedicated section of KnowledgeLeader's University Center, designed to support The IIA Textbook, 6th Edition and provide students with entry-level internal audit and risk management content.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists and other tools, resources and best practices to help busy professionals save time and manage business and technology risks.
STUDENT INSTRUCTIONS
Students will receive a link from their instructors to activate their accounts on KnowledgeLeader. Please note that usernames and passwords must be kept confidential; users may not republish, license, sell, copy or display any portion of the KnowledgeLeader website elsewhere except within the context of appropriately attributed academic coursework.
Each case exercise will be introduced in the Cases section of the pertinent chapter(s).
Read KnowledgeLeader's Internal Audit and Risk Management: The Basics page to obtain an introduction to the internal audit profession.
INSTRUCTOR INSTRUCTIONS
If you do not already have a Professor account on KnowledgeLeader, please visit our University registration page and complete the registration form.
Once your account is created and active, you can navigate to your My Account area to create a unique course link code for each course you are teaching. These will be your links to copy and share with your students. When they follow one of your links, they will be directed to create their own complimentary KnowledgeLeader accounts on our site in a few easy steps.
For your convenience, once your professor account is activated, your access will be active for 10 years, and you will not need to request access again during that period. When a new semester starts, you can create new course links and share them with your new groups of students so that they can sign up.
Learn more about University Accounts and how to create course links on our FAQ page.
Chapter 2: KnowledgeLeader Practice Case: Global Internal Audit Standards (Standards) - Independence & Objectivity
Background Information
As indicated in the Global Internal Audit Standards (Standards), the internal audit function must be independent, and internal auditors must be objective when performing their work. Together, independence and objectivity represent conditions necessary to support effective internal audit services. It is also important to note that independence and objectivity are two distinct yet interrelated concepts that are fundamental to providing value-added internal audit services and achieving the Purpose of Internal Auditing without compromise.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and define what it means for an internal auditor to be independent. Contrast internal audit independence with internal auditor objectivity. Why is it important for an internal audit function to be independent and for internal auditors to possess objectivity?
- Submit a brief write-up indicating the results of your research to your instructor.
Chapter 3: KnowledgeLeader Practice Case: Multiple Lines of Defense
Background Information
Many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment, in particular, need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the IIA’s Three Lines Model. However, this is not the only model.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify alternative model(s) of assurance layering other than the IIA’s Three Lines Model. Compare and contrast the(se) model(s). How do they differ? How are they similar?
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Guide to Internal Audit
- Internal Audit Department Key Performance Indicators (KPIs)
- Internal Audit Strategic Focus Questionnaire
- The Updated COSO Internal Control Framework
Chapter 4: KnowledgeLeader Practice Case: Alternative Risk Management Frameworks
Background Information
In the United States, the Committee of Sponsoring Organizations (COSO) published its Enterprise Risk Management – Aligning Risk with Strategy and Performance (COSO ERM, or ERM framework) in 2017. In 2004, COSO identified a need for a robust framework to help companies effectively identify, assess and manage risk. The resulting risk management framework expanded on the previously issued Internal Control – Integrated Framework, incorporating all key aspects of that framework in the broader ERM framework. COSO updated its Internal Control – Integrated Framework in 2013 and released an update to the 2004 ERM framework in 2017. COSO defines ERM as the culture, capabilities and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value.
In 2009, the International Organization for Standardization issued its standard ISO 31000:2009 (ISO 31000), the first globally recognized standard related to risk management. ISO 31000 was developed to provide a globally accepted way of viewing risk management, taking into consideration principles, frameworks, models and practices that were evolving around the world. Revised in 2018, this standard helps provide principles, frameworks and a common approach to managing an organization's risk. ISO 31000 includes three sections—principles, framework and process.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website using your username and password.
- Perform research on these two globally recognized risk management frameworks. Compare and contrast these frameworks. How do they differ? How are they similar?
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Enterprise Risk Management Summary Approach Guide
- Enterprise Risk Management (ERM) Committee Charter
- Enterprise Risk Management Capability Maturity Model (CMM)
- Guide to Enterprise Risk Management
- How COSO Frameworks Improve Organizational Performance and Governance
- The Updated COSO Internal Control Framework
Chapter 5: KnowledgeLeader Practice Case: Reporting on Controls at a Service Organization
Background Information
Statement on Standards for Attestation Engagements (SSAE) 18 updates requirements for reporting on controls of a Service Organization (SOC 1, 2, and 3 reports). SSAE 18 was issued in April 2016 and became effective in May 2017. SSAE 18 is largely an American standard, but it mirrors International Standards for Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. SSAE 18 provides guidance to service auditors when assessing the internal control of a service organization and issuing a Service Organization Controls (SOC) report.
SOC 1 reports primarily address the internal controls related to financial reporting. There are two types of SOC 1 reports. A SOC 1 Type I report is an attestation on the description of controls provided by management of the service organization and on the adequacy of their design and implementation. A SOC 1 Type II report extends this to include an attestation about the operating effectiveness of the controls over a period.
SOC 2 reports focus on information and IT security identified by one or more of the five Trust Services Categories – security, confidentiality, information privacy, processing integrity, and availability. SOC 2 reports can also be Type I or Type II.
SOC 3 reports are similar to SOC 2 reports but for a general audience.
Service organizations include insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations, and clearinghouses.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the circumstances under which obtaining a SOC report is justified. Explain the differences between a SOC 1 Type I and Type II report. Determine when it would be appropriate for a Type I rather than a Type II report.
- Explain the difference between a SOC 1 and a SOC 2 report. When would it be appropriate to obtain a SOC 2?
- What is the difference between a SOC 2 and a SOC 3 report, and when is each appropriate?
- Submit a brief write-up indicating the results of your research to your instructor.
Chapter 6: KnowledgeLeader Practice Case: Adapting Internal Controls Related to Compliance Risks in a Rapidly Changing World
Background Information
Compliance with applicable laws and regulations has always been an important component of every organization’s control environment, and the scrutiny over how effectively organizations manage it has only increased because of the many challenges they face today.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the various challenges organizations are facing today regarding their ability to leverage existing internal controls to continue to comply with the laws and regulations applicable to them and what changes to their internal controls might be warranted.
- Submit a brief write-up indicating the results of your research to your instructor.
Chapter 7: KnowledgeLeader Practice Case: Internal Audit Mandate
Background Information
As discussed in the chapter, a critical part of demonstrating the independent organizational positioning of the internal audit function is for the board to outline what it expects from the internal audit function. This is done through the internal audit mandate. The internal audit mandate is a new term established in the Standards describing the authority, role, and responsibilities of the internal audit function. It establishes the foundation for the internal audit function’s existence.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the Standards addressing this new term: “internal audit mandate.” What are the critical elements of the Standards that relate to the internal audit mandate? Why is it important for the internal audit function to establish and adhere to a mandate? How does the internal audit function demonstrate conformance with these standards? What are some potential consequences of noncompliance with these standards?
- Submit a brief write-up indicating the results of your research to your instructor.
Chapter 8: KnowledgeLeader Practice Case: Board Audit Committee & Internal Audit Charters
Background Information
The board audit committee serves a critical role in ensuring the transparency, accuracy, and accountability of an organization’s financial reporting and risk management processes. It provides fiduciary oversight in the areas of financial reporting, risk management, and compliance and ethics. The board audit committee charter defines the purpose, composition, and responsibilities of the board audit committee so that these fiduciary oversight responsibilities are achieved.
As indicated in this chapter, the internal audit charter is a formal written document that defines the internal audit function’s purpose, mandate, organizational position, and commitment to adhering to the Global Internal Audit Standards (the Standards). The internal audit function’s charter is subordinate to the audit committee’s charter and must support, not contradict, it.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the best or better practices related to the primary responsibilities of the board audit committee and internal audit function. Additionally, delineate the key elements of board audit committee and internal audit function charters. Discuss the role the internal audit function plays in the board audit committee’s discharge of its fiduciary responsibilities.
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Guide to Internal Audit
- Corporate Audit Department Charter
- Audit Committee Charter
- Risk Management Oversight Committee Charter
Chapter 9: KnowledgeLeader Practice Case: Data Analytics Techniques with a Limited Budget
Background Information
You work as part of a small but resourceful internal audit team at a major university. Like most university internal audit groups, you are faced with a limited budget, no data analytics skills on your staff, and no resources to outsource data analytics to a third-party service provider (far too expensive). The university’s internal audit function for which you work participates in an Internal Audit Education Partnership program (IAEP), which teaches internal audit along with a number of data analytics courses.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Determine which high-risk areas would benefit the most from leveraging data analytics software and which data analytics techniques could be adopted. How might you go about providing some data analytics support to your internal audit function, and what readily available tools (those taught in the various data analytics courses offered in the IAEP program at your university) would you utilize?
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Data Analytics and Mining Guide
- Six Elements Infrastructure Data Analytics
- Data Analytics and Audit Coverage Guide
- From Hindsight to Insight to Foresight
Chapter 10: KnowledgeLeader Practice Case: Blending Assurance & Consulting Internal Audit Engagements
Background Information
Blending assurance and advisory services into a single engagement is a way for internal auditors to realize efficiencies that might not exist when these services are performed separately. In fact, some internal audit functions may be conducting “blended engagements” without even realizing it. Internal auditors can follow a principle-based model that offers professional guidance for implementing this approach without violating existing standards of practice.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the primary purpose of an assurance engagement and an advisory engagement. Also, identify elements that are the same or similar. Finally, identify the concerns with combining assurance and consulting services and how a single blended engagement can be performed without jeopardizing audit effectiveness or objectivity.
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Guide to Internal Audit
- Internal Audit Contributing to the Success of Enterprise Risk Management Guide
- Internal Audit’s Role in Mergers and Acquisitions Guide
- Strategic Internal Audit Plan
- Internal Audit Strategic Vision Report
Chapter 11: KnowledgeLeader Practice Case: Performing Effective Analytical Procedures
Background Information
Understanding the detailed tasks in a process is an important step in planning an assurance engagement. However, these tasks describe the way a process is designed to perform; they provide little indication of how effectively it is actually carried out. Performing analytical procedures is one way internal auditors conduct high-level assessments that may reveal process activities warranting closer attention and, accordingly, more detailed testing during an assurance engagement. Analytical procedures involve reviewing and evaluating existing information, which may be financial or nonfinancial, to determine whether it is consistent with predetermined expectations.
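The following is an added illustration of the analytical procedure described above, not material from the textbook or from KnowledgeLeader: recorded monthly values are compared with an expectation fixed in advance (here a flat approved budget), and periods whose variance exceeds a tolerance are flagged for detailed testing. The department, the payroll figures, the budget and the 5% tolerance are all constructed for the example.

```python
"""Analytical procedure (added example, constructed data): compare actuals with a
predetermined expectation and flag variances above a tolerance for detailed testing."""
from dataclasses import dataclass

# Constructed monthly payroll expense (in thousands) for one department.
ACTUAL = {
    "Jan": 412.0, "Feb": 408.5, "Mar": 415.2, "Apr": 411.0, "May": 409.8,
    "Jun": 476.3, "Jul": 410.5, "Aug": 413.1, "Sep": 407.9, "Oct": 412.6,
    "Nov": 414.0, "Dec": 352.7,
}

# The expectation is set before the actuals are examined. Here it is the
# approved budget: the same flat amount every month (constructed value).
BUDGET = {month: 410.0 for month in ACTUAL}


@dataclass
class Variance:
    period: str
    actual: float
    expected: float
    pct: float  # percentage deviation from the expectation


def analytical_review(actual, expected, tolerance_pct=5.0):
    """Return the periods whose deviation from expectation exceeds tolerance_pct,
    largest absolute deviation first. These are the items that warrant closer
    attention during the engagement; periods within tolerance are not returned."""
    flagged = []
    for period, value in actual.items():
        exp = expected[period]
        pct = (value - exp) / exp * 100.0
        if abs(pct) > tolerance_pct:
            flagged.append(Variance(period, value, exp, round(pct, 1)))
    flagged.sort(key=lambda v: abs(v.pct), reverse=True)
    return flagged


if __name__ == "__main__":
    for v in analytical_review(ACTUAL, BUDGET):
        print(f"{v.period}: actual {v.actual:.1f} vs expected {v.expected:.1f} ({v.pct:+.1f}%)")
```

With the constructed data, June and December are flagged while the other ten months fall within tolerance; the auditor would then plan detailed testing (for example, of overtime or headcount changes) for those two periods only. The same function works with any expectation that can be stated per period, such as a prior-year trend or a seasonal model.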
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the characteristics of effective analytical procedures used during the planning phase of an assurance engagement.
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Guide to Internal Audit
- Root Cause Analysis Guide
- Root Cause Analysis Questionnaire
- SWOT Analysis Questionnaire
- Business Process Key Performance Indicators (KPIs)
Chapter 12: KnowledgeLeader Practice Case: Information Produced by Entity
Background Information
Companies are facing heightened regulatory expectations. One area of particular interest is information or data produced or manipulated by employees or company systems that is relied on by management to perform key controls or to make significant business decisions. Regulators commonly refer to this information or data as information produced by the entity (IPE). When IPE is identified, regulators expect management to verify (test) the completeness and accuracy of the information or data used by management to perform key controls or that is relied on to make significant business decisions. There is also an expectation that both external and internal auditors will determine if IPE is appropriately verified prior to management’s reliance on such information or data.
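As an added example of the completeness and accuracy testing the passage refers to (this is not material from the textbook or from KnowledgeLeader), the code below reconciles a system-generated report to the source records it was extracted from. Completeness is tested by comparing record populations and control totals; accuracy is tested by tracing each reported record back to its source and comparing the reported fields. The invoice records, vendors and amounts are constructed, and one record has been dropped and one amount transposed to show what each test catches.

```python
"""Testing information produced by the entity (IPE), added example with constructed
data: reconcile a system-generated report to its source for completeness and accuracy."""

# Constructed source records, e.g. the sub-ledger the report is extracted from.
SOURCE = [
    {"id": "INV-1001", "vendor": "Acme Ltd", "amount": 1200.00},
    {"id": "INV-1002", "vendor": "Beta GmbH", "amount": 845.50},
    {"id": "INV-1003", "vendor": "Acme Ltd", "amount": 310.00},
    {"id": "INV-1004", "vendor": "Cobalt Inc", "amount": 2250.75},
]

# Constructed report relied on by management: INV-1003 is missing and the
# INV-1002 amount has transposed digits.
REPORT = [
    {"id": "INV-1001", "vendor": "Acme Ltd", "amount": 1200.00},
    {"id": "INV-1002", "vendor": "Beta GmbH", "amount": 854.50},
    {"id": "INV-1004", "vendor": "Cobalt Inc", "amount": 2250.75},
]


def check_completeness(source, report):
    """Completeness: every source record appears in the report, nothing extra
    appears, and the control totals agree."""
    src_ids = {r["id"] for r in source}
    rep_ids = {r["id"] for r in report}
    return {
        "missing_from_report": sorted(src_ids - rep_ids),
        "not_in_source": sorted(rep_ids - src_ids),
        "source_total": round(sum(r["amount"] for r in source), 2),
        "report_total": round(sum(r["amount"] for r in report), 2),
    }


def check_accuracy(source, report, fields=("vendor", "amount")):
    """Accuracy: trace each reported record to its source record and compare the
    fields management relies on. Returns (id, field, source_value, reported_value)
    for every mismatch. Records absent from the source are a completeness issue
    and are skipped here."""
    by_id = {r["id"]: r for r in source}
    exceptions = []
    for rec in report:
        src = by_id.get(rec["id"])
        if src is None:
            continue
        for field in fields:
            if rec[field] != src[field]:
                exceptions.append((rec["id"], field, src[field], rec[field]))
    return exceptions


def ipe_reliable(source, report):
    """True only when the report passes both the completeness and accuracy tests."""
    c = check_completeness(source, report)
    return (not c["missing_from_report"] and not c["not_in_source"]
            and c["source_total"] == c["report_total"]
            and not check_accuracy(source, report))


if __name__ == "__main__":
    print(check_completeness(SOURCE, REPORT))
    print(check_accuracy(SOURCE, REPORT))
    print("reliable:", ipe_reliable(SOURCE, REPORT))
```

In practice the source side would be pulled directly from the system of record rather than from the report's own extraction, since a report can only be evidence of its own completeness when it is reconciled to something independent of it; the control-total comparison is what makes a silently dropped record visible even when record-level tracing is only done on a sample.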
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify the most common types or forms of IPE. What are key risks associated with management’s reliance on IPE? Identify the most common strategies for testing IPE.
- Submit a brief write-up indicating the results of your research to your instructor.
Chapter 13: KnowledgeLeader Practice Case: Reporting Material Weaknesses
Background Information
As indicated in the chapter, if a finding, or a group of findings, is assessed to be material, communication must be formal and include senior management, the organization’s independent outside auditor, and the audit committee. Additionally, for publicly owned companies over a specified size and if the finding concerns internal control over financial reporting and disclosure controls and procedures, the U.S. Sarbanes-Oxley Act of 2002 and financial reporting regulations in other countries require management to qualify their opinion on internal control over financial reporting (and disclosure controls and procedures) and formulate a remediation plan to correct the weakness identified in the controls in question. Management must continue to qualify its opinion on internal control over financial reporting (and disclosure controls and procedures) until the material weakness (finding) is remediated and management has verified through control retesting that the control in question is designed adequately and operating effectively. If management determines it is necessary to qualify its opinion on internal control over financial reporting (and disclosure controls and procedures), this fact must be reported to its stakeholders according to the laws of the country in which it operates.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and determine the reporting requirements for a publicly traded company that has identified a material weakness related to internal control over financial reporting (and disclosure controls and procedures). Identify the various types of control weaknesses as defined by Section 404 of the Sarbanes-Oxley Act. Identify the required disclosures and provide an example of management’s report and the independent outside auditor’s report provided to the company’s shareholders (this will require research outside of KnowledgeLeader).
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404
- Control Deficiency Assessment Questionnaire
- Evaluation of Control Deficiencies Questionnaire
- IT Infrastructure Control Deficiency Decision Questionnaire
- IT Application Control Deficiency Decision Process Questionnaire
Chapter 14: KnowledgeLeader Practice Case: The Internal Auditor as a Trusted Advisor
Background Information
Emerging internal audit thought leadership indicates that the internal audit value proposition can best be accomplished through internal audit advisory services. The term “trusted advisor” is being used more frequently to describe internal auditors who strive to add additional value as they gain management’s confidence through the impactful advisory services they provide.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and define what it means to be a “trusted advisor.” What best or better practices and/or characteristics could lead to an internal auditor becoming identified (labeled) as a trusted advisor in the eyes of the board audit committee or the management they support?
- Submit a brief write-up indicating the results of your research to your instructor.
Helpful KnowledgeLeader Resources:
- Guide to Internal Audit
- The Four C's in Overseeing Internal Audit
- Internal Audit Strategic Vision Report
- Internal Audit Strategic Focus Questionnaire
Chapter 15: KnowledgeLeader Practice Case: Internet of Things (IoT) and Smart Cities
Background Information
The internet of things (IoT) has expanded rapidly and provided new capabilities for many organizations, but as the IoT has delivered new business efficiencies it has also created new risks and challenges. You are the head of internal audit for a large city in Canada that is planning to become one of the most advanced smart cities worldwide. One area in which automation has significantly changed a business process is metering: the city no longer needs people to manually read meters and check electric usage every month. This is just one example of the many applications the city has already implemented, and it is looking for additional ones that can improve the efficiency and effectiveness of operations while reducing costs.
The city manager has asked for your help. She would like you to identify and rank the ten business applications that a world-class “smart city” could leverage to provide the “biggest” benefits to the city and its citizens, along with the potential risks that might be encountered in implementing these applications.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Research KnowledgeLeader, along with the internet, to learn as much as you can about “smart cities” and how 5G networks and connectivity can transform the efficiency of a city and the information it uses. For each of your top ten IoT applications, include a description, along with a narrative on the risks that might be present if the application is adopted and implemented.
- Submit a brief write-up indicating the results of your research to your instructor.
Chapter 16: KnowledgeLeader Practice Case: Fraud Root Cause Analysis
Background Information
This case involves researching recent corporate frauds utilizing KnowledgeLeader and other internet resources. A typical process after a major fraud has been uncovered and resolved is to perform a post-mortem: business management, investigators, and internal auditors partner to perform a root cause analysis. You’ve learned a lot related to risk, controls, ethics, and, in this chapter, more about fraud techniques. You should now understand that fraud is a prevalent activity and that there are many techniques, methods, and motivations for fraud. You should also understand that when a fraud is uncovered it is just a symptom of other issues and problems within the organization.
Utilize the KnowledgeLeader website and perform the following:
- Log in to the KnowledgeLeader website with your username and password.
- Perform research and identify two recent corporate frauds (one from within the US and one outside the US). Examine how internal auditors at those organizations dealt with the frauds, the impact the frauds had on their respective organizations, and the post-mortem efforts that took place within the organizations. Determine the root cause of the frauds, what techniques could have prevented the frauds from occurring, and how similar frauds could be prevented in the future.
- Submit a brief write-up indicating the results of your research to your instructor. Your write-up should include, at a minimum, the following content:
- A brief summary of each fraud chosen
- Approximate loss of each fraud chosen
- For each fraud chosen, answer the questions Who, What, When, Where, How and Why (if known)
- Identify the root cause of each fraud chosen
- What preventive or detective controls could have been deployed.