PDF IIA-CIA-Part2 Study Guide

The most beneficial approach for the newly appointed CAE to obtain details of the internal audit activity's collective knowledge, skills, and competencies is to review or establish a documented skills assessment of the internal audit staff and gather information from post-audit surveys. This method provides a comprehensive view of the team's capabilities and identifies any skill gaps that need to be addressed, ensuring that the internal audit function can effectively fulfill its responsibilities. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), specifically Standard 1210 - Proficiency.

The IIA’s Practice Guide on Building a Competency Framework for Internal Auditing.

A privacy audit engagement should comprehensively cover all aspects related to the collection, storage, and compliance of personal information. This includes assessing the appropriateness of the information gathered (1), reviewing the methods used to collect the information (2), ensuring the information collected complies with applicable laws (3), and determining how the information is stored (4). This comprehensive approach ensures that the organization adheres to privacy standards and regulations effectively. References: = IIA’s Practice Guide: “Privacy Impact Assessment” and IIA Standard 2110.A2 -

While discussing risks with the audit client can provide useful insights, it is the least structured method compared to using all available information from the risk-based plan, considering client efforts to manage risk, and reviewing prior risk assessments. These latter methods are more systematic and ensure that the audit work program is comprehensive and focused on relevant risks. References: = IIA Standard 2200 - Engagement Planning, IIA Practice Guide: “Developing the Audit Plan”.

When an internal auditor discovers a significant issue, such as a manager’s spouse receiving paychecks without being employed, it’s essential to follow the appropriate protocols for reporting the finding.

IIA Standard 2060 – Reporting to Senior Management and the Board:

This standard mandates that the chief audit executive (CAE) must communicate significant risk exposures and control issues to senior management and the board. Following the normal chain of command ensures that the issue is escalated appropriately without bypassing necessary channels.

Ethical Considerations and Confidentiality:

According to the IIA’s Code of Ethics, internal auditors must respect the confidentiality of the information they handle. Reporting through the established chain of command ensures that sensitive issues are handled discreetly and appropriately.

IIA Standard 2440 – Disseminating Results:

This standard requires that the results of the audit, including significant findings, should be communicated to the appropriate parties. Reporting to senior management first allows for an initial review and appropriate action before escalating to higher levels, if necessary.

Option A (Contacting the external auditor): While external auditors may need to be informed, this step should follow internal reporting protocols, not precede them.

Option C (Meeting with the local manager): This could compromise the investigation, as the local manager may be involved in the issue.

Option D (Bypassing the chain of command): This should only be done in extreme circumstances, such as when senior management is directly involved in the wrongdoing, which is not indicated in this scenario.

Detailed Explanation:Why Not Other Options?