The IIA Textbook 4th Edition


Internal Auditing: Assurance & Advisory Services, 4th Edition, is a comprehensive textbook designed to teach students the evolving global profession of internal auditing. Written through the collaboration of educators and practitioners, this resource serves as a cornerstone for internal audit education. It covers key fundamentals of internal auditing that can be applied in an ever-changing business world, and is long considered an essential addition to every internal auditor’s bookshelf.

The updated text completely aligns with The IIA’s Code of Ethics and International Standards for the Professional Practice of Internal Auditing. The fourth edition features online student and instructor tools, including case studies, leading generalized audit software packages, and knowledge content from ACL, CaseWare IDEA, Wolters Kluwer’s TeamMate, and Protiviti’s KnowledgeLeader®. Plus, supplemental teaching materials are available to instructors upon request.

Source: theiia.org

Internal Auditing: Assurance & Advisory Services, 4th Edition


Chapter 1: Introduction

This section of KnowledgeLeader's University Center is designed to support The IIA Textbook, 4th Edition and provide entry-level internal audit and risk management content to students.

Student Instructions:

Students will receive a link from their professors to activate their accounts on KnowledgeLeader. Please note that usernames and passwords must be kept confidential; users may not republish, license, sell, copy or display any portion of the KnowledgeLeader website elsewhere, except within the context of appropriately attributed academic coursework.

Each case exercise will be introduced in the Cases section of the pertinent chapter(s).

Read KnowledgeLeader's Internal Audit and Risk Management: The Basics page to obtain an introduction to the internal audit profession.  

Professor Instructions:

If you do not already have a Professor account on KnowledgeLeader, please click "Sign up as a Professor" on this page and complete the registration form.

Once your account is created and active, you will be able to navigate to your My Account area to access your unique Group Access code.  This is your link to copy and share with your students. When they follow your link, they will be directed to create their own complimentary KnowledgeLeader accounts on our site in a few easy steps.

For your convenience, once your professor account is activated, your access will remain active for 10 years, and you will not need to request access again during that period. When a new semester starts, you can share your access link with your new group of students so that they can sign up.

Chapter 2: Internal Auditor Independence and Objectivity

Background Information

As indicated in the Standards, the internal audit function must be independent, and internal auditors must be objective in performing their work. As indicated in the chapter reading, independence and objectivity together represent one of three pillars supporting effective internal audit services. It is also important to note that independence and objectivity are two distinct, yet interrelated, concepts that are fundamental to providing value-adding internal audit services.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and define what it means for an internal auditor to be independent. Contrast internal auditor independence with auditor objectivity. Why is it important for an internal auditor to be independent and possess objectivity?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 3: Multiple Lines of Defense

Background Information

Emphasis in recent years has been placed on control testing to ensure controls are working effectively and efficiently, but emerging thought leadership indicates that the internal audit value proposition can best be accomplished through internal audit consulting services. The term “Trusted Advisor” is being used more frequently to describe internal auditors as they strive to add value and gain management’s confidence through the impactful consulting services they provide.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify alternative model(s) of assurance layering other than the “three lines of defense model.” Compare and contrast the(se) models. How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 4: Alternative Risk Management Frameworks

Background Information

In the United States, COSO published its Enterprise Risk Management – Aligning Risk with Strategy and Performance (COSO ERM, or ERM framework) in 2017. In 2004, COSO identified a need for a robust framework to help companies effectively identify, assess, and manage risk. The resulting risk management framework expanded on the previously issued Internal Control – Integrated Framework, incorporating all key aspects of that framework into the broader ERM framework. COSO updated its Internal Control – Integrated Framework in 2013 and released an update to the 2004 ERM framework in 2017. COSO defines ERM as the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

In 2009, the International Organization for Standardization issued its standard ISO 31000:2009 (ISO 31000), the first globally recognized standard related to risk management. ISO 31000 was developed to provide a globally accepted way of viewing risk management, taking into consideration principles, frameworks, models, and practices that were evolving around the world. ISO 31000 includes three sections—principles, framework, and process.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research on these two globally recognized risk management frameworks. Compare and contrast these frameworks. How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 5: Reporting on Controls at a Service Organization

Background Information

Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, is an auditing standard for service organizations. SSAE 16 was issued in April 2010, and became effective in June 2011. SSAE 16 is largely an American standard, but it mirrors International Standards for Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. SSAE 16 provides guidance to service auditors when assessing the internal control of a service organization and issuing a Service Organization Controls (SOC) report. There are two types of service organization controls reports. A Type I service organization controls report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service organization controls report includes the information contained in a Type I service report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review (usually six months). SSAE 16 reporting can help service organizations comply with Sarbanes-Oxley’s requirement (section 404) to show effective internal controls covering financial reporting. It can also be applied to data centers or any other service that might be used in the delivery of financial reporting. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify the circumstances under which obtaining a SOC report is justified. Explain the differences between a SOC 1 and a SOC 2 report. Determine when it would be appropriate to obtain a SOC 1 report versus a SOC 2 report.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 6: Cost-Effective Approaches to Validating Internal Controls over Financial Reporting (ICFR)

Background Information

In the United States, the U.S. Sarbanes-Oxley Act of 2002 (SOX) legislation put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management, specifically the CEO and the chief financial officer (CFO). To comply with this legislation, the U.S. Securities and Exchange Commission (SEC) requires the CEO and CFO of publicly traded companies over a certain size to opine on the design adequacy and operating effectiveness of internal control over financial reporting (ICFR) as part of the annual filing of financial statements with the SEC, and to report substantial changes in ICFR, if any, on a quarterly basis. Organizations have been able to successfully apply the COSO framework in their efforts to comply with SOX, despite encountering significant unanticipated costs. In an effort to reduce the cost of complying with SOX, many organizations are evaluating and pursuing more cost-effective approaches to validating their system of ICFR.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify more cost-effective approaches to validating the operating effectiveness of an organization's ICFR.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 7: Cybersecurity

Background Information

Cybersecurity is an ever-increasing risk. In fact, leaders in the profession have identified cybersecurity as the number one technology risk, which is consistent with the findings in the IIA’s 2015 Common Body of Knowledge (CBOK) study, “Navigating Technology’s Top 10 Risks”.

The term cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets (computers, networks, programs, and data) from unauthorized access.

The proliferation of technology today enables more user access to an organization’s information than ever before. Third parties are increasingly provided access to organizational information through the supply chain, customers, and service providers. A greater variety of data has become readily available as organizations often store large volumes of sensitive and confidential information in virtualized infrastructure accessible through cloud computing. There is an increasing number of devices that can be connected and always engaged in data exchange. As organizations globalize and the organization’s web of employees, customers, and third-party providers expands, expectations for constant access to the organization’s information also increases.

Cyberattacks are perpetrated for various reasons, including financial fraud, information theft or misuse, activist causes, rendering computer systems inoperable, and disrupting the critical infrastructure and vital services of a government or organization. Five common sources of cyber threats are nation-states, cybercriminals, hacktivists, insiders and service providers, and developers of substandard products and services.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify/discuss alternative approaches to implementing effective cybersecurity.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 8: Fraud Risk Assessment

Background Information

As indicated in Chapter 8, the process of conducting a fraud risk assessment is similar to that of conducting an enterprise risk assessment. The three key steps are:

  1. Identify inherent fraud risks.
  2. Assess impact and likelihood of the identified risks.
  3. Develop responses to those risks that have a sufficiently high impact and likelihood to result in a potential outcome beyond management’s tolerance.

When conducting a fraud risk assessment, it is important to involve individuals with varying knowledge, skills, and perspectives. The risk assessment process can take many different forms, the most common of which are interviews, surveys, and facilitated meetings. Regardless of the approach, it is important for individuals to remain open and creative to ensure the fraud risk universe is sufficiently comprehensive.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify alternative models for conducting an effective fraud risk assessment. Compare and contrast these models. How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 9: Multiple Lines of Defense

Background Information

As indicated in Chapter 9, many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment in particular have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the “three lines of defense model.” However, the three lines of defense model is not the only model.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify alternative model(s) of assurance layering other than the “three lines of defense model.” Compare and contrast the(se) models. How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 10: Information Produced by Entity (IPE)

Background Information

Companies are facing heightened regulatory expectations. One area of particular interest is information or data produced or manipulated by employees or company systems that is relied on by management to perform key controls or to make significant business decisions. Regulators commonly refer to this information or data as Information Produced by Entity (IPE). When IPE is identified, regulators expect management to verify (test) the completeness and accuracy of the information or data used by management to perform key controls or relied on to make significant business decisions.
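The following is an added example, not from the textbook or KnowledgeLeader, of what a completeness and accuracy (C&A) test of IPE looks like in practice. The IPE here is a constructed system-generated aging report that management would rely on to run a review control; the test re-performs the report from the source ledger using the report's own parameters and ties every row back. The ledger, report rows, footer and parameter names are all constructed for the illustration.

```python
"""Added example (not from the textbook or KnowledgeLeader): a completeness
and accuracy (C&A) test of a system-generated aging report, a common form of
Information Produced by Entity (IPE). The report is re-performed from the
source ledger and each row is tied back. All data below is constructed."""
from datetime import date

# Constructed source population: the ledger the report claims to be built from.
SOURCE_LEDGER = [
    {"invoice": "A-100", "customer": "C1", "due": date(2023, 1, 15), "open_cents": 50000},
    {"invoice": "A-101", "customer": "C2", "due": date(2023, 2, 20), "open_cents": 12000},
    {"invoice": "A-102", "customer": "C1", "due": date(2023, 3, 28), "open_cents": 7500},
    {"invoice": "A-103", "customer": "C3", "due": date(2023, 1, 5),  "open_cents": 30000},
    {"invoice": "A-104", "customer": "C2", "due": date(2023, 3, 1),  "open_cents": 0},
]

# Constructed system report: "open invoices more than 30 days past due as of 2023-03-31".
# It is deliberately wrong in two ways a C&A test should catch, while its footer
# still agrees with its own rows (so a footer-only check would pass it).
REPORT_PARAMS = {"as_of": date(2023, 3, 31), "min_days_past_due": 30}
REPORT_ROWS = [
    {"invoice": "A-100", "open_cents": 50000},
    {"invoice": "A-101", "open_cents": 21000},   # accuracy error: ledger says 12000
    # A-103 is absent: completeness error
]
REPORT_FOOTER = {"row_count": 2, "total_cents": 71000}


def reperform(ledger, params):
    """Independently rebuild the report population from source using the stated parameters."""
    return {
        r["invoice"]: r["open_cents"]
        for r in ledger
        if r["open_cents"] > 0
        and (params["as_of"] - r["due"]).days > params["min_days_past_due"]
    }


def check_ipe(ledger, params, rows, footer):
    """Return a list of exception strings; an empty list means the report passed C&A testing."""
    expected = reperform(ledger, params)
    reported = {r["invoice"]: r["open_cents"] for r in rows}
    findings = []
    # Completeness: nothing missing from the population, nothing extra, footer ties to rows.
    for inv in sorted(set(expected) - set(reported)):
        findings.append(f"completeness: {inv} in ledger population but not on report")
    for inv in sorted(set(reported) - set(expected)):
        findings.append(f"completeness: {inv} on report but not in ledger population")
    if footer["row_count"] != len(rows):
        findings.append("completeness: footer row count does not equal number of rows")
    if footer["total_cents"] != sum(r["open_cents"] for r in rows):
        findings.append("completeness: footer total does not equal sum of rows")
    # Accuracy: every reported value agrees with the source record.
    for inv in sorted(set(expected) & set(reported)):
        if expected[inv] != reported[inv]:
            findings.append(f"accuracy: {inv} reported {reported[inv]} vs ledger {expected[inv]}")
    return findings


if __name__ == "__main__":
    for finding in check_ipe(SOURCE_LEDGER, REPORT_PARAMS, REPORT_ROWS, REPORT_FOOTER):
        print(finding)
```

The design point is that agreeing the footer to the rows is not a C&A test on its own: this report's footer ties perfectly, yet it drops an invoice and misstates another. Re-performance from the source population, using the same parameters the report was run with, is what exposes both.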

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify the most common types or forms of IPE. What are the key risks associated with management’s reliance on IPE? Identify the most common strategies for testing IPE.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 11: Performing Effective Data Analytics Techniques

Background Information

Data analytics allow internal auditors to focus their resources on high-risk transactions and provide management with a higher level of operational assurance. A process that has proven successful includes the following steps:

  1. Define the question.
  2. Obtain the data.
  3. Clean and normalize the data. 
  4. Analyze the data and understand the results.
  5. Communicate the results. 
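As an added example, not from the textbook or KnowledgeLeader, the five steps above carried through on a constructed accounts-payable export. The question (step 1) is whether any invoice was paid twice; the raw records, the vendor-name and amount normalization rules, the 45-day window and the function names are all assumptions made for this illustration.

```python
"""Added example (not from the textbook or KnowledgeLeader): the five-step
data-analytics process applied to a duplicate-payment question on constructed
accounts-payable data.
Step 1 (define the question): were any invoices paid twice?"""
from collections import defaultdict
from datetime import datetime
import re

# Step 2: obtain the data. Constructed export with the messiness a real one has:
# inconsistent vendor spelling, currency formatting and date formats.
RAW_PAYMENTS = [
    {"id": "P001", "vendor": "Acme Supply Co.", "amount": "$1,250.00", "paid": "2023-03-01", "invoice": "INV-1001"},
    {"id": "P002", "vendor": "ACME SUPPLY CO",  "amount": "1250",      "paid": "03/04/2023", "invoice": "INV-1001"},
    {"id": "P003", "vendor": "Globex Corp",     "amount": "$980.50",   "paid": "2023-03-02", "invoice": "GX-77"},
    {"id": "P004", "vendor": "Globex Corp.",    "amount": "980.5",     "paid": "2023-03-30", "invoice": "GX-77 "},
    {"id": "P005", "vendor": "Initech",         "amount": "$2,000.00", "paid": "2023-03-10", "invoice": "IT-5"},
    {"id": "P006", "vendor": "Initech",         "amount": "$2,000.00", "paid": "2023-05-20", "invoice": "IT-9"},
]


def normalize_vendor(name):
    """Upper-case, drop punctuation and common corporate suffixes so spelling variants match."""
    n = re.sub(r"[^A-Z0-9 ]", "", name.upper())
    n = re.sub(r"\b(CO|CORP|INC|LLC|LTD)\b", "", n)
    return " ".join(n.split())


def parse_amount(text):
    """Turn '$1,250.00' or '1250' into integer cents so equality tests are exact."""
    return round(float(text.replace("$", "").replace(",", "")) * 100)


def parse_date(text):
    """Accept the two date layouts present in the export."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date: {text!r}")


def normalize(records):
    """Step 3: clean and normalize every field the analysis will key on."""
    return [
        {"id": r["id"], "vendor": normalize_vendor(r["vendor"]),
         "cents": parse_amount(r["amount"]), "paid": parse_date(r["paid"]),
         "invoice": r["invoice"].strip().upper()}
        for r in records
    ]


def find_duplicate_payments(clean, window_days=45):
    """Step 4: analyze. Flag pairs with the same vendor and amount that share an
    invoice number or fall within the window. Returns (earlier_id, later_id, reason)."""
    by_key = defaultdict(list)
    for r in clean:
        by_key[(r["vendor"], r["cents"])].append(r)
    findings = []
    for group in by_key.values():
        group.sort(key=lambda r: r["paid"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                gap = (b["paid"] - a["paid"]).days
                if a["invoice"] == b["invoice"]:
                    findings.append((a["id"], b["id"], "same invoice number"))
                elif gap <= window_days:
                    findings.append((a["id"], b["id"], f"same vendor and amount {gap} days apart"))
    return findings


def summarize(findings, clean):
    """Step 5: communicate. Exception count plus the dollar exposure of the later payments."""
    cents = {r["id"]: r["cents"] for r in clean}
    exposure = sum(cents[later] for _, later, _ in findings)
    return {"exceptions": len(findings), "exposure_usd": exposure / 100}


if __name__ == "__main__":
    clean = normalize(RAW_PAYMENTS)
    hits = find_duplicate_payments(clean)
    for earlier, later, reason in hits:
        print(f"{earlier} / {later}: {reason}")
    print(summarize(hits, clean))
```

Most of the code sits in step 3, which is where most of the effort goes in practice: without normalizing vendor names and amounts, "Acme Supply Co." and "ACME SUPPLY CO" would never be grouped and both duplicates would be missed. The Initech pair is deliberately outside the window with different invoice numbers, so it is not reported.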

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify various effective data analytic techniques. Compare and contrast these techniques with the model presented above and in the chapter. How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 12: Blending Assurance and Consulting Internal Audit Engagements

Background Information

Blending assurance and consulting services into a single engagement is evolving as a way for internal auditors to realize efficiencies that might not exist when these services are performed separately. In fact, some internal audit functions may be conducting “blended engagements” without even realizing it. Internal auditors can follow a principle-based model that offers professional guidance for implementing this approach without violating existing standards of practice.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify the primary purpose of an assurance engagement and of a consulting engagement. Also, identify elements that are the same or similar. Finally, identify the concerns with combining assurance and consulting services and how a single blended engagement can be performed without jeopardizing audit effectiveness or objectivity.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 13: Performing Effective Analytical Procedures

Background Information

Understanding the detailed tasks in a process is an important step in planning an assurance engagement. However, these tasks describe the way a process is designed to perform, but provide little indication regarding how effectively they are carried out. Performing analytical procedures is one way internal auditors conduct high-level assessments that may reveal process activities that warrant closer attention and, accordingly, more detailed testing during an assurance engagement. Analytical procedures involve reviewing and evaluating existing information, which may be financial or nonfinancial, to determine whether it is consistent with predetermined expectations.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and identify the characteristics of effective analytical procedures used during the planning phase of an assurance engagement.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 14: Reporting Material Weaknesses

Background Information

As indicated in Chapter 14, if an observation, or a group of observations, is assessed to be material, communication must be formal and include senior management, the organization’s independent outside auditor, and the audit committee. Additionally, for publicly owned companies over a specified size and if the observation concerns internal control over financial reporting and disclosure controls and procedures, the U.S. Sarbanes-Oxley Act of 2002 and financial reporting regulations in other countries require management to qualify their opinion on internal control over financial reporting (and disclosure controls and procedures) and formulate a remediation plan to correct the weakness identified in the controls in question. Management must continue to qualify its opinion on internal control over financial reporting (and disclosure controls and procedures) until the material weakness (observation) is remediated and management has verified through control retesting that the control in question is designed adequately and operating effectively. If management determines it is necessary to qualify its opinion on internal control over financial reporting (and disclosure controls and procedures), this fact must be reported to its stakeholders according to the laws of the country in which it operates.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and determine the reporting requirements for a publicly traded company that has identified a material weakness related to internal control over financial reporting (and disclosure controls and procedures). Identify the various types of control weaknesses as defined by Section 404 of the Sarbanes-Oxley Act of 2002. Identify the required disclosures and provide an example of management’s report and the independent outside auditor’s report provided to the company’s shareholders (this will require research outside of KnowledgeLeader).
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 15: The Internal Auditor as a Trusted Advisor

Background Information

Emphasis in recent years has been placed on control testing to ensure controls are working effectively and efficiently, but emerging thought leadership indicates that the internal audit value proposition can best be accomplished through internal audit consulting services. The term, “Trusted Advisor” is being used more frequently to describe internal auditors as they strive to add additional value as they gain management’s confidence through the impactful consulting services they provide.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research and define what it means to be a “Trusted Advisor.” What are the best or better practices and/or characteristics that could lead to an internal auditor becoming identified (labeled) as a Trusted Advisor in the eyes of the management they support?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources: