📇 ACCT 3233/7233 Exam Notecards — Print on 4×6 index cards (landscape)

IIA 2024 Standards — Architecture & Domain I & II Overview 1 / 14
5 Domains · 15 Principles · 52 Standards
Old "Attribute" + "Performance" categories → ELIMINATED
Domain         | Focus
I   Purpose    | Why we exist
II  Ethics     | How we behave
III Governing  | Board & CAE relationship
IV  Managing   | Strategy & resources
V   Performing | The actual work
Domain I Purpose — 4 Services:
Assurance – independent evaluation of controls/risk/governance
Advice – recommendations to improve operations
Insight – deeper understanding of processes & risks
Foresight – anticipating emerging risks ⭐ NEW 2024

Goal: create, protect, and sustain value

Domain II — 5 Ethics Principles

P# | Principle       | Philosopher
P1 | Integrity       | Kant — categorical imperative
P2 | Objectivity     | Husserl — epoché (bracket assumptions)
P3 | Competency      | Aristotle — phronesis (practical wisdom)
P4 | Due Prof. Care  | Hume — can't test everything
P5 | Confidentiality | Breach once → never candid again
P1 Integrity Key: Std 1.1 — truthful, accurate, no omissions; CAE must support auditors expressing unfavorable findings. Pressure to "reframe" = integrity test.
P2 Objectivity Key: Most dangerous bias = confirmation bias — actively seek disconfirming evidence.
P3 Competency Key: Know what you don't know. Use specialists. Dangerous auditor = "took a webinar."
IIA Standards — Domains III, IV & V 2 / 14

Domain III — Governing (MOST CHANGED)

  • P6 Authorized by Board — charter = source of authority
  • P7 Positioned Independently — CAE reports functionally to board; structural (not just attitudinal)
  • P8 Overseen by Board — board approves plan, budget, resources; they are accountable too

Defines "Essential Conditions" boards must provide.


Domain IV — Managing

  • P9 Plan Strategically — risk-based, dynamic (no more "audit every 3 years" cyclical)
  • P10 Manage Resources — document when insufficient
  • P11 Communicate Effectively — bidirectional; listen as much as inform
  • P12 Enhance Quality — QAIP required; internal assessments (Std 12.1). EQA at least every 5 years, assessment team must include ≥1 active CIA (Std 8.4, sits under P8 because the board oversees it)

Domain V — Performing Services

  • P13 Plan Engagements — understand activity, risk assessment, define scope
  • P14 Conduct Work — gather evidence, Four C's, recommendations, conclusions
  • P15 Communicate & Monitor — no surprises; confirm implementation; follow-up

⚠️ New term: "conclusion" replaces "opinion"


⭐ Four C's of Findings:
Condition — what IS (actual situation found)
Criteria — what SHOULD BE (the standard/policy)
Cause — WHY the gap exists (root cause)
Consequence — WHY it matters (risk/impact)

Engagement Effort Split:
Planning  | 20–30%
Fieldwork | 40–50%
Reporting | 15–20%
F/U       | Ongoing

Most failures = planning failures. No surprises in final report = you've talked to mgmt first.

Three Lines Model · Assurance vs Advisory · Topical Requirements 3 / 14

Three Lines Model

Line | Who               | Role
1st  | Management        | Owns risk & controls day-to-day
2nd  | Risk & Compliance | Supports, monitors, provides expertise
3rd  | Internal Audit    | Independent assurance → board
Gov  | Board             | Accountability to stakeholders

IA can rely on 2nd line but must independently verify before reporting conclusions.


Assurance vs Advisory

        | Assurance                          | Advisory
Parties | 3 (auditor, auditee, stakeholders) | 2 (auditor + client)
Scope   | Auditor sets                       | Client sets
Output  | Formal conclusion                  | Recommendations
Posture | Skepticism                         | Collaboration

⚠️ Advisory on a process may impair objectivity for later assurance on that same process; safeguards and disclosure required (Std 2.2 Safeguarding Objectivity, Std 2.3 Disclosing Impairments)

Topical Requirements (New 2024 IPPF)

Mandatory when in scope. Effective 12 months after issuance. Must document which apply + rationale for exclusions.

Topic              | Key Focus
Cybersecurity      | Governance, risk, controls, incident response
IT Governance      | Tech strategy, performance, risk
Privacy Risk Mgmt  | GDPR, CCPA, privacy by design
Third-Party Mgmt   | Vendor risk, due diligence, monitoring
Sustainability/ESG | Climate, supply chain, DEI metrics
Heidegger's Aletheia (ἀλήθεια) = un-concealment / truth. An audit finding is an act of unconcealment — bringing hidden things into the open. The auditor's job: make the invisible visible.

"The unexamined organization is not worth working for." — with apologies to Socrates

CIA Triad · Why Cyber Risk Is Different · Attack Surface 4 / 14

CIA Triad

Objective       | Protects against          | Threats
Confidentiality | Unauthorized disclosure   | Breaches, eavesdropping, unauthorized access
Integrity       | Unauthorized modification | Tampering, malware, MITM attacks
Availability    | Disruption                | DDoS, ransomware, system failures

Every control should map to ≥1 CIA objective. If it doesn't — question why it exists.


Why Cyber Risk Is Different

Adversarial    | Intelligent actor actively probes & adapts
Asymmetric     | Attacker needs 1 weakness; defender must protect ALL
Evolving       | Threat changes daily, not annually
Invisible      | Breaches often undetected for months
Interconnected | Your security = your vendors' security (supply chain)

Market volatility doesn't try to defeat your hedging strategy. Cyber attackers do.

Modern Enterprise Attack Surfaces

  • On-Premises — data centers, legacy systems, poorly documented
  • Cloud — IaaS/PaaS/SaaS; shared responsibility; shadow IT
  • Endpoints — laptops, mobile, IoT, printers, cameras; each = entry point
  • Third-Party — vendors, APIs; your security = weakest vendor
  • Identity & Access — AD, SSO, MFA, privileged accounts; "keys to kingdom"
  • Invisible Layer — shadow IT, forgotten test systems; what you don't know CAN hurt you
Clausewitz: Defense is stronger — but only if you know where to defend. In cyber, the perimeter is everywhere.
Rumsfeld: Shadow IT = known unknown. Zero-days = unknown unknowns.

Risk-based prioritization: What is most critical? Most exposed? Would hurt most if compromised?

Defense in Depth · 4 Organizational Pathologies 5 / 14

Defense in Depth — Control Types

Type       | Examples
Preventive | Firewalls, access controls, encryption, patching, security training
Detective  | SIEM, IDS/IPS, log monitoring, anomaly detection, threat hunting
Corrective | Incident response, backup/restore, disaster recovery, forensics

Layers: Network → Endpoint → Application → Data → Human → Governance

Human layer = often weakest AND strongest. Vigilant employees catch what tools miss.


IIA Cybersecurity Topical Req — 3 Domains:
Governance — does leadership own cybersecurity?
Risk Management — do they know what they're protecting?
Controls — are the controls actually working?
Released: Feb 5, 2025 · Effective: Feb 5, 2026 · Maps to NIST & COBIT

4 Organizational Pathologies

# | Pathology | Key Example / Audit Q
1 | Ownership Gap — unowned systems don't get patched | Target 2013: HVAC vendor. "Show me who owns this system and prove they know it."
2 | Security vs. Business — speed vs. control; CISO reporting line matters | "Show me a project where security delayed launch. What happened?"
3 | Compliance Trap — compliance ≠ security | Equifax, Target, Capital One all PCI compliant when breached. Attackers don't check compliance status.
4 | Learned Helplessness — "if they want in they'll get in" fatalism | Verizon DBIR: stolen credentials + phishing + unpatched systems cause MOST breaches. Fundamentals > exotic attacks.
Stoic wisdom: Focus on what you can control. Can't stop nation-states — but can stop 95% of attacks through fundamentals: patching, MFA, phishing awareness, asset mgmt.
ITGC Testing — Positive/Negative · Test of Design · Design vs OE Failures 6 / 14

Positive vs. Negative Testing

✅ Positive Testing

"Did the control work when it should?"

Testing the happy path

Verify approvals, timelines, documentation

🚫 Negative Testing

"Did the control BLOCK what it should?"

Testing the guardrails

Can terminated users log in? Self-approve? SoD blocked?

⚠️ Positive testing ALONE creates false confidence. A control that approves everything correctly is useless if it blocks nothing.

Test of Design (TOD) — "The Blueprint Test"

"If everyone followed this perfectly, would it prevent/detect the risk?"

Precision    | Specific enough? "Manager approval" vs. "Direct mgr via ServiceNow within 24h with justification"
Completeness | All scenarios? Contractors? Emergency? Transfers?
Authority    | Right people? Clerk approving exec access?

Design Failure vs. OE Failure

       | Design Failure                                        | OE Failure
What   | Control CAN'T work                                    | Control DIDN'T work
Why    | Flawed blueprint: policy gap, wrong approvers, no SLA | Good design, bad execution: approval skipped, SLA breached
Remedy | Process/policy redesign                               | Training, monitoring, automation
⚠️ CRITICAL: Don't prescribe training for a design problem. Classification drives the right recommendation.

Tick Marks (must define in legend)

Tested, no exception
Exception identified
T Traced/Tied to source
R Recalculated
I Inquiry (confirmed verbally)
Inspected original doc

Golden Rule: If you can't point to a specific exhibit/row/doc for every fact → not documented properly.

ITGC Sampling — Methods · Sample Size Table (AICPA/PCAOB) 7 / 14

Sampling Methods

Method        | Use When                                        | Limitation
Random        | Large, homogeneous populations                  | May miss high-risk by chance
Stratified    | Heterogeneous pop. with risk strata             | Must understand risk factors
Haphazard     | Small populations; preliminary testing          | NOT statistically valid; unconscious bias
Census (100%) | Critical controls; small populations; high-risk | Time-consuming
⭐ Best Practice: Combine methods — Stratified/Random for general pop. + Census (100%) for:
  • Privileged users
  • SoD conflicts
  • Emergency access (break-glass)

Required Sampling Documentation

  1. Population source (where data came from)
  2. Population completeness verification
  3. Selection criteria applied
  4. Sample size rationale (why this number)
  5. Selection method (random seed, every Nth, etc.)
  6. Sample listing with unique identifiers

Reviewer's Test: Could another auditor recreate your exact sample?
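One way to pass the reviewer's test, as an added example written for these notes (not IIA, AICPA or course material): a constructed population of access events is split into strata, the critical strata (privileged users, SoD conflicts) get a census, the remaining strata get a seeded random draw, and the returned workpaper record holds the six documentation items above (source, completeness fingerprint, selection criteria, size rationale, method with seed, sample listing by unique ID) so a second auditor can rerun the exact selection. Stratum names, event IDs and per-stratum sample sizes are assumptions.

```python
"""Reproducible risk-stratified sample selection for an ITGC access test.

Added example: constructed population, hypothetical stratum names and sizes.
Critical strata are tested 100%; other strata use a seeded random sample so
the draw can be recreated by anyone holding the same extract and seed.
"""
import hashlib
import random
from collections import defaultdict

# Constructed population: (event_id, event_type, privileged, sod_conflict).
POPULATION = (
    [("PRV-%03d" % i, "provisioning", True, False) for i in range(1, 9)]
    + [("SOD-%03d" % i, "modification", False, True) for i in range(1, 6)]
    + [("NEW-%03d" % i, "provisioning", False, False) for i in range(1, 121)]
    + [("TRM-%03d" % i, "termination", False, False) for i in range(1, 81)]
    + [("MOD-%03d" % i, "modification", False, False) for i in range(1, 201)]
)

# Hypothetical planned sample size per non-critical stratum (from the sizing table).
PLAN = {"provisioning": 25, "termination": 25, "modification": 20}


def stratum_of(event):
    """Census strata take priority over the risk-based random strata."""
    _event_id, event_type, privileged, sod_conflict = event
    if privileged:
        return "privileged (census)"
    if sod_conflict:
        return "sod_conflict (census)"
    return event_type


def population_fingerprint(population):
    """SHA-256 over the sorted IDs: proves the population tested is the same
    extract a reviewer holds, not merely the same row count."""
    ids = sorted(e[0] for e in population)
    return hashlib.sha256("\n".join(ids).encode()).hexdigest()


def select_sample(population, plan, seed, source="IAM extract (hypothetical)"):
    """Return the workpaper record: documentation items plus the sample itself."""
    strata = defaultdict(list)
    for event in population:
        strata[stratum_of(event)].append(event[0])
    rng = random.Random(seed)  # same seed + same population = same sample
    selections = {}
    for name in sorted(strata):  # fixed iteration order so the draw is stable
        ids = sorted(strata[name])
        if name.endswith("(census)"):
            selections[name] = ids                      # 100% of critical strata
        else:
            n = min(plan[name], len(ids))
            selections[name] = sorted(rng.sample(ids, n))  # seeded random draw
    return {
        "population_source": source,
        "population_size": len(population),
        "population_fingerprint": population_fingerprint(population),
        "selection_criteria": "census: privileged or SoD-conflict events; "
                              "random: remaining events by event_type",
        "size_rationale": "per-stratum sizes from engagement plan: %r" % plan,
        "selection_method": "random.Random(seed).sample per stratum",
        "seed": seed,
        "strata_sizes": {k: len(v) for k, v in strata.items()},
        "sample_sizes": {k: len(v) for k, v in selections.items()},
        "sample": selections,
    }


if __name__ == "__main__":
    wp = select_sample(POPULATION, PLAN, seed=20241231)
    for key, value in wp.items():
        if key != "sample":
            print(key, ":", value)
    for stratum, ids in wp["sample"].items():
        print(stratum, len(ids), ids[:5], "...")
```

Record the seed and the fingerprint in the workpaper next to the sample listing; if the reviewer reruns the selection and gets a different fingerprint, the population changed, which is a completeness problem rather than a sampling problem.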

⭐ Sample Size Table (AICPA/PCAOB)

Frequency      | Low   | Mod   | High
Annual (1)     | 1     | 1     | 1
Quarterly (4)  | 2     | 2–3   | 4
Monthly (12)   | 2–3   | 4–6   | 8–12
Weekly (52)    | 5–9   | 10–15 | 20–25
Daily (250+)   | 10–15 | 20–30 | 40–60
Per occurrence | 25    | 40    | 60
Factors that INCREASE sample size:
↑ Risk level · ↑ Expected deviations · ↑ Desired confidence · ↑ Prior year exceptions

Stratification Example (Meridian Case)

Population       | Risk     | Method     | Sample
Privileged users | Critical | Census     | 100%
SoD conflicts    | Critical | Census     | 100%
New provisioning | High     | Stratified | 60
Terminations     | High     | Stratified | 52
Modifications    | Medium   | Random     | 45
ITGC Risk Ratings · Finding Structure 8 / 14

Risk Ratings — External (SOX/PCAOB)

Rating            | Definition                                                           | Consequence
Material Weakness | Reasonable possibility material misstatement NOT prevented/detected | Adverse ICFR opinion
Sig. Deficiency   | Less than MW but merits oversight attention                          | Report to Audit Committee
Ctrl Deficiency   | Design/operation gap; may not reach SD/MW threshold                  | Management letter
Internal (IIA) Remediation Timelines:
🔴 Critical / High → 30 days  |  🟡 Medium → 60–90 days  |  🟢 Low → 6 months

Finding Structure Comparison

            | External (Mgmt Letter)                       | Internal (IA Finding)
Structure   | Condition → Criteria → Cause → Effect → Rec. | Title → Background → Observation → Risk → Rec. + Owner + Due Date + Mgmt Response
Tone        | Formal, regulatory                           | Collaborative, advisory
Specificity | "Certain users" (vague)                      | Named individuals, specific data points
Audience    | Audit Committee / regulators                 | Management + CAE + Board
Key Distinction: External findings protect the auditor legally — vague by design. Internal findings are actionable by design — specific names, dates, and owners required.
8 Rules for Audit Reporting Excellence 9 / 14
Rule                      | What It Means
1. Lead with headline     | Exception rate goes first — "2 of 60 (3.3%) had exceptions"
2. Quantify everything    | Never "several" or "many" → always "3 of 127 (2.4%)"
3. Fact vs. judgment      | "16 hrs elapsed" = fact · "deficiency" = judgment · label each clearly
4. Define your population | State the universe: "Of 412 new provisioning events during the test period…"
5. Show your math         | "16.75 hrs (Fri 5pm → Sat 9:45am) vs. 4-hr SLA" — never assert without the calculation
6. Compensating controls  | Acknowledge them: "No unauthorized access confirmed via sign-in logs" = credibility
7. Actionable recs        | Not "improve controls" → "implement real-time Workday-to-Entra sync by Q2"
8. Write for the skeptic  | Pre-answer every "how do you know?" — assume the reviewer challenges every assertion
✗ WEAK: "Several users had access issues during the period. Management should improve controls."
✓ STRONG: "1 of 5 (20%) terminations exceeded the 4-hr SLA. jdavis55 was disabled 16.75 hrs after HR termination (Fri 5:00pm → Sat 9:45am). Compensating control: no post-termination logins confirmed via Entra sign-in logs. Root cause: batch sync runs Monday only. Rec: implement real-time Workday-to-Entra sync by Q2."
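The STRONG finding above, and the negative-testing question from card 6 ("can terminated users log in?"), as one worked test. This is an added example, not from the notecards or any vendor tool: constructed HR termination timestamps, constructed account-disable timestamps and constructed sign-in records are joined; for each termination the script computes the elapsed hours (fact), judges it against a hypothetical 4-hour SLA (criteria), counts successful post-termination sign-ins (the compensating control), and builds the quantified headline from the stated population. Usernames, dates and the SLA are assumptions; a termination with no disable event at all is treated as an exception rather than as zero elapsed time.

```python
"""Negative test of the termination control, written up per the 8 rules.

Added example with constructed data: an HR feed, an identity-provider
disable trail and sign-in records. Usernames, dates and the 4-hour SLA are
hypothetical.
"""
from datetime import datetime

SLA_HOURS = 4.0  # hypothetical criteria: account disabled within 4 hrs of HR termination

# Constructed HR feed: user -> effective termination timestamp.
HR_TERMINATIONS = {
    "jdavis55": datetime(2024, 12, 6, 17, 0),    # Fri 5:00pm
    "mlee21":   datetime(2024, 12, 9, 9, 30),
    "rpatel7":  datetime(2024, 12, 10, 14, 0),
    "kchen3":   datetime(2024, 12, 11, 16, 45),
    "abrown9":  datetime(2024, 12, 12, 11, 0),
}

# Constructed IdP audit trail: user -> timestamp the account was disabled.
ACCOUNT_DISABLED = {
    "jdavis55": datetime(2024, 12, 7, 9, 45),    # Sat 9:45am
    "mlee21":   datetime(2024, 12, 9, 10, 5),
    "rpatel7":  datetime(2024, 12, 10, 15, 20),
    "kchen3":   datetime(2024, 12, 11, 17, 10),
    "abrown9":  datetime(2024, 12, 12, 12, 30),
}

# Constructed sign-in records: (user, timestamp, result).
SIGN_INS = [
    ("jdavis55", datetime(2024, 12, 6, 8, 2), "success"),
    ("jdavis55", datetime(2024, 12, 6, 16, 40), "success"),  # before termination
    ("jdavis55", datetime(2024, 12, 7, 10, 30), "failure"),  # after disable: blocked
    ("mlee21",   datetime(2024, 12, 9, 8, 55), "success"),
    ("rpatel7",  datetime(2024, 12, 10, 13, 10), "success"),
]


def hours_between(start, end):
    return (end - start).total_seconds() / 3600.0


def evaluate_terminations(hr, disabled, sign_ins, sla_hours=SLA_HOURS):
    """One row per termination: facts, judgment against criteria, and the
    compensating-control evidence; plus the quantified headline (rules 1, 2, 4)."""
    rows = []
    for user, term_at in sorted(hr.items()):
        off_at = disabled.get(user)
        # Fact: elapsed hours; None means no disable event exists (account still enabled).
        elapsed = hours_between(term_at, off_at) if off_at is not None else None
        # Judgment: the fact measured against the criteria (the SLA).
        breached = elapsed is None or elapsed > sla_hours
        # Compensating control: any successful sign-in after the HR termination time?
        post = [t for (u, t, r) in sign_ins
                if u == user and r == "success" and t > term_at]
        rows.append({
            "user": user,
            "hr_termination": term_at,
            "account_disabled": off_at,
            "elapsed_hours": elapsed,
            "sla_breached": breached,
            "post_termination_logins": len(post),
        })
    exceptions = [r for r in rows if r["sla_breached"]]
    rate = 100.0 * len(exceptions) / len(rows) if rows else 0.0
    headline = "%d of %d (%.1f%%) terminations exceeded the %g-hr SLA" % (
        len(exceptions), len(rows), rate, sla_hours)
    return {"population": len(rows), "rows": rows,
            "exceptions": exceptions, "headline": headline}


def show_math(row, sla_hours=SLA_HOURS):
    """Rule 5: state the calculation, not just the conclusion."""
    fmt = "%a %Y-%m-%d %H:%M"
    if row["account_disabled"] is None:
        return "%s: no disable event found after HR termination on %s (still enabled)" % (
            row["user"], row["hr_termination"].strftime(fmt))
    return ("%s: disabled %.2f hrs after HR termination (%s -> %s) vs. %g-hr SLA; "
            "%d successful post-termination sign-ins") % (
        row["user"], row["elapsed_hours"],
        row["hr_termination"].strftime(fmt), row["account_disabled"].strftime(fmt),
        sla_hours, row["post_termination_logins"])


if __name__ == "__main__":
    result = evaluate_terminations(HR_TERMINATIONS, ACCOUNT_DISABLED, SIGN_INS)
    print(result["headline"])
    for row in result["exceptions"]:
        print(show_math(row))
```

The row dict is deliberately split into fact fields (timestamps, elapsed hours, login count) and one judgment field (sla_breached), so the workpaper can cite the facts by row and keep the deficiency call as a labelled conclusion (rule 3). A user with successful sign-ins after termination is the case where the compensating control has failed and the finding should be rated higher, not merely noted.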
Solzhenitsyn — "Live Not By Lies" (1974) 10 / 14
Context: Dated Moscow, Feb 12, 1974 — the day of his arrest (he was expelled from the USSR the next day). Circulated as samizdat (underground self-published literature). Written to Soviet citizens under totalitarian rule.

The Central Argument

Totalitarian power sustains itself not through constant overt violence, but through the daily participation of ordinary people in lies.

Violence needs lies to maintain respectability. Lies need violence to be enforced. They are symbiotic.

But violence cannot act on every shoulder every day. All it demands: obedience to lies and daily participation in lies.


The Minimum Path

The "simplest and most accessible key to liberation": personal non-participation in lies.

Not revolution. Not marching into squares. Not hunger strikes. Simply: refuse to say what you do not think.

"The most moderate of all paths of resistance" — easier than Gandhi's civil disobedience. The flames will not touch your body.

Virus Metaphor: Lies are like a virus — they can survive only in a living organism. When people stop participating, the lies are rendered helpless and subside. Withdrawal of participation is the cure.

Key Concepts

Concept                                | Key Point
Fear hierarchy                         | People don't fear nuclear war. They fear acts of civil courage — losing white bread, heating gas, Moscow registration.
Spiritual independence vs. servitude   | Every day: either truth (spiritual independence) or lies (spiritual servitude). No neutral ground.
The code of conduct                    | Won't sign/write phrases distorting truth; won't cite out of context to please; will walk out of meetings where lies are told; won't buy publications that distort facts.
Czechoslovakia                         | Unarmed people with worthy hearts can stand up to tanks. If we are thousands, they cannot stop us all.
Pushkin closing                        | "What use to the herds the gifts of freedom? The scourge and a yoke with tinkling bells." Those who choose comfort over truth deserve their suffocation.
→ IIA Connection: P1 Integrity / Std 1.1. The auditor pressured to "reframe" a finding is doing exactly what Solzhenitsyn warns against — small daily participation in lies. Kant's categorical imperative: if all auditors did this, the profession collapses.
Didion — "On Self-Respect" (1961) 11 / 14
Context: Originally published in Vogue; collected in Slouching Towards Bethlehem. Uses "negative definition" — defines self-respect largely through what it is NOT.

The Central Argument

Self-respect is an internal standard — entirely independent of others' approval or reputation. Its source is character: the willingness to accept responsibility for one's own life.

Self-deception is the most difficult deception. No winning smiles or lists of good intentions work in the well-lit back alley where one keeps assignations with oneself.


Key Concepts

Concept                  | What It Means
Self-respect ≠ approval  | Has nothing to do with others' approval — who are, after all, deceived easily enough. Rhett Butler: reputation is what people with courage can do without.
Character                | "The willingness to accept responsibility for one's own life" — the source of self-respect; sometimes loses ground to more negotiable virtues.
Interminable documentary | Without self-respect: unwilling audience to endless replay of one's failings, broken promises, gifts wasted through sloth/cowardice.

More Key Concepts

Concept                        | What It Means
Jordan Baker vs. Julian English | Baker (dishonest, Great Gatsby) HAD self-respect — made her own peace. English (suicidal, Appointment in Samarra) did NOT. Self-respect ≠ conventional virtue.
Discipline as habit            | Self-respect is "a discipline, a habit of mind that can be developed, trained, coaxed forth." Small disciplines represent larger ones — reminders of who we are.
Alienation from self           | Advanced stage: can't say no without drowning in self-reproach. Eventually runs away to find oneself and finds no one home.
Intrinsic worth                | To have it = potentially have everything: ability to discriminate, love, remain indifferent. To lack it = locked within oneself, paradoxically incapable of either love or indifference.
→ IIA Connections:
Self-deception → Confirmation bias (P2 Objectivity)
Character/responsibility → P1 Integrity (Std 1.1)
Discipline as habit → P4 Due Professional Care & Husserl's trained attention
Courage of one's mistakes → owning errors in prior work
Milgram — "The Perils of Obedience" (1973) 12 / 14
Context: Stanley Milgram, Yale social psychologist. Published in Harper's Magazine, Dec 1973; adapted from his book Obedience to Authority (1974). The experiments (1961–62) were already under way before Hannah Arendt's Eichmann trial coverage appeared (1963); Milgram later read his results alongside her "banality of evil" thesis.

The Experiment — Setup

Role         | Who They Are        | What Happens
Teacher      | Naïve real subject  | Administers shocks; the true focus of the study
Learner      | Actor / confederate | Receives no real shock; pretends to suffer
Experimenter | Authority figure    | Gives prods: "The experiment requires you continue"

Shock generator: 15–450 volts, labeled Slight → Danger: Severe Shock → XXX. Each subject first receives a real 45-volt sample to confirm authenticity.


Key Findings

Predicted: Psychiatrists forecast only a pathological fringe (~1 in 1,000) would reach 450 volts.

Actual: 25 of 40 subjects (62.5%) obeyed to the maximum 450-volt shock. Results replicated across Yale students, New Haven community members, and internationally (Munich: 85% obedient).

Agentic State: The essence of obedience — person comes to view himself as the instrument of another's will and no longer regards himself as responsible for his actions. Once this shift occurs, all features of obedience follow.

What Reduces Obedience

Variation                                          | Effect
Orders given by telephone (not in person)          | Obedience drops to ~⅓ of normal
Two experimenters give conflicting orders          | No shocks delivered past disagreement point
Two peers disobey first                            | 36 of 40 subjects joined and refused
Subject not ordered directly (subsidiary task)     | 37 of 40 continued to highest level — "I only administered the test"

Key Concepts for Exam

Concept                        | Definition / Key Point
Banality of Evil               | Arendt: Eichmann not a sadistic monster — an uninspired bureaucrat. Milgram confirms: ordinary people, not sadists, deliver 450 volts out of duty.
Diffusion of responsibility    | Subject who only "administers the test" credits responsibility to the person who "actually pulled the switch." Classic in complex organizations.
Physical presence of authority | Experimenter in room → high obedience. Phone orders → obedience drops sharply.
Subjects' motivation           | NOT sadism — they derive satisfaction from pleasing authority ("proud of doing a good job"), not from inflicting pain.
→ IIA Connections:
Agentic state → auditor who "just follows the manager's direction" on a finding = P1 Integrity failure
Diffusion of responsibility → "The partner signed off" ≠ absolution for the staff auditor
Peer disobedience variation → speak-up culture / IIA Standard on reporting impairments
Milgram + Solzhenitsyn: both show ordinary people enable evil through compliance, not malice
Cross-Essay Synthesis · Readings → IIA Ethics Connections 13 / 14

What All Three Readings Share

  • All locate moral failure in ordinary people yielding to structure/authority/approval — not in monsters
  • Solzhenitsyn & Didion: integrity lives in an internal standard, not external validation
  • Milgram & Solzhenitsyn: ordinary compliance enables large-scale harm — no malice required
  • All three argue the individual retains a choice that determines moral identity

Parallel Mapping

Solzhenitsyn                         | Didion                           | Milgram                     | IIA Principle
Non-participation in lies            | Character: accept responsibility | Defying the agentic state   | P1 Integrity / Std 1.1
Fear of civil courage                | Seeking others' approval         | Obedience to authority      | P2 Objectivity — independence
Spiritual independence               | Intrinsic worth                  | Personal moral agency       | P1 + P2 together
"Refuse to say what you don't think" | "Discipline, habit of mind"      | Peer who disobeys first     | P4 Due Professional Care
Virus needs living host              | Interminable documentary         | Diffusion of responsibility | Fraud depends on auditor silence
Heidegger link: Aletheia (unconcealment) = Solzhenitsyn's insistence that truth appear naked before the world. The auditor as agent of unconcealment.

Applied to Audit Practice

Solzhenitsyn → Auditor

Softening a finding = daily participation in lies

Audit manager who removes a finding = the living host the lie needs

Didion → Auditor

Seeking management approval for findings = opposite of self-respect

Confirmation bias = self-deception (most difficult deception)

Milgram → Auditor

"I just followed the partner's direction" = agentic state; no absolution

Speak-up culture = Milgram's peer disobedience variation — one voice changes the room

⭐ The Big Picture (likely exam Q):
All three essays describe what an integrated person looks like — refusing lies (Solzhenitsyn), deriving standards from within not others' approval (Didion), and defying the agentic state to remain a moral agent (Milgram). The IIA's five ethics principles describe this same integrated person applied to audit.


Master Quick Reference — Everything on One Card 14 / 14
2024 Standards: 5 Domains · 15 Principles · 52 Standards
I Purpose · II Ethics · III Governing (most changed) · IV Managing · V Performing
IIA Ethics Principles & Philosophers
P1 Integrity       | Kant's categorical imperative — universal law
P2 Objectivity     | Husserl's epoché — bracket assumptions; beware confirmation bias
P3 Competency      | Aristotle's phronesis — practical wisdom; use specialists
P4 Due Prof. Care  | Hume — can't test everything; sample intelligently
P5 Confidentiality | Breach once = never candid again
Four C's · Engagement · Key Terms
Four C's     | Condition · Criteria · Cause · Consequence
Effort split | Planning 20-30% · Fieldwork 40-50% · Reporting 15-20%
EQA          | At least every 5 years · ≥1 active CIA on the assessment team (Std 8.4)
Conclusion   | New 2024 term — replaces "opinion"
Topical Reqs | Mandatory when in scope · Effective 12 months after issuance
CIA Triad
Confidentiality | Unauthorized disclosure → breaches, eavesdropping
Integrity       | Unauthorized modification → tampering, MITM, malware
Availability    | Disruption → DDoS, ransomware, system failures
ITGC Key Facts
Positive test   | Happy path — did it work when it should?
Negative test   | Guardrails — did it block what it should?
TOD             | Blueprint — can the control work? (Precision/Completeness/Authority)
Design fail     | Can't work → redesign (don't prescribe training!)
OE fail         | Didn't work → training, monitoring, automation
MW              | Reasonable possibility material misstatement → adverse ICFR opinion
Sig. Deficiency | Less than MW → report to Audit Committee
Census          | 100% — always for privileged users, SoD conflicts
Daily/High      | 40–60 samples (AICPA/PCAOB)
Solzhenitsyn: Non-participation in lies = P1 Integrity. Virus metaphor: lies survive only in living host.
Didion: Self-respect = character (internal). Self-deception = most difficult deception = Confirmation Bias (P2).
Milgram: 62.5% obeyed to 450V. Agentic state = "I'm just an instrument." Diffusion of responsibility. Peer disobedience drops compliance to ~10%. Banality of evil.
All Three: Ordinary people enable harm through compliance/lies/approval-seeking — not malice. Integrated person = refuses all three.

Good luck on the exam!