CCSA Exam contents.doc

domain i: csa fundamentalsdomain i - csa fundamentals (5 - 10%)a. code of ethics (p)b. ownership and accountability for control (p)c. reliance on operational expertise (p)d. comparison to traditional techniques of risk and control evaluation (p)e. control awareness and education (p)f. cooperation, participation, and partnership (p) p = candidates must exhibit proficiency (thorough understanding; ability to apply concepts) in these topic areas.a = candidates must exhibit awareness (knowledge of terminology and fundamentals) in these topic areas.domain ii - csa program integration (15 - 25%)a. alternative approaches to csa (a)b. supporting technology alternatives (a) 1. database 2. electronic voting 3. presentation software and hardware 4. project management softwarec. cost/benefit analysis for implementation of the csa process (a)d. organizational theory and behavior (a) 1. structure 2. philosophy 3. culture 4. management style 5. governancee. strategic and operational planning processes (a)f. change management and business process reengineering (a)g. presentation techniques for successful integration (a)h. organizational risk and control processes (a) 1. quality management 2. risk management 3. safety audits 4. environmental audits 5. internal and external auditi. client feedback mechanisms (e.g., interviews, surveys) (a)j. strategic csa program planning methodologies or techniques, including resource allocation (a) domain iii: elements of the csa processdomain iii - elements of the csa process (15 - 25%)a. managements priorities and concerns (p)b. project and logistics management (p)c. business objectives, processes, challenges, and threats for the area under review (p)d. resource identification and allocation (a) 1. participants 2. csa teame. culture of area under review (p)f. question development techniques (p)g. technology supporting the csa process (p)h. facilitation techniques and tools (p)i. group dynamics (p)j. fraud awareness (a) 1. red flags/symptoms of fraud 2. communication and investigation channels 3. responding to evidencek. evaluation/analytical tools and techniques (trend analysis, data synthesis, scenarios) (a)l. formulating recommendations or actions plans (practical, feasible, cost-effective) (p)m. nature of evidence (sufficiency, relevance, adequacy) (a)n. reporting techniques and considerations (types, audience, sensitive issues, access to information) (p)o. motivational techniques (creating support and commitment for recommendations) (a)p. monitoring, tracking, and follow-up techniques (a)q. awareness of legal, regulatory, and ethical considerations (a)r. measuring csa program effectiveness (a)domain iv: business objectives/organizational performancedomain iv - business objectives and organizational performance (10 - 15%)a. strategic and operational planning processes (a)b. objective setting, including alignment to the organizations mission and values (p)c. performance measures (p) 1. financial 2. operational 3. qualitatived. performance management (p) 1. aligning individual, group, and organizational objectives/goals 2. designing congruent incentivese. data collection and validation techniques (e.g., benchmarking, auditing, consensus testing, etc.) (a)domain v: risk identification and assessmentdomain v - risk identification and assessment (15 - 20%)a. risk theory (p) 1. defining risk 2. relationship of risk to strategic, operational, or process objectives 3. risk tolerance, residual risk, and exposure 4. impact assessmentb. risk models/frameworks (including cosos enterprise risk management/ integrated framework) (p)c. understanding the risks inherent in common business processes (p)d. application of risk identification and assessment techniques (p)e. risk management techniques/cost-benefit analysis (p) 1. transfer, manage, or accept 2. impact/cost-benefit analysis f. using csa in enterprise risk management (p)domain vi: control theory and applicationdomain vi - control theory and application (20 - 25%)a. corporate governance, control theory, and models (p) 1. accountability and responsibility for control 2. defining control 3. relationship between risk, control, and objectivesb. methods for judging and communicating the overall effectiveness of the system of internal control (p) 1. using csa to support managements assertion on controlsc. relationship between informal and formal controls (p)d. techniques for evaluating formal controls (manual or automated) (p)e. techniques for evaluating informal controls/control environment (p)f. control documentation techniques (p) 1. flowcharting 2. business process mapping 3. control charts 4. control questionnaires 5. internal control over financial reportingg. control design and application (p) 1. defining control objectives 2. control design (e.g., preventive, detective, corrective; informal, formal) 3. cost/benefitsh. techniques for determining control track record for the organization (e.g., reviews, audits, other assessments) (a)exam preparation resources certification in control self-assessment (ccsa)study guidethe iia publishes a ccsa study guide to assist candidates in preparing for the exam. it is available for order through the iiarfs bookstore. the guide provides a general overview of the topics that will be covered in the exam. however, it is critical that candidates perform additional study in areas where their experience or background dictates the need for additional review. a list of reference materials is included in the study guide to provide additional resources to supplement your studies.other study guidesthe iiarfs bookstore also offers several other general study guides to assist candidates in preparing for the ccsa exam. candidates may use the exam content outline in conjunction with this or other books on csa and related topics to prepare for the ccsa exam. control self-assessment: a practical guide by larry hubbard business risk assessment by david mcnamee internal control - integrated framework*, sponsored by the committee of sponsoring organizations of the treadway commission (coso) and researched and written by coopers & lybrand llp mckeever ccsa study system by john j. mckeeversample exam questionsthe iia includes a limited number of sample ccsa exam questions (with answers) on its web site to give candidates an understanding of the types of questions that typically appear on the exam.iia seminarsthe iia offers the following seminars on csa practices and principles that may assist candidate in preparing for the ccsa exam: enterprise risk management: whats new? whats next? (featuring cosos erm framework) evaluating internal controls: a coso-based approach introduction to control self-assessment sarbanes-oxley act: impact on information technology sox primer - charting your course sox 404 readiness workshop value-added business controls: the right way to manage risk ccsa candidates may also consider taking the iias facilitating results using csa seminar to satisfy the facilitation requirement of the ccsa program.ccsa review coursejohn j. mckeever, ccsa, cfe, cqa, cpc, president of contemporary business concepts, offers a ccsa review course as a third-party independent training consultant. he may be reached by phone, (203) 312-0153, or by e-mail, . the mckeever ccsa study system is now available at the iiarfs bookstore.iia member discountsreminder, iia members receive preferred discount pricing on most of the ccsa study materials available through the iiarfs online bookstore, in additional to hundreds of other internal auditing educational products.for ccsa candidates outside the united states - we recommend you refer to your countrys internal control guidelines (e.g. coco-canada; cadbury-united kingdom; vienot-france; king-south africa) to prepare for the ccsa exam.1. which is a basic philosophy underlying facilitated workshop approaches to csa?a. effective control should be a shared responsibility involving all employees.b. internal control should be solely the responsibility of senior management. c. operational personnel should be independently assessing internal control. d. the internal audit department should be primarily responsible for internal control evaluations.question from domain i(a) correct. employees at all levels are responsible for internal control and getting together to discuss it in a facilitated workshop reinforces employees responsibility.(b) incorrect. internal control is a responsibility of senior management, but not solely their responsibility. while senior management is ultimately responsible for overall internal control, choice a is better because it is an underlying philosophy of csa. (c) incorrect. while operational personnel will assess internal control in csa, their assessments are not considered independent since they perform the work. internal auditors are often called upon to provide independent assessment of internal control through validation or follow-up of csa results. (d) incorrect. this is not an underlying philosophy of csa. possible reference: control self-assessment: a practical guide. by larry hubbard. pp. 5-7. control self-assessment: experience, current thinking, and best practices. prepared by arthur andersen llp for the iia-ottawa chapter. p. 2.2. which phrase best describes a control-based csa process?a. evaluating, updating, and streamlining selected control processes.b. examining how well controls are working in managing key risks.c. analyzing the gap between control design and control frameworks .d. determining the cost-effectiveness of controls.question from domain ii(a) incorrect. this phrase best describes a process-based approach, although control processes are not the only processes reviewed in this approach.(b) correct. a control-based approach concentrates on how well controls are working to manage risks. the key risks and controls are generally identified before the workshop. (c) incorrect. while control design could be compared to control frameworks in a control-based approach, this does not adequately describe the process. a control-based process is more likely to examine the gap between control design and control effectiveness in managing risks. (d) incorrect. cost-effectiveness could be discussed in a control-based csa workshop, but it is not the primary focus of this process. possible reference: control self-assessment: a practical guide. by larry hubbard. pp. 15-17, 94-95 (from iia ppp 98-2).3. during a meeting prior to a csa workshop, the unit manager tells the facilitator that previous attempts at group discussion have met with staff resistance. how should the facilitator respond?a. agree that a csa workshop would be inappropriate.b. discuss the reasons for previous resistance and ways to prevent or reduce it.c. explain how open participants were in csa workshops conducted elsewhere in the company. d. reassure the manager that csa overcomes resistance.question from domain ii(a) incorrect. canceling the workshop would not be appropriate based solely on a possibility of staff resistance to group discussions. (b) correct. preparation through pre-workshop interviews and meetings allows the facilitator to discuss potential problems or culture issues with management or attendees. the facilitator can then be prepared to address these issues in the workshop. (c) incorrect. while successes in other departments may be used in marketing csa, they would only be relevant in this situation if the other participants had been originally resistant to group discussion as well. choice b is a better response. (d) incorrect. although csa may often overcome resistance to group discussion, it is not guaranteed. choice b is a better response because it addresses the need to prepare for possible resistance. possible reference: control self-assessment: a practical guide. by larry hubbard. pp. 45-46.v4. which is least likely to impair the implementation of csa in an organization?a. using inadequate facilitators.b. neglecting to use voting software.c. lacking management support.d. selecting a complex project for the pilot.question from domain ii(a) incorrect. this is a major pitfall that can impair the implementation of csa. use of inadequate or untrained facilitators can ruin an otherwise well-planned csa session. (b) correct. while voting software can add significantly to the workshop process, it is not an absolute requirement for successful csa implementation. for example, many smaller organizations or organizations with an open culture can have successful csa workshops without voting software. (c) incorrect. this is a major pitfall that can impair the implementation of csa. it is important to get managements agreement, commitment, and conviction that they will make the process work. (d) incorrect. this is a major pitfall that can impair the implementation of csa. starting small is the best way to proceed with an initial project. starting with a complex project greatly increases the likelihood of failure. possible reference: control self-assessment: a practical guide. by larry hubbard. pp. 8, 47-49, 73, 87-89. control self-assessment: experience, current thinking, and best practices. prepared by arthur andersen llp for the iia-ottawa chapter. p. 47.5. how does electronic voting technology contribute to the csa process?a. by reducing reliance on facilitators.b. by automating the csa process.c. by promoting anonymity to gather and quantify data.d. by limiting candidate discussion to topics being voted uponquestion from domain iii(a) incorrect. electronic voting is only a tool. facilitators are still required to run the workshop and promote discussion. (b) incorrect. voting technology is only a tool within the csa process. it does not automate the whole csa process. (c) correct. electronic voting allows individual participants to secretly register their beliefs/perceptions on issues being discussed. in addition, it can accumulate and quantify their votes in graphic feedback. (d) incorrect. electronic voting does not limit discussion. if other topics are presented by attendees, the facilitator may broaden the discussion to include these topics, as appropriate. possible reference: control self-assessment: a practical guide. by larry hubbard. pp. 47-49. control self-assessment: experience, current thinking, and best practices. prepared by arthur andersen llp for the iia-ottawa chapter. pp. 83-85.6. which is not an appropriate action for a csa facilitator to take?a. keep track of time ensuring the group remains on schedule.b. concentrate on group dynamics and help the group remain focused.c. conduct interviews to gather background information prior to the workshop.d. provide the solutions to address control problems identified by the group.question from domain iii(a) incorrect. this is an appropriate role of the facilitator. (b) incorrect. this is an appropriate role of the facilitator. (c) incorrect. this is an appropriate role of the facilitator. (d) correct. facilitators should not offer solutions to control problems identified by the group or force their views on control on the group. the facilitator helps the group create its own solutions. possible reference: control self-assessment workshop facilitators guide (world bank). the iias csa library series 97-1. pp. 45-47. control self-assessment: a practical guide. by larry hubbard. pp. 38-46.v7. how should a csa workshop facilitator deal with shy or quiet individuals who are not participating in discussions?a. encourage them to leave if they are uncomfortable participating.b. ask their opinion on a neutral subject to encourage their participation.c. go around the room requiring each persons input.d. contact them after the workshop to obtain their input.question from domain iii(a) incorrect. although excluding individuals from a workshop is an option, it is usually based on the need to have some staff remain at operating functions or to remove individuals who may inhibit the team analysis and cooperation. this type of individual poses little risk, and encouraging them to leave a workshop that is in session might send a negative message to other participants. (b) correct. the facilitator must make an additional effort to have such individuals provide input and should validate their contributions in order to build up confidence. allowing participants to provide opinions on neutral subjects could draw them out. however, the facilitator should avoid forcing a quiet participant to provide input and should allow the participant to pass if necessary. (c) incorrect. while going around the room and asking each individual to speak on a topic may provide a level of comfort for the individual to voice an opinion, requiring input may have a negative effect. (d) incorrect. contacting them after the workshop to obtain their input is counter to the fundamental idea that a csa workshop is built on group discussion. possible reference: control self-assessment: a practical guide. by larry hubbard. pp. 40-45.8. which statement is true regarding strategies?a. strategies describe how a company will achieve its objectives.b. strategies apply only to higher-level, broad, corporate initiatives.c. strategies are usually de