Part 1: Essentials of Internal Auditing

Welcome to Part 1 of The IIA’s CIA Learning System®. The self-study text for the learning system includes the content addressed in The IIA’s CIA syllabus. (You can download the syllabus from the online Resource Center or from The IIA’s website.) However, in some cases, the content has been reorganized to facilitate instruction and understanding. Refer to the Table of Contents for an outline of the content.

To get the most out of the course materials, complete the course in this order:

1. Begin by accessing the course at www.learncia.com.
2. Read the overview and return to the menu. Select Part 1 from the menu.
3. Complete the pre-test and view the report to help focus your study efforts.
4. Read each section and follow the Next Steps directions included at the end of the section.
5. Complete Part 1 as outlined in the online overview.

Note that Part 1 of the CIA exam will consist of 125 multiple-choice questions and test takers are given 150 minutes to complete this portion of the exam. You can go to https://na.theiia.org/certification/CIACertification/Pages/CIA-Certification.aspx to register for the exam separately.

Study Support

The IIA’s CIA Learning System includes online tools to support your study. These tools may be accessed from the menu at any time.

• Glossary—Refer to the glossary for definitions of terms used in all three parts of The IIA’s CIA syllabus.
• Reports—Refer to the reports to review your most recent test scores and progress through the learning system.
• Resource Center—Refer to the Resource Center to access information about The IIA’s International Professional Practices Framework, updates, test-taking tips, printable flashcards, related links, and reference material and to provide feedback to The IIA regarding the learning system.

The IIA’s CIA Learning System®

The IIA’s CIA Learning System® is based on the Certified Internal Auditor® (CIA®) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the learning system is a good tool for study, reading the text does not guarantee a passing score on the CIA exam. Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice. This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright

These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.

Acknowledgments

The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during the development and subsequent updates of The IIA’s CIA Learning System.

Pat Adams, CIA
Al Marcella, PhD, CISA, CCSA
Terry Bingham, CIA, CISA, CCSA
Markus Mayer, CIA
Raven Catlin, CIA, CPA, CFSA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Patrick Copeland, CIA, CRMA, CISA, CPA
Gary Mitten, CIA, CCSA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
Lynn Morley, CIA, CGA
James D. Hallinan, CIA, CPA, CFSA, CBA
James Roth, PhD, CIA, CCSA
Larry Hubbard, CIA, CCSA, CPA, CISA
Brad Schwieger, CPA, DBA
Jim Key, CIA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CITP
David Mancina, CIA, CPA
Lyndon Remias, CIA

Part 1 Overview

Internal auditing is a discipline that works on behalf of management, the board of directors, and other stakeholders of public and private entities to improve and add value to governance, risk management, and control procedures.
This is in contrast to external auditing, which serves third parties who require reliable financial information based on reliable supporting records. Instead, internal auditors typically have a broader focus (based on their approved internal audit activity charter) that requires them to examine and appraise controls, financial performance, compliance with laws and regulations, and operational performance for their effectiveness. Rather than primarily focusing on historical events as external auditors do, internal auditors also help the board and management make current as well as future-oriented decisions. For example, internal auditors may be asked to assess whether planned operations have the proper controls in place to be likely to achieve organizational goals and objectives.

Drawing further distinctions between internal and external auditors as well as other related review functions can help clarify what internal auditing is and what it is not. These distinctions are described below:

• External auditors/financial auditors. These auditors provide an attestation solely based on the financial reports and statements generated by an organization. While these auditors focus on the accuracy of reported information, they also review the records supporting the statements and the related controls over the financial information. The work of external and financial auditors is historical in nature and is critical to allowing investors and other third parties to make informed decisions (e.g., investing, approving debt issuance) about an organization based on its financial statements when taken as a whole. In the U.S., audits of private companies are governed by the Generally Accepted Auditing Standards (GAAS) of the American Institute of Certified Public Accountants (AICPA) and audits of public companies are governed by the Auditing Standards (AS) of the U.S. Public Company Accounting Oversight Board (PCAOB). The International Federation of Accountants (through its International Auditing and Assurance Standards Board) also promulgates International Auditing Standards (IAS), and these may be in use or adapted for use in various jurisdictions. For example, the U.K. uses a derivative of IAS.
• Compliance. Compliance reviews typically serve to determine whether or not an organization is adhering to a specified law, regulation, standard, policy, or procedure, and the results are reported as such. Compliance audits do not necessarily consider the effectiveness and efficiency of business processes but rather primarily whether the process is—or is not—in compliance. Typically, specialized individuals, some with legal or compliance backgrounds, conduct these reviews.
• Regulators. These auditors work for regulating bodies (in the U.S., for example, the Financial Industry Regulatory Authority [FINRA], the Securities and Exchange Commission [SEC], and the Office of the Comptroller of the Currency [OCC]), and they review compliance with specific regulations as well as the overall safety and soundness of the organizations being examined. These auditors perform compliance reviews of corporations or agencies that are regulated by the specified regulating body.
• Government auditors. Government auditors typically work for departments, ministries, or agencies of a government and provide assurance regarding program requirements, performance audits, budget reviews, and management audits.

A few more contrasting points between the internal and external auditing professions will round out this overview of internal auditing:

• First, individuals employed in an internal audit activity are typically employees of an organization. However, there are alternative arrangements to staff an internal audit department through outsourcing, co-sourcing, and secondment arrangements. By contrast, external auditors are always independent contractors.
• Second, internal auditors provide assurance, compliance, and consulting services and are also concerned with detecting patterns of errors, inefficiencies, and irregularities, including fraud, that impact an organization’s ability to accomplish its objectives, with limited regard for financial materiality. Internal auditors are primarily future-focused, and they play a strong role in helping management improve the organization’s control structure. External auditors are primarily concerned with preventing or detecting fraud when it may have a material effect on the financial statements, though they are still concerned with the potential indicators of fraud overall.
• Third, internal auditors must be independent from the internal organizational functions that they audit, meaning that they exercise no management duties over the areas being audited. Internal audit activities also achieve organizational independence through their direct functional reporting to the board of directors (or a designated audit committee of the board). In general, they remain ready to respond to requests from the board and all management constituents. In contrast, external auditors are independent of both the board and management in fact and in mental attitude.

Part 1 of The IIA’s CIA Learning System looks at a number of the essentials of internal auditing.

• Section I covers the foundations of internal auditing—The IIA’s International Professional Practices Framework; the purpose, authority, and responsibility of the internal audit activity; the requirements of the audit charter; the difference between assurance and consulting services.
• Section II looks at the concepts of independence and objectivity.
• Section III looks at the concepts of proficiency and due professional care.
• Section IV describes aspects of a quality assurance and improvement program.
• Section V covers organizational governance, risk, and controls and corporate social responsibility, and it looks at risk management within an audit activity charter.
• Section VI focuses on fraud risks—the types of these risks, the potential for such risks occurring, and controls to prevent and detect fraud.

Section I: Foundations of Internal Auditing

This section is designed to help you:

• Identify and apply relevant ethical, practical, and legal standards to audit practice, including The IIA’s Code of Ethics, International Standards, and Practice Advisories and relevant laws.
• Explain the International Professional Practices Framework categories of guidance.
• Explain the Mission of Internal Audit.
• List the Core Principles for the Professional Practice of Internal Auditing.
• Define internal auditing.
• Describe compliance with The IIA’s Code of Ethics.
• Explain how the purpose, authority, and responsibility for an internal audit activity are documented, communicated, and approved.
• Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan.

The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 15% of the total number of questions for Part 1. One of the topics is covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) The other topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall of information but also for higher-level mastery, including application, analysis, synthesis, and evaluation.

Section Introduction

The profession of auditing has a rich and storied past. The earliest accounts of auditing date back to Mesopotamia, where marks were used to record ship cargoes and verify financial transactions.
In ancient Rome, the Latin word auditus (the precursor to our term audit) referred to the hearing of oral evidence as one official would verify records with those of another.

Internal auditing has evolved through the years, gaining recognition from executives and organization leaders and altering the focus of audit efforts to respond to the changing needs of the global environment. Today, it focuses heavily on integrated audits, where auditors provide assurance related to any combination of the following engagement types:

• Controls assurance. Providing assurance related to the design and operating effectiveness of key control activities; controls may be operations-, reporting-, or compliance-related.
• Information technology (IT). Providing assurance related to the design and operating effectiveness of general IT or specific application control activities.
• Compliance. Providing assurance related to the design and operating effectiveness of control activities and procedures in place to assure compliance with laws, regulations, policies, etc.
• Operations. Providing assurance related to the effectiveness and efficiency of an organization’s operations, including performance and profitability goals and safeguarding resources against loss.
• Financial assurance. Providing assurance related to the achievement of one or more financial statement assertions (also called management assertions):
  • Existence or occurrence
  • Completeness
  • Valuation and allocation
  • Rights and obligations
  • Presentation and disclosure

Throughout the centuries, auditors have continued to pursue the truth, control transactions, and prevent or detect fraudulent acts. Today, internal audits are independent, unbiased fact-finding exercises that provide verifiable information to a board of directors (especially its audit committee), management, or outside interests. Note that, according to The IIA, a board is:

The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions (e.g., an audit committee).

Topic A: The IIA’s International Professional Practices Framework/Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)

The Framework

The Institute of Internal Auditors (The IIA) provides internal audit practitioners with an International Professional Practices Framework (IPPF). This framework contains many components, as described below, but one key component is referred to as “the Standards.” The IPPF exists to guide internal auditors’ professional practice and ensure the highest-quality internal audit results. In The IIA’s own words, “The purpose of the . . . IPPF is to organize The Institute of Internal Auditors’ . . . authoritative guidance in a manner that is readily accessible on a timely basis while strengthening the position of The IIA as the standard-setting body for the internal audit profession globally.” Furthermore, by reflecting the evolution of current practice, the framework aims “to assist practitioners and stakeholders throughout the world in being responsive to the expanding market for high quality internal auditing.”

In general, a framework like the IPPF provides a structural blueprint of how a body of knowledge and its related guidance fit together. As a coherent system, a framework facilitates consistent development, interpretation, and application of concepts, methodologies, and techniques useful to a discipline or profession.
Throughout the world, internal auditing is performed in diverse environments and within organizations that vary in purpose, size, and structure (e.g., publicly traded, privately owned, not-for-profit, governmental, etc.). In addition, the laws and customs of various countries differ. These differences may affect the practice of internal auditing in each environment. The implementation of the IPPF, therefore, will be governed by the environment in which the internal audit activity carries out its assigned responsibilities. No information contained within the IPPF should be construed in a manner that conflicts with applicable laws or regulations. If a situation arises where information contained in the IPPF is in conflict with legislation or regulation, internal auditors are encouraged to contact The IIA or legal counsel for further guidance.

The IPPF is the compass that provides internal auditors with direction to keep up with the rate of business change. The framework is regularly updated by the International Internal Auditing Standards Board and related IIA international committees. The current IPPF was introduced in July 2015 and became effective in 2017. The International Professional Practices Framework is shown in Exhibit I-1.

Exhibit I-1: International Professional Practices Framework

The IPPF consists of:

• The Mission of Internal Audit.
• The Core Principles for the Professional Practice of Internal Auditing.
• The Definition of Internal Auditing.
• The Code of Ethics.
• The International Standards for the Professional Practice of Internal Auditing (the Standards).
• Implementation Guidance.
• Supplemental Guidance.

The Mission of Internal Audit, the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards are available to be read or downloaded from The IIA’s website (www.theiia.org), along with a great deal of other material relevant to internal auditors, whether or not they are IIA members. (Other materials that may be available to the public for reading or downloading from the website include the monthly newsletters, IIA Global SmartBrief and Tone at the Top, and the Internal Auditor magazine, all of which will be cited as authoritative sources in these study materials.) These materials enhance the knowledge and skills of internal auditors. The Implementation Guidance and the Supplemental Guidance are intended for the use of IIA members and are password-protected.

The full International Professional Practices Framework is available, however, in printed and e-book versions, known familiarly, and for reasons obvious to those who have seen it, as the “Red Book.” It can be ordered online. While the book includes all aspects of the framework, it is not necessarily as up-to-date as the online version, which is subject to continuous review, revision, and addition. Internal auditors should be sure they are familiar with the most current version of the framework available at The IIA’s website. As the auditing environment evolves, so will the recommended guidance materials and, at a more deliberate pace, the Standards. For example, the 2017 edition of the Standards includes two new standards, alignment of the Standards to the Core Principles, and updates to existing standards. Note that this learning system is consistent with the revision of the Standards effective January 1, 2017, which can be viewed at global.theiia.org/standards-guidance/mandatoryguidance/Pages/Standards.aspx.

Authoritative Guidance in the IPPF

As shown above in Exhibit I-1, the authoritative guidance in the IPPF comprises two categories: mandatory and recommended. The Mission of Internal Audit, the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards make up the core of the IPPF, and abiding by them is mandatory for IIA members, practicing internal audit professionals, and Certified Internal Auditors.

Mandatory guidance is denoted within the Standards by the use of the terms must and should. The IPPF Standards Glossary (in the IPPF “Red Book”) defines these words in the following manner:

• The word must specifies an unconditional requirement.
• The word should is used where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The introduction to the Standards goes on to clarify what is meant by mandatory guidance:

The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities. Chief audit executives [CAEs] are accountable for overall conformance with the Standards.

(Note: Adherence to the Standards is required even for those who are not IIA members or CIAs if the statement “conformance with the standards” is used in their work.)

The IPPF’s recommended forms of guidance support the mandatory components. Each standard, for example, is supported by a corresponding Implementation Guide. There are also links, in some cases, to the growing collection of Practice Guides, including the Global Technology Audit Guides (GTAGs) and other supplemental guidance documents. The Implementation Guidance and the Supplemental Guidance are optional, not mandatory. They are The IIA’s version of “best practices.” They provide detailed guidance for conducting internal audit activities, including topical areas, sector-specific issues, processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables. Recommended guidance is endorsed by The IIA and was developed using due process by an IIA international guidance committee and/or institute. Rather than providing definitive answers, supplemental guidance contains a wide range of possible solutions and methods of implementing the mandatory guidance.

A description of each of the IPPF components is included next. Note, however, that The IIA’s Code of Ethics is not covered in this topic. It is covered later, in Topic D of this section.

The Mission of Internal Audit

The Mission of Internal Audit in the IIA’s International Professional Practices Framework articulates what internal audit aspires to accomplish in an organization:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Its place in the IPPF is deliberate, demonstrating how practitioners should leverage the entire framework to facilitate their ability to achieve the mission.

The Core Principles

The IIA describes its Core Principles for the Professional Practice of Internal Auditing, which are included in the IPPF, as follows:

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission.

The Core Principles include:

• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
The Definition of Internal Auditing

According to The IIA’s Definition of Internal Auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

As defined in the Standards Glossary, an internal audit activity is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations.”

Internal auditing activities are often referred to in relation to the acronym GRC (governance, risk, and control) due to the value-adding services internal auditing provides in assurance and consulting engagements to evaluate and help improve GRC effectiveness. Internal auditing is performed by professionals with an in-depth understanding of the culture, systems, and processes of the business. Internal audit activities may be performed by people from within the organization and/or outside the organization (i.e., co-sourced or outsourced). Effective internal auditors serve as an organization’s corporate conscience and advisors for governance, risk, and control operational efficiency and effectiveness. They also educate and make recommendations to management and the board of directors (and/or other governance oversight bodies) to support the organization in meeting its goals and objectives. In fulfilling these responsibilities, internal auditors must demonstrate professionalism, objectivity, knowledge, integrity, and leadership.

Key Terms in the Definition

The following text defines and breaks down some key terms from the Definition of Internal Auditing.

Independent and Objective

The first part of the definition is that internal auditing is an “. . . independent, objective assurance and consulting activity . . .” Organizational independence and individual objectivity form the foundation of internal auditing; all stakeholder confidence in auditors’ work rests on this foundation. IIA Standard 1110 states that the chief audit executive (CAE) “must confirm to the board, at least annually, the organizational independence of the internal audit activity.” (The Standards Glossary defines the chief audit executive as “a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards.”)

What does organizational independence look like for an internal auditor, who is, after all, usually an employee of that organization? Organizational independence exists if the CAE:

• Reports functionally to the board.
• Has direct and unrestricted access to the board.
• Reports administratively to the chief executive officer (CEO) or a similar head of the organization or to some other organizational level so long as the internal audit activity controls the scope of work, the performance of the work, and the reporting of results without interference.

Stakeholders need to know that internal auditors can review any area of the organization without being biased themselves or unduly influenced by others. Internal auditors must have access to any and all records and all employees (including management and persons represented by unions or works councils) as deemed necessary to fulfill their duties. Objectivity requires internal auditors to avoid a conflict of interest or the appearance thereof, meaning that a situation that could be perceived as a conflict of interest could harm the internal auditor’s credibility. Independence and objectivity are discussed more in Section II.

Consulting

Consulting has been part of the Definition of Internal Auditing since 1999. Consulting expands the role of internal auditing into the areas of other value-added services and suggestions related to future-oriented decisions. Auditors can provide insight to decision makers as processes are being developed so that the proper controls are built into a new project or process from the start. So long as internal auditors make it clear that they are not making any decisions themselves, it does not compromise independence when they perform such work and/or provide advice or suggestions. Management should formally acknowledge or confirm that internal auditors will not play a decision-making role on such engagements.

Risk Management, Control, and Governance

The last part of the Definition of Internal Auditing addresses evaluating and improving the effectiveness of governance, risk management, and control. While the original definition of internal auditing referred only to control, if senior management and the board are so willing (through approval of the annual audit plan including its priorities and resource constraints), internal auditing can, and should, provide a more comprehensive evaluation of the organization’s risk management and governance processes. Internal auditors were and often are the first champions of a comprehensive enterprise risk management process, and many have helped build up this function in the organization. To prevent a loss of independence and objectivity, some organizations have created a chief risk officer position.

The Standards Glossary defines governance as the “combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.” Organizations that get involved in financial scandals often have sophisticated and mature risk management processes, but a common pattern is that they also have governance structures that ignore the risk assessments in favor of high profits. Internal auditors can help ensure that the organization has the proper “tone at the top,” management and operating methodology, and ethics and integrity. Internal auditors can also provide assurance that risk taking is truly within the organization’s risk appetite both in terms of the organization’s ability to take risk (e.g., worthwhile strategic initiatives such as new products or new goals, plus sufficient financial health) and the board’s stated willingness to assume risks in specific areas.

Governance, risk, and control are defining activities for an enterprise. Successful organizations don’t champion one over another; rather, they recognize the powerful interplay and benefits of all three. Collectively, governance, risk, and control largely determine an organization’s ability to succeed in its marketplace. Well-conceived and well-executed, these three activities also support healthy interactions with the organization’s stakeholders. Internal auditors must be proficient in each of the three activities.

In discussing the requirements of Standard 2100, “Nature of Work,” Implementing the Professional Practices Framework, second edition, succinctly summarizes how internal auditors must evaluate and contribute to the improvement of governance, risk management, and control systems. These points are shown in Exhibit I-2.
Exhibit I-2: Nature of Work for Internal Audit Activity Nature of Work for Internal Audit Activity Governance Help an organization assess and make recommendations for improving governance in its accomplishment of the following objectives: • • Promoting appropriate ethics and values in the organization Ensuring effective organizational performance management and accountability • Effectively communicating risk and control information to appropriate areas of the organization • Effectively coordinating the activities of and communicating information among the board, management, and external and internal auditors • Clearly establishing, communicating, and monitoring organizational objectives Risk Help an organization manage risk by: • • • Control Identifying and evaluating significant exposures to risk. Contributing to the improvement of risk management and control systems. Monitoring and evaluating the risk management system. Help an organization maintain effective controls by: • • Evaluating the effectiveness and efficiency of controls. Promoting the continuous improvement of the control environment and related control activities. Source: Implementing the Professional Practices Framework, second edition, by Urton Anderson and Andrew J. Dahle. The internal audit activity must determine the best way to accomplish the activities in these three areas. Factors such as the organizational culture, the role of the internal audit group in the organization, and stakeholder expectations will shape specific internal auditing practices. Section V of this part examines exactly what constitutes effective governance, risk management and control, in accordance with The IIA’s Part 1 exam syllabus. The IIA’s View of “Modern Internal Auditing” The IIA’s framework contains—and implicitly incorporates—the Institute’s definition of the profession of internal auditing. 
The definition makes clear The IIA’s commitment to a broad view of internal auditing that includes assurance as well as consulting and that focuses on helping management meet organizational objectives rather than solely focusing on traditional matters such as attesting to the accuracy of financial statements and compliance with laws and regulations. As Sawyer, et al., write in their definitive Sawyer’s Internal Auditing (published by The IIA Research Foundation): “Financial matters represent only one aspect of internal auditing’s purview. Once perceived as the client’s adversary, internal auditors now pursue cooperative, productive working relationships with clients through value-adding activities.” Sawyer accurately names this view of the profession as “modern internal auditing.”

The IIA’s International Standards

The IIA recognizes that defining a set of global standards for a profession practiced in a wide variety of environments poses challenges. As the Introduction to the Standards states, “Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization.” Nevertheless, the Introduction continues, “Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential.”

The purpose of the Standards can be broken down as follows:
• To guide adherence to the mandatory elements of the International Professional Practices Framework
• To provide a framework for performing and promoting a broad range of value-added internal auditing
• To establish the basis for the evaluation of internal audit performance
• To foster improved organizational processes and operations

Many internal audit functions—of private, nonprofit, and government organizations as well as public companies—have adopted the Standards into their charters (consistent with the language in Attribute Standard 1000,
described below). The Standards have also received the imprimatur of the Treadway Commission, which states, in the Treadway Commission Report:

The professionalism of internal auditors has been enhanced in recent years by the efforts of The Institute of Internal Auditors (IIA), the professional organization for internal auditors. Standards of The IIA offer excellent guidance for effective internal auditing and reflect some of the most advanced thinking on fraud prevention and detection. The Commission encourages public companies that have not done so to consider adopting The IIA Standards.

The Standards are principles-based mandatory guidance rather than a detailed set of rules and regulations. Some Standards include “interpretation” text to further explain the guidance description. This italicized text should not be overlooked, as it is part of the standard. The Standards employ terms that have been given specific meanings; these are defined in the Standards Glossary. Whenever these terms are defined in this learning system, they are identified as being from the Standards Glossary.

Types of Standards

There are three types of Standards: Attribute Standards, Performance Standards, and Implementation Standards.

Attribute Standards

The Attribute Standards address the characteristics of organizations and parties performing internal audit activities. Attribute Standards apply to all internal audit services and internal auditors individually. Attribute Standards are numbered in the 1000s range. The major sections of Attribute Standards are as follows: The following are examples of two of the Attribute Standards.
• Attribute Standard 1000—“Purpose, Authority, and Responsibility”: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
• Attribute Standard 1100—“Independence and Objectivity”: The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Each of the sections of Attribute Standards can have multiple subsections. For example, Standard 1100’s subsections (1110, 1120, etc.) all deal with some aspect of independence and objectivity. Similarly, Standard 1300 on quality assurance and improvement contains a subsection 1310, “Requirements of the Quality Assurance and Improvement Program,” which in turn contains two subsections, 1311, “Internal Assessments,” and 1312, “External Assessments.” The numbering system leaves room for additions in the future, recognizing that the standards will continue to evolve.

Performance Standards

Performance Standards describe the nature of internal auditing and provide quality criteria for evaluating audit performance. Similar to Attribute Standards, Performance Standards apply to all internal audit services as well as internal auditors. Performance Standards are numbered in the 2000s range. The major sections of the Performance Standards are as follows: The following are examples of two of the Performance Standards.
• Performance Standard 2000—“Managing the Internal Audit Activity”: The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization.
• Performance Standard 2100—“Nature of Work”: The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.

As you can see, the Performance Standards at this highest level address topics of general applicability; from 2200 through 2600, they trace the course of the well-constructed audit. Performance Standards also have more detailed subsections. As the framework evolves over time, these standards and subsections are also updated.

Implementation Standards

Implementation Standards expand upon Attribute and Performance Standards; they provide separate mandatory instructions for implementing the Attribute and Performance Standards depending on whether the engagement is to be for assurance or consulting. (The Standards Glossary defines an engagement as “a specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy.”) Assurance and consulting services are described further in Topic C of this section.

Exceptions to Mandatory Guidance of Standards

If laws or regulations prohibit internal auditors from complying with certain parts of the Standards, appropriate disclosures should be made. Internal auditors should comply with all other parts of the Standards.

The IIA’s IIASB

The Standards, as we have seen, are continuously evolving.
The IIA’s International Internal Auditing Standards Board (IIASB), the party responsible for the issuance and publication of the Standards, bases each new standard on consultations with authorities around the world, including select members of the global IIA board of directors and persons representing major global organizations or regulators external to the IIA. The International Professional Practices Framework, in all its parts, incorporates the idea that internal auditing is, truly, a global profession. The intent of the IIASB is to propose changes to the Standards when they will substantively improve the practice of internal auditing. The IIASB is a group of practicing professionals, independent of The IIA’s certification group of The IIA’s CIA Learning System.

Recommended Guidance

As noted at the beginning of this topic, the IPPF’s recommended forms of guidance support the mandatory components (the Mission, the Core Principles, the Definition, the Code of Ethics, and the Standards). Recommended guidance includes Implementation Guides and Practice Guides.

Implementation Guides

Implementation Guides provide concise and timely guidance to assist internal auditors in interpreting and applying the Code of Ethics and the Standards and promoting best practices. They include practices relating to international or country- or industry-specific issues; specific types of engagements; and legal or regulatory issues. Some Implementation Guides are applicable to all internal auditors; others have a more specific focus. Implementation Guides address approach, methodology, and considerations but not detailed processes and procedures. All internal auditors and other interested parties are welcome to submit suggestions to The IIA’s Standards Board to help in the continued development of the guides. Implementation Guides have ongoing updates and changes to provide new best practices to conform with the requirements of the Standards.
All Implementation Guides are submitted to a formal review process by the Standards Board or other group designated by the Professional Practices Advisory Council. The most up-to-date versions of these and other parts of the framework appear at The IIA’s website (www.theiia.org). The Implementation Guides are intended for the use of IIA members and are therefore password-protected on the website. Implementation Guides will form the background of the presentation of many topics in this course.

As an example of how the Implementation Guides function, recall Standard 1110, “Organizational Independence,” which contains this mandate:

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

How to put that into practice may not be immediately obvious to an organization’s CAE. To get clarification, the CAE can bring up the Contents section of the online framework (assuming that he or she is an IIA member), go to the section listing Implementation Guides, find an entry for Implementation Guide 1110, “Organizational Independence,” and read the further guidance provided there.

Even with the guidance of the Implementation Guides, the auditor will inevitably encounter challenging situations that aren’t specifically covered. When this happens, the auditor is still responsible for making decisions that are guided by the principles underlying the specific Standards and Rules of Conduct in the Code of Ethics. For The IIA’s members, these principles—and their animating spirit—cannot be overruled by a manager’s instructions or an organization’s contrary practices, policies, or culture. Only the law overrides the Code and the Standards.
However, CAE and/or internal auditor judgment and experience are crucial to applying the standards, rules, and ethics in the best way possible, and there can be differences of opinion on the best way to apply them.

Practice Guides

Practice Guides are another form of guidance provided by The IIA to help internal auditors incorporate the Standards into their practice. According to the Preface to the IPPF, the Practice Guides provide “detailed guidance for conducting internal audit activities” and include “detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.” Like the Implementation Guides, these materials are listed only in the sections of The IIA’s website that require a password for access.

Purpose, Authority, and Responsibility of the Internal Audit Activity

The IIA asserts that an effective internal audit activity is a valuable resource for management and the board (or its equivalent) and the audit committee due to the activity’s understanding of the organization and its culture, operations, and risk profile. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization’s governance, risk management, and internal control processes. Similarly, an effective internal audit activity can provide assurance to other stakeholders such as regulators, employees, providers of finance, and shareholders.

Purpose, Authority, Responsibility Characteristics

Internal auditors need a clear mandate that provides the authority they need and supports their independence and objectivity if they are to deliver this level of value in an organization.
For an internal audit activity to best support executive management and boards of directors in accomplishing overall organizational goals and objectives and strengthen internal controls and corporate governance, the purpose, authority, and responsibility of the internal audit activity must be understood. Exhibit I-3 reviews the key elements characterizing internal audit activity purpose, authority, and responsibility.

Exhibit I-3: Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity

Purpose
• Provide an independent, objective assurance and consulting activity.
• Support organizational objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
• Determine if organizational governance, risk management, and control processes are in place and functioning properly.
• Communicate any opportunities for improvement or risk exposures to the appropriate management level (and the board/audit committee as appropriate).
• Add value and improve an organization’s operations.

Authority
• Provide appropriate unfettered access to records, personnel, and physical properties.
• Maintain full and open access with the audit committee, board of directors, or other appropriate governing authority.
• Secure necessary internal and external resources to accomplish audit activity objectives as planned.

Responsibility
• Document the objectives and scope of the engagement as well as the methodology to be used.
• Ensure that internal audit activity staff have sufficient knowledge, skills, experience, and/or professional certifications to fulfill the engagement charter.
• Communicate the results of the internal audit activity or other matters that the CAE determines necessary to senior management, the audit committee, the board, or other governing body of the organization.
• Consider the coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.
• Do not perform management activities.

Supporting Endeavors

Internal auditors perform ongoing internal quality assessments of the function’s activities and are required to undergo independent external quality assessments to validate conformance to the Standards. These processes answer the question “Who audits the auditors?” The answer cannot be that nobody does.

Individuals may also receive auditor certifications. There are many reasons to obtain an official IIA certification designation such as the Certified Internal Auditor® (CIA®) certification. Obtaining a certification such as this is professionalism defined. The IIA’s CIA Learning System, which you are now reading, is an example of IIA certification preparation materials.

Used in combination, all of these professional endeavors help individual auditors and the organizations they serve to succeed together.

Topic B: Requirements of the Internal Audit Charter (Level B)

An internal auditing activity will be of the highest value when clients view engagements positively and are open to accepting results. An organization’s audit committee, chief executive officer, and senior-level management team need to establish a “tone at the top” that supports the credibility of the internal audit function. Without this critical top-down support, the internal audit activity becomes vulnerable to client biases, defensiveness, and other human shortcomings. A primary way to do this is to formally document and secure approval by the board and acceptance by management for an internal audit charter. The charter and several other documents should be in place to support the purpose, authority, and responsibility of the internal audit department and internal audit activities.
Related Standards and Implementation Guides

The Standards and Implementation Guides related to the internal audit charter’s role in defining the purpose, authority, and responsibility of the internal audit activity are listed in Exhibit I-4.

Exhibit I-4: Internal Audit Charter Standards and Related Guidance

Standard: Attribute Standard 1000, “Purpose, Authority, and Responsibility”
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
Related Guidance: Implementation Guide 1000, “Purpose, Authority, and Responsibility”

Standard: Implementation Standard 1000.A1 (Assurance Engagements)
The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

Standard: Implementation Standard 1000.C1 (Consulting Engagements)
The nature of consulting services must be defined in the internal audit charter.

Standard: Performance Standard 2060, “Reporting to Senior Management and the Board”
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
Related Guidance: Implementation Guide 2060, “Reporting to Senior Management and the Board”

The Internal Audit Charter

According to the Standards Glossary, the internal audit charter is:

A formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

The internal audit charter provides a road map for the internal audit activity and provides the vehicle for the internal audit activity to carry out its mission. It defines what the board and senior management can expect from the internal audit activity and directs the efforts of internal audit staff. It also defines the nature of services for assurance and consulting engagements. A written charter may be distributed to other stakeholders, such as process owners and outside parties (suppliers and joint venture partners), to make others aware of the kinds of work internal auditors are performing.

To create the internal audit charter, the CAE must understand the Mission of Internal Audit and the mandatory elements of the IPPF. Implementation Guide 1000, “Purpose, Authority, and Responsibility,” states:

This understanding provides the foundation for a discussion among the CAE, senior management, and the board to mutually agree upon:
• Internal audit objectives and responsibilities.
• The expectations for the internal audit activity.
• The CAE’s functional and administrative reporting lines.
• The level of authority (including access to records, physical property, and personnel) required for the internal audit activity to perform engagements and fulfill its agreed-upon objectives and responsibilities.

The charter must be consistent with the Standards.
Implementation Guide 1000 tells us that providing a formal, written internal audit charter is critical in managing the internal audit activity. The internal audit charter provides a recognized statement for review and acceptance by management and for approval, as documented in the minutes, by the board. It also facilitates a periodic assessment of the adequacy of the internal audit activity’s purpose, authority, and responsibility, which establishes the role of the internal audit activity. If a question should arise, the internal audit charter provides a formal, written agreement with management and the board about the organization’s internal audit activity.

Elements of the Internal Audit Charter

Although internal audit charters may vary by organization, they typically include the following sections, some of which may include aspects of the IPPF:
• Introduction. This section explains the overall role and professionalism of the internal audit activity. Relevant elements of the IPPF are often cited in the introduction.
• Authority. This section affirms the internal audit activity’s full access to the records, physical property, and personnel required to perform engagements and declares internal auditors’ accountability for safeguarding assets and confidentiality.
• Organization and reporting structure. This part of the charter documents the reporting structure for the CAE position. The CAE should report functionally to the board and administratively to a level in the organization that allows the internal audit activity to fulfill its responsibilities. This section may delve into specific functional responsibilities, such as approving the charter and internal audit plan and hiring, compensating, and terminating the CAE. It may also describe administrative responsibilities, such as supporting information flow in the organization or approving the internal audit activity’s human resource administration and budgets.
• Independence and objectivity. This section describes the importance of internal audit independence and objectivity and how these will be maintained, such as prohibiting internal auditors from having operational responsibility or authority over areas audited.
• Responsibilities. This section lays out major areas of ongoing responsibility, such as defining the scope of assessments, conducting an organization-wide risk assessment at least annually, writing an internal audit plan, submitting the plan to the board for approval, performing engagements, communicating results of engagements, and monitoring corrective actions taken by management.
• Quality assurance and improvement. This part of the charter describes the expectations for developing, maintaining, evaluating, and communicating the results of a quality assurance and improvement program that covers all aspects of the internal audit activity.
• Signatures. The signatures document agreement between the CAE, a designated board representative (for example, the audit committee chair), and the individual to whom the CAE reports. This section includes the date, names, and titles of signatories.

A sample internal audit charter is shown below. Keep in mind that no sample is all-encompassing for every internal audit organization. Likewise, all items shown in this sample charter may not be relevant to every engagement. A charter must be tailored to each internal audit activity and the governing rules of the organization.

Exhibit I-5: Sample Internal Audit Charter
Source: “Model Internal Audit Activity Charter,” The Institute of Internal Auditors, https://na.theiia.org/standards-guidance/Public Documents/Model Internal Audit Activity Charter.pdf.

The IIA has another internal audit charter template that may be used as a guide. It is available to IIA members for download and can be found under “Other Supplemental Guidance” on the IIA website.

Communications of the Charter

Significant deviations from the internal audit charter must be communicated.
The CAE cannot change the nature of the audit function without consulting the audit committee or modifying the internal audit charter.

Other Key Documents

Other key documents related to the audit charter include the following:
• Function and responsibility (F and R) statement. This statement establishes the authority and responsibility of the audit staff and delineates appropriate types of auditing activities and access necessary to execute the functions outlined in the charter. The F and R statement may be included in the form of a matrix, where staff roles and assigned activities are identified.
• Statement of policy (also referred to as corporate audit policy or policy statement missions). This policy statement identifies the different missions of the audit activity and assists management and the board in the effective discharge of their responsibilities. The scope and status of internal auditing in the organization is covered, along with its objective to add value and contribute to improved risk management and governance. A policy statement also describes the internal audit department’s authority to carry out audits, issue reports, make recommendations, and evaluate corrective actions.
• Audit manual (policies and procedures). This document includes written policies and procedures intended to provide guidance to the audit staff as they perform their duties. Policies and procedures should be appropriate for the size of the organization and the structure and complexity of the activity. Generally, a larger enterprise would have more formal and detailed communications, while written memos might be sufficient in a small organization.
• Staff job descriptions. Job descriptions should identify requirements of exceptional performance—the knowledge and skills necessary to effectively and efficiently complete a wide range of audit assignments such as staff auditors, auditor-in-charge, audit manager, and unique audit positions.
Topic C: Assurance and Consulting Services (Level P)

Internal auditors no longer only perform compliance-oriented audit engagements; they also provide a variety of assurance and consulting (advisory) services. The Standards Glossary defines assurance services as follows:

An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

The Glossary defines consulting services as:

Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Implementation Standards and Assurance/Consulting Services

Guidance for assurance and consulting services is provided in the IPPF’s Implementation Standards. These expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance or consulting services, as noted by the use of A or C in the standard’s number. For example, 1000.A1 and 1000.C1 are the Implementation Standards related to Attribute Standard 1000, “Purpose, Authority, and Responsibility.”

Implementation Standard 1000.A1, an assurance engagement standard, tells us:

The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

Implementation Standard 1000.C1, a consulting engagement standard, states, in similar language:

The nature of consulting services must be defined in the internal audit charter.
The Standards also state that when performing assurance or consulting services, the internal auditor should maintain objectivity and not assume management responsibility. Now we’ll look at the key differences between assurance and consulting and some examples of the different types of services internal auditors may provide.

Assurance Services

Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusion regarding an entity, operation, function, process, system, or other subject matter. Three parties are generally involved in assurance services:
• The person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner
• The person or group making the assessment—the internal auditor
• The person or group using the assessment—the user

The nature and the scope of the assurance engagement are determined by the internal auditor. Assurance services are at the core of internal auditing. While others can provide consulting services, internal audit has the knowledge of the organization and the independence to provide the board with the information, facts, and conclusions they need to make appropriate decisions.

Assurance work makes up the majority of internal audit activities and is most frequently one or a combination of the following services:
• Operational. Reviewing a process or function to determine effectiveness and efficiency to achieve organizational objectives.
• Compliance. Reviewing financial and operating controls to assess conformance to laws, regulations, standards, policies, and processes.
• Reporting. Reviewing internal controls to provide assurance around the integrity, completeness, and timeliness of internal and/or external financial and non-financial reporting and testing the effectiveness of internal controls over financial reporting (ICFR). Testing ICFR is an important aspect of assurance services for publicly traded companies subject to U.S. Sarbanes-Oxley Act (SOX) requirements.
• IT. Reviewing technology infrastructure to assure integrity of information.

The internal audit activity could also provide assurance services in these areas:
• Due diligence for potential acquisition
• Contract reviews
• Third-party provider audits
• Joint-venture audits
• Performance audits
• Construction projects
• Entity-level reviews
• System implementations
• Continuous auditing (versus periodic audit engagements)

Consulting Services

Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. They generally involve two parties:
• The person or group offering the advice—the internal auditor
• The person or group seeking and receiving the advice—the engagement client

The nature and the scope of a consulting engagement are subject to agreement with the engagement client. Such agreements should be formalized in writing. Consulting services can include any advisory activity that improves the organization’s governance, risk management, controls, and compliance. The following are examples of different types of consulting services.

• Advisory consulting engagements. These engagements are designed to offer advice and might include:
  • Advising on control design.
  • Advising during development of policies and procedures.
  • Participating in an advisory role for high-risk projects.
  • Advising on certain enterprise risk management activities.
  • Recommending solutions to key issues or challenges facing the organization.
• Training consulting engagements. These engagements are educational in nature and might include:
  • Training on governance, risk management, and internal control.
  • Benchmarking internal areas with comparable areas of similar organizations to identify best practices.
• Post mortem analysis—that is, determining lessons learned from a project after it is completed. • Facilitative consulting engagements. These engagements might include: • Facilitating an organization’s risk assessment process. • Facilitating management’s control self-assessment. • Facilitating a task force charged with redesigning controls and procedures for a new or changed area. • Acting as a liaison between management and independent outside auditors, government agencies, vendors, and contractors on control issues. Consulting may range from formal engagements, defined by written agreements, to informal activities, such as participating in standing or temporary management committees or project teams. Internal auditors may be requested to help in special consulting engagements, such as participation in a merger or acquisition project or in an emergency engagement (for example, a review of disaster recovery activities). These may require departure from normal or established procedures for conducting consulting engagements. The following are common examples of consulting activities: • Business process improvement • Risk and control self-assessment • Continuous monitoring of controls • Internal control review • Forensic audits • Operational readiness (product launch, new service or system) • Governance principles and practices • Ethics training • Internal control training • Participation on committees In all situations, a consulting engagement should not be conducted in an attempt to circumvent assurance engagement requirements such as the need to provide an opinion at the end of an engagement. This is consistent with The IIA’s Code of Ethics. On the flip side, services once conducted as an assurance engagement may be performed as a consulting engagement—if deemed appropriate. However, such consulting activities should be coordinated with other internal audit assurance activities as well as external audit activities to minimize redundancy. 
(See Standard 2050, “Coordination and Reliance.”)

“Blended” Engagements

Assurance and consulting services are not mutually exclusive, so an audit activity can have both assurance and consulting components. A “blended” engagement may consolidate elements of assurance and consulting activities. In other instances, individual components of an engagement may be specified as assurance or consulting. This blending of the two types of services can add value and create efficiencies. However, if assurance and consulting services are blended, it must be ensured that there are no conflicts of independence, objectivity, or otherwise with regard to roles and responsibilities. And it is often necessary to communicate the outcomes separately, since the purpose and the scope will differ between the assurance and consulting components of an engagement.

Topic D: The IIA’s Code of Ethics (Level P)

It is improbable that professionals in any field or organization would dispute the aspirations set forth in a code of ethics. Well-developed codes of ethics help to foster ethical behavior, affirm core values, deter unethical actions, and cope with ethical dilemmas. For internal auditors, a formal code of ethics provides a window into generally accepted standards of conduct useful to an organization and its customers. It sets forth a uniform approach to guide conduct.

Ethical conduct depends upon a commitment to “do the right thing,” of course, but it also requires a clear vision of what the right thing is. Seeing clearly in ethical matters can be challenging. The conflicts of interest that arise almost inevitably in any profession that has multiple responsibilities—to the profession itself, to colleagues, to customers, to employers, and to the community—sometimes cast a shadow across the line that separates the right thing from the usual thing or the easy thing or the profitable thing to do.
A well-founded code of ethics should spell out the standards for acceptable and expected behavior or conduct as well as what constitutes unacceptable behavior or conduct.

The IIA maintains its Code of Ethics “to promote an ethical culture in the profession of internal auditing.” The Code states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and behavioral expectations rather than specific activities.

The Standards Glossary defines The IIA’s Code of Ethics as follows: Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.

The IIA bases its Code of Ethics on four fundamental principles of professional conduct: integrity, objectivity, confidentiality, and competency. The Code interprets each of these four principles by describing what each means and by specifying related Rules of Conduct that provide guidance in how to put the principles into practice. The Code does more than simply demand ethical conduct; it defines that conduct in detail.

All CIAs (regardless of whether they are currently practicing or are working in different functional areas) must abide by The IIA’s Code of Ethics, which is shown in Exhibit I-6.

Exhibit I-6: The IIA’s Code of Ethics

Conflicts of Interest

It isn’t difficult to spot places in the Code of Ethics that identify potential conflicts of interest. For example, under the first principle, integrity, the auditor is required to make disclosures expected by the law and the profession. Under confidentiality, the auditor is mandated to respect the confidentiality of the information unless legally or professionally required to disclose it.
Objectivity may be compromised if the internal auditor is assigned to audit an area in which he or she has worked in the preceding 12 months or plans to work in the near future. Standard 1130.A1, “Impairment to Independence and Objectivity,” provides specific guidance on such conflicts, stating:

Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

A perhaps more subtle conflict arises under competency. Determining at the outset of an engagement whether one is or is not competent to complete it may not be so simple—especially when one’s professional pride or the possibility of a promotion seems to be at stake. There is generally very little support for saying “I can’t do that.” Nevertheless, the principles of the Code and the Rules of Conduct are mandatory in all instances that don’t conflict with legal principles.

It is situations of conflict of interest that make ethical conduct a challenge—and that make codes of conduct necessary. In any situation not directly covered by the Rules of Conduct, the auditor should apply the principles to determine the ethical course of action. Seeking advice from those who may have greater objectivity or more experience is also helpful.

Practical Applications

Exhibit I-7 describes some practical applications of the four principles in The IIA’s Code of Ethics.

Exhibit I-7: Examples of The IIA’s Code of Ethics Principles

• Integrity. The internal auditor should have knowledge of the requirements for the Code of Ethics and perform all activities according to the Code. Integrity includes honesty, diligence, and responsibility; observance of laws; not performing illegal activity; and contributing to the legitimate and ethical objectives of the organization.
• Objectivity. The internal auditor should not perform audits where the assessment would be biased or professional judgment may be impaired. All facts must be disclosed. If an auditor does not feel comfortable in doing an audit, he or she should ask to be removed from the team.
• Confidentiality. Information obtained while performing an audit must be protected and used only as appropriate in the engagement. Information should be used only in conformance to laws or regulations and never used for personal gain.
• Competency. The necessary knowledge, skills, and experience are important requirements for providing internal auditing services. Each internal auditor should have a plan to receive knowledge or training to enhance future performance.

Next Steps

You have completed Part 1, Section I, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study. Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section II. You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Build 08/24/2018 15:39 p.m.