Part 1: Essentials of Internal Auditing
Welcome to Part 1 of The IIA’s CIA Learning System®.
The self-study text for the learning system includes the content addressed
in The IIA’s CIA syllabus. (You can download the syllabus from the
online Resource Center or from The IIA’s website.) However, in some
cases, the content has been reorganized to facilitate instruction and
understanding. Refer to the Table of Contents for an outline of the
content.
To get the most out of the course materials, complete the course in this
order:
1. Begin by accessing the course at www.learncia.com.
2. Read the overview and return to the menu. Select Part 1 from the
menu.
3. Complete the pre-test and view the report to help focus your study
efforts.
4. Read each section and follow the Next Steps directions included at the
end of the section.
5. Complete Part 1 as outlined in the online overview.
Note that Part 1 of the CIA exam will consist of 125 multiple-choice
questions and test takers are given 150 minutes to complete this portion
of the exam. You can go to https://na.theiia.org/certification/CIACertification/Pages/CIA-Certification.aspx to register for the exam
separately.
Study Support
The IIA’s CIA Learning System includes online tools to support
your study. These tools may be accessed from the menu at any
time.
• Glossary—Refer to the glossary for definitions of terms used in all three parts of The IIA’s CIA syllabus.
• Reports—Refer to the reports to review your most recent test scores and progress through the learning system.
• Resource Center—Refer to the Resource Center to access information about The IIA’s International Professional Practices Framework, updates, test-taking tips, printable flashcards, related links, and reference material and to provide feedback to The IIA regarding the learning system.
The IIA’s CIA Learning System®
The IIA’s CIA Learning System® is based on the Certified Internal
Auditor® (CIA®) syllabus developed by The IIA. However, program
developers do not have access to the exam questions. Therefore, while
the learning system is a good tool for study, reading the text does not
guarantee a passing score on the CIA exam.
Every effort has been made to ensure that all information is current and
correct. However, laws and regulations change, and these materials are
not intended to offer legal or professional services or advice. This
material is consistent with the revised Standards of the International
Professional Practices Framework (IPPF) introduced in July 2015,
effective in 2017.
Copyright
These materials are copyrighted; it is unlawful to copy all or any
portion. Sharing your materials with someone else will limit the
program’s usefulness. The IIA invests significant resources to create
quality professional opportunities for its members. Please do not violate
the copyright.
Acknowledgments
The IIA would like to thank the following dedicated subject matter
experts who shared their time, experience, and insights during the
development and subsequent updates of The IIA’s CIA Learning System.
Pat Adams, CIA
Al Marcella, PhD, CISA, CCSA
Terry Bingham, CIA, CISA, CCSA
Markus Mayer, CIA
Raven Catlin, CIA, CPA, CFSA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Patrick Copeland, CIA, CRMA, CISA, CPA
Gary Mitten, CIA, CCSA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
Lynn Morley, CIA, CGA
James D. Hallinan, CIA, CPA, CFSA, CBA
James Roth, PhD, CIA, CCSA
Larry Hubbard, CIA, CCSA, CPA, CISA
Brad Schwieger, CPA, DBA
Jim Key, CIA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CITP
David Mancina, CIA, CPA
Lyndon Remias, CIA
Part 1 Overview
Internal auditing is a discipline that works on behalf of management,
the board of directors, and other stakeholders of public and private
entities to improve and add value to governance, risk management, and
control procedures. This is in contrast to external auditing, which serves
third parties who require reliable financial information based on reliable
supporting records. Instead, internal auditors typically have a broader
focus (based on their approved internal audit activity charter) that
requires them to examine and appraise controls, financial performance,
compliance with laws and regulations, and operational performance for
their effectiveness. Rather than primarily focusing on historical events as
external auditors do, internal auditors also help the board and
management make current as well as future-oriented decisions. For
example, internal auditors may be asked to assess whether planned
operations have the proper controls in place to be likely to achieve
organizational goals and objectives.
Drawing further distinctions between internal and external auditors as
well as other related review functions can help clarify what internal
auditing is and what it is not. These distinctions are described below:
• External auditors/financial auditors. These auditors provide an
attestation solely based on the financial reports and statements
generated by an organization. While these auditors focus on the
accuracy of reported information, they also review the records
supporting the statements and the related controls over the financial
information. The work of external and financial auditors is historical in
nature and is critical to allowing investors and other third parties to
make informed decisions (e.g., investing, approving debt issuance)
about an organization based on its financial statements when taken as a
whole. In the U.S., audits of private companies are governed by the
Generally Accepted Auditing Standards (GAAS) of the American
Institute of Certified Public Accountants (AICPA) and audits of public
companies are governed by the Auditing Standards (AS) of the U.S.
Public Company Accounting Oversight Board (PCAOB). The
International Federation of Accountants (through its International
Auditing and Assurance Standards Board) also promulgates
International Auditing Standards (IAS), and these may be in use or
adapted for use in various jurisdictions. For example, the U.K. uses a
derivative of IAS.
• Compliance. Compliance reviews typically serve to determine whether
or not an organization is adhering to a specified law, regulation,
standard, policy, or procedure, and the results are reported as such.
Compliance audits do not necessarily consider the effectiveness and
efficiency of business processes but rather primarily whether the
process is—or is not—in compliance. Typically, specialized individuals,
some with legal or compliance backgrounds, conduct these reviews.
• Regulators. These auditors work for regulating bodies (in the U.S., for
example, the Financial Industry Regulatory Authority [FINRA], the
Securities and Exchange Commission [SEC], and the Office of the
Comptroller of the Currency [OCC]), and they review compliance with
specific regulations as well as the overall safety and soundness of the
organizations being examined. These auditors perform compliance
reviews of corporations or agencies that are regulated by the specified
regulating body.
• Government auditors. Government auditors typically work for
departments, ministries, or agencies of a government and provide
assurance regarding program requirements, performance audits, budget
reviews, and management audits.
A few more contrasting points between the internal and external auditing
professions will round out this overview of internal auditing:
• First, individuals employed in an internal audit activity are typically
employees of an organization. However, there are alternative
arrangements to staff an internal audit department through outsourcing,
co-sourcing, and secondment arrangements. By contrast, external
auditors are always independent contractors.
• Second, internal auditors provide assurance, compliance, and consulting
services and are also concerned with detecting patterns of errors,
inefficiencies, and irregularities, including fraud, that impact an
organization’s ability to accomplish its objectives, with limited regard
for financial materiality. Internal auditors are primarily future-focused,
and they play a strong role in helping management improve the
organization’s control structure. External auditors are primarily
concerned with preventing or detecting fraud when it may have a
material effect on the financial statements, though they are still
concerned with the potential indicators of fraud overall.
• Third, internal auditors must be independent from the internal
organizational functions that they audit, meaning that they exercise no
management duties over the areas being audited. Internal audit
activities also achieve organizational independence through their direct
functional reporting to the board of directors (or a designated audit
committee of the board). In general, they remain ready to respond to
requests from the board and all management constituents. In contrast,
external auditors are independent of both the board and management in
fact and in mental attitude.
Part 1 of The IIA’s CIA Learning System looks at a number of the
essentials of internal auditing.
• Section I covers the foundations of internal auditing—The IIA’s
International Professional Practices Framework; the purpose, authority,
and responsibility of the internal audit activity; the requirements of the
audit charter; the difference between assurance and consulting services.
• Section II looks at the concepts of independence and objectivity.
• Section III looks at the concepts of proficiency and due professional
care.
• Section IV describes aspects of a quality assurance and improvement
program.
• Section V covers organizational governance, risk, and controls and
corporate social responsibility, and it looks at risk management within
an audit activity charter.
• Section VI focuses on fraud risks—the types of these risks, the
potential for such risks occurring, and controls to prevent and detect
fraud.
Section I: Foundations of Internal Auditing
This section is designed to help you:
• Identify and apply relevant ethical, practical, and legal standards to audit practice, including The IIA’s Code of Ethics, International Standards, and Practice Advisories and relevant laws.
• Explain the International Professional Practices Framework categories of guidance.
• Explain the Mission of Internal Audit.
• List the Core Principles for the Professional Practice of Internal Auditing.
• Define internal auditing.
• Describe compliance with The IIA’s Code of Ethics.
• Explain how the purpose, authority, and responsibility for an internal audit activity are documented, communicated, and approved.
• Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan.
The Certified Internal Auditor (CIA) exam questions based on content from this
section make up approximately 15% of the total number of questions for Part 1.
One of the topics is covered at the “B—Basic” level, meaning that you are
responsible for comprehension and recall of information. (Note that this refers to the
difficulty level of questions you may see on the exam; the content in these areas
may still be complex.) The other topics are covered at the “P—Proficient” level,
meaning that you are responsible not only for comprehension and recall of
information but also for higher-level mastery, including application, analysis,
synthesis, and evaluation.
Section Introduction
The profession of auditing has a rich and storied past. The earliest
accounts of auditing date back to Mesopotamia, where marks were used
to record ship cargos and verify financial transactions. In ancient Rome,
the Latin word auditus (the precursor to our term audit) referred to the
hearing of oral evidence as one official would verify records with those
of another.
Internal auditing has evolved through the years, gaining recognition from
executives and organization leaders and altering the focus of audit efforts
to respond to the changing needs of the global environment. Today, it
focuses heavily on integrated audits, where auditors provide assurance
related to any combination of the following engagement types:
• Controls assurance. Providing assurance related to the design and
operating effectiveness of key control activities; controls may be
operations-, reporting-, or compliance-related.
• Information technology (IT). Providing assurance related to the
design and operating effectiveness of general IT or specific application
control activities.
• Compliance. Providing assurance related to the design and operating
effectiveness of control activities and procedures in place to assure
compliance with laws, regulations, policies, etc.
• Operations. Providing assurance related to the effectiveness and
efficiency of an organization’s operations, including performance and
profitability goals and safeguarding resources against loss.
• Financial assurance. Providing assurance related to the achievement of
one or more financial statement assertions (also called management
assertions):
• Existence or occurrence
• Completeness
• Valuation and allocation
• Rights and obligations
• Presentation and disclosure
Throughout the centuries, auditors have continued to pursue the truth,
control transactions, and prevent or detect fraudulent acts. Today,
internal audits are independent, unbiased fact-finding exercises that
provide verifiable information to a board of directors (especially its audit
committee), management, or outside interests. Note that, according to
The IIA, a board is:
The highest level of governing body charged with the responsibility to direct
and/or oversee the activities and management of the organization. Typically, this
includes an independent group of directors (e.g., a board of directors, a
supervisory board, or a board of governors or trustees). If such a group does not
exist, the “board” may refer to the head of the organization. “Board” may refer
to an audit committee to which the governing body has delegated certain
functions (e.g., an audit committee).
Topic A: The IIA’s International Professional Practices Framework/Purpose, Authority, and Responsibility of the Internal Audit Activity (Level P)
The Framework
The Institute of Internal Auditors (The IIA) provides internal audit
practitioners with an International Professional Practices
Framework (IPPF). This framework contains many components, as
described below, but one key component is referred to as “the
Standards.” The IPPF exists to guide internal auditors’ professional
practice and ensure the highest-quality internal audit results.
In The IIA’s own words, “The purpose of the . . . IPPF is to organize
The Institute of Internal Auditor’s . . . authoritative guidance in a
manner that is readily accessible on a timely basis while strengthening
the position of The IIA as the standard-setting body for the internal audit
profession globally.” Furthermore, by reflecting the evolution of current
practice, the framework aims “to assist practitioners and stakeholders
throughout the world in being responsive to the expanding market for
high quality internal auditing.”
In general, a framework like the IPPF provides a structural blueprint of
how a body of knowledge and its related guidance fit together. As a
coherent system, a framework facilitates consistent development,
interpretation, and application of concepts, methodologies, and techniques
useful to a discipline or profession.
Throughout the world, internal auditing is performed in diverse
environments and within organizations that vary in purpose, size, and
structure (e.g., publicly traded, privately owned, not-for-profit,
governmental, etc.). In addition, the laws and customs of various
countries differ. These differences may affect the practice of internal
auditing in each environment. The implementation of the IPPF, therefore,
will be governed by the environment in which the internal audit activity
carries out its assigned responsibilities. No information contained within
the IPPF should be construed in a manner that conflicts with applicable
laws or regulations. If a situation arises where information contained in
the IPPF is in conflict with legislation or regulation, internal auditors are
encouraged to contact The IIA or legal counsel for further guidance.
The IPPF is the compass that provides internal auditors with direction to
keep up with the rate of business change. The framework is regularly
updated by the International Internal Auditing Standards Board and
related IIA international committees. The current IPPF was introduced in
July 2015 and became effective in 2017.
The International Professional Practices Framework is shown in Exhibit
I-1.
Exhibit I-1: International Professional Practices Framework
The IPPF consists of:
• The Mission of Internal Audit.
• The Core Principles for the Professional Practice of Internal Auditing.
• The Definition of Internal Auditing.
• The Code of Ethics.
• The International Standards for the Professional Practice of Internal
Auditing (the Standards).
• Implementation Guidance.
• Supplemental Guidance.
The Mission of Internal Audit, the Core Principles, the Definition of
Internal Auditing, the Code of Ethics, and the Standards are available to
be read or downloaded from The IIA’s website (www.theiia.org), along
with a great deal of other material relevant to internal auditors, whether
or not they are IIA members. (Other materials that may be available to
the public for reading or downloading from the website include the
monthly newsletters, IIA Global SmartBrief and Tone at the Top, and the
Internal Auditor magazine, all of which will be cited as authoritative
sources in these study materials.) These materials enhance the knowledge
and skills of internal auditors.
The Implementation Guidance and the Supplemental Guidance are
intended for the use of IIA members and are password-protected.
The full International Professional Practices Framework is available,
however, in printed and e-book versions, known familiarly, and for
reasons obvious to those who have seen it, as the “Red Book.” It can be
ordered online. While the book includes all aspects of the framework, it
is not necessarily as up-to-date as the online version, which is subject to
continuous review, revision, and addition. Internal auditors should be
sure they are familiar with the most current version of the framework
available at The IIA’s website. As the auditing environment evolves, so
will the recommended guidance materials and, at a more deliberate pace,
the Standards. For example, the 2017 edition of the Standards includes
two new standards, alignment of the Standards to the Core Principles,
and updates to existing standards.
Note that this learning system is consistent with the revision of the
Standards effective January 1, 2017, which can be viewed at
global.theiia.org/standards-guidance/mandatoryguidance/Pages/Standards.aspx.
Authoritative Guidance in the IPPF
As shown above in Exhibit I-1, the authoritative guidance in the IPPF
comprises two categories: mandatory and recommended.
The Mission of Internal Audit, the Core Principles, the Definition of
Internal Auditing, the Code of Ethics, and the Standards make up the
core of the IPPF, and abiding by them is mandatory for IIA members,
practicing internal audit professionals, and Certified Internal Auditors.
Mandatory guidance is denoted within the Standards by the use of the
terms must and should. The IPPF Standards Glossary (in the IPPF “Red
Book”) defines these words in the following manner:
• The word must specifies an unconditional requirement.
• The word should is used where conformance is expected unless, when
applying professional judgment, circumstances justify deviation.
The introduction to the Standards goes on to clarify what is meant by
mandatory guidance:
The Standards apply to individual internal auditors and internal audit activities.
All internal auditors are accountable for conforming with the Standards related
to individual objectivity, proficiency, and due professional care. In addition,
internal auditors are accountable for conforming with the Standards, which are
relevant to the performance of their job responsibilities. Chief audit executives
[CAEs] are accountable for overall conformance with the Standards.
(Note: Adherence to the Standards is required even for those who are
not IIA members or CIAs if the statement “conformance with the
standards” is used in their work.)
The IPPF’s recommended forms of guidance support the mandatory
components. Each standard, for example, is supported by a
corresponding Implementation Guide. There are also links, in some
cases, to the growing collection of Practice Guides, including the Global
Technology Audit Guides (GTAGs) and other supplemental guidance
documents. The Implementation Guidance and the Supplemental
Guidance are optional, not mandatory. They are The IIA’s version of
“best practices.” They provide detailed guidance for conducting internal
audit activities, including topical areas, sector-specific issues, processes
and procedures, tools and techniques, programs, step-by-step approaches,
and examples of deliverables.
Recommended guidance is endorsed by The IIA and was developed
using due process by an IIA international guidance committee and/or
institute. Rather than providing definitive answers, supplemental guidance
contains a wide range of possible solutions and methods of implementing
the mandatory guidance.
A description of each of the IPPF components is included next. Note,
however, that The IIA’s Code of Ethics is not covered in this topic. It is
covered later, in Topic D of this section.
The Mission of Internal Audit
The Mission of Internal Audit in the IIA’s International Professional
Practices Framework articulates what internal audit aspires to accomplish
in an organization:
To enhance and protect organizational value by providing risk-based and
objective assurance, advice, and insight.
Its place in the IPPF is deliberate, demonstrating how practitioners
should leverage the entire framework to facilitate their ability to achieve
the mission.
The Core Principles
The IIA describes its Core Principles for the Professional Practice of
Internal Auditing, which are included in the IPPF, as follows:
The Core Principles, taken as a whole, articulate internal audit effectiveness. For
an internal audit function to be considered effective, all Principles should be
present and operating effectively. How an internal auditor, as well as an internal
audit activity, demonstrates achievement of the Core Principles may be quite
different from organization to organization, but failure to achieve any of the
Principles would imply that an internal audit activity was not as effective as it
could be in achieving internal audit’s mission.
The Core Principles include:
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
The Definition of Internal Auditing
According to The IIA’s Definition of Internal Auditing:
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.
As defined in the Standards Glossary, an internal audit activity is “a
department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services
designed to add value and improve an organization’s operations.”
Internal auditing activities are often referred to in relation to the
acronym GRC (governance, risk, and control) due to the value-adding
services internal auditing provides in assurance and consulting
engagements to evaluate and help improve GRC effectiveness.
Internal auditing is performed by professionals with an in-depth
understanding of the culture, systems, and processes of the business.
Internal audit activities may be performed by people from within the
organization and/or outside the organization (i.e., co-sourced or outsourced).
Effective internal auditors serve as an organization’s corporate
conscience and advisors for governance, risk, and control operational
efficiency and effectiveness. They also educate and make
recommendations to management and the board of directors (and/or other
governance oversight bodies) to support the organization in meeting its
goals and objectives. In fulfilling these responsibilities, internal auditors
must demonstrate professionalism, objectivity, knowledge, integrity, and
leadership.
Key Terms in the Definition
The following text defines and breaks down some key terms from the
Definition of Internal Auditing.
Independent and Objective
The first part of the definition is that internal auditing is an “. . .
independent, objective assurance and consulting activity . . .”
Organizational independence and individual objectivity form the
foundation of internal auditing; all stakeholder confidence in auditors’
work rests on this foundation.
IIA Standard 1110 states that the chief audit executive (CAE) “must
confirm to the board, at least annually, the organizational independence
of the internal audit activity.” (The Standards Glossary defines the chief
audit executive as “a person in a senior position responsible for
effectively managing the internal audit activity in accordance with the
internal audit charter and the Definition of Internal Auditing, the Code of
Ethics, and the Standards.”) What does organizational independence look
like for an internal auditor, who is, after all, usually an employee of that
organization? Organizational independence exists if the CAE:
• Reports functionally to the board.
• Has direct and unrestricted access to the board.
• Reports administratively to the chief executive officer (CEO) or a
similar head of the organization or to some other organizational level
so long as the internal audit activity controls the scope of work, the
performance of the work, and the reporting of results without
interference.
Stakeholders need to know that internal auditors can review any area of
the organization without being biased themselves or unduly influenced
by others. Internal auditors must have access to any and all records and
all employees (including management and persons represented by unions
or works councils) as deemed necessary to fulfill their duties.
Objectivity requires internal auditors to avoid a conflict of interest or the
appearance thereof, meaning that a situation that could be perceived as a
conflict of interest could harm the internal auditor’s credibility.
Independence and objectivity are discussed more in Section II.
Consulting
Consulting has been part of the Definition of Internal Auditing since
1999. Consulting expands the role of internal auditing into the areas of
other value-added services and suggestions related to future-oriented
decisions. Auditors can provide insight to decision makers as processes
are being developed so that the proper controls are built into a new
project or process from the start. So long as internal auditors make it
clear that they are not making any decisions themselves, it does not
compromise independence when they perform such work and/or provide
advice or suggestions. Management should formally acknowledge or
confirm that internal auditors will not play a decision-making role on
such engagements.
Risk Management, Control, and Governance
The last part of the Definition of Internal Auditing addresses evaluating
and improving the effectiveness of governance, risk management, and
control. While the original definition of internal auditing referred only to
control, if senior management and the board are so willing (through
approval of the annual audit plan including its priorities and resource
constraints), internal auditing can, and should, provide a more
comprehensive evaluation of the organization’s risk management and
governance processes.
Internal auditors were and often are the first champions of a
comprehensive enterprise risk management process, and many have
helped build up this function in the organization. To prevent a loss of
independence and objectivity, some organizations have created a chief
risk officer position.
The Standards Glossary defines governance as the “combination of
processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the
achievement of its objectives.” Organizations that get involved in
financial scandals often have sophisticated and mature risk management
processes but a common pattern is that they also have governance
structures that ignore the risk assessments in favor of high profits.
Internal auditors can help ensure that the organization has the proper
“tone at the top,” management and operating methodology, and ethics
and integrity. Internal auditors can also provide assurance that risk taking
is truly within the organization’s risk appetite both in terms of the
organization’s ability to take risk (e.g., worthwhile strategic initiatives
such as new products or new goals, plus sufficient financial health) and
the board’s stated willingness to assume risks in specific areas.
Governance, risk, and control are defining activities for an enterprise.
Successful organizations don’t champion one over another; rather, they
recognize the powerful interplay and benefits of all three.
Collectively, governance, risk, and control largely determine an
organization’s ability to succeed in its marketplace. Well-conceived and
well-executed, these three activities also support healthy interactions with
the organization’s stakeholders.
Internal auditors must be proficient in each of the three activities. In
discussing the requirements of Standard 2100, “Nature of Work,”
Implementing the Professional Practices Framework, second edition,
succinctly summarizes how internal auditors must evaluate and contribute
to the improvement of governance, risk management, and control
systems. These points are shown in Exhibit I-2.
Exhibit I-2: Nature of Work for Internal Audit Activity
Governance
Help an organization assess and make recommendations for improving governance in its accomplishment of the following objectives:
• Promoting appropriate ethics and values in the organization
• Ensuring effective organizational performance management and accountability
• Effectively communicating risk and control information to appropriate areas of the organization
• Effectively coordinating the activities of and communicating information among the board, management, and external and internal auditors
• Clearly establishing, communicating, and monitoring organizational objectives
Risk
Help an organization manage risk by:
• Identifying and evaluating significant exposures to risk.
• Contributing to the improvement of risk management and control systems.
• Monitoring and evaluating the risk management system.
Control
Help an organization maintain effective controls by:
• Evaluating the effectiveness and efficiency of controls.
• Promoting the continuous improvement of the control environment and related control activities.
Source: Implementing the Professional Practices Framework, second edition, by Urton
Anderson and Andrew J. Dahle.
The internal audit activity must determine the best way to accomplish
the activities in these three areas. Factors such as the organizational
culture, the role of the internal audit group in the organization, and
stakeholder expectations will shape specific internal auditing practices.
Section V of this part examines exactly what constitutes effective
governance, risk management and control, in accordance with The IIA’s
Part 1 exam syllabus.
The IIA’s View of “Modern Internal Auditing”
The IIA’s framework contains—and implicitly incorporates—the
Institute’s definition of the profession of internal auditing. The definition
makes clear The IIA’s commitment to a broad view of internal auditing
that includes assurance as well as consulting and that focuses on helping
management meet organizational objectives rather than solely focusing
on traditional matters such as attesting to the accuracy of financial
statements and compliance with laws and regulations.
As Sawyer, et al., write in their definitive Sawyer’s Internal
Auditing (published by The IIA Research Foundation): “Financial matters
represent only one aspect of internal auditing’s purview. Once perceived
as the client’s adversary, internal auditors now pursue cooperative,
productive working relationships with clients through value-adding
activities.”
Sawyer accurately names this view of the profession as “modern internal
auditing.”
The IIA’s International Standards
The IIA recognizes that defining a set of global standards for a
profession practiced in a wide variety of environments poses challenges.
As the Introduction to the Standards states, “Internal auditing is
conducted in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and
by persons within or outside the organization.” Nevertheless, the
Introduction continues, “Compliance with The IIA’s International
Standards for the Professional Practice of Internal Auditing (Standards)
is essential.”
The purpose of the Standards can be broken down as follows:
• To guide adherence to the mandatory elements of the International
Professional Practices Framework
• To provide a framework for performing and promoting a broad range
of value-added internal auditing
• To establish the basis for the evaluation of internal audit performance
• To foster improved organizational processes and operations
Many internal audit functions—of private, nonprofit, and government
organizations as well as public companies—have adopted the
Standards into their charters (consistent with the language in Attribute
Standard 1000, described below). The Standards have also received the
imprimatur of the Treadway Commission, which states, in the Treadway
Commission Report:
The professionalism of internal auditors has been enhanced in recent years by
the efforts of The Institute of Internal Auditors (IIA), the professional
organization for internal auditors. Standards of The IIA offer excellent guidance
for effective internal auditing and reflect some of the most advanced thinking on
fraud prevention and detection. The Commission encourages public companies
that have not done so to consider adopting The IIA Standards.
The Standards are principles-based mandatory guidance rather than a
detailed set of rules and regulations. Some Standards include
“interpretation” text to further explain the guidance description. This
italicized text should not be overlooked, as it is part of the standard.
The Standards employ terms that have been given specific meanings;
these are defined in the Standards Glossary. Whenever these terms are
defined in this learning system, they are identified as being from the
Standards Glossary.
Types of Standards
There are three types of Standards: Attribute Standards, Performance
Standards, and Implementation Standards.
Attribute Standards
The Attribute Standards address the characteristics of organizations and
parties performing internal audit activities. Attribute Standards apply to
all internal audit services and internal auditors individually.
Attribute Standards are numbered in the 1000s range. The major sections
of Attribute Standards are as follows:
The following are examples of two of the Attribute Standards.
• Attribute Standard 1000—“Purpose, Authority, and Responsibility”
The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Mission of
Internal Audit and the mandatory elements of the International Professional
Practices Framework (the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of Internal
Auditing). The chief audit executive must periodically review the internal audit
charter and present it to senior management and the board for approval.
• Attribute Standard 1100—“Independence and Objectivity”
The internal audit activity must be independent, and internal auditors must be
objective in performing their work.
Each of the sections of Attribute Standards can have multiple
subsections. For example, Standard 1100’s subsections (1110, 1120, etc.)
all deal with some aspect of independence and objectivity. Similarly,
Standard 1300 on quality assurance and improvement contains a
subsection 1310, “Requirements of the Quality Assurance and
Improvement Program,” which in turn contains two subsections, 1311,
“Internal Assessments,” and 1312, “External Assessments.” The
numbering system leaves room for additions in the future, recognizing
that the standards will continue to evolve.
Performance Standards
Performance Standards describe the nature of internal auditing and
provide quality criteria for evaluating audit performance. Similar to
Attribute Standards, Performance Standards apply to all internal audit
services as well as internal auditors.
Performance Standards are numbered in the 2000s range. The major
sections of the Performance Standards are as follows:
The following are examples of two of the Performance Standards.
• Performance Standard 2000—“Managing the Internal Audit
Activity”
The chief audit executive must effectively manage the internal audit activity to
ensure that it adds value to the organization.
• Performance Standard 2100—“Nature of Work”
The internal audit activity must evaluate and contribute to the improvement of
the organization’s governance, risk management, and control processes using a
systematic, disciplined, and risk-based approach. Internal audit credibility and
value are enhanced when auditors are proactive and their evaluations offer new
insights and consider future impact.
As you can see, the Performance Standards at this highest level address
topics of general applicability; from 2200 through 2600, they trace the
course of the well-constructed audit. Performance Standards also have
more detailed subsections. As the framework evolves over time, these
standards and subsections are also updated.
Implementation Standards
Implementation Standards expand upon Attribute and Performance
Standards; they provide separate mandatory instructions for implementing
the Attribute and Performance Standards depending on whether the
engagement is to be for assurance or consulting. (The
Standards Glossary defines an engagement as “a specific internal audit
assignment, task, or review activity, such as an internal audit, control
self-assessment review, fraud examination, or consultancy.”) Assurance
and consulting services are described further in Topic C of this section.
Exceptions to Mandatory Guidance of Standards
If laws or regulations prohibit internal auditors from complying with
certain parts of the Standards, appropriate disclosures should be made.
Internal auditors should comply with all other parts of the Standards.
The IIA’s IIASB
The Standards, as we have seen, are continuously evolving. The IIA’s
International Internal Auditing Standards Board (IIASB), the party
responsible for the issuance and publication of the Standards, bases each
new standard on consultations with authorities around the world,
including select members of the global IIA board of directors and
persons representing major global organizations or regulators external to
the IIA. The International Professional Practices Framework, in all its
parts, incorporates the idea that internal auditing is, truly, a global
profession. The intent of the IIASB is to propose changes to the
Standards when they will substantively improve the practice of internal
auditing. The IIASB is a group of practicing professionals, independent
of The IIA’s certification group of The IIA’s CIA Learning System.
Recommended Guidance
As noted at the beginning of this topic, the IPPF’s recommended forms
of guidance support the mandatory components (the Mission, the Core
Principles, the Definition, the Code of Ethics, and the Standards.)
Recommended guidance includes Implementation Guides and Practice
Guides.
Implementation Guides
Implementation Guides provide concise and timely guidance to assist
internal auditors in interpreting and applying the Code of Ethics and the
Standards and promoting best practices. They include practices relating
to international or country- or industry-specific issues; specific types of
engagements; and legal or regulatory issues. Some Implementation
Guides are applicable to all internal auditors; others have a more specific
focus.
Implementation Guides address approach, methodology, and
considerations but not detailed processes and procedures.
All internal auditors and other interested parties are welcome to submit
suggestions to The IIA’s Standards Board to help in the continued
development of the guides. Implementation Guides have ongoing updates
and changes to provide new best practices to conform with the
requirements of the Standards. All Implementation Guides are submitted
to a formal review process by the Standards Board or other group
designated by the Professional Practices Advisory Council. The most
up-to-date versions of these and other parts of the framework appear at The
IIA’s website (www.theiia.org). The Implementation Guides are intended
for the use of IIA members and are therefore password-protected on the
website.
Implementation Guides will form the background of the presentation of
many topics in this course.
As an example of how the Implementation Guides function, recall
Standard 1110, “Organizational Independence,” which contains this
mandate:
The chief audit executive must report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities. The chief audit
executive must confirm to the board, at least annually, the organizational
independence of the internal audit activity.
How to put that into practice may not be immediately obvious to an
organization’s CAE. To get clarification, the CAE can bring up the
Contents section of the online framework (assuming that he or she is an
IIA member), go to the section listing Implementation Guides, find an
entry for Implementation Guides 1110, “Organizational Independence,”
and read the further guidance provided there.
Even with the guidance of the Implementation Guides, the auditor will
inevitably encounter challenging situations that aren’t specifically
covered. When this happens, the auditor is still responsible for making
decisions that are guided by the principles underlying the specific
Standards and Rules of Conduct in the Code of Ethics. For The IIA’s
members, these principles—and their animating spirit—cannot be
overruled by a manager’s instructions or an organization’s contrary
practices, policies, or culture. Only the law overrides the Code and the
Standards. However, CAE and/or internal auditor judgment and
experience are crucial to applying the standards, rules, and ethics in the
best way possible and there can be differences of opinion on the best
way to apply them.
Practice Guides
Practice Guides are another form of guidance provided by The IIA to
help internal auditors incorporate the Standards into their practice.
According to the Preface to the IPPF, the Practice Guides provide
“detailed guidance for conducting internal audit activities” and include
“detailed processes and procedures, such as tools and techniques,
programs, and step-by-step approaches, including examples of
deliverables.”
Like the Implementation Guides, these materials are listed only in the
sections of The IIA’s website that require a password for access.
Purpose, Authority, and Responsibility of the Internal Audit Activity
The IIA asserts that an effective internal audit activity is a valuable
resource for management and the board (or its equivalent) and the audit
committee due to the activity’s understanding of the organization and its
culture, operations, and risk profile. The objectivity, skills, and
knowledge of competent internal auditors can significantly add value to
an organization’s governance, risk management, and internal control
processes. Similarly, an effective internal audit activity can provide
assurance to other stakeholders such as regulators, employees, providers
of finance, and shareholders.
Purpose, Authority, Responsibility Characteristics
Internal auditors need a clear mandate that provides the authority they
need and supports their independence and objectivity if they are to
deliver this level of value in an organization. For an internal audit
activity to best support executive management and boards of directors in
accomplishing overall organizational goals and objectives and strengthen
internal controls and corporate governance, the purpose, authority, and
responsibility of the internal audit activity must be understood.
Exhibit I-3 reviews the key elements characterizing internal audit activity
purpose, authority, and responsibility.
Exhibit I-3: Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity
Purpose
• Provide an independent, objective assurance and consulting activity.
• Support organizational objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of governance, risk
management, and control processes.
• Determine if organizational governance, risk management, and control
processes are in place and functioning properly.
• Communicate any opportunities for improvement or risk exposures to the
appropriate management level (and the board/audit committee as
appropriate).
• Add value and improve an organization’s operations.
Authority
• Provide appropriate unfettered access to records, personnel, and
physical properties.
• Maintain full and open access with the audit committee, board of
directors, or other appropriate governing authority.
• Secure necessary internal and external resources to accomplish audit
activity objectives as planned.
Responsibility
• Document the objectives and scope of the engagement as well as the
methodology to be used.
• Ensure that internal audit activity staff have sufficient knowledge,
skills, experience, and/or professional certifications to fulfill the
engagement charter.
• Communicate the results of the internal audit activity or other matters
that the CAE determines necessary to senior management, the audit
committee, the board, or other governing body of the organization.
• Consider the coordination of internal and external audit work to
increase economy, efficiency, and effectiveness of the overall audit
process.
• Do not perform management activities.
Supporting Endeavors
Internal auditors perform ongoing internal quality assessments of the
function’s activities and are required to undergo independent external
quality assessments to validate conformance to the Standards. These
processes answer the question “Who audits the auditors?” The answer
cannot be that nobody does.
Individuals may also receive auditor certifications. There are many
reasons to obtain an official IIA certification designation such as the
Certified Internal Auditor® (CIA®) certification. Obtaining a certification
such as this is professionalism defined. The IIA’s CIA Learning System,
which you are now reading, is an example of IIA certification
preparation materials.
Used in combination, all of these professional endeavors help individual
auditors and the organizations they serve to succeed together.
Topic B: Requirements of the Internal Audit Charter (Level B)
An internal auditing activity will be of the highest value when clients
view engagements positively and are open to accepting results. An
organization’s audit committee, chief executive officer, and senior-level
management team need to establish a “tone at the top” that supports the
credibility of the internal audit function. Without this critical top-down
support, the internal audit activity becomes vulnerable to client biases,
defensiveness, and other human shortcomings. A primary way to do this
is to formally document and secure approval by the board and
acceptance by management for an internal audit charter. The charter and
several other documents should be in place to support the purpose,
authority, and responsibility of the internal audit department and internal
audit activities.
Related Standards and Implementation Guides
The Standards and Implementation Guides related to the internal audit
charter’s role in defining the purpose, authority, and responsibility of the
internal audit activity are listed in Exhibit I-4.
Exhibit I-4: Internal Audit Charter Standards and Related Guidance
Standard: Attribute Standard 1000, “Purpose, Authority, and
Responsibility”
The purpose, authority, and responsibility of the internal audit activity
must be formally defined in an internal audit charter, consistent with
the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework (the Core Principles
for the Professional Practice of Internal Auditing, the Code of Ethics,
the Standards, and the Definition of Internal Auditing). The chief audit
executive must periodically review the internal audit charter and
present it to senior management and the board for approval.
Related Guidance: Implementation Guide 1000, “Purpose, Authority, and
Responsibility”
Standard: Implementation Standard 1000.A1 (Assurance Engagements)
The nature of assurance services provided to the organization must
be defined in the internal audit charter. If assurances are to be
provided to parties outside the organization, the nature of these
assurances must also be defined in the internal audit charter.
Standard: Implementation Standard 1000.C1 (Consulting Engagements)
The nature of consulting services must be defined in the internal
audit charter.
Standard: Performance Standard 2060, “Reporting to Senior Management
and the Board”
The chief audit executive must report periodically to senior
management and the board on the internal audit activity’s purpose,
authority, responsibility, and performance relative to its plan and on
its conformance with the Code of Ethics and the Standards.
Reporting must also include significant risk and control issues,
including fraud risks, governance issues, and other matters that
require the attention of senior management and/or the board.
Related Guidance: Implementation Guide 2060, “Reporting to Senior
Management and the Board”
The Internal Audit Charter
According to the Standards Glossary, the internal audit charter is:
A formal document that defines the internal audit activity’s purpose, authority,
and responsibility. The internal audit charter establishes the internal audit
activity’s position within the organization; authorizes access to records,
personnel, and physical properties relevant to the performance of engagements;
and defines the scope of internal audit activities.
The internal audit charter provides a road map for the internal audit
activity and provides the vehicle for the internal audit activity to carry
out its mission. It defines what the board and senior management can
expect from the internal audit activity and directs the efforts of internal
audit staff. It also defines the nature of services for assurance and
consulting engagements. A written charter may be distributed to other
stakeholders, such as process owners and outside parties (suppliers and
joint venture partners), to make others aware of the kinds of work
internal auditors are performing.
To create the internal audit charter, the CAE must understand the
Mission of Internal Audit and the mandatory elements of the IPPF.
Implementation Guide 1000, “Purpose, Authority, and Responsibility,”
states:
This understanding provides the foundation for a discussion among the CAE,
senior management, and the board to mutually agree upon:
• Internal audit objectives and responsibilities.
• The expectations for the internal audit activity.
• The CAE’s functional and administrative reporting lines.
• The level of authority (including access to records, physical property, and
personnel) required for the internal audit activity to perform engagements and
fulfill its agreed-upon objectives and responsibilities.
The charter must be consistent with the Standards.
Implementation Guide 1000 tells us that providing a formal, written
internal audit charter is critical in managing the internal audit activity.
The internal audit charter provides a recognized statement for review and
acceptance by management and for approval, as documented in the
minutes, by the board. It also facilitates a periodic assessment of the
adequacy of the internal audit activity’s purpose, authority, and
responsibility, which establishes the role of the internal audit activity. If
a question should arise, the internal audit charter provides a formal,
written agreement with management and the board about the
organization’s internal audit activity.
Elements of the Internal Audit Charter
Although internal audit charters may vary by organization, they typically
include the following sections, some of which may include aspects of the
IPPF:
• Introduction. This section explains the overall role and
professionalism of the internal audit activity. Relevant elements of the
IPPF are often cited in the introduction.
• Authority. This section affirms the internal audit activity’s full access
to the records, physical property, and personnel required to perform
engagements and declares internal auditors’ accountability for
safeguarding assets and confidentiality.
• Organization and reporting structure. This part of the charter
documents the reporting structure for the CAE position. The CAE
should report functionally to the board and administratively to a level
in the organization that allows the internal audit activity to fulfill its
responsibilities. This section may delve into specific functional
responsibilities, such as approving the charter and internal audit plan
and hiring, compensating, and terminating the CAE. It may also
describe administrative responsibilities, such as supporting information
flow in the organization or approving the internal audit activity’s
human resource administration and budgets.
• Independence and objectivity. This section describes the importance
of internal audit independence and objectivity and how these will be
maintained, such as prohibiting internal auditors from having
operational responsibility or authority over areas audited.
• Responsibilities. This section lays out major areas of ongoing
responsibility, such as defining the scope of assessments, conducting an
organization-wide risk assessment at least annually, writing an internal
audit plan, submitting the plan to the board for approval, performing
engagements, communicating results of engagements, and monitoring
corrective actions taken by management.
• Quality assurance and improvement. This part of the charter
describes the expectations for developing, maintaining, evaluating, and
communicating the results of a quality assurance and improvement
program that covers all aspects of the internal audit activity.
• Signatures. The signatures document agreement between the CAE, a
designated board representative (for example, the audit committee
chair), and the individual to whom the CAE reports. This section
includes the date, names, and titles of signatories.
A sample internal audit charter is shown below. Keep in mind that no
sample is all-encompassing for every internal audit organization.
Likewise, all items shown in this sample charter may not be relevant to
every engagement. A charter must be tailored to each internal audit
activity and the governing rules of the organization.
Exhibit I-5: Sample Internal Audit Charter
Source: “Model Internal Audit Activity Charter,” The Institute of Internal Auditors,
https://na.theiia.org/standards-guidance/Public Documents/Model Internal Audit Activity
Charter.pdf.
The IIA has another internal audit charter template that may be used as
a guide. It is available to IIA members for download and can be found
under “Other Supplemental Guidance” on the IIA website.
Communications of the Charter
Significant deviations from the internal audit charter must be
communicated. The CAE cannot change the nature of the audit function
without consulting the audit committee or modifying the internal audit
charter.
Other Key Documents
Other key documents related to the audit charter include the following:
• Function and responsibility (F and R) statement. This statement
establishes the authority and responsibility of the audit staff and
delineates appropriate types of auditing activities and access necessary
to execute the functions outlined in the charter. The F and R statement
may be included in the form of a matrix, where staff roles and
assigned activities are identified.
• Statement of policy (also referred to as corporate audit policy or
policy statement missions). This policy statement identifies the different
missions of the audit activity and assists management and the board in
the effective discharge of their responsibilities. The scope and status of
internal auditing in the organization is covered, along with its objective
to add value and contribute to improved risk management and
governance. A policy statement also describes the internal audit
department’s authority to carry out audits, issue reports, make
recommendations, and evaluate corrective actions.
• Audit manual (policies and procedures). This document includes
written policies and procedures intended to provide guidance to the
audit staff as they perform their duties. Policies and procedures should
be appropriate for the size of the organization and the structure and
complexity of the activity. Generally, a larger enterprise would have
more formal and detailed communications while written memos might
be sufficient in a small organization.
• Staff job descriptions. Job descriptions should identify requirements of
exceptional performance—the knowledge and skills necessary to
effectively and efficiently complete a wide range of audit assignments
such as staff auditors, auditor-in-charge, audit manager, and unique
audit positions.
Topic C: Assurance and Consulting Services (Level P)
Internal auditors no longer only perform compliance-oriented audit
engagements; they also provide a variety of assurance and consulting
(advisory) services.
The Standards Glossary defines assurance services as follows:
An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes
for the organization. Examples may include financial, performance, compliance,
system security, and due diligence engagements.
The Glossary defines consulting services as:
Advisory and related client services activities, the nature and scope of which are
agreed with the client, are intended to add value and improve an organization’s
governance, risk management, and control processes without the internal auditor
assuming management responsibility. Examples include counsel, advice,
facilitation, and training.
Implementation Standards and Assurance/Consulting Services
Guidance for assurance and consulting services is provided in the IPPF’s
Implementation Standards. These expand upon the Attribute and
Performance Standards by providing the requirements applicable to
assurance or consulting services, as noted by the use of A or C in the
standard’s number.
For example, 1000.A1 and 1000.C1 are the Implementation Standards
related to Attribute Standard 1000, “Purpose, Authority, and
Responsibility.” Implementation Standard 1000.A1, an assurance
engagement standard, tells us:
The nature of assurance services provided to the organization must be defined in
the internal audit charter. If assurances are to be provided to parties outside the
organization, the nature of these assurances must also be defined in the internal
audit charter.
Implementation Standard 1000.C1, a consulting engagement standard,
states, in similar language:
The nature of consulting services must be defined in the internal audit charter.
The Standards also state that when performing assurance or consulting
services, the internal auditor should maintain objectivity and not assume
management responsibility.
Now we’ll look at the key differences between assurance and consulting
and some examples of the different types of services internal auditors
may provide.
Assurance Services
Assurance services involve the internal auditor’s objective assessment of
evidence to provide an independent opinion or conclusion regarding an
entity, operation, function, process, system, or other subject matter. Three
parties are generally involved in assurance services:
• The person or group directly involved with the entity, operation,
function, process, system, or other subject matter—the process owner
• The person or group making the assessment—the internal auditor
• The person or group using the assessment—the user
The nature and the scope of the assurance engagement are determined by
the internal auditor.
Assurance services are at the core of internal auditing. While others can
provide consulting services, internal audit has the knowledge of the
organization and the independence to provide the board with the
information, facts, and conclusions they need to make appropriate
decisions. Assurance work makes up the majority of internal audit
activities and is most frequently one or a combination of the following
services:
• Operational. Reviewing a process or function to determine
effectiveness and efficiency to achieve organizational objectives.
• Compliance. Reviewing financial and operating controls to assess
conformance to laws, regulations, standards, policies, and processes.
• Reporting. Reviewing internal controls to provide assurance around the
integrity, completeness, and timeliness of internal and/or external
financial and non-financial reporting and testing the effectiveness of
internal controls over financial reporting (ICFR). Testing ICFR is an
important aspect of assurance services for publicly traded companies
subject to U.S. Sarbanes-Oxley Act (SOX) requirements.
• IT. Reviewing technology infrastructure to assure integrity of
information.
The internal audit activity could also provide assurance services in these
areas:
• Due diligence for potential acquisition
• Contract reviews
• Third-party provider audits
• Joint-venture audits
• Performance audits
• Construction projects
• Entity-level reviews
• System implementations
• Continuous auditing (versus periodic audit engagements)
Consulting Services
Consulting services are advisory in nature and are generally performed at
the specific request of an engagement client. They generally involve two
parties:
• The person or group offering the advice—the internal auditor
• The person or group seeking and receiving the advice—the engagement
client
The nature and the scope of a consulting engagement are subject to
agreement with the engagement client. Such agreements should be
formalized in writing.
Consulting services can include any advisory activity that improves the organization’s governance, risk management, controls, and compliance. The following are examples of different types of consulting services.
• Advisory consulting engagements. These engagements are designed to offer advice and might include:
  • Advising on control design.
  • Advising during development of policies and procedures.
  • Participating in an advisory role for high-risk projects.
  • Advising on certain enterprise risk management activities.
  • Recommending solutions to key issues or challenges facing the organization.
• Training consulting engagements. These engagements are educational in nature and might include:
  • Training on governance, risk management, and internal control.
  • Benchmarking internal areas with comparable areas of similar organizations to identify best practices.
  • Post-mortem analysis—that is, determining lessons learned from a project after it is completed.
• Facilitative consulting engagements. These engagements might include:
  • Facilitating an organization’s risk assessment process.
  • Facilitating management’s control self-assessment.
  • Facilitating a task force charged with redesigning controls and procedures for a new or changed area.
  • Acting as a liaison between management and independent outside auditors, government agencies, vendors, and contractors on control issues.
Consulting may range from formal engagements, defined by written agreements, to informal activities, such as participating in standing or temporary management committees or project teams. Internal auditors may be requested to help in special consulting engagements, such as participation in a merger or acquisition project or in an emergency engagement (for example, a review of disaster recovery activities). These may require departure from normal or established procedures for conducting consulting engagements.
The following are common examples of consulting activities:
• Business process improvement
• Risk and control self-assessment
• Continuous monitoring of controls
• Internal control review
• Forensic audits
• Operational readiness (product launch, new service or system)
• Governance principles and practices
• Ethics training
• Internal control training
• Participation on committees
In all situations, a consulting engagement should not be conducted in an attempt to circumvent assurance engagement requirements, such as the need to provide an opinion at the end of an engagement. This is consistent with The IIA’s Code of Ethics. Conversely, services once conducted as an assurance engagement may be performed as a consulting engagement if deemed appropriate. However, such consulting activities should be coordinated with other internal audit assurance activities as well as external audit activities to minimize redundancy. (See Standard 2050, “Coordination and Reliance.”)
“Blended” Engagements
Assurance and consulting services are not mutually exclusive, so an audit activity can have both assurance and consulting components. A “blended” engagement may consolidate elements of assurance and consulting activities. In other instances, individual components of an engagement may be specified as assurance or consulting. This blending of the two types of services can add value and create efficiencies. However, if assurance and consulting services are blended, it must be ensured that the roles and responsibilities involved create no conflicts, whether of independence, objectivity, or any other kind. It is also often necessary to communicate the outcomes separately, since the purpose and the scope will differ between the assurance and consulting components of an engagement.
Topic D: The IIA’s Code of Ethics (Level P)
It is improbable that professionals in any field or organization would dispute the aspirations set forth in a code of ethics. Well-developed codes of ethics help to foster ethical behavior, affirm core values, deter unethical actions, and cope with ethical dilemmas.
For internal auditors, a formal code of ethics provides a window into generally accepted standards of conduct useful to an organization and its customers. It sets forth a uniform approach to guide conduct. Ethical conduct depends upon a commitment to “do the right thing,” of course, but it also requires a clear vision of what the right thing is. Seeing clearly in ethical matters can be challenging. The conflicts of interest that arise almost inevitably in any profession that has multiple responsibilities—to the profession itself, to colleagues, to customers, to employers, and to the community—sometimes cast a shadow across the line that separates the right thing from the usual thing or the easy thing or the profitable thing to do. A well-founded code of ethics should spell out the standards for acceptable and expected behavior or conduct as well as what constitutes unacceptable behavior or conduct.
The IIA maintains its Code of Ethics “to promote an ethical culture in the profession of internal auditing.” The Code:
    States the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.
The Standards Glossary defines The IIA’s Code of Ethics as follows:
    Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The IIA bases its Code of Ethics on four fundamental principles of professional conduct: integrity, objectivity, confidentiality, and competency. The Code interprets each of these four principles by describing what each means and by specifying related Rules of Conduct that provide guidance in how to put the principles into practice. The Code does more than simply demand ethical conduct; it defines that conduct in detail.
All CIAs (regardless of whether they are currently practicing or are working in different functional areas) must abide by The IIA’s Code of Ethics, which is shown in Exhibit I-6.
Exhibit I-6: The IIA’s Code of Ethics
Conflicts of Interest
It isn’t difficult to spot places in the Code of Ethics that identify potential conflicts of interest. For example, under the first principle, integrity, the auditor is required to make disclosures expected by the law and the profession. Under confidentiality, the auditor is mandated to respect the confidentiality of the information unless legally or professionally required to disclose it.
Objectivity may be compromised if the internal auditor is assigned to audit an area in which he or she has worked in the preceding 12 months or plans to work in the near future. Standard 1130.A1, “Impairment to Independence and Objectivity,” provides specific guidance on such conflicts, stating:
    Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
A perhaps more subtle conflict arises under competency. Determining at the outset of an engagement whether one is or is not competent to complete it may not be so simple—especially when one’s professional pride or the possibility of a promotion seems to be at stake. There is generally very little support for saying “I can’t do that.” Nevertheless, the principles of the Code and the Rules of Conduct are mandatory in all instances that don’t conflict with legal principles.
It is situations of conflict of interest that make ethical conduct a challenge—and that make codes of conduct necessary. In any situation not directly covered by the Rules of Conduct, the auditor should apply the principles to determine the ethical course of action. Seeking advice from those who may have greater objectivity or more experience is also helpful.
Practical Applications
Exhibit I-7 describes some practical applications of the four principles in The IIA’s Code of Ethics.
Exhibit I-7: Examples of The IIA’s Code of Ethics Principles
Integrity: The internal auditor should have knowledge of the requirements of the Code of Ethics and perform all activities according to the Code. Integrity includes honesty, diligence, and responsibility; observance of laws; not performing illegal activity; and contributing to the legitimate and ethical objectives of the organization.
Objectivity: The internal auditor should not perform audits where the assessment would be biased or professional judgment may be impaired. All facts must be disclosed. If an auditor does not feel comfortable in doing an audit, he or she should ask to be removed from the team.
Confidentiality: Information obtained while performing an audit must be protected and used only as appropriate in the engagement. Information should be used only in conformance with laws or regulations and never used for personal gain.
Competency: The necessary knowledge, skills, and experience are important requirements for providing internal auditing services. Each internal auditor should have a plan to receive knowledge or training to enhance future performance.
Next Steps
You have completed Part 1, Section I, of The IIA’s CIA Learning System®. Next, check your understanding by completing the online section-specific test(s) to help you identify any content that needs additional study.
Once you have completed the section-specific test(s), a best practice is to reread content in areas you feel you need to understand better. Then you should advance to studying Section II.
You may want to return to earlier section-specific tests periodically as you progress through your studies; this practice will help you absorb the content more effectively than taking a single test multiple times in a row.
Build 08/24/2018 15:39 p.m.