Course Name: Internal Auditing & Controls
Module: 2
Module Title: Internal auditing standards
Lecture and handouts prepared by: Chuck Campbell
MU1 2007-08

Internal auditing standards
Module 2

In this module, you will be introduced to general standards for the practice of internal auditing, including some detail about the standards on independence, objectivity, proficiency and due professional care. The module concludes with a consideration of outsourcing some of the internal audit functions and the standards dealing with management of the internal audit activity.

Internal Auditing & Controls Module 2

Part 1
  Topic 2.1 Overview of internal auditing standards
  Topic 2.2 Purpose, authority and responsibility
Part 2
  Topic 2.3 Independence and objectivity
  Topic 2.4 Proficiency and due professional care
Part 3
  Topic 2.5 The outsourcing alternative
Part 4
  Topic 2.6 Managing the internal audit department
Part 5
  Module summary – Learning objectives
  Recent examination questions
  Assignment hints

Internal Auditing & Controls Module 2 Part 1
Topic 2.1 Overview of internal auditing standards
Topic 2.2 Purpose, authority and responsibility

Purpose of internal auditing standards

The purpose of the International Standards for the Professional Practice of Internal Auditing is to:

- delineate basic principles that represent the practice of internal auditing as it should be.
- provide a framework for performing and promoting a broad range of value-added internal audit activities.
- establish the basis for the evaluation of internal audit performance.
- foster improved organizational processes and operations.

The Professional Practices Framework

1. The Definition of Internal Auditing
2. The IIA Code of Ethics
3. The International Standards for the Professional Practice of Internal Auditing
   - Attribute standards
   - Performance standards
   - Implementation standards
     - Assurance engagements
     - Consulting engagements
4. Other guidance (including Practice Advisories)

Attribute standards

There are four attribute standards:

1. The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
2. The internal audit activity should be independent and internal auditors should be objective in performing their work.
3. Engagements should be performed with proficiency and due professional care.
4. The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.

Performance standards

There are seven performance standards:

1. The chief audit executive should effectively manage the internal audit activity to ensure that it adds value to the organization.
2. The internal audit activity should evaluate and contribute to the improvement of risk management, control and governance processes using a systematic and disciplined approach.
3. Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.
4. Internal auditors should identify, analyze, evaluate and record sufficient information to achieve the engagement’s objectives.
5. Internal auditors should communicate the engagement results.
6. The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
7. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management and, if necessary, the board.

The audit charter

Organizations should have a formal audit charter to define and communicate the purpose, authority and responsibility of the internal audit department.

The charter should be approved by senior management and the board.

The charter should establish the position of the management audit activity within the organization, set out the scope of its activities and guarantee access to personnel and records.

The audit charter – an example

Contents of the sample internal audit department charter (from Exhibit 2-1):

- Mission and scope of work
- Accountability
- Independence
- Responsibility
- Authority
- Standards of audit practice

Consulting activities

Practice Advisory 1000.C1-1 sets out principles to guide internal auditors when performing consulting engagements within their organizations.

Consulting activities should be empowered through the Internal Audit Charter and organizations must have ground rules for the performance of consulting services that are understood by all members of the organization.

Consulting activities are generally characterized by a principal responsibility to report to the management of the operating unit, in contrast to assurance engagements where the principal responsibility is to senior management and the board of directors.

Internal Auditing & Controls Module 2 Part 2
Topic 2.3 Independence and objectivity
Topic 2.4 Proficiency and due professional care

Independence and objectivity

The standards for the practice of internal auditing require that the auditor be independent of the activities audited and be objective in issuing an opinion on those activities.

The independence and objectivity of the internal auditor are enhanced by:

- the organizational status of the internal audit department
- the authority and responsibility given to internal auditors
- the degree of objectivity maintained by internal auditors.

Organizational independence

Practice Advisory 1110-1 recommends that:

- The chief audit executive should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.
- Ideally, the chief audit executive should report functionally to the board and administratively to the chief executive officer of the organization.
- The chief audit executive should have direct communication with the board of directors.

Impairments to objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties.

A scope limitation is a restriction placed upon the internal audit activity that precludes the audit activity from accomplishing its objectives and plans. Among other things, a scope limitation may restrict audit scope, access to records and personnel, the engagement work schedule, and/or the performance of necessary procedures.

A scope limitation, along with its potential effect, should be communicated, preferably in writing, to the board.

Proficiency and due professional care

1. Internal auditors and internal audit departments should possess the knowledge, skills and competencies needed to perform their individual responsibilities.
2. Internal auditors should apply the care and skills expected of a reasonably prudent and competent internal auditor.
3. Internal auditors should enhance their knowledge, skills and competencies through continuing professional development.

Individual internal auditors should:

- Comply with the Code of Ethics of the IIA.
- Have the knowledge and skills to perform internal audits in an efficient and effective manner, including sufficient oral and written communication skills.
- Understand human relations and maintain satisfactory relationships with auditees.
- Maintain their technical competence through continuing education.
- Exercise due professional care in performing their audits.

Internal Auditing & Controls Module 2 Part 3
Topic 2.5 The outsourcing alternative

Use of outsourced resources

Outsourced resources may be used:

- to provide services to remote locations;
- to provide subject matter expertise for specific engagements;
- to replace the existing internal audit function or provide a part-time internal audit resource for organizations which cannot justify a full-time internal audit department.

Advantages of outsourcing internal audit activities

These include:

- obtaining expertise not available in-house
- access to leading edge practices
- increased coverage: subject matter and geographical
- potential cost savings
- greater flexibility

Disadvantages of outsourcing internal audit activities

These include:

- lack of familiarity with the industry, the company and its culture
- costs may be greater (if used for relatively routine work)
- may require increased supervision
- resources may not always be available when required
- loss of potential training ground for future managers
- potential loss of a source of information if provider is also external auditor (no longer permitted for public companies)

Requirements when outsourcing internal auditing activities

When outside service providers are used, the chief audit executive should assess their competency, independence and objectivity in relationship to the specific engagement to be performed.

The chief audit executive should agree on the scope of work with the outside service provider before work commences.

The chief audit executive should ensure that the work done by the outside service provider complies with the appropriate professional standards.

Characteristics of successful outsourcing arrangements

- A well-defined role in the organization
- Formal performance evaluations
- Effective communications
- An integrated risk analysis approach
- A flexible audit plan with an ability to react when immediate demands arise
- Experienced personnel
- A willingness to bring in outside assistance when necessary

Internal Auditing & Controls Module 2 Part 4
Topic 2.6 Managing the internal audit department

Standards for the management of the internal audit department

The chief audit executive should:

- Establish risk-based plans to determine priorities for the internal audit activity that are consistent with the organization’s goals.
- Communicate the department’s plans and resource requirements to senior management and the board for review and approval.
- Ensure that the resources are appropriate, sufficient and effectively deployed to achieve the approved plan.
- Establish policies and procedures to guide the internal audit activity.
- Share information and co-ordinate activities with other providers of assurance and consulting activities to avoid duplication.
- Report periodically to the board relative to the approved plan.
- Establish a quality assurance and improvement program including both internal and external assessments.
- Communicate the results of external assessments to the board.

Quality assurance and improvement program

The internal audit activity should:

- Adopt a process to monitor and assess the overall effectiveness of its quality programs
- Provide for internal assessments performed both by members of the department and by others in the organization
- Arrange for external quality assurance reviews to be conducted at least once every five years
- Report the result of the external assessment to the board

If (and only if) the external assessment concludes that the “activities are in full compliance with the Standards,” this may be indicated in the reports issued by the department.

Internal Auditing & Controls Module 2 Part 5
Module summary – Learning objectives
Recent examination questions
Assignment hints

Module 2 Learning Objectives

1. Describe the four attribute standards and the seven performance standards governing internal auditing. (Level 1)
2. Describe the purposes and content of an internal audit charter. (Level 1)
3. Explain the importance of independence and objectivity in internal auditing and how they are achieved. (Level 1)
4. Identify and apply the main standards for proficiency and due professional care in internal auditing. (Level 1)
5. Outline the main advantages and disadvantages of using outsourced resources in internal auditing and the requirements for using outside service providers. (Level 2)
6. Outline the standards for the proper management of the internal audit department, including quality assurance. (Level 2)

Recent examination questions

Multiple choice questions:

- December 2005, Question 1(b)
- March 2006, Question 1(c)
- June 2006, Question 1(b)
- December 2006, Questions 1(a), 1(b) and 1(c)
- March 2007, Question 1(h), 1(i) and 1(j)

Assignment hints – Assignment 1

- Question 2 – The most important thing to remember when answering this question is to base your answer on the IIA Standards by applying the relevant sub-standards and Practice Advisories to the circumstances of Newlands Networks Corporation.
- Question 3 – Your answer should address the issues of independence and of objectivity. Again, the question is set to test your knowledge of the IIA Standards and your ability to apply the Standards so your answer must be based on specific IIA Standards and Practice Advisories.
- Question 4 – Remember to provide references to the IIA Standards wherever possible.