Part 1: Essentials of
Internal Auditing
Section A: Foundations of
Internal Auditing
CIA part 1 essentials of internal auditing
Topic 1: Mission, Definition, and Core
Principles
• This topic discusses The IIA’s Mission of Internal Audit, Definition
of Internal Auditing, and Core Principles for the Professional
Practice of Internal Auditing and the purpose, authority, and
responsibility of the internal audit activity.
The Framework
• The Institute of Internal Auditors (The IIA) uses the International
Professional Practices Framework (IPPF) to organize its
authoritative guidance in a manner that is readily accessible. The
IPPF, sometimes called the “Red Book,” is intended to help
practitioners and stakeholders throughout the world respond to
the expanding market for high-quality internal auditing.
• The IPPF contains both mandatory and recommended guidance. The Mission
of Internal Audit, the Core Principles for the Professional Practice of
Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and
the International Standards for the Professional Practice of Internal
Auditing (the Standards) comprise the mandatory guidance. Recommended
guidance in the IPPF includes Implementation Guidance and Supplemental
Guidance. All of the guidance sources listed above will be discussed
throughout this product. The IPPF is shown in Exhibit 1-1.
***
Mission of Internal Audit*
• To enhance and protect organizational value by providing risk-based
and objective assurance, advice, and insight.
• By requiring that the services provided by internal audit be risk-based
and objective, the Mission aligns directly with the expectations of
stakeholders. Each requirement serves a different function. The risk
basis supports the goal to protect organizational value, and objectivity
is one of the main strategic success enablers of the internal audit
activity.
The Mission makes it clear that internal audit must be focused on
increasing the organization’s value and that there are three general
types of risk-based and objective activities through which internal audit
increases and protects this value:
• Assurance
• Advice
• Insight
- Assurance
Assurance work makes up the majority of internal audit activities. It is
designed to communicate to the main stakeholders that management:
• Has deployed appropriate activities to achieve its objectives.
• Is appropriately managing the risks to those objectives.
• Has agreed to implement required additional risk mitigation and
improvement measures.
- Advice
• Advice can be provided through advisory engagements, which
are often referred to as consulting engagements. These are
designed to provide advice and insight to the organization in a
proactive, customer-driven approach.
- Insight
Insight can be provided in a variety of formats, which may include but are not
limited to:
• Assurance engagement reports.
• Advisory engagement reports.
• Participation on committees and task forces.
• Personal meetings.
• Board reporting.
• Progress reporting.
Core Principles*
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
• Each Principle may apply to the individual auditor, the audit
activity, or both. Though internal audit activities may demonstrate
achievement of principles in various ways, each of the Principles
must be present and successfully operating for the audit activity
to be considered effective. Failure to achieve any one of the
Principles suggests that the activity is not as effective as it could
be.
Consequences of Not Demonstrating Core
Principles
• Demonstrates integrity. The internal audit activity may lose the
trust placed in it and consequently its credibility to provide
independent and objective assurance and advice.
• Demonstrates competence and due professional care. Internal
audit risk assessments, the activity’s plan of engagements, and
the scope and objectives of engagements may not be
sufficient, accurate, or complete.
• Is objective and free from undue influence (independent).
Management and the board are unlikely to trust internal audit
observations as accurate and complete.
• Aligns with the strategies, objectives, and risks of the
organization. The internal audit activity risks wasting resources
on assessing areas, processes, or issues that do not help the
organization manage its key risks and achieve its objectives.
• Is appropriately positioned and adequately resourced. The results and
conclusions of internal audit work may not be treated with sufficient
importance to prompt action from management, and independent
reporting may be difficult.
• Demonstrates quality and continuous improvement. Errors may occur
in internal audit work, or there may be a perception that the work is
not reliable. The internal audit activity may fail to keep up with
innovations in technology, methodology, and audit techniques.
• Communicates effectively. The internal audit activity may be unable to
obtain the position, resources, and information it needs to conduct
engagements and to effectively express its results, conclusions, and
opinions to management and the board.
• Provides risk-based assurance. Management and the board will not
have independent validation that its controls are designed properly
and are working as expected to mitigate risks.
• Is insightful, proactive, and future-focused. The internal audit
activity is likely to miss emerging risks, and the value it adds will
be limited.
• Promotes organizational improvement. The value that internal
audit adds may be limited, as it may miss opportunities to
recommend ways the organization could increase efficiency.
Definition of Internal Auditing*
• Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control, and governance processes.
• The strategic focus of internal audit is clearly aligned with the
expectations of key organizational stakeholders. The Definition
of Internal Auditing focuses the image of internal auditing in six
significant ways.
1
• It describes internal auditing as an independent, objective activity.
Independence refers to a structure that allows for the audit activity’s
freedom to determine audit or assurance scope, to perform the work
judged necessary to achieve engagement objectives, and to
communicate the results. Objectivity refers to the personal ability to
be non-biased, which allows auditors to be responsive to their
customers and to add value through their objective analyses and
recommendations for improvement.
2
• The definition explicitly recognizes the consulting role of internal
audit in providing advice to the organization, in addition to
assurance activities. This conveys a proactive, customer-driven
approach where internal audit plays a role in organizational
governance, risk management, and control activities.
3
• By stating that internal auditing is designed to “add value and
improve an organization’s operations,” the definition articulates
the expectation that the internal audit activity will add value to the
organization.
4
• By referring to the organization’s objectives, the definition
focuses on the whole organization. This requires auditors to
understand the strategic objectives of the organization and the
goals and objectives that support it and to view problems and
solutions from a broad perspective.
5
• The definition recognizes internal auditing’s legacy of delivering
services with a tried-and-true, systematic, and disciplined
approach that results from being a standards-based profession.
6
• The definition charges internal auditors with a broad and involved
role to play in the organization’s governance and risk
management processes. Underlying the terminology is the
understanding that controls exist to help the organization
manage risk and promote effective governance processes.
• Internal auditing differs from external auditing, which serves
third parties who require reliable financial information based on
reliable supporting records. Drawing further distinctions
between internal and external auditors as well as other related
review functions can help clarify what internal auditing is and
what it is not. These distinctions are described below:
External auditors/financial auditors.
• These auditors provide an attestation solely based on the
financial reports and statements generated by an organization.
The work of external and financial auditors is historical in nature
and is critical to allowing investors and other third parties to
make informed decisions (e.g., investing, approving debt
issuance) about an organization based on its financial
statements when taken as a whole.
Compliance
• Compliance reviews typically serve to determine whether or not
an organization is adhering to a specified law, regulation,
standard, policy, or procedure, and the results are reported as
such.
Regulators
• These auditors work for regulating bodies that review
compliance with specific regulations as well as the overall safety
and soundness of the organizations being examined. These
auditors perform compliance reviews of corporations or
agencies that are regulated by the specified regulating body.
Government auditors
• Government auditors typically work for departments, ministries,
or agencies of a government and provide assurance regarding
program requirements, performance audits, budget reviews, and
management audits.
The Standards*
The Standards comprise two main categories:
• Attribute Standards address the attributes of organizations and
individuals performing internal auditing.
• Performance Standards describe the nature of internal auditing
and provide quality criteria against which the performance of
these services can be measured.
• Attribute and Performance Standards apply to all internal audit
services.
• Implementation Standards expand upon existing Attribute and
Performance Standards by providing the requirements
specifically applicable to assurance (.A) or consulting (.C)
services. These requirements are discussed as applicable
throughout the text.
Attribute Standard 1000, “Purpose,
Authority, and Responsibility”
• The purpose, authority, and responsibility of the internal audit activity must
be formally defined in an internal audit charter, consistent with the Mission
of Internal Audit and the mandatory elements of the International
Professional Practices Framework (the Core Principles for the
Professional Practice of Internal Auditing, the Code of Ethics, the Standards,
and the Definition of Internal Auditing). The chief audit executive must
periodically review the internal audit charter and present it to senior
management and the board for approval.
• The internal audit charter is a critical document that records the
agreed-upon purpose, authority, independence and objectivity,
reporting structure, and responsibility of an organization’s
internal audit activity. It establishes the internal audit activity’s
position within the organization; authorizes access to records,
personnel, and physical properties; and defines the scope of
internal audit activities.
• The chief audit executive (CAE) is defined in the IPPF glossary as “a
person in a senior position responsible for effectively managing the
internal audit activity....” This person is charged with the creation of
the internal audit charter and with the task of reviewing and
presenting the audit charter for board approval periodically. The
specific job title and/or responsibilities of the CAE may vary across
organizations, and the position may be outsourced as well.
• The board is defined in the IPPF glossary as “the highest level governing
body (e.g., a board of directors, a supervisory board, or a board of governors
or trustees) charged with the responsibility to direct and/or oversee the
organization’s activities and hold senior management accountable.” It may
refer to an audit committee, which is a subset of the broader board to
oversee certain functions (e.g., internal audit, external auditors, financial
concerns). If a board or audit committee does not exist, the term may refer
to the head of an organization.
Topic 2: Internal Audit Charter
Requirements
• In addition to reviewing the contents of this topic, students can
review the following IIA materials:
• IIA Model Charter: Model Internal Audit Activity Charter
(theiia.org)
• Implementation Guidance for Standards 1000 and 1010:
Implementation Guidance (theiia.org)
Audit Charter and Approval
• The internal audit charter provides a recognized statement of the
purpose, authority, and responsibility of internal audit for review
and acceptance by management and for approval by the board. If
a question should arise, the internal audit charter provides a
formal, written agreement with management and the board.
• Before writing or revising the internal audit charter, the CAE
typically reviews the IPPF to refresh his or her understanding of
the Mission of Internal Audit and the elements that must be
included in the charter, which are governed by Standard 1010.
***
• Attribute Standard 1010, “Recognizing Mandatory Guidance in the
Internal Audit Charter”: The mandatory nature of the Core Principles
for the Professional Practice of Internal Auditing, the Code of Ethics,
the Standards, and the Definition of Internal Auditing must be
recognized in the internal audit charter. The chief audit executive
should discuss the Mission of Internal Audit and the mandatory
elements of the International Professional Practices Framework with
senior management and the board.
• To recognize the mandatory elements of the IPPF in the internal
audit charter, the CAE may make specific statements that use
language from applicable standards, such as Standard 1010,
directly.
• Alternatively, the CAE may use language and content throughout
the internal audit charter that require conformance with
Mandatory Guidance.
Key point
• Once the charter is adopted, it is important for the CAE to monitor
the IIA’s Mandatory Guidance and discuss any changes that may
be warranted during the next charter review with senior
management and the board.
Elements of the Internal Charter
• See IIA Model charter
Topic 3: Assurance versus Consulting
Assurance and Consulting Services
• Internal auditors provide a variety of assurance and consulting
(advisory) services.
• The IPPF glossary defines assurance services as:
• An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control
processes for the organization. Examples may include financial, performance,
compliance, system security, and due diligence engagements.
• The glossary defines consulting services as:
• Advisory and related client services activities, the nature and scope of
which are agreed with the client, are intended to add value and improve
an organization’s governance, risk management, and control processes
without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.
***
• Implementation Standard 1000.A1 (Assurance Engagements): The
nature of assurance services provided to the organization must
be defined in the internal audit charter. If assurances are to be
provided to parties outside the organization, the nature of these
assurances must also be defined in the internal audit charter.
***
• Implementation Standard 1000.C1 (Consulting Engagements): The
nature of consulting services must be defined in the internal
audit charter.
Assurance Services
• Assurance services involve the internal auditor’s objective assessment of
evidence to provide an independent opinion or conclusion regarding an
entity, operation, function, process, system, or other subject matter. Three
parties are generally involved in assurance services:
• The person or group directly involved with the entity, operation, function,
process, system, or other subject matter—the client
• The person or group making the assessment—the internal auditor
• The person or group using the assessment—the user or stakeholder
Examples of assurance services may
include:
• Financial.
• Performance.
• Compliance.
• System security.
• Due diligence.
• Strategic.
Consulting Services
• Consulting services are advisory in nature and are generally
performed at the specific request of an engagement client. They
generally involve two parties:
• The person or group offering the advice—the internal auditor
• The person or group seeking and receiving the advice—the
engagement client
Advisory consulting engagements.
• These engagements are designed to offer advice and might include:
• Advising on control design.
• Advising during development of policies and procedures.
• Participating in an advisory role for high-risk projects.
• Advising on certain enterprise risk management activities.
• Recommending solutions to key issues or challenges facing the
organization.
Training consulting engagements.
These engagements are educational in nature and might include:
• Training on governance, risk management, and internal control.
• Benchmarking internal areas with comparable areas of similar
organizations to identify best practices.
• Post-mortem analysis—that is, determining lessons learned
from a project after it is completed.
Facilitative consulting engagements.
• Facilitating an organization’s risk assessment process.
• Facilitating management’s control self-assessment.
• Facilitating a task force charged with redesigning controls and
procedures for a new or changed area.
• Acting as a liaison between management and independent outside
auditors, government agencies, vendors, and contractors on control
issues.
• Consulting may range from formal engagements, defined by written
agreements, to informal activities, such as participating in standing or
temporary management committees or project teams. Internal
auditors may be requested to help in special consulting engagements,
such as participation in a merger or acquisition project or in an
emergency engagement. These may require departure from normal
or established procedures for conducting consulting engagements.
The following are common examples of
consulting activities:
• Business process improvement
• Risk and control self-assessment
• Continuous monitoring of
controls
• Internal control review
• Forensic audits
• Operational readiness (product
launch, new service or system)
• Governance principles and
practices
• Ethics training
• Internal control training
• Participation on committees
• Consistent with the IIA’s Code of Ethics, a consulting engagement
should never be conducted in an attempt to circumvent
assurance engagement requirements such as the need to
provide an opinion at the end of an engagement. Services once
conducted as an assurance engagement may be performed as a
consulting engagement—if deemed appropriate.
Blended Engagements
• Assurance and consulting services are not mutually exclusive, so an audit
activity can have both assurance and consulting components. A blended
engagement may consolidate elements of assurance and consulting
activities. A blended engagement may take the form of a due diligence
engagement to provide assurance and consulting services in support of
management's evaluation of an acquisition candidate, for example. In other
instances, individual components of an engagement may be specified as
assurance or consulting. This blending of the two types of services can add
value and create efficiencies.
Topic 4: IIA Code of Ethics Conformance
• This topic discusses the IIA’s Code of Ethics, including its four key
components:
• Integrity
• Objectivity
• Confidentiality
• Competency
Purpose of the Code of Ethics
• The purpose of the IIA's Code of Ethics is to promote an ethical
culture in the profession of internal auditing. It is necessary and
appropriate for the profession of internal auditing.
• The Code of Ethics extends beyond the Definition of Internal Auditing to
include two essential components:
• Principles that are relevant to the profession and practice of internal
auditing.
• Rules of Conduct that describe behavior norms expected of internal
auditors. These rules are an aid to interpreting the Principles into practical
applications and are intended to guide the ethical conduct of internal
auditors.
• The Code of Ethics applies to both entities and individuals that
perform internal audit services. The placement of the Code of
Ethics within the IPPF is shown in Exhibit 1-13.
Code of Ethics
• Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations.
• It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance
processes.
***
• It is especially important for the CAE to uphold the Code of Ethics,
thereby setting the tone for the value of ethics among the team.
Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on
their judgment.
The Rules of Conduct specify that internal auditors:
• 1. Shall perform their work with honesty, diligence, and responsibility.
• 2. Shall observe the law and make disclosures expected by the law and the profession.
• 3. Shall not knowingly be a party to any illegal activity or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
• 4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
• As the leader of the internal audit activity, the CAE should cultivate a culture
of integrity by acting with integrity and adhering to the Code of Ethics. In
order to assist in cultivating that culture, the CAE may:
• Require internal auditors to agree in writing to follow the IIA’s Code of
Ethics and any additional ethics-related policies.
• Emphasize the importance of integrity by providing training that
demonstrates integrity and other ethical principles.
• The CAE should also maintain a working environment in which internal
auditors feel supported when expressing legitimate, evidence-based
observations, conclusions, and opinions, even if they are not favorable.
• For the individual auditor, integrity may be considered primarily a personal
attribute, making it difficult to measure, enforce, or guarantee. In simple
terms, internal auditors are expected to tell the truth and do the right thing,
even when it is uncomfortable or difficult to do so.
Objectivity
• Internal auditors exhibit the highest level of professional
objectivity in gathering, evaluating, and communicating
information about the activity or process being examined.
Internal auditors make a balanced assessment of all the relevant
circumstances and are not unduly influenced by their own
interests or by others in forming judgments.
Objectivity is defined in the IPPF glossary
as:
• An unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in their
work product and that no quality compromises are made.
Objectivity requires that internal auditors do not subordinate
their judgment on audit matters to others.
The Rules of Conduct specify that internal
auditors:
• 1. Shall not participate in any activity or relationship that may impair or be
presumed to impair their unbiased assessment. This participation includes
those activities or relationships that may be in conflict with the interests of
the organization.
• 2. Shall not accept anything that may impair or be presumed to impair their
professional judgment.
• 3. Shall disclose all material facts known to them that, if not disclosed, may
distort the reporting of activities under review.
Confidentiality
• Internal auditors respect the value and ownership of information
they receive and do not disclose information without appropriate
authority unless there is a legal or professional obligation to do
so.
• The Rules of Conduct specify that internal auditors:
• 1. Shall be prudent in the use and protection of information
acquired in the course of their duties.
• 2. Shall not use information for any personal gain or in any
manner that would be contrary to the law or detrimental to the
legitimate and ethical objectives of the organization.
• To properly follow confidentiality laws and regulations,
organizations usually issue information security policies. To
better understand the impact of legal and regulatory
requirements and protections, the CAE should consult with legal
counsel. Organizational policies and procedures may require
that specific authorities, such as legal counsel, review and
approve business information before external release.
Competency
• Internal auditors apply the knowledge, skills, and experience needed in the performance of
internal audit services.
• The Rules of Conduct specify that internal auditors:
• 1. Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
• 2. Shall perform internal audit services in accordance with the International Standards for
the Professional Practice of Internal Auditing.
• 3. Shall continually improve their proficiency and the effectiveness and quality of their
services.
• To ensure the competency of the internal audit activity as a whole, the CAE
should inventory the skills and experience of individual auditors, align them
with the competencies needed to fulfill the internal audit plan, and identify
any gaps in coverage. The CAE may address deficiencies by:
• Providing training and mentorship.
• Rotating internal audit staff.
• Bringing in guest auditors.
• Hiring external service providers.
• Individual internal auditors are responsible for taking the
necessary actions to obtain any continuing professional
education and development hours they may need. They should be
aware of the current requirements for maintaining the active
status of any credentials they hold. Most certifications require
the completion of ethics training and continuing professional
development.
Section B: Independence and
Objectivity
• This section is designed to help you:
• Define independence and objectivity in terms of internal audit.
• Interpret organizational independence of the internal audit activity.
• Explain the importance of independence in an internal audit activity.
• Explain the reporting relationships for internal auditors.
• Identify whether the internal audit activity has any impairments to its independence.
• Assess and maintain an individual internal auditor’s objectivity, including determining whether an
individual internal auditor has any impairments to his/her objectivity.
• Analyze policies that promote objectivity.
• The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links
below. Access to specific pages and documents varies for the public and The IIA members.
• Attribute Standards: www.theiia.org/Attribute-standards
• Performance Standards: www.theiia.org/Performancestandards
• Standards and Guidance: www.theiia.org/Guidance
• Position Papers: www.theiia.org/Position-papers
• Implementation Guidance: www.theiia.org/Practiceadvisories
• Practice Guides and GTAGs: www.theiia.org/Practiceguides
Topic 1: Organizational Independence
• According to The IIA
• Attribute Standard 1110, “Organizational Independence”
• The chief audit executive must report to a level within the organization
that allows the internal audit activity to fulfill its responsibilities. The
chief audit executive must confirm to the board, at least annually, the
organizational independence of the internal audit activity.
• Independence is defined in the IPPF glossary as “the freedom
from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased
manner.” These conditions often stem from the organizational
placement and assigned responsibilities of internal audit.
The assigned roles and responsibilities for internal audit vary from
organization to organization based on factors such as:
• Organizational size.
• Type of operations.
• Capital structure.
• Legal and regulatory environment.
• Standard 1110 is effectively achieved when the CAE reports functionally to the board. Some examples
of this functional reporting involve the board:
• Approving the internal audit charter.
• Approving the risk-based internal audit plan.
• Approving the internal audit budget and resource plan.
• Receiving communications from the CAE on the internal audit activity’s performance relative to its
plan and other matters.
• Evaluation and compensation of the CAE.
• Appointment and removal of the CAE.
• According to The IIA Implementation Standard 1110.A1 (Assurance
Engagements): The internal audit activity must be free from
interference in determining the scope of internal auditing,
performing work, and communicating results. The chief audit
executive must disclose such interference to the board and
discuss the implications.
• The IIA recommends that the CAE report administratively to the CEO,
indicating that the CAE is in a senior position with the authority to
perform duties unimpeded. However, in some cases, the CAE has an
administrative reporting line to a member of senior management,
which enables the requisite stature and authority of internal audit to
fulfill responsibilities. The essential point is that the CAE will have
unrestricted access to report sensitive matters to the highest level of
governance in the organization.
• Generally, the CAE, the board, and senior management discuss
and agree upon internal audit's responsibility, authority, and
expectations as well as the necessary organizational placement
of internal audit and CAE reporting relationships to enable
internal audit to fulfill its duties. The internal audit charter will
reflect the decisions reached during those discussions.

CIA part 1 essentials of internal auditing

  • 1. Part 1: Essentials of Internal Auditing
  • 2. Section A: Foundations of Internal Auditing
  • 4. Topic 1: Mission, Definition, and Core Principles • This topic discusses The IIA’s Mission of Internal Audit, Definition of Internal Auditing, and Core Principles for the Professional Practice of Internal Auditing and the purpose, authority, and responsibility of the internal audit activity.
  • 5. The Framework • The Institute of Internal Auditors (The IIA) uses the International Professional Practices Framework (IPPF) to organize its authoritative guidance in a manner that is readily accessible. The IPPF, sometimes called the “Red Book,” is intended to help practitioners and stakeholders throughout the world respond to the expanding market for high-quality internal auditing.
  • 6. • The IPPF contains both mandatory and recommended guidance. The Mission of Internal Audit, the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (the Standards) comprise the mandatory guidance. Recommended guidance in the IPPF includes Implementation Guidance and Supplemental Guidance. All of the guidance sources listed above will be discussed throughout this product. The IPPF is shown in Exhibit 1-1.
  • 7. ***
  • 8. Mission of Internal Audit* • To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. • By requiring that the services provided by internal audit be risk-based and objective, the Mission aligns directly with the expectations of stakeholders. Each requirement serves a different function. The risk basis supports the goal to protect organizational value, and objectivity is one of the main strategic success enablers of the internal audit activity.
  • 9. The Mission makes it clear that internal audit must be focused on increasing the organization’s value and that there are three general types of risk-based and objective activities through which internal audit increases and protects this value: • Assurance • Advice • Insight
  • 10. - Assurance Assurance work makes up the majority of internal audit activities. It is designed to communicate to the main stakeholders that management: • Has deployed appropriate activities to achieve its objectives. • Is appropriately managing the risks to those objectives. • Has agreed to implement required additional risk mitigation and improvement measures.
  • 11. - Advice • Advice can be provided through advisory engagements, which are often referred to as consulting engagements. These are designed to provide advice and insight to the organization in a proactive, customer-driven approach.
  • 12. - Insight Insight can be provided in a variety of formats, which may include but are not limited to: • Assurance engagement reports. • Advisory engagement reports. • Participation on committees and task forces. • Personal meetings. • Board reporting. • Progress reporting.
  • 13. Core Principles* • Demonstrates integrity. • Demonstrates competence and due professional care. • Is objective and free from undue influence (independent). • Aligns with the strategies, objectives, and risks of the organization. • Is appropriately positioned and adequately resourced. • Demonstrates quality and continuous improvement. • Communicates effectively. • Provides risk-based assurance. • Is insightful, proactive, and future-focused. • Promotes organizational improvement.
  • 14. • Each Principle may apply to the individual auditor, the audit activity, or both. Though internal audit activities may demonstrate achievement of principles in various ways, each of the Principles must be present and successfully operating for the audit activity to be considered effective. Failure to achieve any one of the Principles suggests that the activity is not as effective as it could be.
  • 15. Consequences of Not Demonstrating Core Principles • Demonstrates integrity. The internal audit activity may lose the trust placed in it and consequently its credibility to provide independent and objective assurance and advice. • Demonstrates competence and due professional care. Internal audit risk assessments, the activity’s plan of engagements, and the scope and objectives of engagements may not be sufficient, accurate, or complete.
  • 16. • Is objective and free from undue influence (independent). Management and the board are unlikely to trust internal audit observations as accurate and complete. • Aligns with the strategies, objectives, and risks of the organization. The internal audit activity risks wasting resources on assessing areas, processes, or issues that do not help the organization manage its key risks and achieve its objectives.
  • 17. • Is appropriately positioned and adequately resourced. The results and conclusions of internal audit work may not be treated with sufficient importance to prompt action from management, and independent reporting may be difficult. • Demonstrates quality and continuous improvement. Errors may occur in internal audit work, or there may be a perception that the work is not reliable. The internal audit activity may fail to keep up with innovations in technology, methodology, and audit techniques.
  • 18. • Communicates effectively. The internal audit activity may be unable to obtain the position, resources, and information it needs to conduct engagements and to effectively express its results, conclusions, and opinions to management and the board. • Provides risk-based assurance. Management and the board will not have independent validation that its controls are designed properly and are working as expected to mitigate risks.
  • 19. • Is insightful, proactive, and future-focused. The internal audit activity is likely to miss emerging risks, and the value it adds will be limited. • Promotes organizational improvement. The value that internal audit adds may be limited, as it may miss opportunities to recommend ways the organization could increase efficiency.
  • 20. Definition of Internal Auditing* • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  • 21. • The strategic focus of internal audit is clearly aligned with the expectations of key organizational stakeholders. The Definition of Internal Auditing focuses the image of internal auditing in six significant ways.
  • 22. 1 • It describes internal auditing as an independent, objective activity. Independence refers to a structure that allows for the audit activity’s freedom to determine audit or assurance scope, to perform the work judged necessary to achieve engagement objectives, and to communicate the results. Objectivity refers to the personal ability to be non-biased, which allows auditors to be responsive to their customers and to add value through their objective analyses and recommendations for improvement.
  • 23. 2 • The definition explicitly recognizes the consulting role of internal audit in providing advice to the organization, in addition to assurance activities. This conveys a proactive, customer-driven approach where internal audit plays a role in organizational governance, risk management, and control activities.
  • 24. 3 • By stating that internal auditing is designed to “add value and improve an organization’s operations,” the definition articulates the expectation that the internal audit activity will add value to the organization.
  • 25. 4 • By referring to the organization’s objectives, the definition focuses on the whole organization. This requires auditors to understand the strategic objectives of the organization and the goals and objectives that support it and to view problems and solutions from a broad perspective.
  • 26. 5 • The definition recognizes internal auditing’s legacy of delivering services with a tried-and-true, systematic, and disciplined approach that results from being a standards-based profession.
  • 27. 6 • The definition charges internal auditors with a broad and involved role to play in the organization’s governance and risk management processes. Underlying the terminology is the understanding that controls exist to help the organization manage risk and promote effective governance processes.
  • 28. • Internal auditing differs from external auditing, which serves third parties who require reliable financial information based on reliable supporting records. Drawing further distinctions between internal and external auditors as well as other related review functions can help clarify what internal auditing is and what it is not. These distinctions are described below:
  • 29. External auditors/financial auditors. • These auditors provide an attestation solely based on the financial reports and statements generated by an organization. The work of external and financial auditors is historical in nature and is critical to allowing investors and other third parties to make informed decisions (e.g., investing, approving debt issuance) about an organization based on its financial statements when taken as a whole.
  • 30. Compliance • Compliance reviews typically serve to determine whether or not an organization is adhering to a specified law, regulation, standard, policy, or procedure, and the results are reported as such.
  • 31. Regulators • These auditors work for regulating bodies that review compliance with specific regulations as well as the overall safety and soundness of the organizations being examined. These auditors perform compliance reviews of corporations or agencies that are regulated by the specified regulating body.
  • 32. Government auditors • Government auditors typically work for departments, ministries, or agencies of a government and provide assurance regarding program requirements, performance audits, budget reviews, and management audits.
  • 33. The Standards* The Standards comprise two main categories: • Attribute Standards address the attributes of organizations and individuals performing internal auditing. • Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
  • 34. • Attribute and Performance Standards apply to all internal audit services. • Implementation Standards expand upon existing Attribute and Performance Standards by providing the requirements specifically applicable to assurance (.A) or consulting (.C) services. These requirements are discussed as applicable throughout the text.
  • 35. Attribute Standard 1000, “Purpose, Authority, and Responsibility” • The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
  • 39. • The internal audit charter is a critical document that records the agreed-upon purpose, authority, independence and objectivity, reporting structure, and responsibility of an organization’s internal audit activity. It establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties; and defines the scope of internal audit activities.
  • 40. • The chief audit executive (CAE) is defined in the IPPF glossary as “a person in a senior position responsible for effectively managing the internal audit activity....” This person is charged with the creation of the internal audit charter and with the task of reviewing and presenting the audit charter for board approval periodically. The specific job title and/or responsibilities of the CAE may vary across organizations, and the position may be outsourced as well.
  • 41. • The board is defined in the IPPF glossary as “the highest level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable.” It may refer to an audit committee, which is a subset of the broader board to oversee certain functions (e.g., internal audit, external auditors, financial concerns). If a board or audit committee does not exist, the term may refer to the head of an organization.
  • 42. Topic 2: Internal Audit Charter Requirements • In addition to reviewing the contents of this topic, students can review the following IIA materials: • IIA Model Charter Model Internal Audit Activity Charter (theiia.org) • Implementation Guidance for Standards 1000 and 1010 Implementation Guidance (theiia.org)
  • 43. Audit Charter and Approval • The internal audit charter provides a recognized statement of the purpose, authority, and responsibility of internal audit for review and acceptance by management and for approval by the board. If a question should arise, the internal audit charter provides a formal, written agreement with management and the board.
  • 44. • Before writing or revising the internal audit charter, the CAE typically reviews the IPPF to refresh his or her understanding of the Mission of Internal Audit and the elements that must be included in the charter, which are governed by Standard 1010.
  • 45. *** • Attribute Standard 1010, “Recognizing Mandatory Guidance in the Internal Audit Charter” The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management and the board.
  • 46. • To recognize the mandatory elements of the IPPF in the internal audit charter, the CAE may make specific statements that use language from applicable standards, such as Standard 1010, directly. • Alternatively, the CAE may use language and content throughout the internal audit charter that require conformance with Mandatory Guidance.
  • 47. Key point • Once the charter is adopted, it is important for the CAE to monitor the IIA’s Mandatory Guidance and discuss any changes that may be warranted during the next charter review with senior management and the board.
  • 48. Elements of the Internal Charter • See IIA Model charter
  • 49. Topic 3: Assurance versus Consulting
  • 50. Assurance and Consulting Services • Internal auditors provide a variety of assurance and consulting (advisory) services. • The IPPF glossary defines assurance services as: • An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
  • 51. • The glossary defines consulting services as: • Advisory and related client services activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
  • 52. *** • Implementation Standard 1000.A1 (Assurance Engagements) The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.
  • 53. *** • Implementation Standard 1000.C1 (Consulting Engagements) The nature of consulting services must be defined in the internal audit charter.
  • 54. Assurance Services • Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusion regarding an entity, operation, function, process, system, or other subject matter. Three parties are generally involved in assurance services: • The person or group directly involved with the entity, operation, function, process, system, or other subject matter—the client • The person or group making the assessment—the internal auditor • The person or group using the assessment—the user or stakeholder
  • 55. Examples of assurance services may include: • Financial. • Performance. • Compliance. • System security. • Due diligence. • Strategic.
  • 56. Consulting Services • Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. They generally involve two parties: • The person or group offering the advice—the internal auditor • The person or group seeking and receiving the advice—the engagement client
  • 57. Advisory consulting engagements. • These engagements are designed to offer advice and might include: • Advising on control design. • Advising during development of policies and procedures. • Participating in an advisory role for high-risk projects. • Advising on certain enterprise risk management activities. • Recommending solutions to key issues or challenges facing the organization.
  • 58. Training consulting engagements. These engagements are educational in nature and might include: • Training on governance, risk management, and internal control. • Benchmarking internal areas with comparable areas of similar organizations to identify best practices. • Post-mortem analysis—that is, determining lessons learned from a project after it is completed.
  • 59. Facilitative consulting engagements. • Facilitating an organization’s risk assessment process. • Facilitating management’s control self-assessment. • Facilitating a task force charged with redesigning controls and procedures for a new or changed area. • Acting as a liaison between management and independent outside auditors, government agencies, vendors, and contractors on control issues.
  • 60. • Consulting may range from formal engagements, defined by written agreements, to informal activities, such as participating in standing or temporary management committees or project teams. Internal auditors may be requested to help in special consulting engagements, such as participation in a merger or acquisition project or in an emergency engagement. These may require departure from normal or established procedures for conducting consulting engagements.
  • 61. The following are common examples of consulting activities: • Business process improvement • Risk and control self-assessment • Continuous monitoring of controls • Internal control review • Forensic audits • Operational readiness (product launch, new service or system) • Governance principles and practices • Ethics training • Internal control training • Participation on committees
  • 62. • Consistent with the IIA’s Code of Ethics, a consulting engagement should never be conducted in an attempt to circumvent assurance engagement requirements such as the need to provide an opinion at the end of an engagement. Services once conducted as an assurance engagement may be performed as a consulting engagement—if deemed appropriate.
  • 63. Blended Engagements • Assurance and consulting services are not mutually exclusive, so an audit activity can have both assurance and consulting components. A blended engagement may consolidate elements of assurance and consulting activities. A blended engagement may take the form of a due diligence engagement to provide assurance and consulting services in support of management's evaluation of an acquisition candidate, for example. In other instances, individual components of an engagement may be specified as assurance or consulting. This blending of the two types of services can add value and create efficiencies.
  • 64. Topic 4: IIA Code of Ethics Conformance • This topic discusses the IIA’s Code of Ethics, including its four key components: • Integrity • Objectivity • Confidentiality • Competency
  • 65. Purpose of the Code of Ethics
  • 66. • The purpose of the IIA's Code of Ethics is to promote an ethical culture in the profession of internal auditing. It is necessary and appropriate for the profession of internal auditing.
  • 67. • The Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components: • Principles that are relevant to the profession and practice of internal auditing. • Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
  • 68. • The Code of Ethics applies to both entities and individuals that perform internal audit services. The placement of the Code of Ethics within the IPPF is shown in Exhibit 1-13.
  • 69. Code of Ethics • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. • It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  • 70. *** • It is especially important for the CAE to uphold the Code of Ethics, thereby setting the tone for the value of ethics among the team.
  • 71. Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. The Rules of Conduct specify that internal auditors: • 1. Shall perform their work with honesty, diligence, and responsibility. • 2. Shall observe the law and make disclosures expected by the law and the profession. • 3. Shall not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or to the organization. • 4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
  • 72. • As the leader of the internal audit activity, the CAE should cultivate a culture of integrity by acting with integrity and adhering to the Code of Ethics. In order to assist in cultivating that culture, the CAE may: • Require internal auditors to agree in writing to follow the IIA’s Code of Ethics and any additional ethics-related policies. • Emphasize the importance of integrity by providing training that demonstrates integrity and other ethical principles.
  • 73. • The CAE should also maintain a working environment in which internal auditors feel supported when expressing legitimate, evidence-based observations, conclusions, and opinions, even if they are not favorable. • For the individual auditor, integrity may be considered primarily a personal attribute, making it difficult to measure, enforce, or guarantee. In simple terms, internal auditors are expected to tell the truth and do the right thing, even when it is uncomfortable or difficult to do so.
  • 74. Objectivity • Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
  • 75. Objectivity is defined in the IPPF glossary as: • An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
  • 76. The Rules of Conduct specify that internal auditors: • 1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization. • 2. Shall not accept anything that may impair or be presumed to impair their professional judgment. • 3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
  • 77. Confidentiality • Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
  • 78. • The Rules of Conduct specify that internal auditors: • 1. Shall be prudent in the use and protection of information acquired in the course of their duties. • 2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
  • 79. • To properly follow confidentiality laws and regulations, organizations usually issue information security policies. To better understand the impact of legal and regulatory requirements and protections, the CAE should consult with legal counsel. Organizational policies and procedures may require that specific authorities, such as legal counsel, review and approve business information before external release.
  • 80. Competency • Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. • The Rules of Conduct specify that internal auditors: • 1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience. • 2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing. • 3. Shall continually improve their proficiency and the effectiveness and quality of their services.
  • 81. • To ensure the competency of the internal audit activity as a whole, the CAE should inventory the skills and experience of individual auditors, align them with the competencies needed to fulfill the internal audit plan, and identify any gaps in coverage. The CAE may address deficiencies by: • Providing training and mentorship. • Rotating internal audit staff. • Bringing in guest auditors. • Hiring external service providers.
  • 82. • Individual internal auditors are responsible for taking the necessary actions to obtain any continuing professional education and development hours they may need. They should be aware of the current requirements for maintaining the active status of any credentials they hold. Most certifications require the completion of ethics training and continuing professional development.
  • 83. Section B: Independence and Objectivity
  • 84. • This section is designed to help you: • Define independence and objectivity in terms of internal audit. • Interpret organizational independence of the internal audit activity. • Explain the importance of independence in an internal audit activity. • Explain the reporting relationships for internal auditors. • Identify whether the internal audit activity has any impairments to its independence. • Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal auditor has any impairments to his/her objectivity. • Analyze policies that promote objectivity.
  • 85. • The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members. • Attribute Standards: www.theiia.org/Attribute-standards • Performance Standards: www.theiia.org/Performancestandards • Standards and Guidance: www.theiia.org/Guidance • Position Papers: www.theiia.org/Position-papers • Implementation Guidance: www.theiia.org/Practiceadvisories • Practice Guides and GTAGs: www.theiia.org/Practiceguides
  • 86. Topic 1: Organizational Independence • According to The IIA Attribute Standard 1110, “Organizational Independence”: • The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
  • 87. • Independence is defined in the IPPF glossary as “the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.” These conditions often stem from the organizational placement and assigned responsibilities of internal audit.
  • 88. The assigned roles and responsibilities for internal audit vary from organization to organization based on factors such as: • Organizational size. • Type of operations. • Capital structure. • Legal and regulatory environment.
  • 89. • Standard 1110 is effectively achieved when the CAE reports functionally to the board. Some examples of this functional reporting involve the board: • Approving the internal audit charter. • Approving the risk-based internal audit plan. • Approving the internal audit budget and resource plan. • Receiving communications from the CAE on the internal audit activity’s performance relative to its plan and other matters. • Evaluation and compensation of the CAE. • Appointment and removal of the CAE.
  • 90. • According to The IIA Implementation Standard 1110.A1 (Assurance Engagements): The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.
  • 91. • The IIA recommends that the CAE report administratively to the CEO, indicating that the CAE is in a senior position with the authority to perform duties unimpeded. However, in some cases, the CAE has an administrative reporting line to a member of senior management, which enables the requisite stature and authority of internal audit to fulfill responsibilities. The essential point is that the CAE will have unrestricted access to report sensitive matters to the highest level of governance in the organization.
  • 92. • Generally, the CAE, the board, and senior management discuss and agree upon internal audit's responsibility, authority, and expectations as well as the necessary organizational placement of internal audit and CAE reporting relationships to enable internal audit to fulfill its duties. The internal audit charter will reflect the decisions reached during those discussions.

Editor's Notes

  • #9: The Mission of Internal Audit articulates what internal audit aspires to accomplish in an organization. It demonstrates how practitioners should leverage the entire IPPF to facilitate their ability to achieve the Mission.
  • #14: The Principles set out the basic elements that describe internal audit effectiveness with respect to the aspirations expressed in the Mission of Internal Audit. They serve as fundamental propositions that form the basis for the Code of Ethics and the Standards. The placement of the Core Principles within the IPPF is shown in Exhibit 1-3.
  • #16: The consequences that may result from not demonstrating the Core Principles help reinforce the importance of each Principle. For each Principle listed below, an example is given describing a potential negative consequence.
  • #21: The Definition of Internal Auditing is mandatory guidance from the IIA and is key to understanding the role and depth of internal auditing. The placement of the Definition within the IPPF is shown in Exhibit 1-4.
  • #34: The Standards are a set of principles-based, mandatory requirements consisting of: Statements of core requirements for the professional practice of internal auditing and the evaluation of performance effectiveness that are internationally applicable at organizational and individual levels. Interpretations that clarify terms or concepts within the Standards. The placement of the Standards within the IPPF is shown in Exhibit 1-5.
  • #35: Many of the Standards use the words “must” or “should.” These terms have specific meaning within the IPPF. The word “must” specifies an unconditional requirement; the word “should” is used where conformance is expected unless, when applying professional judgment, circumstances justify deviation.
  • #36: Standard 1000 requires that the purpose, authority, and responsibility of the internal audit activity be clearly defined and approved by senior management and the board. Creating an understanding of the purpose, authority, and responsibility allows the internal audit activity to best support overall organizational goals and objectives and to strengthen internal controls and corporate governance. Exhibit 1-6 reviews the key elements characterizing internal audit activity purpose, authority, and responsibility.
  • #40: Standard 1000 introduces several concepts that are crucial to understand when following the mandatory and recommended guidance contained within the IPPF.
  • #41: For example, in organizations with smaller audit activities, the CAE may also be responsible for conducting engagements. It should be understood that the duties of the CAE are the duties of the internal audit activity as a whole, with these duties typically being managed by the CAE. The CAE should report to the board, which helps maintain internal audit independence.
  • #45: This topic discusses the required information, approval requirements, and typical components of an internal audit charter.
  • #55: The nature and the scope of the assurance engagement are determined by the internal auditor. Assurance services are at the core of internal auditing. While others can provide consulting services, internal audit has the knowledge of the organization and the independence to provide the board with the information, facts, and conclusions they need to make appropriate decisions. Assurance work makes up the majority of internal audit activities.
  • #58: The nature and the scope of a formal consulting engagement are subject to agreement with the engagement client. Such agreements should be formalized in writing. Consulting services can include any advisory activity that improves the organization’s governance, risk management, controls, and compliance. The following are examples of different types of consulting services.
  • #59: Mortem – death, corpse, annihilation
  • #63: Circumvent - avoid
  • #64: However, if assurance and consulting services are blended, it must be ensured that there are no conflicts of independence, objectivity, or otherwise with regard to roles and responsibilities.
  • #71: The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable and, therefore, the member, certification holder, or candidate can be liable for disciplinary action.
  • #72: While the principle of integrity applies to all auditors, it may be implemented differently from the perspective of the CAE compared to the perspective of the individual auditor.
  • #73: Effectively managing the internal audit activity includes proper engagement supervision and periodic reviews of internal auditors’ performance, which provide opportunities to discuss how integrity may be challenged and applied in real situations.
  • #77: The CAE may create relevant policies and procedures, for example, regarding gifts or requiring internal auditors to complete a form disclosing potential conflicts of interest and impairments to objectivity. For internal auditors, objectivity can be best pursued by providing a balanced assessment, ensuring that they are not unduly influenced in forming judgments, and avoiding conflicts of interest and impairments. The Standards provide a systematic and disciplined internal audit approach that can assist with ensuring objectivity.
  • #79: Information includes data in physical form and in electronic form. Confidentiality involves protecting information from being disclosed to unauthorized individuals, both within and outside the organization. Internal auditors should understand laws and regulations related to confidentiality and information security as well as any policies specific to their organization or the internal audit activity.
  • #80: The CAE may implement additional policies, processes, and procedures for the internal audit activity and external consultants to follow, typically closely aligned with the IPPF’s Mandatory Guidance. During meetings or training of the internal audit activity, the CAE may discuss principles, rules, policies, and expectations related to confidentiality. Ultimately, internal auditors are responsible for practicing confidentiality, which may be most evident when receiving confidential, proprietary, or personally identifiable information during the course of an audit engagement. To comply with the Rules of Conduct related to the confidentiality principle, internal auditors must follow established procedures for disclosure. Internal auditors should not use insider financial, strategic, or operational knowledge to bring about personal financial gain.
  • #81: The CAE is responsible for ensuring the competency of the internal audit activity as a whole. However, individual internal auditors are responsible for their own conformance with the competency principle, the Rules of Conduct, and the relevant standards and for obtaining the knowledge, skills, and experience needed to perform their responsibilities and to continually improve their proficiency and quality of service.
  • #82: The CAE should also develop policies and procedures that include regularly reviewing individual performance and should encourage educational and training opportunities when possible. To gain insight into their level of competency, proficiency, and effectiveness and to find areas for potential growth, internal auditors should regularly assess themselves. Internal auditors should also seek constructive feedback from peers, supervisors, and the CAE. Internal auditors may build their competencies by pursuing educational and mentorship opportunities and supervised work experiences that enable them to expand their skills. Properly supervised internal audit engagements play a large role in facilitating the development of internal auditors, because most internal audit activities have limited resources.
  • #86: This section covers the crucial requirements for the internal audit activity to be independent and individual internal auditors to be objective. Lacking either of these crucial traits can render the results of engagements and the recommendations of internal audit unreliable and inaccurate, to the detriment of the organization.
  • #87: In addition to reviewing the contents of this topic, students can review the following IIA materials: Implementation Guidance for Standards 1100, 1110, 1111, 1112
  • #89: If the internal audit activity does not have sufficient organizational status and autonomy, the ability to effectively manage the independence of its work and reports is subject to question.
  • #91: Functional oversight requires the board to create the right working conditions to permit the operation of an independent and effective internal audit activity. The board monitors the ability of the internal audit activity to operate independently.