2. International Professional Practices Framework
The IIA (The Institute of Internal Auditors) provides for
internal audit professionals all around the world
authoritative guidance organized in the International
Professional Practices Framework
as mandatory and strongly recommended guidance.
2
3. Mandatory Guidance
Conformance with the principles set forth in mandatory guidance is
required and essential for the professional practice of internal auditing
Element
⢠Definition
The Definition of Internal Auditing states the fundamental
purpose, nature, and scope of internal auditing.
⢠Code of Ethics
The Code of Ethics states the principles and expectations governing
behavior of individuals and organizations in the conduct of internal
auditing. It describes the minimum requirements for conduct, and
behavioral expectations rather than specific activities.
⢠International Standards
⢠Standards are principle-focused and provide a framework for performing
and promoting internal auditing. The Standards are mandatory
requirements consisting of:
⢠Statements of basic requirements for the professional practice of internal
auditing and for evaluating the effectiveness of its performance. The
requirements are internationally applicable at organizational and
individual levels.
⢠Interpretations, which clarify terms or concepts within the statements.
3
4. Strongly Recommended Guidance
Strongly recommended guidance is endorsed by The IIA through a formal
approval processes. It describes practices for effective implementation of The
IIA's Definition of Internal Auditing, Code of Ethics, and Standards
Element
⢠Position Papers
Position Papers assist a wide range of interested parties, including those not in
the internal auditprofession, in understanding significant governance, risk, or
control issues and delineating(outline) related roles and responsibilities of
internal auditing.
⢠Practice Advisories
Practice Advisories assist internal auditors in applying the Definition of Internal
Auditing, the Code of Ethics, and the Standards and promoting good practices.
Practice Advisories address internal auditing's approach, methodologies, and
consideration, but not detail processes or procedures. They include practices
relating to: international, country, or industry-specific issues; specific types of
engagements; and legal or regulatory issues.
⢠Practice Guides
Practice Guides provide detailed guidance for conducting internal audit
activities. They include detailed processes and procedures, such as tools and
techniques, programs, and step-by-step approaches, as well as examples of 4
deliverables.
5. (1) Definition of Internal Auditing
Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization's operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
5
6. (2) Code of Ethics
⢠Principles
Internal auditors are expected to apply and uphold( Support) the following
principles:
⢠1. Integrity
The integrity of internal auditors establishes trust and thus provides the basis
for reliance on their judgment.
⢠2. Objectivity
Internal auditors Display the highest level of professional objectivity in
gathering, evaluating, and communicating information about the activity or
process being examined. Internal auditors make a balanced assessment of all
the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgments
⢠3. Confidentiality
Internal auditors respect the value and ownership of information they receive
and do not disclose information without appropriate authority unless there is a
legal or professional obligation to do so.
⢠4. Competency
Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.
6
7. ⢠Rules of Conduct
1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty(truthfulness), diligence, and
responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the
profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the
organization.
2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be
presumed to impair their unbiased assessment. This participation includes
those activities or relationships that may be in conflict with the interests of the
organization.
2.2. Shall not accept anything that may impair or be presumed to impair their
professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may
distort (misrepresent) the reporting of activities under review. 7
8. 3. Confidentiality
Internal auditors:
3.1. Shall be prudent (careful) in the use and protection of information acquired in
the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would
be contrary to the law or detrimental to the legitimate and ethical objectives
of the organization.
4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary
knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with
the International Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality
of their services.
8
9. (3) International Standards for the Professional
Practice of Internal Auditing
⢠Internal auditing is conducted in diverse legal and cultural
environments; within organizations that vary in
purpose, size, complexity, and structure; and by persons within or
outside the organization. While differences may affect the practice
of internal auditing in each environment, conformance with The
IIA's International Standards for the Professional Practice of
Internal Auditing (Standards) is essential in meeting the
responsibilities of internal auditors and the internal audit activity.
⢠If internal auditors or the internal audit activity is prohibited
by law or regulation from conformance with certain parts of
the Standards, conformance with all other parts of the
Standards and appropriate disclosures are needed.
9
10. ⢠If the Standards are used in conjunction with standards
issued by other authoritative bodies, internal audit
communications may also cite( name) the use of other
standards, as appropriate. In such a case, if inconsistencies
exist between the Standards and other standards, internal
auditors and the internal audit activity must conform with
the Standards, and may conform with the other standards if
they are more restrictive.
10
11. The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of
internal auditing.
2. Provide a framework for performing and promoting a broad
range of value-added internal auditing.
3. Establish the basis for the evaluation of internal audit
performance.
4. Foster improved organizational processes and operations.
11
12. The structure of the Standards is divided between Attribute
and Performance Standards.
⢠Attribute Standards address the attributes of organizations
and individuals performing internal auditing.
⢠The Performance Standards describe the nature of internal
auditing and provide quality criteria against which the
performance of these services can be measured.
The Attribute and Performance Standards are also provided to
apply to all internal audit services.
⢠Implementation Standards are also provided to expand upon
the Attribute and Performance standards, by providing the
requirements applicable to assurance (A) or consulting (C)
activities.
12
13. Assurance services:
⢠Involve the internal auditor's objective assessment of
evidence to provide an independent opinion or
conclusions regarding an
entity, operation, function, process, system, or other
subject matter.
⢠The nature and scope of the assurance engagement
are determined by the internal auditor.
There are generally three parties involved in assurance
services:
(1) the person or group directly involved with the
entity, operation, function, process, system, or other
subject matter - the process owner,
(2) the person or group making the assessment - the
internal auditor,
(3) the person or group using the assessment - the user.
13
14. Consulting services:
⢠are advisory in nature, and are generally performed at the
specific request of an engagement client.
⢠The nature and scope of the consulting engagement are
subject to agreement with the engagement client.
⢠Consulting services generally involve two parties:
(1) the person or group offering the advice - the internal auditor,
(2) the person or group seeking and receiving the advice - the
engagement client. When performing consulting services the
internal auditor should maintain objectivity and not assume
management responsibility.
⢠The review and development of the Standards is an ongoing
process. The Internal Audit Standards Board engages in
extensive consultation and discussion prior to issuing the
Standards. This includes worldwide solicitation for public
comment through the exposure draft process. All exposure
drafts are posted on The IIA's Web site as well as being
distributed to all IIA institutes.
14
16. ⢠1210-Proficiency
Internal auditors must possess the knowledge, skills, and
other competencies needed to perform their individual
responsibilities. The internal audit activity collectively must
possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.
⢠Interpretation:
Knowledge, skills, and other competencies is a collective
term that refers to the professional proficiency required of
internal auditors to effectively carry out their professional
responsibilities. Internal auditors are encouraged to
demonstrate their proficiency by obtaining appropriate
professional certifications and qualifications, such as the
Certified Internal Auditor designation and other
designations offered by The Institute of Internal Auditors
and other appropriate professional organizations.
16
17. 1210-Proficiency
⢠1210.A1 - The chief audit executive must obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.
⢠1210.A2 - Internal auditors must have sufficient knowledge to evaluate
the risk of fraud and the manner in which it is managed by the
organization, but are not expected to have the expertise of a person
whose primary responsibility is detecting and investigating fraud.
⢠1210.A3 - Internal auditors must have sufficient knowledge of key
information technology risks and controls and available technology-based
audit techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an internal auditor whose
primary responsibility is information technology auditing.
⢠1210.C1 - The chief audit executive must decline the consulting
engagement or obtain competent advice and assistance if the internal
auditors lack the knowledge, skills, or other competencies needed to
perform all or part of the engagement.
17
18. The knowledge, skills, and other competencies referred to in the standard include:
Proficiency in applying internal audit standards, procedures, and techniques in
performing engagements.
⢠Proficiency means the ability to apply knowledge to situations likely to be encountered
and to deal with them appropriately without extensive recourse to technical research
and assistance.
Example: Proficiency in accounting principles and techniques if internal auditors work
extensively with financial records and reports ,Knowledge to identify the indicators of
fraud. Knowledge of key information technology risks and controls and available
technology based audit techniques.
⢠An understanding of management principles to recognize and evaluate the materiality
and significance of deviations from good business practices. An understanding means
the ability to apply broad knowledge to situations likely to be encountered, to recognize
significant deviations, and to be able to carry out the research necessary to arrive at
reasonable solutions.
⢠An appreciation of the fundamentals of business subjects such as
accounting, economics, commercial law, taxation, finance, quantitative
methods, information technology, risk management, and fraud. An appreciation means
the ability to recognize the existence of problems or potential problems and to identify
the additional research to be undertaken or the assistance to be obtained.
⢠Skills in dealing with people, understanding human relations, and maintaining
satisfactory relationships with engagement clients. Skills in oral and written
communications to clearly and effectively convey such matters as engagement
objectives, evaluations, conclusions, and recommendations.
18
19. ⢠Suitable criteria of education and experience for filling internal
audit positions is established by the chief audit executive (CAE)
who gives due consideration to the scope of work and level of
responsibility and obtains reasonable assurance as to each
prospective auditorâs qualifications and proficiency.
⢠The internal audit activity needs to collectively possess the
knowledge, skills, and other competencies essential to the
practice of the profession within the organization. Performing an
annual analysis of an internal audit activityâs
knowledge, skills, and other competencies helps identify areas
of opportunity that can be addressed by continuing professional
development, recruiting, or co-sourcing.
⢠Continuing professional development is essential to help
ensure internal audit staff remains proficient.
⢠The CAE may obtain assistance from experts outside the
internal audit activity to support or complement areas where
the internal audit activity is not sufficiently proficient.
19
20. External service provider
⢠An external service provider is a person or firm, independent of the
organization, who has special knowledge, skill, and experience in a
particular discipline. External service providers include
actuaries, accountants, appraisers, culture or language
experts, environmental specialists, fraud
investigators, lawyers, engineers, geologists, security
specialists, statisticians, information technology specialists, the
organizationâs external auditors, and other audit organizations.
⢠An external service provider may be engaged by the board, senior
management, or the chief audit executive (CAE).
⢠External service providers may be used by the internal audit activity
in connection with :
ď Achievement of the objectives in the engagement work
schedule.
ď Audit activities where a specialized skill and knowledge are
needed such as information technology, statistics, taxes, or
language translations.
ď Valuations of assets ( page âŚ) 20
21. ⢠When the CAE intends to use and rely on the work of an external service
provider, the CAE needs to consider the competence, independence, and
objectivity of the external service provider as it relates to the particular
assignment to be performed.
⢠The assessment of competency, independence, and objectivity is also needed
when the external service provider is selected by senior management or the
board,
⢠and the CAE intends to use and rely on the external service providerâs work.
When the selection is made by others and the CAEâs assessment determines
that he or she should not use and rely on the work of the external service
provider, communication of such results is needed to senior management or
the board, as appropriate.
⢠The CAE needs to assess the relationship of the external service provider
to the organization and to the internal audit activity to ensure that
independence and objectivity are maintained throughout the
engagement. In performing the assessment, the CAE verifies that there
are no financial, organizational, or personal relationships that will prevent
the external service provider from rendering impartial and unbiased
judgments and opinions when performing or reporting on the
engagement.
21
22. The CAE assesses the independence and objectivity of the external service
provider by considering:
⢠The financial interest the external service provider may have in the organization.
⢠The personal or professional relationship the external service provider may have to
the board, senior management, or others within the organization.
⢠The relationship the external service provider may have had with the organization
or the activities being reviewed.
⢠The extent of other ongoing services the external service provider may be
performing for the organization. Compensation or other incentives that the
external service provider may have.
⢠the external service provider is also the organizationâs external auditor and the
nature of the engagement is extended audit services, the CAE needs to ascertain
that work performed does not impair the external auditorâs independence.
Extended audit services refer to those services beyond the requirements of audit
standards generally accepted by external auditors. If the organizationâs external
auditors act or appear to act as members of senior management, management, or
as employees of the organization, then their independence is impaired.
Additionally, external auditors may provide the organization with other services
such as tax and consulting. Independence needs to be assessed in relation to the
full range of services provided to the organization.
22
23. To ascertain that the scope of work is adequate for the purposes of the internal
audit activity, the CAE obtains sufficient information regarding the scope of the
external service providerâs work ,It may be prudent to document these and other
matters in an engagement letter or contract. To accomplish this, the CAE reviews
the following with the external service provider:
⢠Objectives and scope of work including deliverables and time frames.
⢠Specific matters expected to be covered in the engagement communications.
⢠Access to relevant records, personnel, and physical properties.
⢠Information regarding assumptions and procedures to be employed.
⢠Ownership and custody of engagement working papers, if applicable.
⢠Confidentiality and restrictions on information obtained during the engagement.
⢠Where applicable, conformance with the Standards and the internal audit
activityâs standards for working practices.
In reviewing the work of an external service provider, the CAE evaluates the
adequacy of work performed, which includes sufficiency of information obtained
to afford a reasonable basis for the conclusions reached and the resolution of
exceptions or other unusual matters.
23
24. 1220-Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent
(careful) and competent internal auditor. Due professional care does not imply
infallibility.
1220.A1- Internal auditors must exercise due professional care by considering the:
⢠Extent of work needed to achieve the engagement's objectives;
⢠Relative complexity, materiality, or significance of matters to which assurance
procedures are applied;
⢠Adequacy and effectiveness of governance, risk management, and control
processes;
⢠Probability of significant errors, fraud, or noncompliance; and
⢠Cost of assurance in relation to potential benefits.
1220.A2 - In exercising due professional care internal auditors must consider the
use of technology-based audit and other data analysis techniques.
1220.A3- Internal auditors must be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even
when performed with due professional care, do not guarantee that all significant
risks will be identified.
24
25. 1220.C1- Internal auditors must exercise due professional care during a consulting
engagement by considering the:
⢠Needs and expectations of clients, including the nature, timing, and
communication of engagement results;
⢠Relative complexity and extent of work needed to achieve the engagement's
objectives; and
⢠Cost of the consulting engagement in relation to potential benefits.
25
26. 1230 â Continuing Professional Development
Internal auditors must enhance their knowledge, skills, and other competencies
through continuing professional development.
⢠Internal auditors are responsible for continuing their education to enhance and
maintain their proficiency. Internal auditors need to stay informed about
improvements and current developments in internal audit
standards, procedures, and techniques, including The IIAâs International
Professional Practices Framework guidance. Continuing professional education
(CPE) may be obtained through membership, participation, and volunteering in
professional organizations such as The IIA; attendance at
conferences, seminars, and in-house training programs; completion of college and
self-study courses; and involvement in research projects.
⢠Internal auditors are encouraged to demonstrate their proficiency by obtaining
appropriate professional certification, such as the Certified Internal Auditor
designation, other designations offered by The IIA, and additional designations
related to internal auditing.
26
27. ⢠Internal auditors are encouraged to pursue CPE (related to their organizationâs
activities and industry) to maintain their proficiency with regard to the
governance, risk, and control processes of their unique organization.
⢠Internal auditors who perform specialized audit and consulting work â such as
information technology, tax, actuarial, or systems design â may undertake
specialized CPE to allow them to perform their internal audit work with
proficiency.
⢠Internal auditors with professional certifications are responsible for obtaining
sufficient CPE to satisfy requirements related to the professional certification held.
⢠Internal auditors not presently holding appropriate certifications are encouraged
to pursue an educational program and/or individual study to obtain professional
certification.
27