Chapter 2 The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession.


Chapter 2 Learning Objectives
- Know the history behind the current professional guidance for the practice of internal auditing.
- Describe the structure of the International Professional Practices Framework (IPPF) and the categories of authoritative guidance it provides.
- Understand the relationship between the Value Proposition of Internal Auditing for Stakeholders and the IPPF.
- Understand the mandatory IPPF guidance: the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
- Understand the strongly recommended IPPF guidance: Practice Advisories, Position Papers, and Practice Guides.
- Describe how the IPPF is kept current.
- Understand how the authoritative guidance promulgated by other professional organizations affects the practice of internal auditing.

Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A.

History
- Institute of Internal Auditors (IIA) - 1941
- The Statement of the Responsibilities of the Internal Auditor was issued in 1947
- The statement was revised in 70’s, 80’s and ’90.
- The PPF was approved in 1999 and revised in 2008 and renamed the International Professional Practices Framework (IPPF).
- IIA: leader in certification, education, research, and technology guidance

IA began to take shape as management became more distanced from operations. Need for formalized activities. (Statement of Responsibilities) defined objectives and scope of internal audit (mostly financial matters). A vision for the future, professional practices framework (PPF) for Internal Audit.

International Professional Practices Framework (IPPF)
- Contains what is considered to be the essential elements of the effective delivery of internal audit services
- Includes attributes of the individual internal auditor, the characteristics of the function or organization providing these services, the nature of internal audit activities, and their performance criteria
- The PPF provides guidance to the profession and sets expectations for its customers regarding performance of internal audit services
- See Ex 2-1

Exhibit 2-1

RQ2: Six Components of the IPPF:
- Definition of internal auditing - mandatory
- Code of Ethics - mandatory
- Standards - mandatory
- Practice Advisories – (strongly recommended) provide concise and timely guidance as to how the Standards might be implemented
- Practice Guides – (strongly recommended) provide detailed guidance on internal audit tools and techniques
- Position Papers – (strongly recommended) provide guidance on issues that extend beyond the specifics of how the CAE, IA function, and individual internal auditors should conduct their work.

1) Definition of Internal Auditing (CH1)

Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.

IIA Board of Directors 1999

2) Code of Ethics

To promote ethical culture
- Integrity – trust, internal auditors will perform their work with diligence and truthfulness and in accordance with the law and ethical values (i.e., the price of admission)
- Objectivity – unbiased mental attitude
- Confidentiality – keep safe client information and not use it for personal gain
- Competency – possess necessary knowledge and skills

12 Rules of Conduct provide more guidance. https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx

DQ 2
- Why is it important for the internal audit profession to have a code of ethics?
- How are Principles different than Rules of Conduct?
- Who must abide by the Code of Ethics?
- What are the ramifications of breaching the Code of Ethics?

1) The purpose of the Code of Ethics “is to promote an ethical culture in the profession of internal auditing.” “A code of ethics is necessary and appropriate to the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.”

2) As described in the chapter text, the Principles express the four ideals internal auditors should aspire to maintain in conducting their work and represent the core values that internal auditors must uphold to earn the trust of those who rely on their services. The Rules of Conduct “describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.”

3) The “Code of Ethics applies to both entities and individuals that perform internal audit services.”

4) For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

3) International Standards for the Professional Practice of Internal Auditing

The Standards are the foundation of the IA profession and the core of the IPPF. The standards are principles-focused mandatory requirements consisting of Standards and Interpretations.

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx
Also Appendix A

(RQ5) Objectives of the Standards:
- Outline basic principles that represent the practice of internal audit as it should be
- Provide a framework for performing and promoting internal audit activities
- Establish the basis for the evaluation of IA performance
- Foster improved organizational processes & operations

“The purpose of the Standards is to: 1) Delineate basic principles that represent the practice of internal auditing. 2) Provide a framework for performing and promoting a broad range of value-added internal auditing. 3) Establish the basis for the evaluation of internal audit performance. 4) Foster improved organizational processes and operations.” (Introduction to the Standards)

Three types of standards
- Attribute – address the characteristics of organizations and individuals performing internal audit activities (1000)
- Performance – describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured. (2000)
- Implementation – these are embedded within the Attribute & Performance Standards and relate specifically to Assurance OR Consulting activities (e.g., 1210.A1 or 1210.C1)

The Attribute Standards address the characteristics of organizations and individuals performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be measured.

1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Exhibit 2-2

Question 1

A primary purpose of the standards is to:
a. Promote coordination of internal and external audit efforts
b. Establish a basis for evaluating internal audit performance
c. Develop consistency in internal audit practices
d. Provide a codification of existing practices

B is the best answer. The introduction to the Standards states that the purpose of the Standards is to provide the basis for measurement of internal audit performance. The Standards are not designed primarily to promote coordination between external and internal audit, although they do require the chief audit executive (CAE) to share information and coordinate activities with other internal and external providers of relevant assurance and consulting services (Standard 2050). The Standards also do not codify existing practice. Instead, they describe internal audit practice as it should be. The Standards do not attempt to establish consistency in internal audit practices but do describe what is necessary to be effective.

Question 2

Which of the following is/are “mandatory guidance” in the IIA’s IPPF? (RQ2)
I. Practice Advisories
II. The Code of Ethics
III. The Definition of Internal Auditing
IV. The Standards

a. I, II, and IV
b. II and IV
c. II, III, and IV
d. I, II, III, and IV

C is the best answer. The Code, Definition, and Standards are mandatory; the Practice Advisories are not.

Question 3

An internal auditor provides income tax services during the tax season. For which of the following activities would the auditor most likely be considered in violation of the Code of Ethics?
a. Preparing for a fee a division manager’s personal tax returns.
b. Appearing on a local radio show to discuss retirement planning and tax issues.
c. Receiving a stipend for teaching an evening tax class at the local junior college.
d. Working on weekends for a friend who has a small CPA firm.

A is the best answer. Preparation of a divisional manager’s tax return for a fee would be considered a conflict of interest for an internal auditor and thus impair objectivity (rule 2.1). The other activities are permitted under the Code.

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

Question 4

An internal auditor is auditing a division in which the division’s CFO is a close personal friend. The auditor learns that the friend is to be replaced after a series of critical contract negotiations with the Department of Defense. The auditor relays this information to the friend. Which principle of The Code of Ethics has been violated?
a. Integrity
b. Objectivity
c. Confidentiality
d. Privacy

C is the best answer. This situation would not be a prudent use of the information acquired in the course of the internal auditor’s duties or work and could be detrimental to the legitimate and ethical objectives of the company, thus impairing confidentiality (rule 3.1). The situation does not apply to the principles of integrity or objectivity. Privacy is not one of the principles of the Code.

(RQ6) The Nature of Audit Services and the Standards
- Assurance – objective examination of evidence for the purpose of providing an independent assessment; 3 parties (auditee, auditor, 3rd party)
- Consulting – advisory activities which are intended to add value; 2 parties (auditee, auditor)
- Covered in chapter 1
- Standards more stringent for assurance
- Interests of IA and 3rd party user aligned

Exhibit 2-3

Attribute Standards
- Purpose, Authority, Responsibility (1000 series)
- Independence and Objectivity (1100 series)
- Proficiency and Due Professional Care (1200 series)
- Quality Assurance and Improvement Programs (1300 series)

The Attribute Standards address the characteristics that the internal audit function and individual internal auditors must possess to perform effective assurance and consulting services, and are divided into 4 main sections.

Attribute Standards (See IPPF or App B)

Purpose, Authority, Responsibility (1000 series): 1000 and 1010
- The nature of services must be defined in an audit charter
- Why is it important for an internal audit function to have a charter?
- What information should an internal audit charter contain?

“Providing a formal, written internal audit charter is critical in managing the internal audit activity. The internal audit charter provides a recognized statement for review and acceptance by management and for approval, as documented in the minutes, by the board. It also facilitates a periodic assessment of the adequacy of the internal audit activity’s purpose, authority, and responsibility, which establishes the role of the internal audit activity. If a question should arise, the internal audit charter provides a formal, written agreement with management and the board about the organization’s internal audit activity.”

The internal audit charter should clearly define the internal audit activity’s purpose, authority, and responsibility.

Charter: Purpose, authority and responsibility and nature of services provided.

1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

1000.A1 – The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

Attribute Standards

2) Independence and Objectivity (1100 series) RQ7 (1100-1130)

1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.
- Independence: attribute of IA function
- Objectivity: attribute of individual auditor

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:
- Approving the internal audit charter;
- Approving the risk based internal audit plan;
- Approving the internal audit budget and resource plan;
- Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
- Approving decisions regarding the appointment and removal of the chief audit executive;
- Approving the remuneration of the chief audit executive; and
- Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1111 – Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

1120 – Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation: Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.

1130 – Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation: Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding. The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

1130.A1 – Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Independence
- Freedom from conditions that threaten objectivity or the appearance thereof.
- Established through the organizational structure
- Dual reporting is suggested – administrative reporting to the CEO & functional reporting to the BOD

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity

Objectivity can be threatened by many things that fall into 3 basic categories:
- Incentives (offer of job in operations or a bonus tied to report findings)
- Personal relationships
- Task-related threats (audit work you did in operations).

According to Attribute Standard 1130.A1, how long before an auditor can audit an area in which he or she previously worked? _____________________

OB – Unbiased mental attitude

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

DQ 5: The CAE for Sargon Products reports administratively to the CFO and functionally to the audit committee. The scope of the internal audit function's assurance services includes financial, operational, and compliance engagements. Is the internal auditors’ objectivity regarding accounting-related matters impaired in each of the situations below?
- The internal auditors are frequently asked to make accounting entries for complex transactions that the company’s accountants do not have the expertise to handle.
- A staff accountant reconciles the company’s monthly bank statements. An internal auditor reviews the bank reconciliations to make sure they are completed properly.
Answers, in the same order:
- In this situation, the internal auditors are performing the actual accounting function for the organization. Making the accounting entries should be the responsibility of accounting. In doing this work, the internal auditor’s objectivity would be considered impaired.
- The internal auditor is not performing the independent verification control of reconciling the monthly bank statements; this is being done by a staff accountant. The internal auditor is testing whether the control is operating effectively, which is an appropriate internal audit task. Accordingly, the internal auditor’s objectivity would not be considered impaired.

Attribute Standards
3) Proficiency and Due Professional Care (1200 series)
- Proficiency in applying internal audit standards, procedures and techniques as well as an understanding of management principles.
- Due Professional Care: applying the care and skill expected of a reasonably prudent, competent internal auditor.
- Continuing professional development – 80 hours CPE every 2 years; obtained through training and professional meetings.

1200 – Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Interpretation: Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.
1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 – Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – Internal auditors must exercise due professional care by considering the:
- Extent of work needed to achieve the engagement’s objectives;
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
- Adequacy and effectiveness of governance, risk management, and control processes;
- Probability of significant errors, fraud, or noncompliance; and
- Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.
1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering the:
- Needs and expectations of clients, including the nature, timing, and communication of engagement results;
- Relative complexity and extent of work needed to achieve the engagement’s objectives; and
- Cost of the consulting engagement in relation to potential benefits.

DQ7: You are part of a three-person internal audit function that was asked by your company’s CEO to conduct an audit of the internal controls over the company’s commodities trading and hedging activities. No member of the internal audit function has any training or experience in auditing trading and hedging activities. Refer to the Standards. Which standard would you consult for guidance regarding the situation described above?
- 1210: Proficiency. This standard states that “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”
- 1210.A1. This standard states that “The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.”

Attribute Standards
4) Quality Assurance and Improvement Programs (1300 Series)
- Quality assurance – providing reasonable assurance that IA carries out its responsibilities competently and in conformance with the standards and Code of Ethics.
- See Exhibit 2-5 for a framework.
- Instills confidence that product or service possesses features and characteristics it is intended to have.

Exhibit 2-5

Performance Standards
- Managing the IA Activity (2000 series) – sets out the responsibility of the CAE
- Nature of work (2100 series) – evaluating and improving the effectiveness of governance, risk management, and control
- Engagement Planning (2200 series) – develop and record a plan
- Performing the Engagement (2300 series)

Performance Standards
- Communicating Results (2400 Series)
- Monitoring Progress (2500 series)
- Resolution of Management’s Acceptance of Risk (2600 series)
Residual risk – risk after management implements its risk responses (i.e., controls).
If the CAE believes that residual risk exists that may be unacceptable to the organization, the CAE is required to discuss it with senior management and if it is not resolved, communicate it to the audit committee.

How the IPPF is Kept Current:
- The Professional Practices Advisory Council is responsible for coordinating the initiation, development, issuance and maintenance of the authoritative guidance that makes up the IPPF. All existing guidance is reviewed every three years.
- The Ethics Committee maintains the Code of Ethics and completes a formal review of the code every 3 years. Any proposed change requires a 90-day exposure period for public comment.
- The Internal Audit Standards Board reviews the existing Standards every 3 years. New standards or modifications require a 90-day comment period.
- The Professional Issues Committee develops, maintains and reviews Practice Advisories (every 3 years).
The development process is outlined in Exhibit 2-8.

Exhibit 2-8

Question 5
The IIA’s standards require internal auditors to exercise due professional care while conducting assurance engagements. Which of the following is NOT something an internal auditor is required to consider in determining what constitutes the exercise of due care in an assurance engagement of treasury operations?
a. The audit committee has requested assurance on the treasury function’s compliance with a new policy on use of financial instruments.
b. Treasury management has not instituted any risk management policies.
c. The independent outside auditors have requested to see the engagement report and working papers.
d. The treasury function just completed implementation of a new real-time investment tracking system.
C is the best answer. Due care does not vary because the independent outside auditor is going to look at the workpapers. The factors in the other choices would all be part of what needs to be considered to determine due care (see 1220.A1).

Question 6
In which of the following situations does the internal auditor potentially lack objectivity?
a. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors.
b. An internal auditor discusses a significant issue with the vice president to whom the auditee reports prior to drafting the audit report.
c. An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits.
d. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal auditing department.
D is the best answer. Standard 1130.A1 states that objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the auditor was responsible within the previous year. The actions depicted in the other choices do not impair the internal auditor’s objectivity.

Question 8
According to the Standards, which of the following must the internal audit manager think about when considering appropriate due care while planning an assurance engagement?
a. The opportunity to cross train internal audit staff.
b. The cost of assurance in relationship to potential benefits.
c. Job openings in the area that may be of interest to internal auditors assigned to the engagement.
d. The potential to deliver consulting services to the auditee.
B is the best answer. Standard 1220.A1 states that “Internal auditors must exercise due professional care by considering the: Extent of work needed to achieve the engagement’s objectives; Relative complexity, materiality, or significance of matters to which assurance procedures are applied; Adequacy and effectiveness of governance, risk management, and control processes; Probability of significant errors, fraud, or noncompliance; and Cost of assurance in relation to potential benefits.”

Question 9
Which of the following types of IPPF guidance require(s) an exposure to the various IIA national institutes prior to its issuance?
I. A new Practice Advisory
II. A new Standard
III. A new Position Paper
IV. A new definition in the Standards glossary
a. III only
b. II and IV
c. II, III, and IV
d. I, II, III, and IV
A is the best answer. A new Position Paper requires a 30-day exposure period to local IIA institutes. A new Practice Advisory requires no exposure period. A new standard requires a 90-day public exposure period. A new definition in the Standards glossary is considered part of the Standards and requires a 90-day exposure period.

Question 10
Which of the following are required of the internal audit function per the Standards?
a. Evaluate annually the effectiveness of the audit committee.
b. Issue annually an overall opinion on the adequacy of the organization’s system of internal controls.
c. Obtain an annual representation from management acknowledging management’s responsibility for the design and implementation of internal controls to prevent illegal acts.
d. Assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
D is the best answer. Standard 2110.A2 states that “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.”

Other Standards
- The Government Accounting Office (GAO) has issued standards for governmental audits in the US. “The Yellow Book” recognizes the IIA’s Standards as relevant for internal audit work in governmental entities.
- ISACA issues Standards, Guidelines, and Procedures for conducting IS audits.
- The Board of Environmental, Health, and Safety Auditor Certifications (BEAC) has developed standards for performing environmental, health and safety audits.

- The PCAOB and the AICPA currently set the standards for audits of companies’ financial statements in the US. These standards have bearing on internal audit work, especially pertaining to the coordination of work between internal audit functions and the outside independent auditors.
- International Standards Organization – an international standard-setting body composed of representatives from various national standards bodies.

Mark Hobson/Gail Wu/Comstock Industries Case
- Who is Mark? How old do you assume that he is? How much experience do you assume that he possesses?
- What is an “observation”? What two observations did Mark find?
- Are you concerned that Brenda Wilson does the aging of A/R?
- Are you concerned that the division accountant won’t talk to Mark?

- What do you think of Gail’s qualifications?
- Brenda is pressuring Mark to “let it ride” until after the financials come out. What do you think?
- The numbers “passed muster” with the independent outside auditors. How can that be?
- Mark tries to intimidate Mark? Do you think that really happens in practice?
- Gail is worried about building goodwill for the internal audit department with the rest of the company. Is this a valid concern?
- Gail insists that Mark submit a report that Hal agrees to and has signed. What do you think?

Exhibit 2-2

Exhibit 2-5

Exhibit 2-7

Exhibit 2-8

Exhibit 2-9