
CIA Part 1, Unit 1-1


CIA Part 1

Unit 1
The mission of Internal Audit

“To enhance and protect organizational value by providing risk-based and objective assurance, advice
and insight”

Facilitating the achievement of this mission is the International Professional Practices Framework (IPPF).

Adherence to the mandatory guidance is essential for the professional practice of internal auditing

Core Principles
“are the basis for internal audit effectiveness. The internal audit
function is effective if all principles are present and operating
effectively. The following are the Core Principles:
a) Demonstrates integrity.
b) Demonstrates competence and due professional care.
c) Is objective and free from undue influence (independent).
d) Aligns with the strategies, objectives, and risks of the
organization.
e) Is appropriately positioned and adequately resourced.
f) Demonstrates quality and continuous improvement.
g) Communicates effectively.
h) Provides risk-based assurance.
i) Is insightful, proactive, and future-focused.
j) Promotes organizational improvement.”

Definition of Internal Audit

“Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance
processes.”

The only thing that should be memorized

Code of Ethics

a. The primary purpose of a code of ethical conduct for a professional
organization is to promote an ethical culture among professionals
who serve others.
b. Additional functions of a code of ethical conduct for a professional
organization include
1) Communicating acceptable values to all members,
2) Establishing objective standards against which individuals can
measure their own performance, and
3) Communicating the organization’s values to outsiders.

Aspects of Codes of Ethical Conduct
1. The mere existence of a code of ethical conduct does not ensure that its principles are followed or that
those outside the organization will believe that it is trustworthy. A measure of the cohesion and
professionalism of an organization is the degree of voluntary compliance with its adopted code.

2. A code of ethical conduct can help establish minimum standards of competence, but it is impossible to
require equality of competence by all members of a profession.

3. To enhance its effectiveness, the code should provide for disciplinary action for violators.

Code Principles

Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors make a balanced assessment
of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming
judgments.

Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose
information without appropriate authority unless there is a legal or professional obligation to do so.

Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit
services.

Integrity

Internal auditors:

1. Shall perform their work with honesty, diligence, and responsibility.

2. Shall observe the law and make disclosures expected by the law and the profession.

3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of
internal auditing or to the organization.

4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

Objectivity

Internal auditors:

1. Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict with
the interests of the organization.

2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.

Confidentiality

Internal auditors:

1. Shall be prudent in the use and protection of information acquired in the course of their duties.

2. Shall not use information for any personal gain or in any manner that would be contrary to the law or
detrimental to the legitimate and ethical objectives of the organization.

Competency

Internal auditors:
1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

2. Shall perform internal audit services in accordance with the International Standards for the Professional
Practice of Internal Auditing (Standards).

3. Shall continually improve their proficiency and the effectiveness and quality of their services.

Standards of Internal Audit
International Professional Practices Framework (IPPF)

Purpose of the Standards

1. Guide adherence with the mandatory elements of the
International Professional Practices Framework.
2. Provide a framework for performing and promoting a
broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit
performance.
4. Foster improved organizational processes and
operations.
N.B: The Standards are vital to the practice of internal auditing, but CIA candidates need not memorize
them. However, the principles they establish should be thoroughly understood and appropriately applied.


Attribute Standards
“govern the responsibilities, attitudes, and actions of the organization’s internal audit activity and the people who serve as internal auditors”
1000 Purpose, Authority, and Responsibility
1100 Independence and Objectivity
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program

Performance Standards
“govern the nature of internal auditing and provide quality criteria for evaluating the internal audit function’s performance”
2000 Managing the Internal Audit Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Management’s Acceptance of Risks

Interpretations
Are provided by The IIA to clarify terms and concepts referred to in Attribute or Performance Standards

Implementation Standards
Expand upon the individual Attribute or Performance Standards by providing the requirements applicable to assurance (A) or consulting (C) services

N.B The Core Principles and the Definition of Internal Auditing are encompassed in the Code of Ethics and the Standards. Thus, conformance with the
Code and the Standards demonstrates conformance with all mandatory elements of the IPPF.

Purpose, Authority, and Responsibility of the Internal Audit Activity

Purpose
As defined in The IIA Glossary, the purpose of the internal audit activity is to provide “independent, objective assurance
and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps
an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management and control processes.”

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions
regarding an entity, operation, function, process, system, or other subject matters.
a) The nature and scope of an assurance engagement are determined by the internal auditor.
b) Generally, three parties are participants in assurance services: (1) the process owner (i.e., the person or group
directly involved with the entity, operation, function, process, system, or other subject matter), (2) the internal
auditor (i.e., the person or group making the assessment), and (3) the user (i.e., the person or group using the
assessment).
c) Assurance services include performing financial, performance, compliance, system security, and due diligence
engagements.

Consulting services are advisory in nature and are generally performed at the specific request of an engagement client.
Accordingly, The IIA Glossary defines consulting services as activities intended to add value and improve an
organization’s governance, risk management, and control processes without the internal auditor assuming management
responsibility.
a) The nature and scope of the consulting engagement are subject to agreement with the engagement client.
b) Generally, two parties are participants in consulting services: (1) the internal auditor (i.e., the person or group
offering the advice), and (2) the engagement client (i.e., the person or group seeking and receiving the advice).
When performing consulting services the internal auditor should maintain objectivity and not assume
management responsibility.
c) Consulting services include providing counsel, advice, facilitation, and training.

Authority
The support of management and the board is crucial when inevitable conflicts arise between the internal audit activity
and the department or function under review. Thus, the internal audit activity should be empowered to require auditees
to grant access to all records, personnel, and physical properties relevant to the performance of every engagement.

A formal charter for the internal audit activity that defines the internal audit activity’s purpose, authority, and
responsibility must be adopted, and it should contain a grant of sufficient authority. Final approval of the charter resides
with the board.

Responsibility
The internal audit activity’s responsibility is to provide the organization with assurance and consulting services that will
add value and improve the organization’s operations. Specifically, the internal audit activity must evaluate and improve
the effectiveness of the organization’s governance, risk management, and control processes.

Question

The types of services provided by the internal audit activity can best be described as

A. Auditing and consulting.
B. Auditing and assurance.
C. Assurance and consulting.
D. Auditing and engagement.

INTERNAL AUDIT CHARTER (Attribute Standard 1000)

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an
internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework (the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit
executive must periodically review the internal audit charter and present it to senior management and the
board for approval.

Interpretation of Standard 1000


The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority,
and responsibility. The internal audit charter establishes the internal audit activity’s position within the
organization, including the nature of the chief audit executive’s functional reporting relationship with the
board; authorizes access to records, personnel, and physical properties relevant to the performance of
engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter
resides with the board.
1) An auditee must not be able to place a scope limitation on the internal audit activity by refusing to
make relevant records, personnel, and physical properties available to the internal auditors.

2) Engagement clients must be informed of the internal audit activity’s purpose, authority, and
responsibility to prevent misunderstandings about access to records and personnel.

3) The chief audit executive (CAE) must understand the Mission of Internal Audit and the mandatory
elements of The IIA’s International Professional Practices Framework (IPPF) — including the Core
Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International
Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing.

4) This understanding provides the foundation for a discussion among the CAE, senior management, and
the board to mutually agree upon:
a) Internal audit objectives and responsibilities
b) The expectations for the internal audit activity
c) The CAE’s functional and administrative reporting lines
d) The level of authority (including access to records, physical property, and personnel) required for the
internal audit activity to perform engagements and fulfill its agreed-upon objectives and
responsibilities.

5) Once drafted, the proposed internal audit charter should be discussed with senior management and the
board to confirm that it accurately describes the agreed-upon role and expectations or to identify desired
changes. Once the draft has been accepted, the CAE formally presents it during a board meeting to be
discussed and approved.
6) The minutes of the board meetings during which the CAE initially discusses and then formally presents
the internal audit charter provide documentation of conformance. In addition, the CAE retains the approved
charter.

7) The charter must define the nature of assurance and consulting services provided by the internal audit
activity.

Implementation Standard 1000.A1
The nature of assurance services provided to the organization must be defined in the internal audit charter.
If assurances are to be provided to parties outside the organization, the nature of these assurances must
also be defined in the internal audit charter.
Implementation Standard 1000.C1
The nature of consulting services must be defined in the internal audit charter.
Attribute Standard 1010
Recognizing Mandatory Guidance in the Internal Audit Charter
The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of
Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit
charter. The chief audit executive should discuss the Mission of Internal Audit and the mandatory elements
of the International Professional Practices Framework with senior management and the board.

Question

The board of an organization has charged the chief audit executive (CAE) with upgrading
the internal audit activity. The CAE’s first task is to develop a charter. What item should be
included in the statement of objectives?

A. Report all engagement results to the board every quarter.
B. Notify governmental regulatory agencies of unethical business practices by organization
management.
C. Evaluate the adequacy and effectiveness of the organization’s controls.
D. Submit budget variance reports to management every month.

Question

During an engagement to evaluate the organization’s accounts payable function, an
internal auditor plans to confirm balances with suppliers. What is the source of authority
for such contacts with units outside the organization?

A. The internal audit activity’s charter.
B. The Standards.
C. Internal audit activity policies and procedures.
D. The Code of Ethics.

Question

The proper organizational role of internal auditing is to

A. Assist the external auditor to reduce external audit fees.
B. Perform studies to assist in the attainment of more efficient operations.
C. Serve as the investigative arm of the board.
D. Serve as an independent, objective assurance and consulting activity that adds value
to operations.

Question

A major reason for establishing an internal audit activity is to

A. Relieve overburdened management of the responsibility for establishing effective
controls.
B. Safeguard resources entrusted to the organization.
C. Ensure the reliability and integrity of financial and operational information.
D. Evaluate and improve the effectiveness of control processes.

Question
An internal auditor often faces special problems when performing an engagement at a
foreign subsidiary. Which of the following statements is false with respect to the conduct
of international engagements?

A. The IIA Standards do not apply outside of the United States.
B. The internal auditor should determine whether managers are in compliance with local
laws.
C. There may be justification for having different organizational policies in force in foreign
branches.
D. It is preferable to have multilingual internal auditors conduct engagements at branches
in foreign nations.

Question
The purpose of the internal audit activity can be best described as

A. Adding value to the organization.
B. Providing additional assurance regarding fair presentation of financial statements.
C. Expressing an opinion on the adequate design and functioning of the system of
internal control.
D. Assuring the absence of any fraud that would materially affect the financial
statements.

Question
The internal audit activity’s scope of responsibilities includes

A. Eliminating risk.
B. Managing risk.
C. Evaluating risk.
D. Controlling risk.

Question
Which one of the following must be included in the internal audit charter?

A. Internal audit scope.
B. Internal audit responsibility.
C. Chief audit executive’s compensation plan.
D. Number of full-time internal audit employees deemed to be the necessary minimum.

Question
Which one of the following is not included in the internal audit charter?

A. Risk assessment of the internal audit activity.
B. Responsibility of the internal audit activity.
C. Purpose of the internal audit activity.
D. Authority of the internal audit activity.

Question
Which of the following is not appropriate for inclusion in the internal audit charter?

A. The nature of the chief audit executive’s functional reporting relationship with the
board.
B. Authorization of internal audit access to records, personnel, and physical properties.
C. Definition of the scope of internal audit activities.
D. Authorization of the board to approve the charter.

Thank You
Ahmed Saeed
01098028880