CIA part 1: essentials of internal auditing

Internal audit External audit

Compliance+ operational+ financial Financial
CIA CA, CPA, ACCA
Voluntary Compulsory
Outsourcing or employees Outside people- third part-independent
Assurance and consulting Assurance
IPPF (international professional practices IASs (International auditing standards)
framework)
Given by the IIA-USA Given by IASB
Chapter 1: foundation of IA

Sub-unit 1 applicable guidance

The mission of internal audit as follows:

“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and
insight.”

To achieve the IA Mission, we need to follow the IPPF.

The IPPF contains mandatory and recommended guidance.

 1. Mandatory Guidance
It must be adhered by all internal auditors. And contains four elements.

1) The Core Principles are the basis for internal audit effectiveness.
The following are the Core Principles:

a) Demonstrates integrity.
b) Demonstrates competence and due professional care.
c) Is objective and free from undue influence (independent).
d) Aligns with the strategies, objectives, and risks of the organization.
e) Is appropriately positioned and adequately resourced.
f) Demonstrates quality and continuous improvement.
g) Communicates effectively.
h) Provides risk-based assurance.
i) Is insightful, proactive, and future-focused.
j) Promotes organizational improvement.
2) Definition of Internal Auditing
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.”

internal audit activity is “a department, division, team of consultants, or other practitioner(s) that provides
independent, objective assurance and consulting services designed to add value and improve an organization’s
operations.”

3) Code of ethics
Definition of code of ethics is: “The Code of Ethics states the principles and expectations governing the behavior of
individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for
conduct and behavioral expectations rather than specific activities.”
The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal
auditing.
The principles are:
 Integrity
 Objectivity
 Confidentiality
 Competency
4) The Standards
Known formally as the International Standards for the Professional Practice of Internal Auditing) serve the
following four purposes described by the IIA:

a) Guide adherence with the mandatory elements of the International Professional Practices
Framework.
b) Provide a framework for performing and promoting a broad range of value- added internal
auditing services.
c) Establish the basis for the evaluation of internal audit performance.
d) Foster improved organizational processes and operations.”
 Standards contains:

1) Attribute Standards(quality) numbered in the 1000s, govern the responsibilities, attitudes, and actions of
the organization’s internal audit activity and the people who serve as internal auditors.
2) Performance Standards, numbered in the 2000s, govern the nature of internal auditing and provide
quality criteria for evaluating the internal audit function’s performance.
3) Interpretations are provided by The IIA to clarify terms and concepts referred to in Attribute or
Performance Standards
4) Implementation Standards expand upon the individual Attribute or Performance Standards by providing
the requirements applicable to assurance (. A) or consulting (.C) services.
2. Recommended Guidance
They describe practices for effective implementation of the Core Principles, the Definition of Internal
auditing, the Code of Ethics, and the Standards.

The two recommended elements of the IPPF are

 Implementation Guidance (IG): It assists in applying standards

 Supplemental Guidance: It details process and procedures
conformance with the Code and the Standards demonstrates conformance with all mandatory elements of the
IPPF.

Purpose, Authority, and Responsibility of the Internal Audit Activity

I. Purpose
the purpose of the internal audit activity is to provide “independent, objective assurance and consulting
services designed to add value and improve an organization’s operations. The internal audit activity
helps an organization accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of governance, risk management and control processes.”

There are two services conducted by the Internal Auditor:

 Assurance services
 Consulting services
# Assurance
Definition assurance services are an objective
examination of evidence for the purpose of
providing an independent assessment on
governance, risk management, and control
processes for the organization.
Main purpose To offer an independent audit opinion based on
an objective assessment of evidence, from
which assurance may be gained
Parties
 Internal auditor
 Process owner
 User
Objective, scope, and approach Determined by the internal auditor
Objectives Must be based on risk assessment and take into
consideration error, fraud and noncompliance
Consulting
consulting services is activities intended to add
value and improve an organization’s governance,
risk management, and control processes without
the internal auditor assuming management
responsibility.
To offer advice, usually at the request of
management
 Internal auditor
 Engagement client
Agreed between the client and the internal
auditor
Must be consistent with the organization’s
strategic aims
Governance, risk management Must be included within the scope and May be included within the scope and addressed
and control processes addressed by the objectives by the objectives as required by the client
Skills If the skills are not available within the internal If the skills are not available within the internal
audit activity, the CAE must obtain the audit activity, the CAE must either obtain the
necessary skills to deliver the engagement necessary skills to deliver the engagement or
decline the engagement
Examples include Perform the following: providing the following:
 financial,  counsel,
 performance,  advice,
 compliance,  facilitation, and
 system security, and  training
 due diligence engagements.
2. Authority
A formal charter for the internal audit activity that defines the internal audit activity’s purpose, authority, and
responsibility must be adopted, and it should contain a grant of sufficient authority. Final approval of the charter
resides with the board.

2. Responsibility
The internal audit activity’s responsibility is to provide the organization with assurance and consulting services
that will add value and improve the organization’s operations. Specifically, the internal audit activity must
evaluate and improve the effectiveness of the organization’s governance, risk management, and control
processes.

Sub-unit 2- Ethics- introduction and principles

Definition of code of ethics is: “The Code of Ethics states the principles and expectations governing the behavior of
individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for
conduct and behavioral expectations rather than specific activities.”
The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal
auditing.
The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:
1)Principles that are relevant to the profession and practice of internal auditing.

2)Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the principles into practical applications and are intended to guide the ethical conduct of internal
auditors.

This Code of Ethics applies to both entities and individuals that perform internal audit services.
The provisions of the Code are applied broadly to all organizations and persons who perform internal
audit services, not just CIAs and members of the IIA.Violations of rules of ethics should be reported to
The IIA’s board of directors.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of
Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives.
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for
disciplinary action.
# Principles Meaning
1 Integrity
The integrity of internal auditors establishes
(trust,
trust and thus provides the basis for reliance
reliance)
on their judgment.
2 Objectivity
Internal auditors make a balanced
(Fact and
assessment of all the relevant circumstances
figures)
and are not unduly influenced by their own
interests or by others in forming judgments.
3 Confidentiality
Internal auditors respect the value and
ownership of information they receive and
do not disclose information without
appropriate authority unless there is a legal
or professional obligation to do so.
4 Competency Internal auditors apply the knowledge, skills, and
experience needed in the performance of internal
audit services
Rules of conduct
 Shall perform their work with honesty, diligence,
and responsibility.
 Shall observe the law and make disclosures
expected by the law and the profession.
 Shall not knowingly be a party
to any illegal activity, or engage
in acts that are discreditable to
the profession of internal
auditing or to the organization.
 Shall respect and contribute to the legitimate and
ethical objectives of the organization
 Shall not participate in any activity or
relationship that may impair or be
presumed to impair their unbiased
assessment. This participation includes
those activities or relationships that
may be in conflict with the interests of
the organization.
 Shall not accept anything that may
impair or be presumed to impair their
professional judgment.
 Shall disclose all material facts known to
them that, if not disclosed, may distort
the reporting of activities under review.
 Shall be prudent in the use and
protection of information acquired in
the course of their duties.
 Shall not use information for any
personal gain or in any manner that
would be contrary to the law or
detrimental to the legitimate and
ethical objectives of the organization.
 Shall engage only in those services for
which they have the necessary
knowledge, skills, and experience.
 Shall perform internal audit services in
accordance with the International
Standards for the Professional Practice
of Internal Auditing.
 Shall continually improve their
proficiency and the effectiveness and
quality of their services
 Sub-unit 3: integrity

Integrity is the foundation of the other three principles in The IIA’s Code of Ethics; objectivity, confidentiality, and
competency all depends on integrity. Integrity also underpins the Standard.

# Principles Meaning Rules of conduct

1 Integrity
The integrity of internal auditors establishes
trust and thus provides the basis for reliance
on their judgment.
The chief audit executive’s (CAE’s) responsibility for implementing integrity includes the following:
 Shall perform their work with honesty, diligence,
and responsibility.
 Shall observe the law and make disclosures
expected by the law and the profession.
 Shall not knowingly be a party
to any illegal activity, or engage
in acts that are discreditable to
the profession of internal
auditing or to the organization.
 Shall respect and contribute to the legitimate and
ethical objectives of the organization

 the CAE should cultivate a culture of integrity by acting with integrity and adhering to the Code of
Ethics (leading by example).
 The CAE also establishes policies and procedures to guide the internal audit activity to show diligence
and responsibility.
 The CAE may also emphasize the importance of integrity by providing training that demonstrates
integrity and other ethical principles in action
For internal auditors, behaviors that may not be illegal but may be discreditable include:

 Behavior that may be considered bullying, harassing, or discriminatory.

 Failing to accept responsibility for making mistakes.
 Issuing false reports or permitting others to do so.
 Lying.
 Making claims about one’s competency in a manner that is deceptive, false, or misleading.
 Making disparaging comments about the organization, fellow employees, or its stakeholders, either in
person or via media (e.g., in publications or social media posts).
 Minimizing, concealing, or omitting observations or unsatisfactory conclusions and ratings from
engagement reports or overall assessments.
 Noncompliance with the Standards and other IPPF Mandatory Guidance.
 Performing internal audit services for which one is not competent.
 Performing internal audit services with undeclared impairments to independence and objectivity.
 Soliciting or disclosing confidential information without proper authorization.
 Stating that the internal audit activity is operating in conformance with the Standards when the
assertion is not supported by the results of the quality assurance and improvement program.
 Overlooking illegal activities that the organization may tolerate or condone.
 Using the CIA designation or other credentials after they have expired or been revoked.
 Conformance with integrity may be demonstrated by:

 quality assurance and improvement program maintained by the CAE.

 the organization’s ethics policy or code of conduct
 relevant laws and regulations
 The IIA’s Code of Ethics
 IPPF Mandatory Guidance.
 Diligent supervision of engagements and performance of the self- assessments required by the Standards
to demonstrate the integrity of the internal audit activity as a whole.
Sub—unit 4 objectivity

Principle Meaning Rule of conduct Examples

Objectivity Internal auditors
 Shall not  Excessive individual fraternizing
make a balanced
participate in outside of work with the
assessment of all
any activity or organization’s employees,
the relevant
relationship that management, third-party suppliers,
circumstances and
are not unduly may impair or and vendors.
influenced by their be presumed to  Certain dealings in commercial properties
own interests or by impair their (excluding rental activity).
others in forming unbiased
assessment.  Sales of services or products by the
judgments. internal auditor to the organization.
This means based This
on facts and figures participation  Participation in non-public service
includes those organizations may not be allowed,
activities or for example, serving as a consultant
relationships to third parties (vendors, suppliers,
that may be in etc.) with which the organization
conflict with the conducts business.
interests of the  Performing an audit in a department
organization. managed by a family member.
 Accepting a bonus based on work
accomplished during an audit.
 Assuming management responsibilities
and auditing an area in which the
auditor had such responsibilities within
1 year.
 Shall not accept  Accepting gifts, meals, trips, and
anything that may special treatment that exceed
impair or be policy limits or are not disclosed
presumed to and approved
impair their
 Working in a non-audit position and
professional
accepting gifts not permitted by IIA
judgment.
code of conduct
 Shall disclose all  Intentional omission of
material facts disclosures of illegal
known to them activity from final
that, if not engagement
 disclosed, may communications
distort the  Withholding pertinent information
reporting of
activities under  Not communicating pertinent
review. information to the chief audit executive
 Distorting facts reported in final
engagement communications
A conflict-of-interest policy should prohibit the transfer of benefits between an employee and those with whom
the organization deals.

An internal auditor cannot assure anonymity.

Disclosure is not required when the internal auditor gathers sufficient information to dispel the suspicion of
fraud.

The CAE should share information and coordinate activities with other internal and external providers
of relevant assurance and consulting services.

Conformance with objectivity is demonstrated by the following:

a) The CAE provides evidence of relevant policies and procedures for the internal audit activity,
b) the CAE requires internal auditors to attend meetings or trainings about objectivity (for example
CPE)
c) The CAE documents the rationale for allocating resources to the internal audit plan, including
consideration of potential impairments.
d) Additional evidence may include documentation of research into potential conflicts of interest
related to outsourced and co-sourced activities for which the CAE has responsibility,
e) approval of the CAE or a designated engagement supervisor of engagement workpapers may
evidence that internal auditors have conducted a balanced assessment.
f) Feedback from post-engagement surveys and supervisory reviews of engagements may provide
additional evidence that the internal auditors’ work appeared to be performed objectively.
g) Assessments as part of the internal audit activity’s quality assurance and improvement program also
lend support that appropriate objectivity was used in arriving at internal audit conclusions and
opinions.
N.b: material ownership in a competitor is allowable

Sub-unit 5 confidentiality

Principle
Definition Rule of conduct Examples
Confidentiality
Internal auditors  Shall be prudent in  internal auditors should
do not disclose the use and not use insider financial,
information protection of strategic, or operational
without information knowledge of an
appropriate acquired in the organization to bring
authority unless course of their about personal financial
there is a legal or duties. gain by purchasing or
professional selling shares in the
 Shall not use
obligation to do organization.
information for any
so.
 personal gain or in  is releasing insider
any manner that knowledge to journalists
would be contrary or via other media
to the law or without proper
detrimental to the authorization
legitimate and
 internal auditors should
ethical objectives
not abuse their privilege
of the organization.
to access information,
such as using access to
customer records to
look up a neighbor’s
recent purchases or to
view the health records
of a celebrity
Using insider information to develop a competitive product or selling proprietary information to a competitor
also violates this confidentiality rule.

issuing information security policies is to protect the data they acquire, use, and produce and to ensure
compliance with the laws and regulations that pertain to the industry and jurisdiction within which they
operate.

To protect proprietary information, policies and procedures may require internal auditors to take the following
precautions, even when handling information internally:

1) Collect only the data required to perform the assigned engagement and use this information only for
the engagement’s intended purposes.
2) Protect information from intentional or unintentional disclosure through the use of controls such as
data encryption, email distribution restrictions, and restriction of physical access to the information.
3) Eliminate copies of or access to such data when it is no longer needed
To better understand the impact of legal and regulatory requirements and protections (e.g., legal privilege or
attorney-client privilege), the chief audit executive (CAE) should consult with legal counsel. The organization’s
policies and procedures may require that specific authorities review and approve business information before
external release.

Conformance with confidentiality is demonstrated as follows:

 evidence of policies, processes, procedures, and training materials implemented to cover

confidentiality.
 documenting and retaining records of disclosures approved by legal counsel, if applicable, and by
senior management and the board.
 documenting distribution restrictions in engagement workpapers and reports and by retaining
authorizations of all disclosures and approved distribution lists.
 If there are no reports or investigations of individual auditors violating policies, procedures, and rules
related to confidentiality, then it is likely that the internal audit activity as a whole is in conformance
with the principle.”
 Sub-unit 6 competency

Competency Internal auditors apply the knowledge, skills, and

 Shall engage only in those services for
experience needed in the performance of internal
which they have the necessary knowledge,
audit services
skills, and experience.
 Shall perform internal audit services in
accordance with the International
Standards for the Professional Practice of
Internal Auditing.
 Shall continually improve their proficiency
and the effectiveness and quality of their
services
Conformance with competency is demonstrated by the following:

 Engagements have been properly resourced and supervised.

 Feedback has been solicited from internal audit stakeholders and sufficiently considered.
 Performance reviews of internal auditors have been conducted regularly.
 Opportunities for training, mentoring, and professional education have been provided.
 A quality assurance and improvement program are active.
 Internal audit services are performed in conformance with the IPPF’s Mandatory Guidance.
 The knowledge, skills, and experience of individual internal auditors may be evidenced, in part, through
credentialed qualifications
 internal auditors may maintain documentation of a skills self- assessment, a plan for professional
development, and the completion of continuing professional education/development courses or trainings
 Internal auditors also may provide evidence of experiences undertaken or volunteering in professional
organizations.
Sub-unit 7 IA charter
The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and
responsibility.

The chief audit executive must periodically review the internal audit charter and present it to senior management
and the board for approval.

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an
internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework.
The internal audit charter establishes the internal audit activity’s position within the organization,
including the nature of the chief audit executive’s functional reporting relationship with the board;
authorizes access to records, personnel, and physical properties relevant to the performance of
engagements; and defines the scope of internal audit activities.
Final approval of the internal audit charter resides with the board.

scope limitation on the internal audit activity can be refusing to make relevant records, personnel, and physical
properties available to the internal auditors.
Engagement clients must be informed of the internal audit activity’s purpose, authority, and responsibility to
prevent misunderstandings about access to records and personnel.

the CAE, senior management, and the board to mutually agree upon:

 Internal audit objectives and responsibilities

 The expectations for the internal audit activity
 The CAE’s functional and administrative reporting lines
 The level of authority (including access to records, physical property, and personnel) required for the
internal audit activity to perform engagements and fulfill its agreed-upon objectives and responsibilities
The minutes of the board meetings during which the CAE initially discusses and then formally presents the
internal audit charter provide documentation of conformance. In addition, the CAE retains the approved
charter.

The charter must define the nature of assurance and consulting services provided by the internal audit activity.

If assurances are to be provided to parties outside the organization, the nature of these assurances must
also be defined in the internal audit charter.
The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of
Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit
charter.
The CAE should discuss the Mission of Internal Audit and the mandatory elements of the IPPF with senior
management and the board.