


The internal audit profession is founded on the trust placed in its Add Value Compliance External Service Provider Must
Statement of internal auditing’s Help a wide range of interested Value is provided by improving opportunities to achieve Adherence to policies, plans, procedures, laws, A person or firm outside of the organization that The Standards use the word “must” to specify an
objective assurance about governance, risk management, and control. fundamental purpose, nature, parties — including those not in organizational objectives, identifying operational regulations, contracts, or other requirements. has special knowledge, skill, and experience in a unconditional requirement.
As such, The IIA’s Code of Ethics, comprising Principles and Rules and scope: the internal audit profession — to: improvement, and/or reducing risk exposure through particular discipline.

Position • Understand significant both assurance and consulting services. Conflict of Interest Objectivity

International Professional
of Conduct, is necessary and appropriate. Its purpose is to promote Internal auditing is an governance, risk, and Any relationship that is, or appears to be, not in the Fraud An unbiased mental attitude that allows internal
an ethical culture in the profession of internal auditing. It extends independent, objective Papers control issues. Adequate Control
Present if management has planned and organized
best interest of the organization. A conflict of interest
would prejudice an individual’s ability to perform his
Any illegal act characterized by deceit, concealment,
or violation of trust. These acts are not dependent
auditors to perform engagements in such a
manner that they have an honest belief in their
assurance and consulting • Delineate internal
beyond the definition of internal auditing to include principles that
are relevant to the profession and practice of internal auditing and Definition
activity designed to add value
and improve an organization’s
audit-related roles and
(designed) in a manner that provides reasonable
assurance that the organization’s risks have been
managed effectively and that the organization’s
or her duties and responsibilities objectively.

Consulting Services
upon the threat of violence or physical force. Frauds
are perpetrated by parties and organizations to
obtain money, property, or services; to avoid
work product and that no significant quality
compromises are made. Objectivity requires
internal auditors not to subordinate their judgment
Practices Framework
operations. It helps an goals and objectives will be achieved efficiently payment or loss of services; or to secure personal on audit matters to others.
rules of conduct that describe behavior norms and provide practical Advisory and related client service activities, the
organization accomplish • Address approach, methodology, and economically. nature and scope of which are agreed with the or business advantage.
applications to guide the ethical conduct of internal auditors. its objectives by bringing and considerations, but client, are intended to add value and improve an Residual Risk
a systematic, disciplined not detailed processes Assurance Services organization’s governance, risk management, and Governance The risk remaining after management takes
Breaches of The IIA’s Code of Ethics by members and certification approach to evaluate and and procedures. An objective examination of evidence for the control processes without the internal auditor The combination of processes and structures action to reduce the impact and likelihood of an
improve the effectiveness of purpose of providing an independent assessment assuming management responsibility. Examples implemented by the board to inform, direct, manage, adverse event.
candidates or holders are evaluated and administered according to The • Provide concise and timely on governance, risk management, and control include counsel, advice, facilitation, and training. and monitor the activities of the organization toward
risk management, control,
IIA’s Bylaws and Administrative Directives. The fact that a particular and governance processes. Practice assistance to internal auditors
in conforming to the Code
processes for the organization. Examples may
include financial, performance, compliance, Control
the achievement of its objectives. Risk
The possibility of an event occurring that will have
conduct is not mentioned in the Rules of Conduct does not prevent it
• Principles and expectations Advisories of Ethics and Standards and system security, and due diligence engagements. Any action taken by management, the board, and
other parties to manage risk and increase the
Impairment to organizational independence
an impact on the achievement of objectives. Risk
is measured in terms of impact and likelihood.
from being unacceptable or discreditable, resulting in disciplinary action. promoting good practices.
governing behavior of individuals Board likelihood that established objectives and goals and individual objectivity may include personal
and organizations in the conduct • Relate to international-, country-, A board is an organization’s governing body, such will be achieved. Management plans, organizes, conflicts of interest, scope limitations, restrictions Risk Appetite
Professional internal auditors are expected to apply and uphold the
Code of of internal auditing. or industry-specific issues; as a board of directors, supervisory board, head of and directs the performance of sufficient actions on access to records, personnel, and properties; The level of risk that an organization is willing
principles of integrity, objectivity, confidentiality, and competency. specific types of engagements; an agency or legislative body, board of governors to provide reasonable assurance that objectives and resource limitations (funding). to accept.
Integrity establishes trust and thus provides the basis for reliance Ethics • Minimum requirements for
conduct and behavioral
and legal or regulatory issues. or trustees of a nonprofit organization, or any other
designated body of the organization, including the
and goals will be achieved.
Independence Risk Management
expectations, rather than audit committee to whom the chief audit executive Control Environment The freedom from conditions that threaten
on internal auditors’ judgment. They exhibit the highest level of Provide information on how to may functionally report.
A process to identify, assess, manage, and
specific activities. The attitude and actions of the board and management objectivity or the appearance of objectivity. Such control potential events or situations to provide
professional objectivity in gathering, evaluating, and communicating conduct internal audit activities, regarding the significance of control within the threats to objectivity must be managed at the reasonable assurance regarding the achievement
including detailed: Charter
information about the activity or process being examined. Internal • Basic requirements for the
professional practice of internal
Practice • Processes and procedures. The internal audit charter is a formal document
organization. The control environment provides the
discipline and structure for the achievement of the
individual auditor, engagement, functional, and
organizational levels.
of the organization’s objectives.

auditors make a balanced assessment of all the relevant circumstances auditing and for evaluating Guides • Tools and techniques.
• Programs.
that defines the internal audit activity’s purpose,
authority, and responsibility. The internal audit
primary objectives of the system of internal control. The
control environment includes the following elements: Information Technology (IT) Controls
The Standards use the word “should” where
and are not unduly influenced by their own interests or by others in effectiveness of performance.
• Step-by-step approaches. charter establishes the internal audit activity’s • Integrity and ethical values Controls that support business management conformance is expected unless, when applying
position within the organization; authorizes access • Management’s philosophy and governance as well as provide general and
forming judgments. They • Internationally applicable • Examples of deliverables. professional judgment, circumstances justify
to records, personnel, and physical properties and operating style technical controls over information technology
at both individual and relevant to the performance of engagements; and • Organizational structure
respect the value and organization levels. infrastructures such as applications, information,
defines the scope of internal audit activities. • Assignment of authority infrastructure, and people.
ownership of information Significance
Mandatory Guidance International • Principle-focused guidance
Chief Audit Executive (CAE)
and responsibility
• Human resource policies and practices The relative importance of a matter within the
they receive and do not for performing and promoting Information Technology (IT) Governance context in which it is being considered, including
Developed following the
disclose information
Standards internal auditing: A chief audit executive is a senior position within
the organization responsible for internal audit
• Competence of personnel
Consists of the leadership, organizational structures, quantitative and qualitative factors, such as
appropriate due process, and processes that ensure that the enterprise’s magnitude, nature, effect, relevance, and impact.
−− Attribute standards. activities. Normally, this would be the internal Control Processes information technology sustains and supports the
without appropriate audit director. In the case where internal audit The policies, procedures, and activities that are
Professional judgment assists internal auditors
including public exposure. Conformance −− Performance standards. Online Resources activities are obtained from external service part of a control framework, designed to ensure
organization’s strategies and objectives. when evaluating the significance of matters within
with the principles set forth in mandatory authority unless there the context of the relevant objectives.
−− Implementation standards. All of the International Standards for providers, the chief audit executive is the person that risks are contained within the risk tolerances
Internal Audit Activity  
guidance is essential for the professional is a legal or professional responsible for overseeing the service contract and established by the risk management process.
A department, division, team of consultants, or
−− Interpretations that clarify the Professional Practice of Internal the overall quality assurance of these activities, Standard
practice of internal auditing. obligation to do so. They terms or concepts within reporting to senior management and the board
other practitioner(s) that provides independent, A professional pronouncement promulgated by
Auditing, the other mandatory guidance, Engagement objective assurance and consulting services the Internal Audit Standards Board that delineates
apply the knowledge, the statements. regarding internal audit activities, and follow-up of A specific internal audit assignment, task, or designed to add value and improve an organization’s the requirements for performing a broad range of
and an ever-growing repository of strongly engagement results. The term also includes titles review activity, such as an internal audit, control
Strongly Recommended Guidance skills, and experience such as general auditor, head of internal audit, chief self-assessment review, fraud examination, or
operations. The internal audit activity helps an internal audit activities, and for evaluating internal
recommended guidance are available online. organization accomplish its objectives by bringing audit performance.
Describes practices for the effective internal auditor, and inspector general. consultancy. An engagement may include multiple
needed in the performance a systematic, disciplined approach to evaluate
For more information, visit the Professional tasks or activities designed to accomplish a specific and improve the effectiveness of governance, risk
implementation of The IIA’s Code Technology-based Audit Techniques
of internal audit services. Code of Ethics set of related objectives. management, and control processes.
of Ethics, the Definition of Internal Guidance section of The IIA’s Web site or The Code of Ethics of The Institute of Internal Any automated audit tool, such as generalized
Auditors (IIA) comprises Principles relevant to the audit software, test data generators, computerized
Auditing, and the International For the complete Code e-mail To purchase Engagement Objectives International Professional Practices audit programs, specialized audit utilities, and
profession and practice of internal auditing, and Broad statements developed by internal auditors that
Standards for the Professional Practice of Ethics, refer to the hard copies of the entire IPPF, visit Rules of Conduct that describe behavior expected define intended engagement accomplishments.
Framework (IPPF) computer-assisted audit techniques (CAATs).
of internal auditors. The Code of Ethics applies to The conceptual framework that organizes the
of Internal Auditing (Standards). The Professional Guidance The IIA Research Foundation’s online both parties and entities that provide internal audit authoritative guidance promulgated by The
Engagement Work Program IIA. Authoritative Guidance comprises two
guidance is endorsed by The IIA, and section of The IIA’s Web services. The purpose of the Code of Ethics is to
Bookstore or e-mail promote an ethical culture in the global profession
A document that lists the procedures to be followed categories – (1) mandatory and (2) endorsed

conformance is strongly recommended. site at of internal auditing.
during an engagement, designed to achieve the
engagement plan.
and strongly recommended.
Authoritative Guidance
AUTHORITATIVE GUIDANCE FOR The International Standards for the Professional Practice of Internal Auditing
A trustworthy, global guidance-setting body, The Institute of Internal
1200 Proficiency and Due Professional Care 2200 Engagement Planning 2400 Communicating Results
Auditors (IIA) provides for internal audit professionals all around ATTRIBUTE STANDARDS PERFORMANCE STANDARDS
the world authoritative guidance organized in the International 2201 Planning Considerations 2410 Criteria for Communicating
1210 Proficiency
Professional Practices Framework (IPPF) as mandatory and strongly 1000 Purpose, Authority, and Responsibility 2000 Managing the Internal Audit Activity Planning engagements Final communication of
2201.A1 2410.A1
CAE acquiring necessary competencies with external parties engagement results
recommended guidance. Purpose, authority, and 1210.A1 2010 Planning
1000.A1 for assurance engagements
responsibility for assurance Agreement with clients on Acknowledgement of
2010.A1 Annual risk assessment 2201.C1 2410.A2
engagement scope and objectives satisfactory performance
1210.A2 Identification of fraud indicators
Purpose, authority, and 2010.C1 Acceptance of consulting engagements 2210 Engagement Objectives Releasing results to parties
1000.C1 2410.A3
responsibility for consulting Information technology risk outside the organization
1210.A3 2020 Communication and Approval 2210.A1 Preliminary assessment of risks
controls and tools
Recognition of the Definition of Internal Communicating results of
2030 Resource Management Probability of significant errors 2410.C1
1010 Auditing, the Code of Ethics, and the 2210.A2 consulting engagements
CAE acquiring necessary competencies and other exposures
Standards in the Internal Audit Charter 1210.C1 2040 Policies and Procedures
for consulting engagements 2420 Quality of Communications
2050 Coordination 2210.A3 Setting criteria to evaluate controls
1100 Independence & Objectivity 1220 Due Professional Care 2421 Errors and Omissions
Reporting to Senior Management Focusing consulting engagements
2060 2210.C1 on governance, risk management, Use of “Conforms to (or in conformance
1110 Organizational Independence 1220.A1 Scoping for assurance engagements and the Board
and control with) the International Standards
2100 Nature of Work for the Professional Practice of
1110.A1 Interference Use of technology-based 2220 Engagement Scope Internal Auditing.”
audit techniques 2110 Governance
1111 Direct Interaction with the Board 2220.A1 Scope of assurance engagement Engagement Disclosure of
2110.A1 Evaluation of ethics programs 2431
1220.A3 Risk identification Consulting opportunities during Nonconformance
1120 Individual Objectivity 2220.A2
2110.A2 Assessing information technology governance assurance engagement 2440 Disseminating Results
1220.C1 Scoping for consulting engagements
Impairment to Independence Consistency with organization’s 2220.C1 Scope of consulting engagement CAE responsibility for
1130 2110.C1 2440.A1
or Objectivity 1230 Continuing Professional Development values and goals when consulting communication of results
2230 Engagement Resource Allocation
2120 Risk Management Assessment of conditions for releasing
Impairment due to former Quality Assurance and 2240 Engagement Work Program 2440.A2
1130.A1 1300 results outside the organization
responsibilities Improvement Program 2120.A1 Evaluating organization’s risk exposure
2240.A1 Procedure for managing information
CAE responsibility for communication
Audit of functions for which 2120.A2 Evaluating fraud risks 2440.C1
1130.A2 Requirement for the Quality Assurance Work program for consulting of results for consulting engagements
CAE is responsible 1310 2240.C1
and Improvement Program 2120.C1 Reviewing risk during consulting engagements
To ensure clarity about the IPPF and elevate the importance of Communication of significant issues
1130.C1 Scope of impairment for consulting 2120.C2 Risk knowledge gained during consulting 2300 Performing the Engagement identified when consulting
conforming to the International Standards for the Professional Practice 1311 Internal Assessment
of Internal Auditing (Standards), this document depicts the comprehensive Limitation of involvement 2310 Identifying Information 2500 Monitoring Progress
Disclosure of impairment 1312 External Assessment 2120.C3
1130.C2 in risk management
guidance hierarchy for the internal audit profession, specifically when consulting 2320 Analysis and Evaluation 2500.A1 Establishing a follow-up process
Reporting on the Quality Assurance 2130 Control
providing an overview of the mandatory components of the framework. 1320 2330 Documenting Information Monitoring disposition of results
and Improvement Program 2500.C1
Evaluating adequacy and for consulting engagements
The document has been developed primarily for internal auditors — 2130.A1 Controlling access to
effectiveness of controls 2330.A1
IIA members, candidates for or holders of IIA professional certifications, Use of “Conforms to (or in conformance engagement records Resolution of Senior Management’s
with) the International Standards Assessing achievement of Acceptance of Risks
such as the Certified Internal Auditor® (CIA®); and other individuals 1321 2130.A2 2330.A2 Retention requirements
for the Professional Practice of goals and objectives
and entities — who provide internal audit work as defined by the LEGEND Internal Auditing.” Information retention and release
Assessing consistency of results 2330.C1
2130.A3 policies for consulting engagements
definition of internal auditing. However, it should prove useful STANDARD* with goals and objectives
1322 Disclosure of Nonconformance
and informative to oversight entities, executive management, and ASSURANCE IMPLEMENTATION STANDARD 2130.C1 Reviewing controls when consulting 2340 Engagement Supervision

other stakeholders of professional internal auditing and effective CONSULTING IMPLEMENTATION STANDARD Knowledge of controls gained
organizational governance. *Black and red in this chart are used to identify each series and its related Standards.
from consulting engagements
