
CHAPTER 2

International Professional Practices Framework (IPPF)

LEARNING OBJECTIVES

After going through this chapter, you should be able to:

+ Understand the Code of Ethics and International Standards for the Professional Practice of Internal Auditing.

+ Integrate the Code of Ethics and International Standards for the Professional Practice of Internal Auditing into the roles of internal auditors.

Introduction

The International Professional Practices Framework (IPPF) provides a structural blueprint that facilitates consistent development, interpretation and application of concepts, methodologies and techniques useful to the internal audit profession. Specifically, the purpose of IPPF is to organize the authoritative guidance of the Institute of Internal Auditors (IIA) in a manner that is readily accessible on a timely basis, while strengthening the position of the IIA as a standard-setting body for the internal audit profession globally. The main components of IPPF are:

1. Code of Ethics: The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

2. International Standards for the Professional Practice of Internal Auditing (ISPPIA) (the Standards): Standards are principle-focused and provide a framework for performing and promoting internal auditing.

Code of Ethics

The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.

The Institute's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:

1. Principles that are relevant to the profession and practice of internal auditing.

2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors.


12 Part One Introduction to Internal Auditing

“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.
Principles

Internal auditors are expected to apply and uphold the following principles:

1. Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2. Objectivity Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by ...

3. Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Rules of Conduct

1. Integrity Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed ... This participation includes those activities or relationships that may be in conflict with the interests of the organization.

2.2. Shall ... that may impair or be presumed to impair their professional judgment.

2.3. Shall ... facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for ... or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge ...

4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).

4.3. Shall continually improve their proficiency and the effectiveness and quality ...

International Standards for the Professional Practice of Internal Auditing

Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with the IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.

If internal auditors or the internal audit activity is prohibited by law or regulation from conformance with certain parts of the Standards, conformance with all other parts of the Standards and appropriate disclosures are needed.

If the Standards are used in conjunction with standards issued by other authoritative bodies, internal audit communications may also cite the use of other standards, as appropriate. In such a case, if inconsistencies exist between the Standards and other standards, internal auditors and the internal audit activity must conform to the Standards, and may conform with the other standards if they are more restrictive.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing.

2. Provide a framework for performing and promoting a broad range of value-added internal auditing.

3. Establish the basis for the evaluation of internal audit performance.

4. Foster improved organizational processes and operations.

The Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

+ Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.

+ Interpretations, which clarify terms or concepts within the statements.

The Standards employ terms that have been given specific meanings. Specifically, the Standards use the word “must” to specify an unconditional requirement and the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The structure of the Standards is divided between Attribute and Performance Standards. The Attribute and Performance Standards are provided to apply to all internal audit services.

Attribute Standards address the attributes of organizations and individuals performing internal auditing. Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. Implementation Standards are also provided to expand upon the Attribute and Performance Standards, by providing the requirements applicable to assurance (A) or consulting (C) activities.

Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner, (2) the person or group making the assessment—the internal auditor, and (3) the person or group using the assessment—the user.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities. Chief audit executives are accountable for overall conformance with the Standards.
Attribute Standards

1000 - Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the internal audit activity ... an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The ... must periodically ... and the board for approval.

Interpretation: The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter ... the internal audit activity’s position within the organization, including ... reporting relationship with the ...; ... records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

1000.A1—The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1—The nature of consulting services must be defined in the internal audit charter.

1010 - Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter The mandatory nature of the Definition of Internal Auditing, the Code of Ethics and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

1100 - Independence and Objectivity The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation: Independence is the freedom from conditions ... of the internal audit activity to carry out internal ... To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and ... This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they ... product and that ... made. Objectivity requires that internal auditors do not ... on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 - Organizational Independence The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

+ Approving the internal audit charter;

+ Approving the risk based internal audit plan;

+ Approving the internal audit budget and resource plan;

+ Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;

+ Approving decisions regarding the appointment and removal of the chief audit executive;

+ Approving the remuneration of the chief audit executive; and

+ Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scopes or resource limitations.

1110.A1—The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1111 - Direct Interaction with the Board The chief audit executive must communicate and interact directly with the board.

1120 - Individual Objectivity Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation: Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a ... Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of ... the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities ...

1130 - Impairment to Independence or Objectivity If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation: Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive's responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

1130.A1—Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2—Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

1130.C1—Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2—If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

1200 - Proficiency and Due Professional Care Engagements must be performed with proficiency and due professional care.

1210 - Proficiency Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
... out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.

1210.A1—The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2—Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3—Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1—The chief audit executive must ... or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 - Due Professional Care Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1—Internal auditors must exercise due professional care by considering the:

+ Extent of work needed to achieve the engagement’s objectives;

+ Relative complexity, materiality, or significance of matters to which assurance procedures are applied;

+ Adequacy and effectiveness of governance, risk management, and control processes;

+ Probability of significant errors, fraud, or noncompliance; and

+ Cost of assurance in relation to potential benefits.

1220.A2—In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.

1220.A3—Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1—Internal auditors must exercise due professional care during a consulting engagement by considering the:

+ Needs and expectations of clients, including the nature, timing and communication of engagement results;

+ Relative complexity and extent of work needed to achieve the engagement’s objectives; and

+ Cost of the consulting engagement in relation to potential benefits.

1230 - Continuing Professional Development Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

1300 - Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

1310 - Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments.

1311 - Internal Assessments Internal assessments must include:

+ Ongoing monitoring of the performance of the internal audit activity; and

+ Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Periodic assessments are conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

1312 - External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

+ The form and frequency of external assessment; and

+ The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

Interpretation: External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation.

A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.
An independent assessor or assessment team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.

1320 - Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor's or assessment team's evaluation with respect to the degree of conformance.

1321 - Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

Interpretation: The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.

1322 - Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

Performance Standards

2000 - Managing the Internal Audit Activity The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

Interpretation: The internal audit activity is effectively managed when:

+ The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter;

+ The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and

+ The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

2010 - Planning The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

2010.A1—The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2—The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

2010.C1—The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan.

2020 - Communication and Approval The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

2030 - Resource Management The chief audit executive must ensure that resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources ... that optimizes the achievement of the approved plan.

2040 - Policies and Procedures The chief audit executive must establish policies and procedures to guide the internal audit activity.
Chapter 2 International Professional Practices Framework (IPPF) 21

e Board The chief audit


board on the inter-
mance relative to
d control issues,

d by

2060 - Reporting to Senior Management and th


executive must report periodically to senior management and the
nal audit activity’s purpose, authority, responsibility, and perfor
its plan. Reporting must also include significant risk exposures an
including fraud risks, governance issues, and other matters needed or requeste
senior management and the board.

ermined in discussion

tance of the informa-


be taken by senior

Interpretation: The frequency and content of reporting are det


with senior management and the board and depend on the impor
tion to be communicated and the urgency of the related actions to
management or the board.

2070 - External Service Provider and Organizational Responsibility for

Internal Auditing When an external service provider serves as the internal audit
activity, the provider must make the organization aware that the organization has
the responsibility for maintaining an effective internal audit activity.

e quality assurance

Interpretation: This responsibility is demonstrated through th


nition of Internal

and improvement program which assesses conformance with the Defi


Auditing, the Code of Ethics, and the Standards.

2100 - Nature of Work The internal audit activity must evaluate and contrib-
ute to the improvement of governance, risk management, and control processes

using a systematic and disciplined approach.

2110 - Governance The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization;

• Ensuring effective organizational performance management and accountability;

• Communicating risk and control information to appropriate areas of the organization; and

• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

2110.A1—The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

2110.A2—The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

2120 - Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

• Organizational objectives support and align with the organization's mission;

• Significant risks are identified and assessed;

• Appropriate risk responses are selected that align risks with the organization's risk appetite; and

• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

2120.A1—The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

• Achievement of the organization's strategic objectives;

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures, and contracts.

2120.A2—The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2120.C1—During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.

2120.C2—Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.

2120.C3—When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming management responsibility by actually managing risks.

2130 - Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1—The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures, and contracts.

[...] gained from consulting engagements into evaluation of the organization's control processes.


2200 - Engagement Planning Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.

2201 - Planning Considerations In planning the engagement, internal auditors must consider:

• The objectives of the activity being reviewed and the means by which the activity controls its performance;

• The significant risks to the activity, its objectives, resources, and operations, and the means by which the potential impact of risk is kept to an acceptable level;

• The adequacy and effectiveness of the activity's governance, risk management and control processes compared to a relevant framework or model; and

• The opportunities for making significant improvements to the activity's governance, risk management and control processes.

2201.A1—When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1—Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities and other client expectations. For significant engagements, this understanding must be documented.

2210 - Engagement Objectives Objectives must be established for each engagement.

2210.A1—Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2210.A2—Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

2210.A3—Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.

2210.C1—Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.

2210.C2—Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.

2220 - Engagement Scope The established scope must be sufficient to achieve the objectives of the engagement.

2220.A1—The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2—If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1—In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.

2220.C2—During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to significant control issues.

2230 - Engagement Resource Allocation Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 - Engagement Work Program Internal auditors must develop and document work programs that achieve the engagement objectives.
2240.A1—Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.

2240.C1—Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300 - Performing the Engagement Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.

2310 - Identifying Information Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

Interpretation: Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.

2320 - Analysis and Evaluation Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 - Documenting Information Internal auditors must document relevant information to support the conclusions and engagement results.


2330.A1—The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2—The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

2330.C1—The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

2340 - Engagement Supervision Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Interpretation: The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

2400 - Communicating Results Internal auditors must communicate the results of engagements.

2410 - Criteria for Communicating Communications must include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1—Final communication of engagement results must, where appropriate, contain the internal auditors' opinion and/or conclusions. When issued, an opinion or conclusion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Interpretation: Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.

2410.A2—Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3—When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results.

2410.C1—Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420 - Quality of Communications Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

Interpretation: Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.


2421 - Errors and Omissions If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.


2430 - Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing” Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing,” only if the results of the quality assurance and improvement program support the statement.

2431 - Engagement Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:

• Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;

• Reason(s) for nonconformance; and

• Impact of nonconformance on the engagement and the communicated engagement results.

2440 - Disseminating Results The chief audit executive must communicate results to the appropriate parties.

Interpretation: The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.

2440.A1—The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2—If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the chief audit executive must:

• Assess the potential risk to the organization;

• Consult with senior management and/or legal counsel as appropriate; and

• Control dissemination by restricting the use of the results.


2440.C1—The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2—During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.

2450 - Overall Opinions When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Interpretation: The communication will identify:

• The scope, including the time period to which the opinion pertains;

• Scope limitations;

• Consideration of all related projects including the reliance on other assurance providers;

• The risk or control framework or other criteria used as a basis for the overall opinion; and

• The overall opinion, judgment, or conclusion reached.

The reasons for an unfavorable overall opinion must be stated.

2500 - Monitoring Progress The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1—The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1—The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 - Communicating the Acceptance of Risks When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Interpretation: The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.
