Ethics
• Understand the Code of Ethics and International Standards for the Professional Practice of Internal Auditing.
• Integrate the Code of Ethics and International Standards for the Professional Practice of Internal Auditing into the roles of internal auditors.
Introduction
1. Code of Ethics: The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.
Code of Ethics
The Institute's Code of Ethics extends beyond the Definition of Internal Audit-
12 Part One Introduction to Internal Auditing
Applicability and Enforcement of the Code of Ethics
applies to both entities and individuals that perform internal
certification holder, or
or can
d recipients of
bers and recip: I be evaluated an
unacceptable 0
candidate can b
Principles
Internal auditors are expected to apply and uphold the following principles:
Rules of Conduct
1. Integrity Internal auditors:
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
2. Objectivity Internal auditors:
Shall not participate in any activity or relationship that may impair or be presumed
This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2.
3.1. Shall be prudent in the use and protection of information acquired in the
of the organization,
4.2. Shall perform internal audit services in accordance with the International
Standards for the Professional Practice of Internal Auditing (Standards).
4.3. Shall continually improve their proficiency and the effectiveness and quality
If the Standards are used in conjunction with standards issued by other authoritative bodies, internal audit communications may also cite the use of other standards, as appropriate. In such a case, if inconsistencies exist between the Standards and other standards, internal auditors and the internal audit activity must conform to the Standards, and may conform with the other standards if they are more restrictive.
internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
The Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:
cted unless, when applying professions
d “must” to spec!
formaice is expe
} ircumstances jul
udgment, circun ol
The structure of the Standar
mance Sta
Standards. The Attribute and Perfor
ibutes of 0
Attribute Standards address the attrib
. os al auditing. internal auditing and proy:
forming internal St dards describe the nature of Pe ctbg au : Sa
a Pe agaist which the performance of these s
i iteria a "
quality criter! ided to expand upon the Attribute anq
also provide
‘on Standards are a
Implementation
e s y . assurance ( A)
Per forma e sta dards. TOV. d n h requirements a pl a
7 ha ° . ye assess t of evi
rvices involve the internal auditor s objectiv m
Assurance Se en f Vi
The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to
Attribute Standards
must Periodically
nd the board for approval.
rand
; . udit ¢ ;
internal audit activity’s purpose harter is
| reporti ; ee
e of i pbb ida)
Garter resides with the boat audit activities, Final
Performance of engagements. an
Chapter2 International Professional Practices Framework (IPPF) 15
1000.A1—The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.
1000.C1—The nature of consulting services must be defined in the internal audit charter.
nating, the Code of Ethics, and the Standards with senior management and the board.
responsibilities of the internal audit activity, the chief audit executive has direct and
to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
Interpretation: Organizational independence is effectively achieved when the chief
1111 - Direct Interaction with the Board The chief audit executive must communicate and interact directly with the board.
1120 - Individual Objectivity Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
lauditor, who isin
» Such competing
tially. A conflict of inter-
st can create
or
duties wnpar
npodtta |
A conflict of intere
tivity is impaire
to appropriate parties. The nature
ce and individual objectiv-
interest, Scope limitations,
and resource limitations,
nizational independen
, personal conflict of i
J, and properties,
such as funding.
The determination of appropriate parties
1200 - Proficiency and Due Professional Care Engagements must be performed with proficiency and due professional care.
1210 - Proficiency Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The inter-
organizations,
1210.A1—The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1220 - Due Professional Care Internal auditors must apply the care and skill
expected of a reasonably prudent and competent internal auditor. Due professional
processes;
Probability of significant errors, fraud, or noncompliance; and
Needs and expectations of clients, including the nature, timing and com-
1230 - Continuing Professional Development Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.
1300 - Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses
1310 - Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments.
Standards.
Periodic assessments are conducted to evaluate conformance with the Definition
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
Interpretation: External assessments can be in the form of a full external assessment, ... A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.
An independent assessor or assessment team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.
audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor's or assessment team's evaluation with respect to the degree of conformance.
Interpretation: The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.
Performance Standards
2000 - Managing the Internal Audit Activity The chief audit executive
must effectively manage the internal audit activity to ensure it adds value to the
organization.
Interpretation: The internal audit activity is effectively managed when:
• The results of the internal audit activity's work achieve the purpose and respon-
stakeholders) when
n (and its
putes to the effectiveness and
cesses.
to the organizatio
and contri
based plan to
establish a risk-
he organiza-
ing a risk-based
plan. The chief audit executive takes into ae tt ee By ari ent fo hg aie
ivitt ization. ‘ :
ferent activities or parts of the organiza Paks pin er ideration sfinput from
must review and adjust
d the board. Th bh
j é
the plan, as necessary, 1 §'
response toc
operations, programs, systems, and controls.
2010.A1—The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
2010.A2—The chief audit executive must identify and consider the expectations
of senior management, the board, and other stakeholders for internal audit
opinions and other conclusions.
2010.C1—The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan.
cutive must
tivity,
ro
anges in th
2020 - Communication and Approval The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations
2030 - Resource Management The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed
Appropriate refers to the ... competencies needed to perform the plan. Sufficient refers to the quantity of resources ... that optimizes the achievement of the approved plan.
2040 - Policies and Procedures The chief audit executive must establish policies and procedures to guide the internal audit activity.
d by
ermined in discussion
Internal Auditing When an external service provider serves as the internal audit
activity, the provider must make the organization aware that the organization has
the responsibility for maintaining an effective internal audit activity.
e quality assurance
2100 - Nature of Work The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes
2110 - Governance The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment
and activities.
2110.A2—The internal audit activity must assess whether the information tech-
and objectives.
2120 - Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
he organizations
ign risks with
1a timely manner
board to carry out
or ie nd
. Reles ant risk ny mat )
zation, enabling staff man
ion to st
it activity may gail ation to SUPP
ments. The rest ts e .
nding of the orge szation’s risk management P
nicated it
nd the
ort
The internal aud when viewe
cesses an
Risk management
ties, separate evaluations, oF both.
ate risk exposures
vernance,
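• Achievement of the organization's strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.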
e the potential for the occur-
agement processes.
2120.C3—When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
2130 - Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by pro-
2130.A1—The int
ernal audit activi
g the: ,
S}
• Compliance with laws, regulations, policies, procedures, and contracts
gal
from Cc *
onsulting e.
ngage .
Processes, gagements into evaluation of the o
rganization’
$ control
plan for each engagement, including the engagement's objectives, scope, timing, resource allocations,
• The objectives of the activity being reviewed and the means by which the activity controls its performance;
• The significant risks to the activity, its objectives, resources, and operations, and the means by which the potential impact of risk is kept to an acceptable level;
auditors must work with management and/or the board to develop appropriate evaluation criteria.
2220.A1—The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
2220.A2—If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations ... engagement communicated in accordance ...
2230 - Engagement Resource Allocation Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
: d doc-
nt work programs an s,
ia include the procedures for identifying, analyz-
objectives.
The chief audit executive must obtain the approval of senior management
appropriate.
2330.C1—The chief audit executive must develop policies governing the cus-
to internal and external parties. These policies must be consistent with the
the results.
1 errors and distortions and
unbiased and are the result of a fair-minded and balanced a eilted and logical,
y
com muni ation r , P tana avoid unnecessal
if ( ¢ atte sare lo the om
- t ton.
onstt uctive communical
' f ¢ rf tous le tail, edundancy, and WwW ordiness. C j p ‘
ig at lient nt 1Z. tio t 1 rovemen Ss
emer € a Niza n and ead to wn
te communications lac 1 at
7 nand observ
audience and include all significant and weet ifr eatin pene ip
oe i ying man
expedient, depending on the significance of the issue, allowing
ommunication contain
ted informa-
Ifa final c
e correc
Use of “Conducted in C
Professional Pra
at their engagements
2430 -
Standards for the
2440 - Disseminating Results The chief audit executive must communicate results to the appropriate parties.
ee 8 men communication before issuance and for dec ‘din 10 whom art
’ isseminated. When the chief audit executive d set hecé Tattle
ue consideration,
2440.A2—If not otherwise mandated by legal, statutory, or regulatory require-
• Scope limitations;
• The risk or control framework or other criteria used as a basis for the overall opinion; and
or that senior management has accepted the risk of not taking action.
2500.C1—The internal audit activity must monitor the disposition of results of
consulting engagements to the extent agreed upon with the client.