events or situations to provide

Introduction to reasonable assurance regarding the

achievement of the
Internal Auditing organization's objectives.
CONTROL — Any action taken by
management, the board, and other
The Definition of Internal Auditing parties to
states the fundamental purpose, manage risk and increase the
nature, and scope of internal likelihood that established objectives
auditing. and goals will be
achieved. Management plans,
- Internal auditing is an organizes, and directs the
independent, objective assurance performance of sufficient
and consulting activity designed actions to provide reasonable
to add value and improve an assurance that objectives and goals
organization's operations. It helps will be achieved.
an organization accomplish its CONTROL PROCESSES — The
objectives by bringing a policies, procedures (both manual
systematic, disciplined approach and automated),
to evaluate and improve the and activities that are part of a
effectiveness of risk control framework, designed and
management, control, and operated to ensure
governance processes. that risks are contained within the
level that an organization is willing to
ADD VALUE — The internal audit accept.
activity adds value to the GOVERNANCE — The combination
organization (and its of processes and structures
stakeholders) when it provides implemented by the
objective and relevant assurance, board to inform, direct, manage, and
and contributes to monitor the activities of the
the effectiveness and efficiency of organization toward
governance, risk management, and the achievement of its objectives.
control
processes. Assurance services involve the
RISK MANAGEMENT — A process internal auditor’s objective
to identify, assess, manage, and assessment of
control potential evidence to provide opinions or
conclusions regarding an entity,
operation,

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 function, process, system, or other
subject matters. - When performing consulting
services the internal auditor should
-The nature and scope of an maintain objectivity and not assume
assurance engagement are management responsibility.
determined by
the internal auditor. Internal auditing is conducted in diverse
- Generally, three parties are legal and cultural environments; for
participants in assurance services: organizations that
1.The process owner — The person vary in purpose, size, complexity, and
or group directly involved structure; and by persons within or
with the entity, operation, function, outside the
process, system, or other organization. While differences may
subject matter. affect the practice of internal auditing in
each
2. The internal auditor — the person environment, conformance with The
or group making the IIA’s International Standards for the
assessment. Professional Practice
of Internal Auditing (Standards) is
3. The user — the person or group essential in meeting the responsibilities
using the assessment. of internal auditors
and the internal audit activity.
Consulting services are advisory in
nature and are generally performed at The purpose of the Standards is to:
the 1. Guide adherence with the
specific request of an engagement mandatory elements of the
client. International Professional
- The nature and scope of the Practices Framework.
consulting engagement are subject to 2. Provide a framework for
agreement with the engagement performing and promoting a
client. broad range of value-added
- Consulting services generally internal auditing services.
involve two parties: 3. Establish the basis for the
evaluation of internal audit
1. The Internal Auditor — the performance.
person or group offering the advice. 4. Foster improved organizational
2. The Engagement Client — the processes and operations.
person or group seeking and
receiving the advice.

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 The Standards are a set of Attribute and Performance
principles-based, mandatory Standards apply to all internal audit
requirements consisting of: services.

● Statements of core requirements for - Implementation Standards

the professional practice of internal expand upon the Attribute and
auditing and Performance Standards
for evaluating the effectiveness of by providing the requirements
performance that are internationally applicable to assurance or
applicable at consulting services.
organizational and individual levels.
● Interpretations clarifying terms or The Standards apply to individual
concepts within the Standards. internal auditors and the internal audit
activity. All internal
The Standards, together with the Code auditors are accountable for
of Ethics, encompass all mandatory conforming with the standards related to
elements of the individual objectivity,
International Professional Practices proficiency, and due professional
Framework; therefore, conformance with care and the standards relevant to the
the Code of performance of their
Ethics and the Standards demonstrates job responsibilities. Chief audit
conformance with all mandatory executives are additionally accountable
elements of the for the internal audit
International Professional Practices activity’s overall conformance with
Framework. the Standards.

The Standards comprise two main Standard 1100 — Independence

categories: and Objectivity
A. Attribute Standards- Address the
attributes of organizations and The internal audit activity must be
individuals performing internal independent, and internal auditors
auditing. must be objective in performing their
B. Performance Standards- Describe work.
the nature of internal auditing and
provide quality criteria against Internal Audit Activity — A
which the performance of these services department, division, team of
can be measured. consultants, or other practitioner(s)
that provide independent, objective
assurance and consulting services

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 designed to add value and improve responsibilities broader than internal
organization’s operations. audit, such as risk management or
compliance, internal audit is not
Independence — is the freedom from independent of these additional
conditions that threaten the ability of the functions,
internal audit which are also subject to audit.
activity to carry out internal audit - However, the CAE cannot solely
responsibilities in an unbiased manner. determine the organizational
● To achieve the degree of independence
independence necessary to effectively and placement for internal audit; the
carry out the CAE needs help from the board and
responsibilities of the internal audit senior management to address
activity, the chief audit executive has independence effectively. Typically, the
direct and CAE, the board, and senior
unrestricted access to senior management reach a shared
management and the board. understanding of
● This can be achieved through a internal audit’s responsibility, authority,
dual-reporting relationship. and expectations, which lays the
- The internal audit reports both to the groundwork for a discussion on
Board and the CEO. The internal audit independence and organizational
report directly (reportial function) to the placement.
organization’s Board of Directors
through the internal audit committee Standard 1110 – Organizational
(IAC) and at the same time coordinates Independence
(administrative function) with the CEO.
The chief audit executive must report to
● Threats to independence must be a level within the organization that
managed at the individual auditor, allows the
engagement, internal audit activity to fulfill its
functional, and organizational levels. responsibilities. The chief audit
executive must confirm
-For example, when internal audit to the board, at least annually, the
reports within other functions in organizational independence of the
an internal audit activity.
organization, it is not considered
independent of that function, which is Organizational independence is
subject effectively achieved when the chief audit
to audit. Similarly, if the chief audit executive
executive (CAE) has functional

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 reports functionally to the board. ● Threats to objectivity must be
Examples of functional reporting to the managed at the individual
board involve auditor, engagement, functional,
the board: and organizational levels.
● Approving the internal audit -To implement this standard, the
charter. CAE will want to understand policies
● Approving the risk-based or
internal audit plan. activities within the organization and
● Approving the internal audit within internal audit that could
budget and resource plan. enhance or
● Receiving communications hinder such a mindset.
from the chief audit executive on - For example, many organizations
the internal audit have standard performance
activity’s performance relative to evaluation and
its plan and other matters. compensation policies, as well as
Approving employee conflict of interest policies.
decisions regarding the The
appointment and removal of the CAE will want to understand the
chief audit executive. nature of relevant policies identified
● Approving the remuneration of and
the chief audit executive. consider their potential impact on
● Making appropriate inquiries of internal audit objectivity. Internal
management and the chief audit audit will
executive to often customize these organization
determine whether there are wide policies to address internal
inappropriate scope or resource audit roles
limitations. specifically and may develop other
relevant policies specifically for
Objectivity — is an unbiased mental internal
attitude that allows internal auditors to audit, such as policies pertaining to
perform training requirements.
engagements in such a manner that
they believe in their work product and Standard 1120 – Individual
that no quality compromises are made. Objectivity

● Objectivity requires that internal Internal auditors must have an impartial,

auditors do not subordinate their unbiased attitude and avoid any conflict
judgment on audit matters to of interest.
others.

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 Conflict of interest is a situation in which status, as well as authority to perform
an internal auditor, who is in a position duties without impediment and to
of trust, has a competing professional or address
personal interest. Such competing difficult issues with other senior leaders.
interests can make it difficult to fulfill his - The IIA recommends that the
or her duties impartially. A conflict of CAE report administratively to the
interest exists even if no unethical or chief executive officer
improper act results. A conflict of interest (CEO), both so that the CAE is clearly a
can create an appearance of impropriety senior position and so that internal audit
that can undermine confidence in the is not
internal auditor, the internal audit activity, positioned within an operation that is
and the profession. A conflict of interest subject to audit.
could impair an individual's ability to - It is also recommended that the
perform his or her duties and CAE not have operational
responsibilities objectively. When responsibilities beyond
assigning internal auditors to specific internal audit, as these other
engagements, the CAE (or delegate) will responsibilities may, themselves, be
consider potential objectivity subject to audit.
impairments and avoid assigning team
members who Standard 1111 – Direct Interaction
may have a conflict, as described with the Board
above.
The chief audit executive must
The CAE has a direct functional communicate and interact directly with
reporting line to the board and an the board.
administrative reporting line to a
member of senior management. If the CAE has a direct functional
reporting relationship with the board,
- The reporting line to the board then the board
provides the CAE with direct assumes responsibility for approving the
board access for sensitive internal audit charter, internal audit plan,
matters and enables sufficient internal audit budget and resource plan,
organizational status. Administrative evaluation and compensation of the
reporting to a CAE, and appointment and removal of
member of senior management also the CAE. Further, the board monitors the
provides the CAE with sufficient ability of internal audit to operate
organizational independently and fulfill its charter.

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 To reinforce the importance of these
policies and help ensure all internal
auditors internalize
their importance, some CAEs will hold
routine workshops or training on these
fundamental concepts. Such training
sessions will often allow internal auditors
to better understand objectivity by
considering objectivity-impairing
scenarios and how best to address
them. Further, when assigning internal
auditors to specific engagements, the
CAE will consider potential objectivity
impairments and avoid assigning team
members who may have a conflict.
Standard 1130 – Impairment
Independence or Objectivity
If independence or objectivity is
impaired in fact or appearance, the
details of the impairment must be
disclosed to appropriate parties. The
nature of the disclosure will depend
upon the impairment.
- Impairment to organizational
independence and individual
objectivity may include, but
is not limited to, personal conflict of
interest; scope limitations; restrictions on
access
to records, personnel, and properties;
and resource limitations, such as
funding.
- The determination of appropriate
parties to which the details of an
impairment to
AAPRINCIPLES – Fundamentals of Assurance Services
This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00
https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
independence or objectivity must be
disclosed is dependent upon the
expectations of
the internal audit activity’s and the chief
audit executive’s responsibilities to
senior
management and the board as
described in the internal audit charter, as
well as the
nature of the impairment.
To effectively manage independence
and objectivity, including impairments,
many CAEs have an internal audit policy
manual or handbook that describes the
related expectations and requirements.
to In addition to defining independence and
objectivity, such a manual may identify
the specific related standards; describe
the types of situations that could create,
or appear to create, impairments; and
specify the expected actions the internal
auditor should undertake if faced with a
potential impairment.
Impairment situations generally include
self-interest, self-review, familiarity, bias,
or undue influence. These situations can
lead to personal conflicts of interest,
scope limitations, resource limitations, or
restrictions on access to records,
personnel, or properties. Internal audit
examples of organizational
independence impairments include the
following, which, if in effect, can also
undermine internal auditor objectivity:
 ● The CAE has broader functional effectively mitigated risks based solely
responsibility than internal audit and on a prior positive audit or personal
executes an audit experiences
of a functional area that is also under (e.g., a lack of professional skepticism).
the CAE’s oversight. - An internal auditor modifies the
● The CAE’s supervisor has broader planned approach or results based on
responsibility than internal audit, and the the undue
CAE executes an audit within his or her influence of another person, often
supervisor’s functional responsibility. someone senior to the internal auditor,
● The CAE does not have direct without
communication or interaction with the appropriate justification.
board.
● The budget for the internal audit
activity is reduced to the point that
internal audit cannot fulfill its
responsibilities as outlined in the charter.
(Standard 2020 –Communication and
Approval, provides further guidance on
communicating the impact of resource
limitations.

Examples of objectivity impairments

include:

- An internal auditor audits an area in

which he or she recently worked, such
as when
an employee transfers into internal audit
from a different functional area of the
organization and then is assigned to an
audit of that function.
- An internal auditor audits an area
where a relative or close friend is
employed.
- An internal auditor assumes, without
evidence, that an area being audited
has

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
 AAPRINCIPLES – Fundamentals of Assurance Services
This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:00 GMT -06:00

https://www.coursehero.com/file/127430488/AAPRINCPLES-Introduction-to-Internal-Auditingdocxpdf/
Powered by TCPDF (www.tcpdf.org)
 PIA-HAU
- People undertake risk
Overview of management activities to identify,
assess, manage, and control
Internal Audit all kinds of events or situations.
These can range from single
Roles projects or narrowly
defined types of risk, e.g. market
An IIA Position Paper titled The risk, to the threats and opportunities
Role of Internal Auditing in facing the
Enterprise-wide Risk Management organization as a whole. The
discusses a range of risk principles presented in this paper
management activities and can be used to guide
indicates which roles an effective the involvement of internal auditing
professional internal audit activity in all forms of risk management but
should and, equally importantly, we are
should not undertake.
particularly interested in enterprise-
The importance to strong corporate wide risk management because
governance of managing risk has this is likely to
been improve an organization’s
increasingly acknowledged. governance processes.
Organizations are under pressure to
identify all the Is a structured, consistent and
business risks they face; social, continuous process across the
ethical and environmental as well as whole
financial and organization for identifying,
operational, and to explain how they assessing, deciding on
manage them to an acceptable level. responses to and reporting
Meanwhile, on opportunities and threats that
the use of enterprise-wide risk affect the achievement of its
management frameworks has objectives.
expanded, as
organizations recognize their
advantages over less coordinated Responsibility for ERM
approaches to risk
management. Internal auditing, in both - The board has overall
its assurance and its consulting roles, responsibility for ensuring that risks
contributes to the management of risk are managed. In practice,
in a variety of ways. the board will delegate the
operation of the risk management
Enterprise-wide Risk Management framework to the

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-13-2022 02:08:37 GMT -06:00

https://www.coursehero.com/file/117483366/FINALSAAPRINCPLES-Overview-of-Internal-Audit-Rolesdocx/
 PIA-HAU
management team, who will be internal audit roles described in the
responsible for completing the position paper. Each of these areas is
activities below. There critical to the success of risk
may be a separate function that co- management. The audit committee and
ordinates and project-manages these management will find comfort in
activities and knowing these areas are operating
brings to bear specialist skills and effectively, and if not, will want to
knowledge. understand what the gaps are and the
- Everyone in the organization plays a potential actions to close those gaps.
role in ensuring successful enterprise- services can be measured.
wide risk
management but the primary LIMITED INTERNAL AUDIT ROLE
responsibility for identifying risks and WITH SAFEGUARDS
managing them lies - CAEs should seek opportunities to
with management. perform as many of the consulting
services as possible and formally
The role of internal auditing in ERM communicate the results of those
Internal auditing is an independent, consulting services. Many internal
objective assurance and consulting audit activities have the skills to
activity. Its conduct these activities. Proper
core role with regard to ERM is to safeguards, which typically ensure that
provide objective assurance to the responsibility, accountability, and
board on the
authority rest with management and
effectiveness of risk management.
not the internal audit activity, are not
Indeed, research has shown that
board directors that difficult to put in place. However, it
and internal auditors agree that the is important to ensure that these
two most important ways that internal safeguards are well understood by the
auditing audit committee and management.

provides value to the organization are Consulting roles

in providing objective assurance that - In general, the further to the right of
the major the dial that internal auditing ventures,
business risks are being managed the
appropriately and providing assurance greater are the safeguards that are
that the risk required to ensure that its
management and internal control
independence
framework is operating effectively.
and objectivity are maintained. Some
CORE INTERNAL AUDIT ROLES of the consulting roles that the internal
audit activity may undertake are:
- Internal audit activities should provide
assurance on many, if not all, of the core

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-13-2022 02:08:37 GMT -06:00

https://www.coursehero.com/file/117483366/FINALSAAPRINCPLES-Overview-of-Internal-Audit-Rolesdocx/

a. Making available
management tools and techniques
used by internal
auditing to analyze risks and controls;
b. Being a champion for
introducing ERM into the
organization, leveraging its
expertise in risk management and
control and its overall knowledge of
the organization;
c. Providing advice, facilitating
workshops, coaching the
organization on risk and control
and promoting the development of
a common language, framework
and understanding;
d. Acting as the central point for
coordinating, monitoring and
reporting on risks; and
e. Supporting managers as they
work to identify the best way to
mitigate a risk.
The key factor in deciding whether
consulting services are compatible with
the assurance role is to determine
whether the internal auditor is assuming
any
management responsibility.
Safeguards
Internal auditing may extend its
involvement in ERM, certain conditions
apply. The conditions are:
● It should be clear that management
remains responsible for risk management.
● The nature of internal auditor’s
responsibilities should be documented in
the internal audit charter and approved by
the audit committee.
PIA-HAU
to ● Internal auditing should not manage
any of the risks on behalf of
management.
● Internal auditing should provide
advice, challenge and support to
management’s decision making, as
opposed to taking risk management
decisions themselves.
ROLES INTERNAL AUDITING
SHOULD NOT UNDERTAKE
- While there are good reasons why
the last group of roles should not be
undertaken by inter- nal auditors, there
may be appropriate times to do so
anyway. If the organization has a
significant need related to risk
management, and nobody else has the
experience to fill that need, it may be
better if an internal auditor fills that role
rather than nobody at all. The auditor’s
objectivity will be impaired for a period
of time, and this may impair the
objectivity of the entire internal audit
activity, but independent assurance
could still be obtained from some other
source (typically an outside specialist),
which may provide the audit committee
and management with the comfort
they need.
Definition of terms
● Assurance Services: An objective
examination of evidence for the
purpose of
providing an independent assessment
on governance, risk management, and
control
processes for the organization.
Examples may include financial,
performance,

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-13-2022 02:08:37 GMT -06:00

https://www.coursehero.com/file/117483366/FINALSAAPRINCPLES-Overview-of-Internal-Audit-Rolesdocx/

compliance, system security, and due
diligence engagements.
● Board: A board is an organization’s
governing body, such as a board of
directors,
supervisory board, head of an agency or
legislative body, board of governors or
trustees of a non profit organization, or
any other designated body of the
organization,
including the audit committee to whom
the chief audit executive may functionally
report.
● Champion: Someone who supports and
defends a person or cause. Therefore, a
champion of risk management will
promote its benefits, educate an
organization’s
management and staff in the actions they
need to take to implement it and will
encourage them and support them in
taking those actions.
● Consulting Services: Advisory and
related client service activities, the nature
and
scope of which are agreed with the client,
are intended to add value and improve an
organization’s governance,
management, and control processes
without the
internal auditor assuming management
responsibility. Examples include counsel,
advice, facilitation, and training.
● Control: Any action taken by
management, the board, and other
parties to manage
risk and increase the likelihood that
established objectives and goals will be
achieved.
PIA-HAU
Management plans, organizes, and
directs the performance of sufficient
actions to
provide reasonable assurance that
objectives and goals will be achieved.
● Enterprise: Any organization
established to achieve a set of
objectives.
● Enterprise-wide risk management
(ERM): A structured, consistent and
continuous
process across the whole organization
for identifying, assessing, deciding on
responses to and reporting on
opportunities and threats that affect the
achievement of
its objectives.
● Facilitating: Working with a group (or
individual) to make it easier for that
group (or
individual) to achieve the objectives
that the group has agreed for the
meeting or
activity. This involves listening,
challenging, observing, questioning
and supporting the
risk group and its members. It does not
involve doing the work or taking
decisions.
● Risk: The possibility of an event
occurring that will have an impact on
the achievement
of objectives. Risk is measured in
terms of impact and likelihood.
● Risk Appetite: The level of risk that
an organization is willing to accept.
● Risk Management Framework: The
totality of the structures, methodology,

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-13-2022 02:08:37 GMT -06:00

https://www.coursehero.com/file/117483366/FINALSAAPRINCPLES-Overview-of-Internal-Audit-Rolesdocx/
 PIA-HAU
procedures and definitions that an
organization has chosen to use to
implement its risk
management processes.
● Risk Management Processes:
Processes to identify, assess, manage,
and control
potential events or situations, to provide
reasonable assurance regarding the
achievement of the organization’s
objectives.
● Risk Maturity: The extent to which a
robust risk management approach has
been
adopted and applied, as planned, by
management across the organization to
identify,
assess, decide on responses to and
report on opportunities and threats that
affect the
achievement of the organization’s
objectives.
● Risk Responses: The means by which
an organization elects to manage
individual
risks. The main categories are to tolerate
the risk; to treat it by reducing its impact
or
likelihood; to transfer it to another
organization or to terminate the activity
creating it.
Internal controls are one way of treating a
risk.

AAPRINCIPLES – Fundamentals of Assurance Services

This study source was downloaded by 100000855388555 from CourseHero.com on 11-13-2022 02:08:37 GMT -06:00

https://www.coursehero.com/file/117483366/FINALSAAPRINCPLES-Overview-of-Internal-Audit-Rolesdocx/
Powered by TCPDF (www.tcpdf.org)
 The Internal Audit internal audit activity to fulfill its
responsibilities
Committee and Charter, d) Independence and objectivity-
Independence and describes its importance in the internal
audit activity and how these will be
Objectivity maintained.
AAPRINCIPLES e) Responsibilities- lay out major areas of
ongoing responsibility, such as scope of
PURPOSE, AUTHORITY, AND assessments, internal audit plan, plan to
RESPONSIBILITY the board for approval, performing
engagements, communicating the
● must be formally defined in an internal
results, providing a written engagement
audit charter, consistent with the
report, and monitoring corrective
Mission of Internal Audit and the
actions taken by management.
mandatory elements of the
f) Quality assurance and improvement-
International Professional Practices
describe the expectations for
Framework
developing, maintaining, evaluating,
● The chief audit executive must
and communicating the results of a
periodically review the internal audit
quality assurance and improvement
charter and present it to senior
program that covers all aspects of the
management and the board for
internal audit activity.
approval
g) Signatures- document agreement
● internal audit charter- formal
among the CAE, a designated board
document that defines the internal
representative, and the individual to
audit activity's purpose, authority, and
whom the CAE reports. This section
responsibility
includes the date, names, and titles of
CONTENTS OF THE CHARTER signatories.

a) Introduction- explain the overall role

and professionalism of the internal RECOGNIZING MANDATORY GUIDANCE
audit activity. Relevant elements of the IN THE INTERNAL AUDIT CHARTER
● The mandatory nature of the Core
IPPF are often cited in the introduction.
Principles for the Professional Practice
b) Authority- specify the internal audit
of Internal Auditing, the Code of Ethics,
activity’s full access to the records,
the Standards, and the Definition of
physical property, and personnel
Internal Auditing must be recognized in
required to perform engagements and
the internal audit charter. The chief
to declare internal auditors’
audit executive should discuss the
accountability for safeguarding assets
Mission of Internal Audit and the
and confidentiality
mandatory elements of the
c) Organization and reporting structure-
International Professional Practices
document the CAE’s reporting structure.
Framework with senior management
The CAE should report functionally to
and the board.
the board and administratively to a level
within the organization that allows the INDEPENDENCE AND OBJECTIVITY

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:13 GMT -06:00

https://www.coursehero.com/file/127430552/AAPRINCIPLES-The-Internal-Audit-Committee-and-Charter-Independence-and-Objectivitydocxpdf/
 ● The internal audit activity must be
independent, and internal auditors
must be objective in performing their
work
Organizational Independence
✔ The chief audit executive must
report to a level within the
organization that allows the
internal audit activity to fulfill
its responsibilities. The chief
audit executive must confirm to
the board, at least annually, the
organizational independence of
the internal audit activity.
Direct Interaction with the Board
✔ The chief audit executive must
communicate and interact
directly with the board.
Individual Objectivity
✔ The chief audit executive must
communicate and interact
directly with the board
Impairment to Independence or
Objectivity
✔ If independence or objectivity is
impaired in fact or appearance,
the details of the impairment
must be disclosed to
appropriate parties. The nature
of the disclosure will depend
upon the impairment.
✔ Internal auditors must refrain
from assessing specific
operations for which they were
previously responsible.
Objectivity is presumed to be
impaired if an internal auditor
provides assurance services for
an activity for which the
internal auditor had
responsibility within the
previous year.
This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:13 GMT -06:00
https://www.coursehero.com/file/127430552/AAPRINCIPLES-The-Internal-Audit-Committee-and-Charter-Independence-and-Objectivitydocxpdf/
✔ Assurance engagements for
functions over which the chief
audit executive has
responsibility must be overseen
by a party outside the internal
audit activity.
✔ Internal auditors may provide
consulting services relating to
operations for which they had
previous responsibilities.
✔ If internal auditors have
potential impairments to
independence or objectivity
relating to proposed consulting
services, disclosure must be
made to the engagement client
prior to accepting the
engagement.
THE INTERNAL AUDIT COMMITTEE
● refers to the governance body that is
charged with oversight of the
organization’s audit and control
functions.
● Under the foregoing practice advisory,
the term is also intended to apply to
other oversight groups with equivalents
and responsibilities such as trustees,
legislative bodies, owners of
owner-managed entities, internal
control committees or full boards of
directors.
Functions:
1. The audit committee engages in an
open, transparent relationship with the
chief audit executive (CAE).
2. The audit committee reviews and
approves the internal audit charter
annually.
3. As a result of discussions with the CAE,
the audit committee has a clear
understanding of the strengths and
weaknesses of the organization’s
 internal control and risk management ● Advocating and promoting the value
systems internal audit professionals add to their
4. The internal audit activity is sufficiently organizations.
resourced with competent, objective ● Providing comprehensive professional
internal audit professionals to carry out educational and development
the internal audit plan, which has been opportunities, standards and other
reviewed and approved by the audit professional practice guidance, and
committee. certification programs.
5. The internal audit activity is empowered ● Researching, disseminating, and
to be independent by its appropriate promoting knowledge concerning
reporting relationships to executive internal auditing and its appropriate
management and the audit committee. role in control, risk management, and
6. The audit committee addresses with the governance to practitioners and
CAE all issues related to internal audit stakeholders.
independence and objectivity. ● Educating practitioners and other
7. The internal audit activity is quality
relevant audiences on best practices in
oriented, and has in place a Quality
internal auditing.
Assurance and Improvement Program
● Bringing together internal auditors from
(QAIP).
all countries to share information and
8. The audit committee regularly
experiences
communicated with the CAE about the
performance and improvement of the
internal audit as a whole.
REPORTING TO SENIOR
9. Internal audit reports are actionable, MANAGEMENT AND THE BOARD
and audit recommendations and/or ● The chief audit executive must report
other improvements are satisfactorily periodically to senior management and
implemented by management. the board on the internal audit activity’s
10. The audit committee meets periodically purpose, authority, responsibility, and
with the CAE without the presence of performance relative to its plan and on
management its conformance with the Code of Ethics
and the Standards. Reporting must also
THE INSTITUTE OF INTERNAL include significant risk and control
AUDITORS issues, including fraud risks, governance
issues, and other matters that require
● is the internal audit profession's global
the attention of senior management
voice, recognized authority,
and/or the board
acknowledged leader, chief advocate,
and principal educator. Generally, Internal Audit Charter
members work in internal auditing, risk
management, governance, internal ● internal audit activity’s
control, information technology audit, purpose, authority, and
education, and security. responsibility must be
formally defined in the
Mission internal audit charter. The
CAE is responsible for
periodically reviewing the

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:13 GMT -06:00

https://www.coursehero.com/file/127430552/AAPRINCIPLES-The-Internal-Audit-Committee-and-Charter-Independence-and-Objectivitydocxpdf/
 charter and presenting it to the assessments are
senior management and completed. However, the
the board for approval. results of ongoing
Organizational monitoring of the internal
Independence of the audit activity’s
Internal Audit Activity performance, which is part
● must be confirmed to the of the internal assessment
process, must be reported
board annually
at least annually
● In addition, any
Conformance With
interference in determining
the scope of internal the Code of Ethics
auditing, performing work, and Standards
or communicating results — ● “When nonconformance
as well as the implications with the Code of Ethics or
of such interference — the Standards impacts the
must be disclosed to the overall scope or operation
board of the internal audit activity,
● An independent reporting the chief audit executive
relationship is essential to must disclose the
facilitate the CAE’s ability to nonconformance and the
communicate directly with impact to senior
the board management and the
board.”
Results of Audit
● Engagement Disclosure of
Engagements
Nonconformance stipulates
● the information that the information that must
engagement be disclosed when
communications must nonconformance impacts a
contain, the quality of that specific engagement.
information, and the ● In addition, Standard 2060
protocol in the case of calls for the CAE to
errors and omissions or communicate action plans
nonconformance with the to address any significant
Code of Ethics or Standards issues related to
that affects a specific conformance.
engagement Significant Risk and
Quality Assurance Control Issues and
and Improvement Management’s
Program Acceptance of Risk
● lists the requirements of
● A primary purpose of CAE
the CAE’s communication to
reporting is to provide
senior management and
assurance and advice to
the board, including that
senior management and
this reporting must occur as

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:13 GMT -06:00

https://www.coursehero.com/file/127430552/AAPRINCIPLES-The-Internal-Audit-Committee-and-Charter-Independence-and-Objectivitydocxpdf/
 the board regarding the to review and adjust the internal audit
organization’s governance, plan.
risk management, and
controls

THEORIES
REPORTABLE CONDITIONS
1. A formal document that defines
● as matters coming to an
the internal audit’s purpose,
auditor's attention that
represent significant authority, and responsibility
deficiencies in the design or a. Authority
operation of internal b. Sanction
control that could adversely c. Charter
affect the entity's ability to d. Covenant
initiate, record, process, 2. The freedom from conditions
and report financial data
that threaten the ability of the
consistent with the
internal audit activity to carry
assertions of management
in the financial statements. out internal audit
responsibilities in an unbiased
Communication and Approval manner
- The chief audit executive must a. Self- government
communicate the internal audit b. independence
activity’s plans and resource c. objectivity
requirements, including significant
interim changes, to senior management
d. impairment
and the board for review and approval. 3. An unbiased mental attitude
The chief audit executive must also that allows internal auditors to
communicate the impact of resource perform engagements in such a
limitations. manner that they believe in
- The chief audit executive (CAE) should
their work product and that no
submit annually to senior management
quality compromises are made.
for approval, and to the board for its
information, a summary of the internal a. Independence
audit activity’s work schedule, staffing b. Objectivity
plan, and financial budget.
- The CAE must review significant c. Engagement
changes to the audit plan, related d. Control environment
rationale, and potential impact with the
board and senior management to 4. A specific internal audit
obtain their approval. Regularly assignment, task, or review
scheduled quarterly or semiannual activity, such as an internal
board meetings provide opportunities audit, control self-assessment

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:13 GMT -06:00

https://www.coursehero.com/file/127430552/AAPRINCIPLES-The-Internal-Audit-Committee-and-Charter-Independence-and-Objectivitydocxpdf/
 review, fraud examination, or
consultancy
a. Independence
b. Objectivity
c. Engagement
d. Control environment
5. Describes a person in a senior
position responsible for
effectively managing the
internal audit activity in
accordance with the internal
audit charter and the Definition
of Internal Auditing, the Code of
Ethics, and the Standards.
a. Chief Audit Executive
b. IPPF
c. Senior Management
d. Board of Directors

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:13 GMT -06:00

https://www.coursehero.com/file/127430552/AAPRINCIPLES-The-Internal-Audit-Committee-and-Charter-Independence-and-Objectivitydocxpdf/
Powered by TCPDF (www.tcpdf.org)
 The International auditor. Due professional care does not
imply infallibility
Professional Practices
Continuing Professional
Framework Development
AAPRINCIPLES-MODULE 14
● Internal auditors must enhance their
Proficiency and Due knowledge, skills, and other
competencies through continuing
Professional Care professional development.
● Engagements must be performed with ● In order to enhance their competencies
proficiency and due professional care- and continue their professional
Performing engagements with development, internal auditors may
proficiency and due professional care is want to reflect on their job
the responsibility of every internal requirements, including the training
auditor policies and the professional education
● Usually develop proficiency via requirements of their profession,
education, experience, professional organization, industry, and any
development opportunities, and certifications or areas of specialization.
qualifications such as the internal audit
Managing the Internal Audit
profession’s most relevant certification,
the Certified Internal Auditor granted by Activity
The IIA.
● The chief audit executive must
Proficiency effectively manage the internal
● Internal auditors must possess the audit activity to ensure it adds
knowledge, skills, and other value to the organization.
competencies needed to perform their
Internal Audit activity is effectively
individual responsibilities. The internal
managed when:
audit activity collectively must possess
or obtain the knowledge, skills, and - It achieves the purpose and
other competencies needed to perform responsibility included in the internal
its responsibilities. audit charter.
● Proficiency is a collective term that - It conforms with the Standards.
refers to the knowledge, skills, and
other competencies required of internal
- Its individual members conform with
auditors to effectively carry out their the Code of Ethics and the Standards.
professional responsibilities - It considers trends and emerging issues
that could impact the organization.
Due Professional Care
The specific responsibilities of the
● Internal auditors must apply the care Chief Audit Executive in managing
and skill expected of a reasonably the internal audit activity were laid
prudent and competent internal down in IIA Standard 2000 and its

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:32 GMT -06:00

https://www.coursehero.com/file/127430444/AAPRINCIPLES-The-International-Professional-Practices-Frameworkdocxpdf/
 related practice advisories as 3. Appreciative Skills often in situations of
follows: ambiguity.
Behavioral Skills Handling oneself well
1. Planning 1. Personal in situations of
Skills challenge, stress,
- The chief audit executive must conflict, time
establish a risk-based plan to pressure, and
determine the priorities of the change.
internal audit activity,
consistent with the Securing outcomes
2. Interpersonal Skills through
organization’s goals.
interpersonal
2. Communication and Approval interactions.

- The chief audit executive must

communicate the internal audit
Securing outcomes
activity’s plans and resource 3. Organizations through the use of
requirements, including Skills organizational
significant interim changes, to
networks
senior management and the
board for review and approval.
The chief audit executive must
also communicate the impact of
resource limitations 4.Policies and Procedures

3. Resource Management - The chief audit executive must

establish policies and
- The chief audit executive must procedures to guide the internal
audit activity.
ensure that internal audit
resources are appropriate, 5.Coordination
sufficient, and effectively
deployed to achieve the - The chief audit executive should
approved plan share information, coordinate
activities, and consider relying
Cognitive Skills Following defined upon the work of other internal
1. Technical routines with some and external assurance and
Skills mastery. consulting service providers to
ensure proper coverage and
Problem minimize duplication of efforts.
2. Analytical identification or task
Skills definition and the 6. Reporting to the board and Senior
structuring of Management
prototype solutions
or performances. - The chief audit executive must
Making complex and report periodically to senior
creative judgments, management and the board on

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:32 GMT -06:00

https://www.coursehero.com/file/127430444/AAPRINCIPLES-The-International-Professional-Practices-Frameworkdocxpdf/
 the internal audit activity’s
purpose, authority, ● Standard 1311 – Internal
responsibility, and performance Assessments- states that the
relative to its plan and on its mandatory internal assessments must
conformance with the Code of include both ongoing monitoring and
Ethics and the Standards. periodic self-assessments.
Reporting must also include
significant risk and control ● Standard 1312 – External
issues, including fraud risks, Assessments- explains the
governance issues, and other requirements for external assessments,
matters that require the including their form and frequency (at
attention of senior least once every five years) as well as the
management and/or the board. qualification and independence
requirements for the external assessor
or assessment team.
External Service Provider and
Organizational Responsibility for ● Standard 1320 – Reporting on the
Internal Auditing Quality Assurance and Improvement
Program- outlines the CAE’s
● When an external service provider responsibilities for communicating the
serves as the internal audit activity, the results of the QAIP to senior
provider must make the organization management and the board.
aware that the organization has the ● Standard 1321 – Use of “Conforms with
responsibility for maintaining an the International Standards for the
effective internal audit activity. Professional Practice of Internal
● Standard 1210.A1- The chief audit Auditing”- indicates that internal audit
executive must obtain competent advice activity may only communicate — in
and assistance if the internal auditors writing or verbally — conformance with
lack the knowledge, skills, or other the Standards if results of the QAIP
competencies needed to perform all or (including internal and external
part of the engagement. assessments) support such a statement.
● Standard 1322 – Disclosure of
● Standard 1300 – Quality Nonconformance requires the CAE- the
Assurance and Improvement external service provider hired to serve
Program- explains that the CAE must as CAE — to disclose to senior
develop and maintain a QAIP that management and the board any
encompasses all aspects of the internal instances where the internal audit
audit activity. activity does not conform with the
Standards or the Code of Ethics and how
● Standard 1310 – Requirements the lack of conformance impacts the
of the Quality Assurance and overall scope or operation of the internal
Improvement Program- stipulates audit activity.
that the QAIP must include both internal
and external assessments.

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:32 GMT -06:00

https://www.coursehero.com/file/127430444/AAPRINCIPLES-The-International-Professional-Practices-Frameworkdocxpdf/
 and relevant audit evidence. The
CAE determines whether
it is essential that the CAE establish
additional work or testing is
a consistent process and set of
needed to obtain sufficient
criteria to determine whether the
evidence to support or increase
internal audit activity may rely on the
the level of reliance desired. If
work of another provider. In this
additional work is needed, the
process, the CAE may:
internal audit activity may retest
● Evaluate objectivity by considering the results of the other provider
whether the provider has, or may
THEORIES
appear to have, any conflicts of
interest and whether they have 1. The chief audit executive must
been disclosed. establish a risk-based plan to
● Consider independence by determine the priorities of the internal
examining the provider’s reporting audit activity, consistent with the
relationships and the impact of organization’s goals.
this arrangement. a. Communication and approval
● Confirm competency by verifying b. Planning
whether the provider’s c. Resource Management
professional experience, d. Policies and procedures
qualifications, certifications, and 2. The chief audit executive must
communicate the internal audit
affiliations are appropriate and
activity’s plans and resource
current. requirements, including significant
● Assess due professional care by interim changes, to senior
examining elements of the management and the board for review
practice the provider applies to and approval.
complete the work (i.e., the a. Communication and approval
provider’s methodology and b. Planning
whether the work was c. Resource Management
appropriately planned, supervised, d. Policies and procedures
documented, and reviewed). 3. The chief audit executive must ensure
● The CAE may also seek to gain that internal audit resources are
an understanding of the scope, appropriate, sufficient, and effectively
objectives, and results of the deployed to achieve the approved
actual work performed to plan.
determine the extent of reliance a. Communication and approval
that may be placed on the b. Planning
provider’s work. The CAE typically c. Resource Management
considers whether the provider’s d. Policies and procedures
findings appear reasonable and
are based on sufficient, reliable,

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:32 GMT -06:00

https://www.coursehero.com/file/127430444/AAPRINCIPLES-The-International-Professional-Practices-Frameworkdocxpdf/
 4. Handling oneself well in situations of
challenge, stress, conflict, time
pressure, and change.
a. Interpersonal skills
b. Organizational skills
c. Personal skills
d. Technical skills
5. The chief audit executive must
establish this to guide the internal
audit activity
a. Communication and approval
b. Planning
c. Resource Management
d. Policies and procedures

This study source was downloaded by 100000855388555 from CourseHero.com on 11-09-2022 19:38:32 GMT -06:00

https://www.coursehero.com/file/127430444/AAPRINCIPLES-The-International-Professional-Practices-Frameworkdocxpdf/
Powered by TCPDF (www.tcpdf.org)