PART 1

Professional guidance for managing the

internal audit activity

Contents
TOPIC 1: International Professional Practice Framework (IPPF) 2

TOPIC 2: Regulatory Frameworks 16

1 AUI4861/SG
TOPIC 1
International Professional Practice
Framework (IPPF)

Contents
LEARNING UNIT 1: Theory and application of the IPPF 4 2

INTRODUCTION TO AND PURPOSE OF THE TOPIC

The Institute of Internal Auditors (IIA) has a membership of over 190 000 internal auditors globally
in 170 countries and is faced with the challenge of ensuring that internal auditing is practiced by
all its members in a professional and consistent way.

The International Professional Practice Framework (IPPF) has been developed by the IIA to ensure
professionalism and consistency in the practice of internal auditing. According to the preface to
the IPPF, internal auditing is performed throughout the world, in diverse environments and within
organisations that vary in purpose, size and structure. While differences may affect the practice of
internal auditing in each environment, conformance with the IPPF is essential in meeting the
responsibilities of internal auditors and the internal audit activity (IAA) (2009:xv). Internal
auditors, therefore, demonstrate their professionalism by adhering to the IPPF.

The IIA first introduced professional guidance for internal auditors in 1978 to be used around the
world in order to provide international consistency and also as a measurement tool for audit
quality assurance. Through its research foundation, the IIA ensured that the professional guidance
provided to its members remained current and in touch with developing internal audit practices.
In 2016, the IIA implemented its latest revision of the professional guidance in the form of the IPPF.

2 AUI4861/SG
The purpose of this topic is firstly to guide you in understanding the nature of the IPPF and the
effect that the IPPF has on the practice of internal auditing, and secondly, to guide you in
becoming proficient in the practical application of the IPPF.

MULTIMEDIA

Click on the hyperlinks below to view the following YouTube video about the IPPF and
Internal Audit:
https://www.youtube.com/watch?v=G5a5vchrIh8

LEARNING OUTCOMES

After you have studied this topic, you should be able to

● explain the purpose of the International Professional Practices Framework (IPPF)
including the Core Principles, the Standards, the Code of Ethics and the
recommended guidance;
● demonstrate a solid knowledge and understanding of the IPPF; and
● apply the IPPF in practical situations

3 AUI4861/SG
Learning unit 1
Theory and application of the IPPF

Contents
1.1 INTRODUCTION 4
1.2 TYPES OF GUIDANCE PROVIDED IN THE IPPF 5
1.3 MANDATORY GUIDANCE 7
1.4 RECOMMENDED GUIDANCE 10

1.1 INTRODUCTION

The IIA Inc. was formed in 1941. Initially, it was based in New York and was confined to the USA.
Its role then was to provide a clearing house for ideas and education, and generally to unite the
developing profession. By the 1960s the IIA had grown and flourished, and had become the
acknowledged international leader of the internal auditing profession. The IIA's motto of
"Progress Through Sharing" defined its role as a non-elitist coming together of like-minded
individuals to offer mutual support and advancement through the propagation of knowledge. As
stated earlier, the IIA first introduced the Guidance for the Professional Practice of Internal
Auditing in 1978 with the intention that it would provide international consistency and be a
measurement tool to measure audit quality assurance around the world.

As the business processes developed and became more complicated, it became evident that the
role of internal auditing had to be redefined. In 1999, the IIA undertook a research project, called
the Competency Framework for Internal Auditing (CFIA), with the intention to compile a common
body of knowledge for internal auditors. The project also addressed the future role of internal

4 AUI4861/SG
auditing, the competencies that internal auditors should possess, and the ways by which these
competencies should be evaluated.
The IIA then summated an international group of professional internal auditors, known as the
Guidance Task Force, to study the needs of the profession and to formulate a framework of
guidance for the future practice of internal auditing.

The report of this task force in 1999 led to a total revision of the definition of internal auditing, the
Standards for the Professional Practice of Internal Auditing (Standards), the guidelines for
internal audit practice and the activities of the IIA. The Professional Practices Framework (PPF)
that developed from this was adopted in 2002 and laid the foundation for internal auditing as it
is practiced today. It became mandatory guidance for all IIA members and Certified Internal
Auditors (CIA's) on January 1, 2004.

The global development of internal auditing and the demands placed on the profession, however,
require constant revision of internal audit practices. In 2015, the IIA published updated guidance
for the profession, now referred to as the International Professional Practice Framework (IPPF),
upon which your study of this module will be based.

The IPPF plays a crucial role in the practice of internal auditing and supports the concept of
internal auditing as a professionally based discipline. It is the compendium of authoritative
guidance promulgated by the IIA. In general, it provides a structural blueprint of how a body of
knowledge and guidance fit together.

MULTIMEDIA

Click on the hyperlink below to view the following YouTube video, which provides a
summary on the updated IPPF, the changes and what has remained the same.
http://www.iia.org.au/sf_docs/default-source/quality/iia-global-new-ippf-
2015.pdf?sfvrsn=2

1.2 TYPES OF GUIDANCE PROVIDED IN THE IPPF

As indicated in figure 1.1 below, the guidance in the IPPF is classified as either
mandatory guidance or strongly recommended guidance.
Mandatory - Compliance with the principles set forth in mandatory guidance is
required and essential for the professional practice of internal auditing. The guidance
is developed following due processes, which includes public exposure.

Recommended - The guidance is endorsed by the IIA through a formal review and
approval process. It describes practices to implement the Core Principles, Definition of
Internal Auditing, Code of Ethics and Standards effectively. Compliance is
recommended.

5 AUI4861/SG
Figure 1.1: The International Professional Practices Framework (IPPF) www.theiia.org

The IPPF guidance includes:

Mandatory guidance Recommended guidance

Core Principles for the Professional Practice Implementation Guidance
of Internal Auditing
Definition of Internal Auditing Supplemental Guidance
Code of Ethics
International Standards for the Professional
Practice of Internal Auditing (Standards)

Firstly, the Mission of Internal Audit was introduced by the IIA in 2015 to demonstrate
how internal audit practitioners should use the IPPF to achieve the Mission.

To enhance and protect organizational value by providing risk-

based and objective assurance, advice, and insight

6 AUI4861/SG
 1.3 MANDATORY GUIDANCE
CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

The Core Principles, taken as a whole, articulates internal audit effectiveness. The method in
achieving these Principles may differ from organisation to organisation. However, failure to
achieve any of these Principles would indicate that the IAA was not as effective as it could have
been in achieving the internal audit's mission.

STUDY

Study the Core Principles for the Professional Practice of Internal Auditing. Available at
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-
Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx

THE DEFINITION OF INTERNAL AUDITING

The IPPF defines internal auditing as follows:

Internal auditing is an independent, objective assurance and consulting activity

designed to add value and improve an organisation’s operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.

THE CODE OF ETHICS

The purpose of the IIA's Code of Ethics is to promote an ethical culture in the profession of internal
auditing. A code of ethics is necessary and appropriate for the profession of internal auditing,
founded as it is on the trust placed in its objective assurance regarding governance, risk
management and control. The IIA's Code of Ethics extends beyond the Definition of Internal
Auditing to include two essential components:
1. Firstly, it contains Principles that are relevant to the profession and practice of
internal auditing.
2. Secondly, Rules of Conduct are included, which describe the behavioural norms
expected of internal auditors. These rules are an aid to interpreting the Principles
into practical applications and are intended to guide the ethical conduct of internal
auditors.

7 AUI4861/SG
 STUDY
Study the following sections in Internal Auditing: An Introduction, Chapter 3, Section 3.4

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

(STANDARDS)

INTRODUCTION
The Standards are principle-focused and provide a framework for performing and promoting
internal auditing. They are mandatory requirements consisting of
• statements of basic requirements for the professional practice of internal auditing and for
evaluating the effectiveness of its performance, which are internationally applicable at
organisational and individual levels
• interpretations, which clarify terms or concepts within the statements

It is necessary to consider both the statements and their interpretations to understand and apply
the Standards correctly.

The Standards embody the best in internal auditing practice and principles world-wide. They
provide the basis for the measurement of internal auditing performance and the potential of
internal audit to improve management processes and operations.
The purpose of the Standards is to
• delineate basic principles that represent the practice of internal auditing
• provide a framework for performing and promoting a broad range of value-added internal
auditing
• establish the basis for the evaluation of internal audit performance
• foster improved organisational processes and operations

The review and development of the Standards is an ongoing process. The International Internal
Audit Standards Board (IIASB) engages in extensive consultation and discussion prior to issuing the
Standards. This includes worldwide solicitation for public comment through the exposure draft
process. All exposure drafts are posted on the IIA's website and are also distributed to all IIA
Institutes.

ATTRIBUTE STANDARDS
Attribute Standards address the attributes (characteristics) of organisations and individuals
performing internal audit services.
The following attribute standards are included in the IPPF:
1000 - Purpose, Authority and Responsibility
1100 - Independence and Objectivity
1200 - Proficiency and Due Professional Care
1300 - Quality Assurance and Improvement Program

PERFORMANCE STANDARDS
Performance Standards describe the nature of internal audit services and provide quality criteria
against which to measure performance.

Performance Standards provide guidance on the nature of audit work and planning, conducting,

8 AUI4861/SG
managing, communicating, and reporting throughout the audit activity; they also address aspects
such as resource and risk management, policies and procedures, control, and governance.

The following Performance Standards are included in the IPPF:

2000 - Managing the Internal Audit Activity
2100 - Nature of Work
2200 - Engagement Planning
2300 - Performing the Engagement
2400 - Communicating Results
2500 - Monitoring Progress
2600 - Resolution of Senior Management's Acceptance of Risks
Implementation Standards are also provided to expand upon the Attribute and Performance
standards, by providing the requirements applicable to assurance (A) or consulting (C) activities.

Assurance services involve the internal auditor's objective assessment of evidence to provide an
independent opinion or conclusions regarding an entity, operation, function, process, system, or
other subject matter. The nature and scope of the assurance engagement are determined by the
internal auditor. There are generally three parties involved in assurance services:
(1) the person or group directly involved with the entity, operation, function, process, system, or
other subject matter — the process owner,
(2) the person or group making the assessment — the internal auditor, and
(3) the person or group using the assessment — the user.

Consulting services are advisory in nature and are generally performed at the specific request of
an engagement client. The nature and scope of the consulting engagement are subject to
agreement with the engagement client.
Consulting services generally involve two parties:
(1) the person or group offering the advice — the internal auditor, and
(2) the person or group seeking and receiving the advice — the engagement client.

When performing consulting services, the internal auditor should maintain objectivity and not
assume management responsibility.

STUDY
Study the following sections in Internal Auditing: An Introduction, Chapter 2: Section
2.7.5
Study the IPPF, that is, all Attribute and Performance standards (a thorough knowledge
of all the Standards is required). Available at https://na.theiia.org/standards-
guidance/mandatory-guidance/Pages/Standards.aspx

INTERNET SOURCE

Read the following:

Brody, RG & Lowe, DJ. 2000. The New Role of the Internal Auditor: Implications for Internal
Auditor Objectivity. International Journal of Auditing, Vol 4:169-176. Available from: http://0-
onlinelibrary.wiley.com.oasis.unisa.ac.za/doi/10.1111/1099-1123.00311/pdf

9 AUI4861/SG
 The evolution of the role of the internal auditor, with more emphasis on consulting activities, has
resulted in questions and concerns regarding the independence and objectivity of the internal
auditor in accepting these services.

As a postgraduate student you should research more articles related to the topic to enhance your
knowledge and understanding of the subject.

1.4 RECOMMENDED GUIDANCE

1.4.1 IMPLEMENTATION GUIDANCE

The Implementation Guides provides guidance to internal auditors in applying the

Standards. The Implementation Guides replaced the previous Practice Advisories.

1.4.2 SUPPLEMENTAL GUIDANCE

The Supplemental Guidance provides guidance on internal audit activities and services.
Topics on sector-specific issues, processes and procedures, and examples of deliverables
are just some of the issues where guidance is offered in the Supplemental Guidance.
As of July 2015, the Supplemental Guidance incorporated the previous Practice Guides,
Global Technology Audit Guides (GTAGS) and Guides to the Assessment of IT Risks (GAIT).

ACTIVITY 1.1

Consider the scenarios that follow below. For each of the scenarios, with reference to
the IPPF, indicate the Standards and/or the principles of the Code of Ethics that have
been violated. Support your answer by explaining the violation and indicating the
requirements that must be met.

1. John has just been appointed as an internal auditor at Moonlight (Pty) Ltd. When he asks
the Chief Audit Executive (CAE) about the internal audit charter, the CAE informs John that
he does not see the need for an internal audit charter, as every staff member has a job
description. The CAE informs John that he has been the CAE for five years and although they
never had a charter, the internal audit activity (IAA) has always been able to deliver
according to the audit plan. While going through some documents John realises that the
CAE was the company's Financial Director in the previous financial year and that he is also
the cousin of the Chief Executive Officer (CEO) of Moonlight (Pty) Ltd. John further realises
that the IAA was recently established (i.e. in the current financial year) and consists mainly
of former employees of the finance department. None of the internal audit staff has had
prior exposure to internal auditing except for John himself. John came across a recent
internal audit report of the Finance Department that was issued by his team. He was not
satisfied with how the report was compiled and sent the report to his former mentor for his
review and advice on how he should go about discussing his concerns with the CAE.

10 AUI4861/SG
2. Peter Brown is a newly appointed internal auditor at Arthur and Sons Accountants and
Auditors. During the audit at one of the company's key clients, Pro King Electronics, Peter
discovers a fraudulent transaction that implicates the CEO of the auditee. He raises the
matter with the audit manager for direction. Excited about his discovery, Peter informs
family and friends about what has transpired and tells them that the CEO may go to jail. As
he continues the audit he comes across major findings that may cause people to lose jobs.
He decides that his conscience will not allow him to report such findings because many
families may suffer as a result. He therefore decides to shred the working papers. The
supervisor on site notices that Peter acts strangely and probes the matter, only to find that
Peter did not raise the issues that he should have raised. The supervisor then writes a report
on those findings that Peter did not want to raise, and issues the report to the management
of Pro King Electronics. Indeed, three managers were fired with immediate effect

11 AUI4861/SG
 FEEDBACK
# Component violated
1 Standard 1000: Purpose,
authority and responsibility
Standard 1100: Independence
and objectivity
Standard 1200: Proficiency and
Due Professional Care and Code
of Ethics: Principle 4 and Rule
4.1 on Competency
Code of Ethics: Principle 3 and
Rule 3.1 on Confidentiality
Explain the violation IPPF requirements
The IAA is operating without a charter to guide its The purpose, authority and responsibility of the IAA must
activities. be formally defined in an internal audit charter and must
be consistent with the Definition of Internal Auditing, the
Code of Ethics, and the Standards. The CAE must
periodically review the internal audit charter and present
it to senior management and the board for approval.
The CAE is the former financial director and not The IAA must be independent, and internal auditors must
more than 24 months has lapsed since he be objective in performing their work.
occupied that position. The IAA has recently issued Internal auditors must have an impartial, unbiased
the internal audit report relating to the Finance attitude and avoid any conflict of interest.
Department. This means that the CAE and the If independence or objectivity is impaired in fact or
audit team that was involved in the audit may have appearance, the details of the impairment must be
compromised Standards 1100, 1120 and 1130 disclosed to appropriate parties. The nature of the
(1130.A1). The CAE is the cousin of the CEO. disclosure will depend upon the impairment.
The IAA is staffed by people who have never been Internal auditors shall engage only in those services for
exposed to internal auditing before. As such they which they have the necessary knowledge, skills and
do not have the proficiency required to effectively experience.
discharge the audit responsibility. Internal auditors must possess the knowledge, skills, and
other competencies needed to perform their individual
responsibilities. The IAA collectively must possess or
obtain the knowledge, skills and other competencies
needed to perform its responsibilities.
John sent an internal document (i.e. the report) Internal auditors shall be prudent in the use and
to an outsider (i.e. former mentor) in order to get protection of information acquired in the course of their
advice on how he should deal with his challenge. duties.
Even though John wants to assist the company he
is not justified in sending a report to an individual
outside the organisation.
12 AUI4861/SG
 Component
# violated
Code of2 Ethics: Principle 3 and
Rule 3.1 on Confidentiality
Code of Ethics: Principle 1 and
Rule 1.4 on Integrity
Code of Ethics: Principle 2 and
Rule 2.3 on Objectivity
Standard 2440: Disseminating
Results
Explain the violation
Peter Brown disclosed sensitive audit information
to family and friends about the possibility of the
CEO going to jail.
Peter should report anything that may seem to
undermine the legitimate and ethical
responsibility of the organisation.
Peter should have raised the matter himself in the
working paper so that it would eventually be
reported to management.
The supervisor should not have communicated
the findings to management of Pro King
Electronics prior to the CAE reviewing the file to
ensure that all the necessary supporting
documents were in place prior to issuing a report
of such a sensitive nature.
13
IPPF requirements
Internal auditors shall be prudent in the use and
protection of information acquired in the course of their
duties.
Internal auditors shall perform their work with honesty,
diligence and responsibility; shall observe the law and
make disclosures expected by the law and the
profession; and shall respect and contribute to the
legitimate and ethical objectives of the organisation.
Internal auditors shall disclose all material facts known
to them that, if not disclosed, may distort the reporting
of activities under review.
The CAE must communicate results to the appropriate
parties.
The CAE or designee reviews and approves the final
engagement communication before issuance and
decides to whom and how it will be disseminated.
AUI4861/SG
 REFLECTION

Have you identified any other violations, not mentioned in the feedback above?

SELF-ASSESSMENT QUESTIONS

Do the MCQs on the Self-Assessments tab on myUnisa.

TOPIC SUMMARY

This topic discussed how professional guidance for internal auditing has developed over
the years and guided you to understand a detailed study of the The topics end with an
activity that is aimed at testing your ability to apply your integrated knowledge of the
theory you have learned in this topic in a practical situation.

REFLECTION

After having studied this topic, you should be able to:

explain the purpose of the International Professional Practices Framework
• and the recommended guidance.
• demonstrate a solid knowledge and understanding of the IPPF.
• apply the IPPF in practical situations.

14
AUI4861/SG
 NOTES

Make your own notes here:

___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

15
AUI4861/SG