
Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the accuracy and effectiveness of risk management,
control, and governance processes. (So the internal audit activity can best be described as assurance and
consulting.)
The review for adequacy determines whether control processes exist that are properly planned and
designed.
The review for effectiveness determines whether management has directed processes to provide
reasonable assurance that goals and objectives will be achieved.

Code of Ethics

Gleim 21: 87

page 9:47

Outlines the principles and expectations governing the behavior of individuals and organizations in the conduct
of internal auditing. (Promote an ethical culture among professionals who serve others.)
An organization's code of ethical conduct is the established general value system the organization wishes to
apply to its members' activities by communicating organizational purposes and beliefs and establishing
uniform ethical guidelines for members, which include guidance on behavior for members in making decisions.
The code of conduct should contain provisions for disciplinary action in the event of violations to enhance its
effectiveness.
The absence of a formal code of ethics does not preclude a successful review of ethical behavior in an
organization. Policies and procedures may provide the criteria for such an engagement.
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable. Consequently, it is reasonable to infer that individual judgment is necessary in
the application of the principles, and to take action that is consistent with the principles embodied in The IIA's Code
of Ethics.
Rules of Conduct

Rule of Conduct 1.2, under the integrity principle, states, "Internal auditors shall observe the law and make
disclosures expected by the law and the profession." Thus, auditors must comply with subpoenas.
When apparent violations of antitrust statutes by officers come to the internal auditor's attention, (s)he
should report to the board of directors rather than directly to the government regulators.

Rule of Conduct 2.1: Serving as a consultant to competitors or suppliers might create a conflict of interest.
But relationships with professional organizations are not likely to create a conflict of interest.
Rule of Conduct 2.2, under the objectivity principle: preparing a personal tax return for a division manager for a
fee falls under this prohibition.
Writing a tax guide for sale to the general public is unlikely to impair the internal auditor's professional
judgment.
Teaching an evening tax seminar is unlikely to impair the internal auditor's professional judgment.
Engaging in a public service separate from the interests and activities of the organization is unlikely to
impair professional judgment.
Rule of Conduct 2.3, under the objectivity principle, states, "Shall disclose all material facts known to them..."

For example: the management override of an important control over approval of transaction X created a
material risk exposure. The internal auditor is ethically obligated to report the matter to senior
officials charged with performing the governance function.

For example: an engagement at a foreign subsidiary disclosed payments to local government officials in
return for orders. The IIA's Code of Ethics suggests that an internal auditor in such a case inform
appropriate organizational officials.
If an employee asks the internal auditor not to mention his name: an internal auditor
cannot guarantee anonymity. Information communicated to an internal auditor
is not deemed to be privileged. (Gleim #56 page 27)
Example 1: The chief audit executive is aware of a material inventory shortage
caused by internal control deficiencies at one manufacturing plant. The shortage and
related causes are of sufficient magnitude to affect the external auditors' report.
Based on The IIA's Code of Ethics, the CAE's most appropriate course of action is to
discuss the issue with management and take appropriate action to ensure that the
external auditors are informed. The CAE should share information and coordinate
activities with the external auditors.
Example 2: Through an engagement performed at the credit department, the chief
audit executive (CAE) became aware of a material misstatement of the year-end
accounts receivable balance. The external auditors have completed their engagement
without detecting the misstatement. The CAE should inform the external auditors of
the misstatement (share information and coordinate activities with the external
auditors).
The internal auditor should inform the appropriate authorities in the organization if the indicators of the
commission of a fraud are sufficient to recommend an investigation. Hence, the internal auditor has a duty to
act even though the available facts do not prove that an irregularity has occurred. Moreover, Rule of Conduct
2.3 states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort
the reporting of activities under review."

Discussion of sensitive matters with an unauthorized party is the situation most likely to be considered a Code
violation.
It is permissible to disclose confidential, engagement-related information that is potentially damaging to the
organization in response to a court order.
If a staff internal auditor has violated Rule of Conduct 3.2 regarding use of information, the most appropriate way for
the CAE to deal with this problem is to inform the IIA's Board of Directors and take the personnel action
required by organizational policy.
If senior management permits the omission, the internal auditor is not guilty of failing to disclose material
facts.

Rule of Conduct 4.1, internal auditors may not have, and are not expected to have, knowledge equivalent to
that of a person whose primary responsibility is to detect and investigate fraud.
All internal auditors need not be proficient in all areas. The internal audit activity as a whole should
have an appropriate mix of skills.
Rule of Conduct 4.2: The IIA's Code of Ethics is enforceable against internal auditors who are members of
The Institute even though they are not CIAs.
Why does The IIA's Code of Ethics in Rule of Conduct 4.2 require that due professional care be used in
obtaining information to support an engagement opinion?
Because sufficient, reliable, relevant, and useful information lends credibility to the opinion.
Rule of Conduct 4.3: Both The IIA's Code of Ethics and the Standards are violated by failing to earn continuing
education credits.

The IIA has identified four purposes of the Standards. They are to:
Outline basic principles that represent the practice of internal auditing.
Promote a broad range of value-added internal audit activities.
Establish the basis for the evaluation of internal audit performance.
Foster (support) improved organizational processes and operations.

Attribute Standards (1000 to 1322)


Purpose, Authority, and Responsibility (1000)
Independence and Objectivity (1100)
Proficiency and Due Professional Care (1200)
Quality Assurance and Improvement Program (1300)

Standard 1000: Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an
internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the
Standards. The chief audit executive must periodically review the internal audit charter and present it to
senior management and the board for approval.
The objective of internal audit is to promote effective control at a reasonable cost.
The internal auditor's responsibilities with respect to the internal control system include:
Testing individuals' compliance with controls to determine whether policies and procedures established by
management are being followed.
Examining and evaluating the adequacy and effectiveness of the control system.
Examining and evaluating the reliability and integrity of financial and operating information.
Examining and evaluating the effective and efficient use of an entity's resources.
Reviewing the means used to safeguard assets and verifying the existence of those assets.

Organizational Status of the Internal Audit Activity


The internal audit function must report to the board of directors through the audit committee.
The internal auditors need to be supported by both the audit committee and the board in order to make sure that those who are
audited cooperate with them.
The internal audit department must have organizational independence (not have any direct relationships with the
departments it will be auditing).

The Internal Audit Charter


The charter establishes the internal audit activity's position within the organization, including the nature of the
chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel,
and physical properties relevant to the performance of engagements; and defines the scope of internal audit
activities (Inter. Std. 1000). Thus, the charter prescribes the internal audit activity's relationships with other units
within the organization and with those outside.
This charter should be written by (and periodically reviewed by) the Chief Audit Executive (CAE), approved by
senior management and the board or audit committee, and communicated to engagement clients.
The charter should define the following items in respect to the IAA:
The scope of the services and work to be performed
The objectives of the internal audit activity
The authority that the internal audit activity has to access records, personnel, and physical
properties in the organization
The accountability of the internal audit activity
The responsibility of the internal audit activity
The director of the internal audit department (the Chief Audit Executive, or CAE) should report to the Chief
Executive Officer (CEO) or board of directors. (The accounting department, chief accountant, or finance director
would not normally be an appropriate level to report to.)
The CAE should review the document at least annually (and more often as circumstances may
require) to ensure that it continues to address the needs and issues facing the organization.

The Audit Committee

The audit committee is normally a subcommittee of the board of directors. The audit committee receives reports
and communications from both the external auditors and internal auditors, and it should promote their views to
the board as a whole.
The members of the Audit Committee should be independent non-executive directors (they do not have a role in the
day-to-day running of the company and do not have any financial interest in or other relationship with the company).
A written charter, approved by the board of directors, should detail the audit committee's powers, duties, and
responsibilities.
Duties and responsibilities of the audit committee are:
To ensure that the external auditors are completely independent of the company.
To review and discuss with management and the external auditor the effects of changes in accounting standards.
To appoint or replace the external auditor, who shall report directly to the Audit Committee.
Reviewing the strategy, activity, and work plan of the internal audit activity, ensuring that it has sufficient staff
and resources to function as planned.
Reviewing evaluations of risk management, control, and corporate governance reported by auditors.
Receiving copies of all external and internal audit reports and communications, and also management's
responses to them.
To act as a mediator between management and auditors when there is a difference of opinion.
To ensure that the company complies with all laws and regulations.

Standard 1100: Independence and Objectivity

Gleim 102: 163

page 54:47

Confidence in the internal audit activity derives from independence (an attribute of the internal audit activity as a whole),
and objectivity (an attribute of individual internal auditors).
Organizational Independence

Direct Interaction with the Board


The chief audit executive must communicate and interact directly with the board.
Direct interaction with the board occurs when the CAE:
Regularly attends and participates in board meetings that relate to the board's oversight responsibilities for
auditing, financial reporting, organizational governance and control, or
Meets privately with the board, at least annually (without management present).
Individual Objectivity
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

The timing of assessments + maintaining (not managing, maximizing, or prioritizing) of individual objectivity on the part of
internal auditors is at the discretion of the CAE, not annually (by internal auditors avoiding conflicts of interest).

Impairments to Independence or Objectivity


If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to
appropriate parties. The nature of the disclosure will depend upon the impairment.

If impairment arises during an engagement, it must be reported immediately to the manager of the engagement so that the
situation can be addressed or eliminated (needs to be communicated, preferably in writing, to the board).
The internal auditors must be able to distinguish carefully between a scope limitation and other limitations.
It's also important to remember that the internal auditor's objectivity is not considered impaired when the auditor is:
Recommending standards of control or areas for consideration.
Reviewing procedures before they are implemented.
Determining whether the process has senior management's support.
Developing audit plans for the new system.
Evaluating risk exposures of systems.
However, objectivity is considered to be impaired if the auditor
designs, installs, drafts procedures for, or operates (implements) the redesigned process.

The following activities undertaken by the internal auditor or facts, by themselves, might be in conflict with
the standard of independence:
The CEO accused the new auditor of not operating in the best interests of the organization.
The majority of audit committee members come from within the organization.
The internal audit activity's charter has not been approved by the board.

The following activities undertaken by the internal auditor or facts, by themselves, might not be in conflict
with the standard of independence:
Risk management consultant.
Ethics advocate.
External audit liaison.

The following factors have the amount of influence when judging an internal audit activity's independence?
Criteria used in making internal auditors' assignments.
Relationship between engagement records and engagement communications.
Impartial and unbiased judgments.

A formal document (charter) approved by the board that defines the internal audit activity's purpose,
authority, and responsibility enhances its independence.

Standard 1200: Proficiency and Due Professional Care


Proficiency

Gleim Q 164:195

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their
individual responsibilities.
The internal audit activity collectively must possess or obtain certain competencies, including proficiency in
internal audit procedures and techniques. (Only if internal auditors work extensively with financial records
and reports must they have proficiency in accounting principles and techniques.)
The internal audit activity collectively must possess or obtain certain competencies, including an
understanding of management principles to recognize and evaluate the materiality and significance of
deviations from good business practice.
The internal audit activity collectively must possess or obtain certain competencies, including an appreciation
of the fundamentals of business subjects, such as accounting, economics, commercial law, taxation, finance,
quantitative methods, information technology, risk management, and fraud.

Internal auditors must also be skilled in oral and written communications so that they can clearly and
effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations (PA
1210-1, Para. 1).
The risk assessment used in selecting the area for investigation is not necessarily a matter that must
be communicated to the engagement client.
The most appropriate preventive measure for staff communication problems with engagement clients
is to provide staff with sufficient training to enhance communication skills, not to avoid unnecessary
communication with engagement clients.
Obtaining Services to Support or Complement the Internal Audit Activity
If the internal audit staff does not have the needed skills and competencies to perform an engagement, the
CAE must either decline the engagement or go outside the IAA (external service providers) or organization to
get those skills.
The catalog of engagements for which organizations may use outside service providers:
Valuations of assets (both tangible and intangible)
Determination of physical amounts (oil reserves)
Mergers and acquisitions
Various audit engagements that require specialist knowledge (such as tax questions and fraud)
In the assessment of the external party, the CAE should consider, among many things, the following:
The relevant professional certifications
Membership in a professional organization
Experience in similar situations
Reputation
Education and training in the area that they will be engaged in
Knowledge of the business and industry
Contacting others familiar with the ESP's work.
The CAE also needs to consider the independence and objectivity of the expert in respect to the engagement.
Note: Experts that work directly for the engagement client should almost never be used because of the
lack of objectivity of that party in the performance of their work.

If the expert is the external auditor, the CAE will need to be certain that this work is not part of
the financial statement audit, so that it will not impair the external auditor's independence for the
financial statement audit.
Any tasks performed by an outside expert must be reviewed by either the CAE or another internal person.
The CAE does not need to be able to perform the technical work of the expert, but the CAE should assess
whether or not the work done and conclusions drawn were reasonable, unbiased, and address all of the issues
of the engagement.
Each member of the internal audit activity need not be qualified in all disciplines.

Due Professional Care

Gleim Q 196:213

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal
auditor. Due professional care does not imply infallibility or extraordinary performance.
Internal auditors are not expected to perform a detailed review of every statement or document they receive,
but they are expected to examine and verify the documents as appropriate (This means that the more material
items will be examined and tested in more detail than immaterial items.)
It requires the internal auditor to conduct examinations and verifications to a reasonable extent.
Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist.
As part of assessing documents and information, internal auditors should always consider the possibility of
intentional errors on the part of others (such as fraud), inefficiencies, waste, and conflicts of interest.
= Considering the possibility of nonconformance or material irregularities at all times during an engagement
An internal auditor may have judged an item to be immaterial when planning an assurance engagement.
However, the assurance engagement may still include the item if it is subsequently determined that
adverse effects related to the item are likely to occur.
To ensure that they are exercising due professional care, internal auditors should:
Understand the complexity, materiality, and significance of matters that they will be addressing in the
engagement.
Understand the extent of work needed to achieve the engagement's objectives.
Understand the adequacy and effectiveness of risk management, control, and governance processes.
Assess the probability of significant errors, irregularities, or noncompliance.
Inform the engagement manager of the suspicions and ask for advice on how to proceed.
Be alert to conditions most likely indicative of irregularities.
Balance the costs of the work and the benefits of the work.
o To prevent or detect significant fraud, the internal auditor should review:
Large, abnormal, or unexplained expenditures.
Sensitive expenses.
Unusual contributions.
But not review every control feature pertaining to, for example, petty cash receipts.
If an internal auditor has some suspicion of, but no information about, potential misstatement of financial
statements, the internal auditor fails to exercise due professional care by not testing for possible
misstatement because the engagement work program had already been approved by engagement management.
The internal auditor does not need the engagement client's approval to expand the engagement work
program.
For consulting services, the internal auditor should consider the following:
The needs and expectations of clients, including the nature, timing, and communications of engagement
results.
The relative complexity and extent of work needed to achieve the engagement's objectives
(professional skills and resources).
Cost/benefit analysis of the engagement.

Standard 1300: Quality Assurance and Improvement Program

Gleim Q 213: 231 page118

The Chief Audit Executive (CAE) must develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity.
The quality assurance and improvement program must include both internal and external assessments.
These internal and external assessments reassure the company stakeholders (that is, top management, audit
committee, and external auditors) about the competency of the services the IAA is providing to the
organization.
Assessments should include evaluations of:
Compliance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and applicable
laws, regulations, or industry standards.
Adequacy of the IAA's charter, objectives, policies, and procedures.
The extent to which the internal auditing activity adds value and improves the organization's
operations (= contribution to the organization's governance processes).
The results of these assessments are provided to the stakeholders of the activity (such as senior management,
the board, and external auditors).

Internal Assessments
Carried out periodically (annually) to assure the CAE that subordinates are complying with the
Standards and other applicable criteria.
The internal audit assessment must include an ongoing review of performance of the internal audit
activity, as well as a periodic review of the program through self-assessment or from an independent
person within the organization who is familiar with the internal auditing program.
o Ongoing reviews are the conclusions and follow-up actions that should be taken to assure that
appropriate improvements are implemented. (Supervision of an internal auditor's work is performed
throughout each audit engagement; it is one of the tools used in ongoing internal assessments.)
*Ongoing reviews may be conducted through (the processes and tools used):
Supervision of the internal auditor's work.
Checklists to provide assurance that processes adopted by the audit activity are being
followed.
Analyses of performance metrics (for example, cycle time and recommendations accepted).
Feedback from audit customers and other stakeholders.
Project budgets, timekeeping systems, audit plan completion, cost recoveries.

*To evaluate the quality of engagement planning, the team will examine written engagement work
programs (selective peer reviews of working papers by staff not involved in the respective audits).
*The results of ongoing monitoring are communicated at least annually to senior management and
the board.
Periodic reviews should be designed to assess compliance with the activity's charter, the Definition of
Internal Auditing, the Code of Ethics, and the Standards.
Periodic internal assessment may
Include more in-depth interviews and surveys of stakeholder groups
Be performed by members of the IAA (that is, self-assessment)
Include benchmarking of the IAA practices
Encompass a combination of self-assessment and preparation of materials subsequently
reviewed by CIAs, or other competent audit professionals, from elsewhere in the organization

The results of periodic internal assessments are communicated upon their completion
(not annually).
Ordinarily, those conducting internal quality program assessments report to the CAE

External Assessments
External assessments must be conducted at least once every five years by a qualified, independent
reviewer or review team from outside the organization.
An external assessment will probably not be able to look at all of the cost/benefit analyses necessary
to determine if the IAA is in fact profitable to the company.
During the review, an external assessor will tend to focus on:
The objectives, policies and procedures of the IAA.
The methods and work programs of the IAA.
The skills and work performed by the individuals in the IAA.
The expectations of the internal audit activity expressed by the board, senior management, and
operational managers.
Whether or not the IAA adds value and improves the operations of the organization.
Practice Advisory 1312-1 (External Assessments) lays out two approaches for conducting an external
assessment. The first approach is to have a full external assessment conducted by an external assessor
or review team.
The second approach is self-assessment with independent validation.
o A full external review might not be appropriate or necessary. For example:
o The IAA may be in a business or industry that is subjected to strict regulations and supervision.
o The IAA may have been recently subjected to an external review or consulting.
o The IAA may be otherwise subject to extensive external oversight and direction relating to governance
and internal controls.
After the self-assessment has been completed under the direction of the CAE, a draft report, similar
to that for an external assessment, is prepared that should include the CAE's assessment of its
conformance with the Standards.
The external assessor then performs sufficient tests of the self-assessment to validate the results and
express an opinion on the level of the activity's conformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards.

As part of the independent validation, the external assessor will do the following:
Review the draft report and attempt to reconcile unresolved issues (if any).
If the external assessor agrees with the evaluation, he or she might include additional wording
to the report (if needed)
If the external assessor disagrees with the evaluation, he or she would add dissenting wording to
the report, specifying the points of disagreement with it and, to the extent appropriate.

The chief audit executive must communicate the results of the quality assurance and improvement
program to senior management and the board.
The Quality Assurance and Improvement Program (QAIP) analyzes the work of the IAA and makes
recommendations for improvement, if appropriate.
External assessments of an internal audit activity contain an expressed opinion as to the entire
spectrum of assurance and consulting work performed (or that should have been performed under its
charter), including (but not limited to) conformance with the Definition of Internal Auditing, the Code
of Ethics, and the Standards. An external assessment also includes, as appropriate, recommendations
for improvement.
The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance
and improvement program support this statement.
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the
overall scope or operation of the internal audit activity, the chief audit executive must disclose the
nonconformance and the impact to senior management and the board.

The results of external assessments are communicated upon their completion.

Note
The chief audit executive should develop and maintain a quality assurance and improvement
program (his responsibility) that covers all aspects of the internal audit activity and continuously
monitors its effectiveness. The program includes:
Periodic internal assessment + supervision + periodic external assessments.
But it does not include:
o Annual appraisals of individual internal auditors' performance.
o Evaluation of adequacy of the oversight of the work of external auditors.
If there's a complaint that one of the internal auditors is taking up an excessive amount of
client time on an engagement that seems to be lacking a clear purpose, the CAE should
examine departmental procedures and the conduct of the specific engagement mentioned to
ascertain that proper planning and quality assurance procedures are in place and are being
followed.
Initial use of the conformance phrase by internal auditors is appropriate after an external review
completed within the past 5 years.
Quality program assessments may be performed internally or externally. A distinguishing feature
of an external assessment is its objective to provide independent assurance.
