International Professional Practices Framework (IPPF)


Disclosure

Copyright © 2009 by The Institute of Internal Auditors Research
Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs,
Florida 32701-4201. All rights reserved. Printed in the United States
of America. No part of this publication may be reproduced, stored
in a retrieval system, or transmitted in any form by any means
— electronic, mechanical, photocopying, recording, or otherwise —
without prior written permission of the publisher.

The IIARF publishes this document for informational and educational
purposes. This document is intended to provide information, but
is not a substitute for legal or accounting advice. The IIARF does
not provide such advice and makes no warranty as to any legal or
accounting results through its publication of this document. When
legal or accounting issues arise, professional assistance should be
sought and retained.

The mission of The IIARF is to expand knowledge and understanding
of internal auditing by providing relevant research and educational
products to advance the profession globally.

The Institute of Internal Auditors (IIA) International Professional
Practices Framework (IPPF) comprises the full range of authoritative
guidance for the profession. The IPPF provides mandatory and
strongly recommended guidance to internal auditors globally, and
paves the way to world-class internal auditing.

The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701-4201 USA

Phone: +1-407-937-1362
FAX: +1-407-937-1101
E-mail: guidance@theiia.org

ISBN: 978-0-89413-639-9
01/09 First Printing

Table of Contents

What’s New

Acknowledgments

Preface

Definition of Internal Auditing

Code of Ethics
Principles
Rules of Conduct

International Standards for the Professional Practice of Internal Auditing (Standards)
Introduction
Attribute Standards
1000 – Purpose, Authority, and Responsibility
1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
1100 – Independence and Objectivity
1110 – Organizational Independence
1111 – Direct Interaction With the Board
1120 – Individual Objectivity
1130 – Impairment to Independence or Objectivity
1200 – Proficiency and Due Professional Care
1210 – Proficiency

1220 – Due Professional Care
1230 – Continuing Professional Development
1300 – Quality Assurance and Improvement Program
1310 – Requirements of the Quality Assurance and Improvement Program
1311 – Internal Assessments
1312 – External Assessments
1320 – Reporting on the Quality Assurance and Improvement Program
1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
1322 – Disclosure of Nonconformance

Performance Standards
2000 – Managing the Internal Audit Activity
2010 – Planning
2020 – Communication and Approval
2030 – Resource Management
2040 – Policies and Procedures
2050 – Coordination
2060 – Reporting to Senior Management and the Board
2100 – Nature of Work
2110 – Governance
2120 – Risk Management
2130 – Control
2200 – Engagement Planning
2201 – Planning Considerations
2210 – Engagement Objectives
2220 – Engagement Scope

2230 – Engagement Resource Allocation
2240 – Engagement Work Program
2300 – Performing the Engagement
2310 – Identifying Information
2320 – Analysis and Evaluation
2330 – Documenting Information
2340 – Engagement Supervision
2400 – Communicating Results
2410 – Criteria for Communicating
2420 – Quality of Communications
2421 – Errors and Omissions
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
2431 – Engagement Disclosure of Nonconformance
2440 – Disseminating Results
2500 – Monitoring Progress
2600 – Resolution of Senior Management’s Acceptance of Risks

Glossary

Practice Advisories
Attribute Standards
PA 1000-1 Internal Audit Charter
PA 1110-1 Organizational Independence
PA 1111-1 Board Interaction
PA 1120-1 Individual Objectivity
PA 1130-1 Impairment to Independence or Objectivity

PA 1130.A1-1 Assessing Operations for Which Internal Auditors Were Previously Responsible
PA 1130.A2-1 Internal Audit’s Responsibility for Other (Non-audit) Functions
PA 1200-1 Proficiency and Due Professional Care
PA 1210-1 Proficiency
PA 1210.A1-1 Obtaining External Service Providers to Support or Complement the Internal Audit Activity
PA 1220-1 Due Professional Care
PA 1230-1 Continuing Professional Development
PA 1300-1 Quality Assurance and Improvement Program
PA 1310-1 Requirements of the Quality Assurance and Improvement Program
PA 1311-1 Internal Assessments
PA 1312-1 External Assessments
PA 1312-2 External Assessments: Self-assessment With Independent Validation
PA 1321-1 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

Performance Standards
PA 2010-1 Linking the Audit Plan to Risk and Exposures
PA 2020-1 Communication and Approval
PA 2030-1 Resource Management
PA 2040-1 Policies and Procedures
PA 2050-1 Coordination
PA 2060-1 Reporting to Senior Management and the Board
PA 2120-1 Assessing the Adequacy of Risk Management Processes

PA 2130-1 Assessing the Adequacy of Control Processes
PA 2130.A1-1 Information Reliability and Integrity
PA 2130.A1-2 Evaluating an Organization’s Privacy Framework
PA 2200-1 Engagement Planning
PA 2210-1 Engagement Objectives
PA 2210.A1-1 Risk Assessment in Engagement Planning
PA 2230-1 Engagement Resource Allocation
PA 2240-1 Engagement Work Program
PA 2330-1 Documenting Information
PA 2330.A1-1 Control of Engagement Records
PA 2330.A2-1 Retention of Records
PA 2340-1 Engagement Supervision
PA 2410-1 Communication Criteria
PA 2420-1 Quality of Communications
PA 2440-1 Disseminating Results
PA 2500-1 Monitoring Progress
PA 2500.A1-1 Follow-up Process

Translation or Adaptation of the International Professional Practices Framework and its Related Guidance (Administrative Directive No. 2)

CD-ROM Table of Contents

Definition of Internal Auditing
Code of Ethics
International Standards for the Professional Practice of Internal Auditing
Position Papers
The Role of Internal Auditing in Enterprise-wide Risk Management
The Role of Internal Auditing in Resourcing the Internal Audit Activity

Practice Advisories

Practice Guides
Global Technology Audit Guides (GTAG®)
GTAG 1 – Information Technology Controls

GTAG 2 – Change and Patch Management Controls: Critical for Organizational Success

GTAG 3 – Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment


GTAG 4 – Management of IT Auditing

GTAG 5 – Managing and Auditing Privacy Risks

GTAG 6 – Managing and Auditing IT Vulnerabilities

GTAG 7 – Information Technology Outsourcing

GTAG 8 – Auditing Application Controls

GTAG 9 – Identity and Access Management

GTAG 10 – Business Continuity Management

GTAG 11 – Developing the IT Audit Plan

Guide to the Assessment of IT Risk (GAIT)


The GAIT Methodology
GAIT for IT General Control Deficiency Assessment
GAIT for Business and IT Risk (GAIT-R)
Case Studies Using GAIT-R to Scope PCI Compliance
