Lesson 2 - Attribute Standards For Handouts
Lesson 2 - Attribute Standards For Handouts
Lesson 2 - Attribute Standards For Handouts
Page 2
IPPF
Page 3
IPPF
Page 4
Page 5
IPPF
Page 6
IPPF
Page 7
IPPF
Standards use the word “must” to specify an unconditional requirement and the word
“should” where conformance is expected unless, when applying professional judgment,
circumstances justify deviation
Page 8
ASSURANCE SERVICES
Page 9
Consulting Services
Page 10
IPPF
Page 11
IPPF
Page 12
IPPF
- If the internal audit activity indicates conformance with the Standards and
inconsistencies exist between the Standards and other requirements, internal
auditors and the internal audit activity must conform with the Standards and may
conform with the other requirements if such requirements are more restrictive.
Page 13
IPPF
- This includes worldwide solicitation for public comment through the exposure draft
process.
- All exposure drafts are posted on The IIA’s website as well as being distributed to
all IIA institutes.
Page 14
ISPPIA
Structures of Statements
1. Attribute Standards - address the characteristics of organizations and individuals
performing internal audit.
2. Performance Standards - describe the nature of internal auditing and provide
quality criteria against which the performance of these services can be
measured
3. Implementation Standards - providing the requirements applicable to assurance
(A) or consulting (C) activities
Page 15
ISPPIA
IA Governance
1000 – Purpose, authority, and responsibility
1100 – Independence and objectivity
1300 – Quality Assurance and Improvement Program
IA Staff
1200 – Proficiency and due professional care
IA Management
2000 – Managing the IA activity
2100 – Nature of work
2600 – Communicating the acceptance of risks
IA Process
2200 – Engagement planning
2300 – Performing the engagement
2400 – Communicating results
2500 – Monitoring progress
Page 16
ISPPIA
Attribute Standards
1000 Purpose, Authority, and Responsibility
1010 Recognizing Mandatory Guidance in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1112 Chief Audit Executive Roles Beyond Internal Auditing
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
Use of “Conforms with the International Standards for the Professional Practice of Internal
1321
Auditing”
1322 Disclosure of Nonconformance
Page 17
ISPPIA
Performance Standards
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination and Reliance
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
Page 18
ISPPIA
Performance Standards
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
Use of “Conducted in Conformance with the International Standards for the Professional
2430
Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks
Page 19
Attribute Standards
Page 20
ISPPIA
Page 21
ISPPIA
Page 22
ISPPIA
Page 23
ISPPIA
1000.C1 – The nature of consulting services must be defined in the internal audit
charter.
Page 24
Attribute Standards
The mandatory nature of the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing
must be recognized in the internal audit charter. The chief audit executive should
discuss the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework with senior management and the
board.
Page 25
THE CORRECT ANSWER IS..
Page 26
THE CORRECT ANSWER IS..
Page 27
THE CORRECT ANSWER IS..
Page 28
Page 29
ISPPIA
Page 30
ISPPIA
Page 31
ISPPIA
Page 32
ISPPIA
Page 33
ISPPIA
Audit
Board
Committee
Internal
Audit
President/CEO
Page 34
Attribute Standards
Page 35
ISPPIA
Page 36
ISPPIA
Page 37
ISPPIA
Page 38
Attribute Standards
Where the chief audit executive has or is expected to have roles and/or
responsibilities that fall outside of internal auditing, safeguards must be in place to
limit impairments to independence or objectivity.
Page 41
ISPPIA
Page 42
Attribute Standards
Page 43
ISPPIA
Page 44
➢Internal auditors should not be placed in situations that could impair
their ability to make objective professional judgments.
➢CAE should:
i.) Organize staff assignments that prevent potential and actual conflict of interests
and bias
Page 46
ISPPIA
Page 47
ISPPIA
Needs to be communicated
preferably in writing to the board
Page 48
➢Internal auditors are to report if they have doubt or questions about
whether a situation constitutes an impairment to objectivity or
independence
➢If CAE determines that impairment exists- the CAE needs to reassign
the auditors
➢Scope Limitation – potential effect
▪ Needs to be communicated, preferably in writing, to the board
▪ CAE needs to consider whether it is appropriate to inform the board previously
communicated and accepted scope limitation by the Board.
ATTRIBUTE STANDARDS
It is unethical for an internal auditor to accept
a fee or gift from an employee, client,
customer, supplier or business associate
▪ Accepting a fee or gift may create an
appearance that the auditors objectivity has
been impaired
▪ The appearance that objectivity has been
impaired may apply to current and future
engagements conducted by the auditor.
▪ The status of the engagement should not be
considered as justification for receiving fees
or gifts.
▪ The receipt of promotional items (such as
pens, calendars, or samples) that are
available to the general public and have
minimal value should not hinder internal
auditors professional judgment.
▪ Internal auditors should report the offer of
all material fees or gifts immediately to their
supervisors.
ISPPIA
Page 52
ISPPIA
Page 53
ISPPIA
Page 54
1130 – Impairment to
Independence or Objectivity
Page 58
ISPPIA
Page 59
• Internal audit charter – silent – consider the following:
Impairment to
Independence or
Objectivity
• Impairment disclosure –
does not negate –
assurance engagements
need to be overseen by
party outside of the
Internal audit activity.
ISPPIA
Practice Question
According to the International Professional Practices Framework, the independence of
the internal audit activity is achieved through:
Page 63
ISPPIA
Practice Question
Ms. Wala Laging Time Sa Kaniya, an internal auditor, is assigned to an operations audit to assess the
efficiency of recently introduced "just-in-time" manufacturing procedures. The auditor finds out that the
external consultant who is on site managing the implementation of the new system was the adviser on his
master's thesis and was instrumental in getting the auditor his first job. Which of the following responses by
the auditor would be most consistent with The IIA's International Professional Practices Framework?
A. The internal auditor need not disclose the relationship but should be certain that he has no contact, such
as audit interview, with the professor/consultant during the course of the audit
B. The internal auditor should disclose the relationship to the CAE, and the CAE should assign a different
internal auditor
C. The potential conflict should be disclosed to the engagement client before accepting the engagement
D. The internal auditor should disclose the potential conflict of interest to the Board or audit committee,
preferably in writing
THE CORRECT
ANSWER IS..
Page 64
ISPPIA
Practice Question
Internal auditors must be objective in performing their work. Assume that Ms. Bes
Mong Ahas, a CAE, received an annual bonus as part of that individual's compensation
package. The bonus may impair the CAE's objectivity if
Practice Question
An organization is planning to develop and implement a new computerized purchase order system in
one of its manufacturing subsidiaries. The VP of manufacturing has requested that internal auditors
participate on a team consisting of representatives from finance, manufacturing, purchasing, and
marketing. This team will be responsible for the implementation effort. Eager to take on this high
profile project, Ms. Ambisyosang Froglet, the CAE, assigns a senior internal auditor to the project to
assist "as needed". Assuming the senior internal auditor performed all of the following activities,
which one will impair objectivity if the internal auditor is asked to review the purchase order system
on a post-engagement basis?
THE CORRECT
ANSWER IS..
Page 66
ISPPIA
Practice Question
An auditor’s objectivity could be compromised in all of the following situations except
A. A conflict of interest
B. Auditee familiarity with auditor due to lack of rotation in assignments
C. Auditor assumption of operational duties on a temporary basis
D. Reliance on a outside expert opinion when appropriate
THE CORRECT
ANSWER IS..
Page 67
ISPPIA
Practice Question
While performing an operations audit in a supplier's wholesale outlets, Mr. Nakatali Parin
Sa Nakaraan, an internal auditor, comments favorably on a calendar provided free to
favored customers illustrated with the organization's products. The department manager
offers the auditor several calendars to keep and distribute in the auditor's office. Which of
the following responses best reflects the Standard's views of objectivity?
A. The auditor may accept the gift but must immediately disclose the fact of the audit
committee
B. The auditor must refuse the gift and report the offer to the audit committee
C. The auditor should refuse the gift and warn the client against any future attempts to
curry favor with the internal audit activity
D. The auditor may accept the gift with no required disclosure
THE CORRECT
ANSWER IS..
Page 68
ISPPIA
Practice Question
An internal audit activity is currently undergoing its first external quality assurance review since its formation three years
ago. From interviews, the review team is informed of certain internal auditor activities over the past year. Which of the
following activities could affect the quality assurance review team's evaluation of the objectivity of the internal auditors?
A. One internal auditor told the review team that, during an engagement to review the payroll function, he was approached
by the payroll manager. The manager indicated he was looking for an accountant to prepare his financial statements for his
part-time business. The internal auditor agreed to perform this work for a reduced fee during non-work hours
B. During an engagement to review the construction of a building addition to the organization's headquarters, the VP of
facilities management gave the internal auditor a commemorative mug with the organization's logo. These mugs were
distributed to all employees present at the ground-breaking ceremony
C. After reviewing the installation of a data processing system, the internal auditor made recommendations on standards of
control. Three months after completion of the engagement, the engagement client requested the internal auditor's review
of certain procedures for adequacy. The internal auditor agreed and performed this review
D. An internal auditor's participation was requested on a task force to reduce the organization's inventory losses from theft
and shrinkage. This is the first consulting assignment undertaken by the internal audit activity. The internal auditor's role is
to advise the task force on appropriate control techniques
THE CORRECT
ANSWER IS..
Page 69
ISPPIA
Page 70
1200 – Proficiency and Due Professional Care
➢ Proficiency/Due Professional
care – responsibility of the
CAE/internal auditor
➢ CAE ensures – person
assigned in the audit
engagement- collectively
possess the necessary
knowledge, skills, and other
competencies.
Page 71
ISPPIA
1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively must possess
or obtain the knowledge, skills, and other competencies needed to perform its
responsibilities.
Page 72
➢ Knowledge, skills and other
competencies - collective term –
refers to professional proficiency
required of internal auditors
1210 – Proficiency
Proficiency – apply knowledge to situations likely to be encountered without extensive
recourse to technical research and assistance
Appreciation – recognize the existence of problems, identify the additional research, and the
assistance to be obtained
Page 74
PROFICIENCY KNOWLEDGE UNDERSTANDING APPRECIATION SKILLS
1210 – Proficiency
Proficiency
- Internal audit standards, procedures and techniques
- Accounting principles (If financial audit)
Knowledge
- Indicators of fraud – intentional illegal act characterized by deceit, concealment, or
violation of trust
- Key IT risks and controls
- Technology audit techniques
Understanding
- Management principles
Page 79
ISPPIA
1210 – Proficiency
Appreciation
- Accounting
- Economics
- Law
- Taxation
- Finance
- Quantitative Methods
- Fraud
- Risk Management
- IT
Skills
- People skills
- Oral and written communications
Page 80
Page 81
ISPPIA
1210 – Proficiency
Interpretation:
Knowledge, skills, and other competencies is a collective term that refers to the professional
proficiency required of internal auditors to effectively carry out their professional
responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining
appropriate professional certifications and qualifications, such as the Certified Internal Auditor
designation and other designations offered by The Institute of Internal Auditors and other
appropriate professional organizations.
Page 82
ISPPIA
1210 – Proficiency
CAE ensures IAA is able to fulfill its responsibilities:
- Hiring to consider education, experience and specialization
- Periodic staff performance appraisals
- Continuing professional development
Page 83
ISPPIA
1210 – Proficiency
1210.A1 – The chief audit executive must obtain competent advice and assistance if the
internal auditors lack the knowledge, skills, or other competencies needed to perform all or
part of the engagement.
Page 84
CAE – needs to establish -suitable criteria of
education/experience for filling Internal Audit
position.
1210 – Proficiency
CAE determines external service providers considering:
- Professional certification
- Appropriate professional membership
- Reputation
- Experience
- Education and training
- Knowledge, skills and experience in the industry
Page 86
Proficiency
• Each member of the internal audit activity need not be
qualified in all discipline
➢CAE/Senior Management/Board
– intends to use and rely – ESP –
the CAE needs to consider:
i.) competence
ii.) independence
iii.) objectivity
➢CAE – assessment about ESP –
is not reliable – communication
of such results is needed to
SM/Board
EXTERNAL SERVICE PROVIDER
Judgment
➢CAE – verifies that – no
i.) financial
ii.) organizational
iii.) personal
RELATIONSHIP
EXTERNAL SERVICE PROVIDER
EXTERNAL SERVICE PROVIDER
1210 – Proficiency
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and
the manner in which it is managed by the organization but are not expected to have the
expertise of a person whose primary responsibility is detecting and investigating fraud.
Page 94
ISPPIA
1210 – Proficiency
1210.A3 – Internal auditors must have sufficient knowledge of key information technology
risks and controls and available technology-based audit techniques to perform their assigned
work. However, not all internal auditors are expected to have the expertise of an internal
auditor whose primary responsibility is information technology auditing.
Page 95
ISPPIA
1210 – Proficiency
1210.C1 – The chief audit executive must decline the consulting engagement or obtain
competent advice and assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.
Page 96
ISPPIA
Extraordinary performance
Page 97
1220 – Due Professional Care
➢Due professional care – implies
reasonable care and
competence – not infallibility or
extraordinary performance
Page 99
ISPPIA
Page 100
ISPPIA
1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with
due professional care, do not guarantee that all significant risks will be identified.
Reasonable assurance
Page 101
Attribute Standards
Page 102
ISPPIA
Page 103
ISPPIA
Page 104
➢Internal Auditors – responsible for continuing their education to enhance and
maintain their proficiency.
➢Internal auditors – who perform specialized audit and consulting work – may
undertake specialized CPE to allow them to perform their Internal audit work
with proficiency.
➢Internal Auditors – with professional certifications are responsible for
obtaining sufficient CPE
➢Internal Auditors – with no professional certifications are encouraged to
pursue an educational program to obtain professional certification.
QUESTION ?
Page 107
ISPPIA
Page 108
ISPPIA
Objectives
Page 109
➢CAE – accountable for implementing processes – designed to provide
reasonable assurance to various stakeholders that the IA activity:
Ongoing Monitoring
Periodic Internal Assessment
Full External Assessment
Self-Assessment with Independent Validation
Page 111
ISPPIA
Page 112
Attribute Standards
Periodic Self-Assessments
• In-depth interviews and surveys
• Self-assessment
• By CIA within the company (full or verification)
• Benchmarking / performance metrics
Page 113
ISPPIA
- Supervision - Feedback
- Checklist and procedures - Peer reviews
- Performance metrics
Page 114
ISPPIA
Page 115
ISPPIA
Page 116
➢External Assessment should include:
✓Benchmarking
✓Identification and reporting of leading practices
An independent reviewer or review team means not having either a real or an apparent conflict
of interest and not being a part of, or under the control of, the organization to which the
internal audit activity belongs.
Page 118
ISPPIA
Page 119
➢External Assessment may contain an expressed opinion of assurance and
consulting work performed/or that should have been performed.
➢
➢Individuals – who perform external assessment must be independent and
objective. Consideration relation to independence of the external reviewer:
✓
➢
➢ Leaders of independent review team / external reviewer who
independently validates the results of the self assessments – should have
additional level of competence and experience gained from:
✓ working previously as a team member on external quality
assessment
✓Successful completion of the IIA quality assessment training
course/similar training
✓ CAE or comparable senior internal auditor management experience
Page 130
ISPPIA
Page 131
ISPPIA
Page 132
ISPPIA
Page 133
ISPPIA
Page 134
ISPPIA
Page 135
ISPPIA
Page 136