Lesson 2 - Attribute Standards For Handouts

Download as pdf or txt
Download as pdf or txt
You are on page 1of 136

Page 1

Page 2
IPPF

Page 3
IPPF

Page 4
Page 5
IPPF

Page 6
IPPF

International Standards for the Professional Practice of Internal Auditing


(The Standards)
The purpose of the Standards is to:
1. Guide adherence with the mandatory elements of the International
Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range
of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

Page 7
IPPF

International Standards for the Professional Practice of Internal Auditing


(The Standards)

Standards use the word “must” to specify an unconditional requirement and the word
“should” where conformance is expected unless, when applying professional judgment,
circumstances justify deviation

Page 8
ASSURANCE SERVICES

► Assurance services - involve the internal


auditor’s objective assessment of evidence
to provide opinions or conclusions
regarding an entity, operation, function,
process, system, or other subject matters.

3 Parties in an Assurance services:

1. the person or group directly involved with the


entity, operation, function, process, system, or
other subject matter — the process owner
2. the person or group making the assessment —
the internal auditor,
3. the person or group using the assessment —
the user

Page 9
Consulting Services

► Consulting services are advisory in nature


and are generally performed at the
specific request of an engagement client.
► The nature and scope of the consulting
engagement are subject to agreement
with the engagement client.
► 2 parties
A. the person or group offering the
advice — the internal auditor
B. the person or group seeking and
receiving the advice — the
engagement client

► When performing consulting services


the internal auditor should maintain
objectivity and not assume management
responsibility.

Page 10
IPPF

International Standards for the Professional Practice of Internal Auditing


(The Standards)
The Standards are a set of principles-
based, mandatory requirements
consisting of:
- Statements of core requirements
for the professional practice of
internal auditing and for evaluating
the effectiveness of performance
that are internationally applicable
at organizational and individual
levels.
- Interpretations clarifying terms or
concepts within the Standards.

Page 11
IPPF

International Standards for the Professional Practice of Internal Auditing


(The Standards)
- Applies to individual internal auditors and the internal audit activity.

- Chief audit executives are additionally accountable for the internal


audit activity’s overall conformance with the Standards.

- If prohibited by law or regulation from conformance with certain


parts of the Standards, conformance with all other parts of the
Standards and appropriate disclosures are needed.

Page 12
IPPF

International Standards for the Professional Practice of Internal Auditing


(The Standards)
- If the Standards are used in conjunction with requirements issued by other
authoritative bodies, internal audit communications may also cite the use of other
requirements, as appropriate

- If the internal audit activity indicates conformance with the Standards and
inconsistencies exist between the Standards and other requirements, internal
auditors and the internal audit activity must conform with the Standards and may
conform with the other requirements if such requirements are more restrictive.

- The review and development of the Standards is an ongoing process.

Page 13
IPPF

International Standards for the Professional Practice of Internal Auditing


(The Standards)
- The International Internal Audit Standards Board engages in extensive consultation
and discussion before issuing the Standards.

- This includes worldwide solicitation for public comment through the exposure draft
process.

- All exposure drafts are posted on The IIA’s website as well as being distributed to
all IIA institutes.

Page 14
ISPPIA

Structures of Statements
1. Attribute Standards - address the characteristics of organizations and individuals
performing internal audit.
2. Performance Standards - describe the nature of internal auditing and provide
quality criteria against which the performance of these services can be
measured
3. Implementation Standards - providing the requirements applicable to assurance
(A) or consulting (C) activities

Page 15
ISPPIA

IA Governance
1000 – Purpose, authority, and responsibility
1100 – Independence and objectivity
1300 – Quality Assurance and Improvement Program
IA Staff
1200 – Proficiency and due professional care
IA Management
2000 – Managing the IA activity
2100 – Nature of work
2600 – Communicating the acceptance of risks
IA Process
2200 – Engagement planning
2300 – Performing the engagement
2400 – Communicating results
2500 – Monitoring progress

Page 16
ISPPIA

Attribute Standards
1000 Purpose, Authority, and Responsibility
1010 Recognizing Mandatory Guidance in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1112 Chief Audit Executive Roles Beyond Internal Auditing
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
Use of “Conforms with the International Standards for the Professional Practice of Internal
1321
Auditing”
1322 Disclosure of Nonconformance

Page 17
ISPPIA

Performance Standards
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination and Reliance
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program

Page 18
ISPPIA

Performance Standards
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
Use of “Conducted in Conformance with the International Standards for the Professional
2430
Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks

Page 19
Attribute Standards

Page 20
ISPPIA

1000 – Purpose, Authority, and Responsibility


The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Mission of Definition
of Internal Auditing and the mandatory elements of the International Professional
Practices Framework (the Core Principles for the Professional Practice of Internal
Auditing , the Code of Ethics, and the Standards, Definition of Internal Auditing. The
chief audit executive must periodically review the internal audit charter and present
it to senior management and the board for approval.
board’s expectation,
scope, position
competence,
access, allocation of
(assurance,
resources, deliverables
consulting and non-
assistance
audit)

Page 21
ISPPIA

Page 22
ISPPIA

1000 – Purpose, Authority, and Responsibility


Interpretation:
The internal audit charter is a formal document that defines the internal audit
activity's purpose, authority, and responsibility. The internal audit charter establishes
the internal audit activity's position within the organization, including the nature of
the chief audit executive’s functional reporting relationship with the board; authorizes
access to records, personnel, and physical properties relevant to the performance of
engagements; and defines the scope of internal audit activities. Final approval of the
internal audit charter resides with the board.

Page 23
ISPPIA

1000 – Purpose, Authority, and Responsibility


1000.A1 – The nature of assurance services provided to the organization must be
defined in the internal audit charter. If assurances are to be provided to parties
outside the organization, the nature of these assurances must also be defined in
the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit
charter.

Charter should be amended if there is changes


on the scope

Page 24
Attribute Standards

1000 – Purpose, Authority, and Responsibility


1010 – Recognizing Mandatory Guidance in the Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing
must be recognized in the internal audit charter. The chief audit executive should
discuss the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework with senior management and the
board.

Page 25
THE CORRECT ANSWER IS..

During an engagement to evaluate the Agik Co.’s


accounts payable function, Mr. Ginagawa Mue, an
internal auditor, plans to confirm balances with suppliers.
What is the source of authority for such contacts with
units outside the organization?
A. Internal audit activity policies and procedures
B. The Standards
C. The Code of Ethics
D. The internal audit activity’s charter

Page 26
THE CORRECT ANSWER IS..

An element of authority that must be included in the


charter of the internal audit activity is
A. Identification of the organizational unit where
engagements are to be performed
B. Identification of the types of disclosures that should
be made to the board
C. Access to records, personnel, and physical properties
relevant to the performance of engagements
D. Access to the external auditor’s engagement records

Page 27
THE CORRECT ANSWER IS..

An IA charter is one of the more important factors


positively affecting the internal audit activity’s
independence. Which of the following is least likely to be
part of the charter?
A. Signoffs by the CEO and Audit Committee Chairman
B. Scope of internal audit activities
C. Length of tenure of the chief audit executive
D. Access to personnel within the organization

Page 28
Page 29
ISPPIA

1100 – Independence and Objectivity


The internal audit activity must be independent, and internal auditors must be
objective in performing their work.

Page 30
ISPPIA

1100 – Independence and Objectivity


Interpretation:
Independence is the freedom from conditions that threaten the ability of the internal
audit activity to carry out internal audit responsibilities in an unbiased manner. To
achieve the degree of independence necessary to effectively carry out the
responsibilities of the internal audit activity, the chief audit executive has direct and
unrestricted access to senior management and the board. This can be achieved
through a dual-reporting relationship. Threats to independence must be managed at
the individual auditor, engagement, functional, and organizational levels.

Restrictions Objectivity As a group

Page 31
ISPPIA

1100 – Independence and Objectivity


Interpretation:
Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no
quality compromises are made. Objectivity requires that internal auditors do not
subordinate their judgment on audit matters to others. Threats to objectivity must be
managed at the individual auditor, engagement, functional, and organizational levels.

To protect your objectivity, you should be


independent

Page 32
ISPPIA

1110 – Organizational Independence


The chief audit executive must report to a level within the organization that allows
the internal audit activity to fulfill its responsibilities. The chief audit executive
must confirm to the board, at least annually, the organizational independence of
the internal audit activity.

Ensures independence of the IAA

Page 33
ISPPIA

1110 – Organizational Independence


Dual reporting

Audit
Board
Committee

Internal
Audit

President/CEO

COO CFO CIO

Page 34
Attribute Standards

1100 – Independence and Objectivity


Organizational independence is effectively achieved when the chief audit executive
reports functionally to the board. Examples of functional reporting to the board
involve the board:
- Approving the internal audit charter.
- Approving the risk-based internal audit plan.
- Approving the internal audit budget and resource plan.
- Receiving communications from the chief audit executive on the internal audit
activity’s performance relative to its plan and other matters.
- Approving decisions regarding the appointment and removal of the chief audit
executive.
- Approving the remuneration of the chief audit executive.
- Making appropriate inquiries of management and the chief audit executive to
determine whether there are inappropriate scope or resource limitations.

Page 35
ISPPIA

1110 – Organizational Independence


Administrative Reporting:
- Budgeting / management accounting
- HR administrations: evaluations and compensations
- Internal communications
- Policies and procedures

Page 36
ISPPIA

1110 – Organizational Independence


1110.A1 – The internal audit activity must be free from interference in determining the scope
of internal auditing, performing work, and communicating results.

Cooperation with Senior Management and the Board

Page 37
ISPPIA

1111 – Direct Interaction with the Board


The chief audit executive must communicate and interact directly with the board.

- Regularly attends and participates in board meetings


- Meets privately with the Board, at least annually

Page 38
Attribute Standards

1100 – Independence and Objectivity


1112 – Chief Audit Executive Roles Beyond Internal Auditing

Where the chief audit executive has or is expected to have roles and/or
responsibilities that fall outside of internal auditing, safeguards must be in place to
limit impairments to independence or objectivity.

Oversight activities, often undertaken by the board, such


activities as:
- Periodically evaluating reporting lines and responsibilities
- Developing alternative processes to obtain assurance related to
the areas of additional responsibility.

Page 41
ISPPIA

1120 – Individual Objectivity


Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

CAE has the responsibility to


maintain objectivity of IAA

Page 42
Attribute Standards

1100 – Independence and Objectivity


Conflict of interest is a situation in which an internal auditor, who is in a position of
trust, has a competing professional or personal interest. A conflict of interest could
impair an individual's ability to perform his or her duties and responsibilities
objectively.

Page 43
ISPPIA

1120 – Individual Objectivity


Not adversely affected when:
- Recommends standards of control for system
- Reviews procedures before implementation
- Occasional performance of non-audit work with full disclosure in the reporting process;
requires careful consideration by management and IAA

Objectivity is impaired when:


- Designs
- Installs
- Drafts procedures
- Operates

Page 44
➢Internal auditors should not be placed in situations that could impair
their ability to make objective professional judgments.

➢CAE should:
i.) Organize staff assignments that prevent potential and actual conflict of interests
and bias

ii.)Periodically obtaining information from the internal audit staff concerning


potential conflict of interest and bias

iii.) Rotating internal audit staff assignments periodically when practicable.


ISPPIA

1130 – Impairment to Independence or Objectivity


If independence or objectivity is impaired in fact or appearance, the details of the
impairment must be disclosed to appropriate parties. The nature of the disclosure will
depend upon the impairment.

Page 46
ISPPIA

1130 – Impairment to Independence or Objectivity


Interpretation:
Impairment to organizational independence and individual objectivity may include, but is not
limited to, personal conflict of interest, scope limitations, restrictions on access to records,
personnel, and properties, and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to


independence or objectivity must be disclosed is dependent upon the expectations of the
internal audit activity’s and the chief audit executive’s responsibilities to senior management
and the board as described in the internal audit charter, as well as the nature of the
impairment.

Page 47
ISPPIA

1130 – Impairment to Independence or Objectivity


Scope limitation may restrict:
- Scope defined in IA charter
- Access to records
- Work schedule
- Engagement procedures
- Staffing plan and financial budget

Needs to be communicated
preferably in writing to the board

Page 48
➢Internal auditors are to report if they have doubt or questions about
whether a situation constitutes an impairment to objectivity or
independence

➢If CAE determines that impairment exists- the CAE needs to reassign
the auditors
➢Scope Limitation – potential effect
▪ Needs to be communicated, preferably in writing, to the board
▪ CAE needs to consider whether it is appropriate to inform the board previously
communicated and accepted scope limitation by the Board.
ATTRIBUTE STANDARDS
It is unethical for an internal auditor to accept
a fee or gift from an employee, client,
customer, supplier or business associate
▪ Accepting a fee or gift may create an
appearance that the auditors objectivity has
been impaired
▪ The appearance that objectivity has been
impaired may apply to current and future
engagements conducted by the auditor.
▪ The status of the engagement should not be
considered as justification for receiving fees
or gifts.
▪ The receipt of promotional items (such as
pens, calendars, or samples) that are
available to the general public and have
minimal value should not hinder internal
auditors professional judgment.
▪ Internal auditors should report the offer of
all material fees or gifts immediately to their
supervisors.
ISPPIA

1130 – Impairment to Independence or Objectivity


1130.A1 – Internal auditors must refrain from assessing specific operations for which they
were previously responsible. Objectivity is presumed to be impaired if an internal auditor
provides assurance services for an activity for which the internal auditor had responsibility
within the previous year.

- At least one year has elapsed


- Additional consideration should be
exercised when supervising

Page 52
ISPPIA

1130 – Impairment to Independence or Objectivity


1130.A2 – Assurance engagements for functions over which the chief audit executive has
responsibility must be overseen by a party outside the internal audit activity.

Page 53
ISPPIA

1130 – Impairment to Independence or Objectivity


Acceptance of operational responsibilities with remedies:
- Using contracted third-party entity or external auditors
- Confirmation from each staff
- Supervised by, and report the results of the assessment to senior management and the
Board
- Disclosure

Need to be disclosed in the related


audit report

Page 54
1130 – Impairment to
Independence or Objectivity

• Internal Auditors are not to accept


responsibility for Non-audit functions or
duties that are subject to internal audit
assessments.
• - If they accept this responsibility – they
are not functioning as Internal auditors

• Objectivity is impaired – Internal audit
activity, CAE, Internal audit staff are
responsible for operational responsibility/
management is considering to assign
auditor in an operational responsibility
Impairment to Independence or
Objectivity
• CAE needs to consider the
following factors in assessing
the impact on independence
and objectivity:
Impairment to Independence or Objectivity

• Internal audit charter – specific


restrictions – regarding the assignment
of non-audit functions – discussion and
disclosure to management is
necessary.
ISPPIA

1130 – Impairment to Independence or Objectivity


1130.C1 – Internal auditors may provide consulting services relating to operations for which
they had previous responsibilities.

Page 58
ISPPIA

1130 – Impairment to Independence or Objectivity


1130.C2 – If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure must be made to the engagement client
prior to accepting the engagement.

Page 59
• Internal audit charter – silent – consider the following:
Impairment to
Independence or
Objectivity

• Impairment disclosure –
does not negate –
assurance engagements
need to be overseen by
party outside of the
Internal audit activity.
ISPPIA

Practice Question
According to the International Professional Practices Framework, the independence of
the internal audit activity is achieved through:

A. Staffing and supervision


B. Continuing professional development and due professional care
C. Human relations and communications
D. Organizational status and objectivity
THE CORRECT
ANSWER IS..

Page 63
ISPPIA

Practice Question
Ms. Wala Laging Time Sa Kaniya, an internal auditor, is assigned to an operations audit to assess the
efficiency of recently introduced "just-in-time" manufacturing procedures. The auditor finds out that the
external consultant who is on site managing the implementation of the new system was the adviser on his
master's thesis and was instrumental in getting the auditor his first job. Which of the following responses by
the auditor would be most consistent with The IIA's International Professional Practices Framework?

A. The internal auditor need not disclose the relationship but should be certain that he has no contact, such
as audit interview, with the professor/consultant during the course of the audit
B. The internal auditor should disclose the relationship to the CAE, and the CAE should assign a different
internal auditor
C. The potential conflict should be disclosed to the engagement client before accepting the engagement
D. The internal auditor should disclose the potential conflict of interest to the Board or audit committee,
preferably in writing

THE CORRECT
ANSWER IS..
Page 64
ISPPIA

Practice Question
Internal auditors must be objective in performing their work. Assume that Ms. Bes
Mong Ahas, a CAE, received an annual bonus as part of that individual's compensation
package. The bonus may impair the CAE's objectivity if

A. The bonus is administered by the board of directors or its salary administration


committee
B. The bonus is based on monetary amounts recovered or recommended future
savings as a result of engagements
C. The scope of internal auditing work is evaluating control rather than account
balances
D. All of the answers are correct THE CORRECT
ANSWER IS..
Page 65
ISPPIA

Practice Question
An organization is planning to develop and implement a new computerized purchase order system in
one of its manufacturing subsidiaries. The VP of manufacturing has requested that internal auditors
participate on a team consisting of representatives from finance, manufacturing, purchasing, and
marketing. This team will be responsible for the implementation effort. Eager to take on this high
profile project, Ms. Ambisyosang Froglet, the CAE, assigns a senior internal auditor to the project to
assist "as needed". Assuming the senior internal auditor performed all of the following activities,
which one will impair objectivity if the internal auditor is asked to review the purchase order system
on a post-engagement basis?

A. Helping to identify and define control objectives


B. Testing for compliance with system development standards
C. Reviewing the adequacy of systems and programming standards
D. Drafting operating procedures for the new system

THE CORRECT
ANSWER IS..
Page 66
ISPPIA

Practice Question
An auditor’s objectivity could be compromised in all of the following situations except

A. A conflict of interest
B. Auditee familiarity with auditor due to lack of rotation in assignments
C. Auditor assumption of operational duties on a temporary basis
D. Reliance on a outside expert opinion when appropriate

THE CORRECT
ANSWER IS..
Page 67
ISPPIA

Practice Question
While performing an operations audit in a supplier's wholesale outlets, Mr. Nakatali Parin
Sa Nakaraan, an internal auditor, comments favorably on a calendar provided free to
favored customers illustrated with the organization's products. The department manager
offers the auditor several calendars to keep and distribute in the auditor's office. Which of
the following responses best reflects the Standard's views of objectivity?

A. The auditor may accept the gift but must immediately disclose the fact of the audit
committee
B. The auditor must refuse the gift and report the offer to the audit committee
C. The auditor should refuse the gift and warn the client against any future attempts to
curry favor with the internal audit activity
D. The auditor may accept the gift with no required disclosure

THE CORRECT
ANSWER IS..
Page 68
ISPPIA

Practice Question
An internal audit activity is currently undergoing its first external quality assurance review since its formation three years
ago. From interviews, the review team is informed of certain internal auditor activities over the past year. Which of the
following activities could affect the quality assurance review team's evaluation of the objectivity of the internal auditors?

A. One internal auditor told the review team that, during an engagement to review the payroll function, he was approached
by the payroll manager. The manager indicated he was looking for an accountant to prepare his financial statements for his
part-time business. The internal auditor agreed to perform this work for a reduced fee during non-work hours
B. During an engagement to review the construction of a building addition to the organization's headquarters, the VP of
facilities management gave the internal auditor a commemorative mug with the organization's logo. These mugs were
distributed to all employees present at the ground-breaking ceremony
C. After reviewing the installation of a data processing system, the internal auditor made recommendations on standards of
control. Three months after completion of the engagement, the engagement client requested the internal auditor's review
of certain procedures for adequacy. The internal auditor agreed and performed this review
D. An internal auditor's participation was requested on a task force to reduce the organization's inventory losses from theft
and shrinkage. This is the first consulting assignment undertaken by the internal audit activity. The internal auditor's role is
to advise the task force on appropriate control techniques

THE CORRECT
ANSWER IS..
Page 69
ISPPIA

1200 – Proficiency and Due Professional Care


Engagements must be performed with proficiency and due professional care.

Page 70
1200 – Proficiency and Due Professional Care

➢ Proficiency/Due Professional
care – responsibility of the
CAE/internal auditor
➢ CAE ensures – person
assigned in the audit
engagement- collectively
possess the necessary
knowledge, skills, and other
competencies.

Page 71
ISPPIA

1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively must possess
or obtain the knowledge, skills, and other competencies needed to perform its
responsibilities.

Page 72
➢ Knowledge, skills and other
competencies - collective term –
refers to professional proficiency
required of internal auditors

ATTRIBUTE ➢Internal auditors – are


STANDARDS encouraged to demonstrate –
proficiency – by obtaining
professional certifications such
as CIA other certifications
offered by IIA.
ISPPIA

1210 – Proficiency
Proficiency – apply knowledge to situations likely to be encountered without extensive
recourse to technical research and assistance

Knowledge – familiarity, awareness or understanding of which is acquired through experience


and education

Understanding – apply broad knowledge to recognize significant deviations, and to research


reasonable solutions

Appreciation – recognize the existence of problems, identify the additional research, and the
assistance to be obtained

Skills – expected to all internal auditors

Page 74
PROFICIENCY KNOWLEDGE UNDERSTANDING APPRECIATION SKILLS

Applying internal To identify Management principles Fundamentals of Dealing with people


audit standards, indicators of fraud to recognize deviations Accounting, Understanding
procedures, and from good business Economics, human relations
techniques practice Commercial Law, Maintaining
Taxation, Finance, satisfactory
Quantitative, IT, Risk relationship with
management, Fraud clients

Accounting Key information Oral and written


principles and technology risks communications to
techniques if and controls and clearly convey
internal auditor available engagement
works intensively technology based objectives,
with financial audit techniques evaluation and
reporting recommendation
ISPPIA

1210 – Proficiency
Proficiency
- Internal audit standards, procedures and techniques
- Accounting principles (If financial audit)

Knowledge
- Indicators of fraud – intentional illegal act characterized by deceit, concealment, or
violation of trust
- Key IT risks and controls
- Technology audit techniques

Understanding
- Management principles

Page 79
ISPPIA

1210 – Proficiency
Appreciation
- Accounting
- Economics
- Law
- Taxation
- Finance
- Quantitative Methods
- Fraud
- Risk Management
- IT

Skills
- People skills
- Oral and written communications

Page 80
Page 81
ISPPIA

1210 – Proficiency
Interpretation:
Knowledge, skills, and other competencies is a collective term that refers to the professional
proficiency required of internal auditors to effectively carry out their professional
responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining
appropriate professional certifications and qualifications, such as the Certified Internal Auditor
designation and other designations offered by The Institute of Internal Auditors and other
appropriate professional organizations.

Page 82
ISPPIA

1210 – Proficiency
CAE ensures IAA is able to fulfill its responsibilities:
- Hiring to consider education, experience and specialization
- Periodic staff performance appraisals
- Continuing professional development

Page 83
ISPPIA

1210 – Proficiency
1210.A1 – The chief audit executive must obtain competent advice and assistance if the
internal auditors lack the knowledge, skills, or other competencies needed to perform all or
part of the engagement.

Page 84
CAE – needs to establish -suitable criteria of
education/experience for filling Internal Audit
position.

Performing annual analysis of Internal Audit


Activity – helps identify areas of opportunity
– that can be addressed by CPD,
ATTRIBUTE recruiting/co-sourcing
STANDARDS CPD helps to ensure internal audit staff
remains proficient

CAE may obtain assistance from


experts outside the internal audit activity to
support areas – that are not sufficiently
proficient.
ISPPIA

1210 – Proficiency
CAE determines external service providers considering:
- Professional certification
- Appropriate professional membership
- Reputation
- Experience
- Education and training
- Knowledge, skills and experience in the industry

Page 86
Proficiency
• Each member of the internal audit activity need not be
qualified in all discipline

• Internal audit activity may use external service


providers for internal resources that are qualified in
disciplines such as accounting, auditing, economics,
finance, IT, taxation etc.

• External service provider – person/firm, independent


of the Organization who has special knowledge, skill in
particular discipline. Example: actuaries, appraisers,
language experts, fraud investigator, lawyers.

• An external service provider may be engaged by the


board, senior management, CAE.
EXTERNAL SERVICE PROVIDER

➢CAE/Senior Management/Board
– intends to use and rely – ESP –
the CAE needs to consider:
i.) competence
ii.) independence
iii.) objectivity
➢CAE – assessment about ESP –
is not reliable – communication
of such results is needed to
SM/Board
EXTERNAL SERVICE PROVIDER

➢CAE – assess the relationship of


ESP to the Organization/Internal
Audit activity- to ensure
independence/objectivity are
maintained Impartial/Unbiased

Judgment
➢CAE – verifies that – no
i.) financial
ii.) organizational
iii.) personal
RELATIONSHIP
EXTERNAL SERVICE PROVIDER
EXTERNAL SERVICE PROVIDER

• ESP – is also the External Auditor – CAE


needs to ascertain that work performed
does not impair EA independence.

• EA – act/appear to act as members of


senior management, management or as
employee of the organization –
independence is impaired.

• EA – may provide the organization with


other services such as tax and consulting.
In reviewing the work of – ESP –
CAE evaluates the adequacy of
work performed – which includes
sufficiency of information obtained
to afford a reasonable basis for the
conclusion

CAE – issues engagement


communications – ESP was used –
CAE may refer to such services
provided.

ESP – needs to be informed and


concurrence should be obtained –
before making such reference in
engagement communications.
ISPPIA

1210 – Proficiency
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and
the manner in which it is managed by the organization but are not expected to have the
expertise of a person whose primary responsibility is detecting and investigating fraud.

Page 94
ISPPIA

1210 – Proficiency
1210.A3 – Internal auditors must have sufficient knowledge of key information technology
risks and controls and available technology-based audit techniques to perform their assigned
work. However, not all internal auditors are expected to have the expertise of an internal
auditor whose primary responsibility is information technology auditing.

Page 95
ISPPIA

1210 – Proficiency
1210.C1 – The chief audit executive must decline the consulting engagement or obtain
competent advice and assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.

Page 96
ISPPIA

1220 – Due Professional Care


Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.

Appropriate to the complexities of


the engagement
Reasonable care and competence

Extraordinary performance

Page 97
1220 – Due Professional Care
➢Due professional care – implies
reasonable care and
competence – not infallibility or
extraordinary performance

➢Due professional care – requires


internal auditor to conduct
examinations and verifications –
to a reasonable extent.

➢Internal auditors – cannot give


absolute assurance that
noncompliance or irregularities
do not exist
ISPPIA

1220 – Due Professional Care


Alert to possibility of:
- Fraud
- Intentional wrongdoing
- Errors and omissions
- Inefficiency Opportunity to identify inadequate
- Waste controls and recommend
- Ineffectiveness
- Conflicts of interest improvements
- Irregularities

Page 99
ISPPIA

1220 – Due Professional Care


1220.A1 – Internal auditors must exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives;
• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control
processes;
• Probability of significant errors, fraud, or noncompliance; and
• Cost of assurance in relation to potential benefits.

Page 100
ISPPIA

1220 – Due Professional Care


1220.A2 – In exercising due professional care internal auditors must consider the use of
technology-based audit and other data analysis techniques.

1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with
due professional care, do not guarantee that all significant risks will be identified.

Reasonable assurance

Page 101
Attribute Standards

1200 – Proficiency and Due Professional Care


1220.C1 – Internal auditors must exercise due professional care during a consulting
engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and


communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s
objectives.
• Cost of the consulting engagement in relation to potential benefits.

Page 102
ISPPIA

1230 – Continuing Professional Development


Internal auditors must enhance their knowledge, skills, and other competencies through
continuing professional development.

Page 103
ISPPIA

1230 – Continuing Professional Development


Continuing Professional Education (CPE) may be obtained:
- Membership, participation and volunteering
- Attendance at conferences, seminars and in-house training programs
- Completion of college and self-study courses
- Involvement in research projects

Page 104
➢Internal Auditors – responsible for continuing their education to enhance and
maintain their proficiency.

➢Internal auditors – need to stay informed about improvements and current


developments in the internal audit standards, procedures, and techniques,
including The IIA’s International Professional Practices Framework guidance.

➢CPE – may be obtained through membership, participation, and volunteering


in professional organizations such as The IIA

➢Internal auditors – who perform specialized audit and consulting work – may
undertake specialized CPE to allow them to perform their Internal audit work
with proficiency.
➢Internal Auditors – with professional certifications are responsible for
obtaining sufficient CPE
➢Internal Auditors – with no professional certifications are encouraged to
pursue an educational program to obtain professional certification.
QUESTION ?

WHO IS GOING TO AUDIT THE


INTERNAL AUDITORS OR THE
INTERNAL AUDIT
DEPARTMENT?

Page 107
ISPPIA

1300 – Quality Assurance and Improvement Program


The chief audit executive must develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.
All aspects of operations and
management of IAA
Entire spectrum of audit and
consulting
Evaluate and conclude on
the quality of IAA
Recommendations for
improvements

Page 108
ISPPIA

1300 – Quality Assurance and Improvement Program


Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of the
internal audit activity’s conformance with the Definition of Internal Auditing and the Standards
and an evaluation of whether internal auditors apply the Code of Ethics. The program also
assesses the efficiency and effectiveness of the internal audit activity and identifies
opportunities for improvement.

Objectives

Page 109
➢CAE – accountable for implementing processes – designed to provide
reasonable assurance to various stakeholders that the IA activity:

✓ These processes include:


i.) Supervision
ii.) Periodic Internal Assessment
iii.) Periodic External Assessment
ISPPIA

1310 – Requirements of the Quality Assurance and


Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.

Ongoing Monitoring
Periodic Internal Assessment
Full External Assessment
Self-Assessment with Independent Validation

Page 111
ISPPIA

1311 – Internal Assessments


Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within
the organization with sufficient knowledge of internal audit practices.

Page 112
Attribute Standards

1300 – Quality Assurance and Improvement Program


Ongoing Monitoring
• Supervision
• Checklist and procedures
• Feedback
• Peer reviews
• Performance metrics

Periodic Self-Assessments
• In-depth interviews and surveys
• Self-assessment
• By CIA within the company (full or verification)
• Benchmarking / performance metrics

Page 113
ISPPIA

1311 – Internal Assessments


Interpretation:
Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement
of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and
practices used to manage the internal audit activity and uses processes, tools, and information
considered necessary to evaluate conformance with the Definition of Internal Auditing, the
Code of Ethics, and the Standards.

- Supervision - Feedback
- Checklist and procedures - Peer reviews
- Performance metrics

Page 114
ISPPIA

1311 – Internal Assessments


Interpretation:
Periodic reviews are assessments conducted to evaluate conformance with the Definition of
Internal Auditing, the Code of Ethics, and the Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all


elements of the International Professional Practices Framework.

- In-depth interviews - By CIA within the company (full or


and surveys verification)
- Self-assessment - Benchmarking / performance metrics

Page 115
ISPPIA

1312 – External Assessments


External assessments must be conducted at least once every five years by a qualified,
independent reviewer or review team from outside the organization. The chief audit
executive must discuss with the board:
• The need for more frequent external assessments; and
• The qualifications and independence of the external reviewer or review team,
including any potential conflict of interest.
Qualified reviewer/ review team - consists of individuals who are competent in the
professional practice of internal auditing
✓Independent reviewer/ review team means not having either a real or an
apparent conflict of interests and
✓ Not being part of or under the control of - the Organization to which the IA
activity belongs.

Page 116
➢External Assessment should include:
✓Benchmarking
✓Identification and reporting of leading practices

➢External Assessment can be done either:


✓Full external assessment by a qualified, independent external
reviewer/review team
✓Comprehensive internal assessment with independent validation by
a qualified, independent external reviewer or review team.
ISPPIA

1312 – External Assessments


Interpretation:
A qualified reviewer or review team demonstrates competence in two areas: the professional
practice of internal auditing and the external assessment process. Competence can be
demonstrated through a mixture of experience and theoretical learning. Experience gained in
organizations of similar size, complexity, sector or industry, and technical issues is more
valuable than less relevant experience. In the case of a review team, not all members of the
team need to have all the competencies; it is the team as a whole that is qualified. The chief
audit executive uses professional judgment when assessing whether a reviewer or review team
demonstrates sufficient competence to be qualified.

An independent reviewer or review team means not having either a real or an apparent conflict
of interest and not being a part of, or under the control of, the organization to which the
internal audit activity belongs.

Page 118
ISPPIA

1312 – External Assessments


External reviewer should:
- Competent, CIA professional, in-depth knowledge of the Standards
- Well versed in the best practices (technical expertise and industry experience)
- At least 3 years experience in practice of IA at a management level
- Successful completion of The IIA’s quality assessment training course

Conflict of interest due to current or past relationship:


- Former employees: financial audit, consulting services and assistance
- Parent or affiliate
- Peer review between two related Company

Page 119
➢External Assessment may contain an expressed opinion of assurance and
consulting work performed/or that should have been performed.


➢Individuals – who perform external assessment must be independent and
objective. Consideration relation to independence of the external reviewer:

✓ Conflict of interest of former employees who would perform the


assessment - consideration should be given to the length of time the
individual has been independent.

➢Individuals in the other department of the subject organization/related


organization – not considered independent for purposes of conducting
external assessment.
➢ Peer reviews between two organizations – would not pass the
independence tests – It should be three or more but with care to ensure
independence issues would be corrected.


➢ Leaders of independent review team / external reviewer who
independently validates the results of the self assessments – should have
additional level of competence and experience gained from:
✓ working previously as a team member on external quality
assessment
✓Successful completion of the IIA quality assessment training
course/similar training
✓ CAE or comparable senior internal auditor management experience

➢The reviewer(s) – should possess relevant technical expertise/industry


experience
➢ CAE – involves – SM/BOARD – in determining the approach/ selection of
external quality assessment provider.
➢ The preliminary results are discussed with - CAE- during/conclusion of the
assessment process
➢Final results - are communicated – CAE – preferably with copies sent
directly to appropriate members of SM/Board.
➢Communication includes:
✓ An opinion on the conformance of IA activity with the 3 Mandatory
Guidance

➢CAE communicates the results of external quality assessments – to provide
accountability and transparency
➢External Assessment by a independent reviewer - may be troublesome
smaller internal audit activities. Circumstances wherein full external
assessment is not necessary
✓IA activity is in the industry subject to extensive
regulation/supervision
✓Subject to extensive external oversight and direction relating to
governance/internal controls
✓Have been recently subject to external review
✓The costs outweigh the benefits

➢ Same guidance as full assessment would apply with Self Assessment with
independent validation
➢A team under the direction of the CAE – performs and fully documents the
self assessment process – draft report similar to external assessment is
prepared including CAE Judgment on conformance of IA activity.
➢A qualified/Independent reviewer – performs sufficient test of the self
assessment - so as to validate the results
ISPPIA

Page 130
ISPPIA

1320 – Reporting on the Quality Assurance and


Improvement Program
The chief audit executive must communicate the results of the quality assurance and
improvement program to senior management and the board.

Page 131
ISPPIA

1321 – Use of “Conforms with the International Standards for


the Professional Practice of Internal Auditing”
The chief audit executive may state that the internal audit activity conforms with the
International Standards for the Professional Practice of Internal Auditing only if the results of
the quality assurance and improvement program support this statement.

Page 132
ISPPIA

1321 – Use of “Conforms with the International Standards for


the Professional Practice of Internal Auditing”
Interpretation:
The internal audit activity conforms with the Standards when it achieves the outcomes
described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of
the quality assurance and improvement program include the results of both internal and
external assessments. All internal audit activities will have the results of internal assessments.
Internal audit activities in existence for at least five years will also have the results of external
assessments.

Page 133
ISPPIA

1322 – Disclosure of Nonconformance


When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the
Standards impacts the overall scope or operation of the internal audit activity, the chief audit
executive must disclose the nonconformance and the impact to senior management and the
board.

Page 134
ISPPIA

QAIP External Assessment Sample

Page 135
ISPPIA

QAIP External Assessment Sample

Page 136

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy