IPPF Guidance Can Be Divided Into

The International Professional Practices Framework (IPPF) provides mandatory and recommended guidance for the internal audit profession. The mandatory guidance includes core principles, a definition of internal auditing, a code of ethics, and standards. The standards cover attributes like independence and objectivity, as well as performance areas like planning, reporting, and quality assurance. They help internal auditors add value, improve operations, and accomplish organizational objectives. The IPPF provides a framework for consistently performing and promoting a broad range of internal auditing services.

Uploaded by

abdiweli

Lesson 1: IPPF

The International Professional Practices Framework (IPPF) is the conceptual
framework that organizes authoritative guidance promulgated by The Institute
of Internal Auditors.
IPPF guidance can be divided into:
1) Mandatory guidance
 Core principles for the professional practice of internal auditing
The Core Principles, taken as a whole, articulate internal audit
effectiveness. The core principles are:
 Demonstrates integrity.
 Demonstrates competence and due professional care.
 Is objective and free from undue influence (independent).
 Aligns with the strategies, objectives, and risks of the organization.
 Is appropriately positioned and adequately resourced.
 Demonstrates quality and continuous improvement.
 Communicates effectively.
 Provides risk-based assurance.
 Is insightful, proactive, and future-focused.
 Promotes organizational improvement.
 Definition of internal audit
Internal audit is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations. It
helps the organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
 Code of ethics
It has the following implementation guides:
 Integrity
 Objectivity
 Confidentiality
 Competency
 The standards
The purpose of the Standards is to:
 Guide adherence with the mandatory elements of the International
Professional Practices Framework.
 Provide a framework for performing and promoting a broad range
of value-added internal auditing services.
 Establish the basis for the evaluation of internal audit
performance.
 Foster improved organizational processes and operations
The standards are categorized into:
 Attribute standards
These standards are numbered in the 1000 series and cover the
following areas:
 Purpose, Authority, and Responsibility
 Internal Audit Charter
 Independence and Objectivity
 Organizational Independence
 Direct Interaction with the Board
 Chief Audit Executive Roles Beyond Internal Auditing
 Individual Objectivity
 Impairment to Independence or Objectivity
 Proficiency and Due Professional Care
 Continuing Professional Development
 Quality Assurance and Improvement Program
 Internal Assessments
 External Assessments
 Reporting on the Quality Assurance and Improvement Program
 Performance standards
These standards describe the nature of internal audit and provide criteria to
measure the performance of internal audit. They are more
on the operational side and cover the following areas:
 Managing the Internal Audit Activity
 Planning
 Communication and Approval
 Resource Management
 Policies and Procedures
 Coordination and Reliance
 Reporting to Senior Management and the Board
 External Service Provider and Organizational Responsibility for
Internal Auditing
 Risk Management
 Control
 Engagement Planning
 Engagement Objective
 Engagement scope
 Engagement Resource Allocation
 Engagement Supervision
 Communicating Results
2) Recommended guidance
Recommended guidance is endorsed by The IIA through a formal approval
process. It describes practices for effective implementation of The IIA's Core
Principles, Definition of Internal Auditing, Code of Ethics, and Standards. The
recommended elements of the IPPF are:
 Implementation guide
Assist internal auditors in applying the Standards.
They collectively address internal auditing's approach, methodologies,
and consideration, but do not detail processes or procedures.
 Supplemental guide
Provide detailed processes and procedures for internal audit
practitioners.
These include topical areas, sector-specific issues, as well as processes
and procedures, tools and techniques, programs, step-by-step
approaches, and examples of deliverables.
The mission of internal audit is to enhance and protect organizational value
by providing risk-based, objective assurance, advice, and insight.

Lesson 2: attributes and performance overview


The Standards are a set of principles-based, mandatory requirements
consisting of:
 Statements of core requirements for the professional practice of internal
auditing and for evaluating the effectiveness of performance that are
internationally applicable at organizational and individual levels.
 Interpretations clarifying terms or concepts within the Standards.
The purpose of the Standards is to:
1. Mandatory elements
Guide adherence with the mandatory elements of the International Professional
Practices Framework.
2. Value added IA services
Provide a framework for performing and promoting a broad range of value-
added internal auditing services.
3. Evaluation of performance
Establish the basis for the evaluation of internal audit performance.
4. Improved process
Foster improved organizational processes and operations.
Attribute standards address the attributes of organizations and individuals
performing internal auditing.
e.g. independence, objectivity, proficiency, due professional care.
Performance standards describe the nature of internal auditing and provide
quality criteria against which the performance of these services can be
measured.
e.g. managing IA, planning, resource management, communication, reporting.
IPPF
Mission of internal audit
Mandatory guidance:
 Core principles
 The standards
 Code of ethics
 Definition of internal auditing
Recommended guidance:
 Implementation guidance
 Supplemental guidance

a) Attribute standards:
19 standards distributed in 4 sections:
1) Standard series 1000
Purpose, authority and responsibility.
 1000 – Purpose, Authority, and Responsibility
 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter
2) Standard series 1100
Independence and objectivity
 Standard 1110 Organizational Independence
 Standard 1111 Direct Interaction with the Board
 Standard 1112 Chief Audit Executive Roles Beyond Internal Auditing
 Standard 1120 Individual Objectivity
 Standard 1130 Impairment to Independence or Objectivity
3) Standard series 1200
Proficiency and due professional care.
 Standard 1210 proficiency
 Standard 1220 due professional care
 Standard 1230 continuing professional development (CPD)
4) Standard series 1300
Quality assurance and improvement program (QAIP)
 Standard 1310 requirements of the QAIP
 Standard 1311 internal assessments
 Standard 1312 internal assessments
 Standard 1320 reporting on the QAIP
 Standard 1321 use of "Conforms with the International Standards for the
Professional Practice of Internal Auditing"
 Standard 1322 disclosure of non-conformance
b) Performance standards
33 standards distributed in 7 sections
1) Standard series 2000 managing internal audit activity
 Standard 2010 planning
 Standard 2020 communication and approval
 Standard 2030 resource management
 Standard 2040 policies and procedures
 Standard 2050 coordination and reliance
 Standard 2060 reporting to senior management
 Standard 2070 external service provider and organizational responsibility
for internal auditing
2) Standard series 2100 nature of work
 Standard 2110 governance
 Standard 2120 risk management
 Standard 2130 control
3) Standard series 2200 engagement planning
 Standard 2201 planning consideration
 Standard 2210 engagement objectives
 Standard 2220 engagement scope
 Standard 2230 engagement resource allocation
 Standard 2240 engagement working papers
4) Standard series 2300 performing the engagement
 Standard 2310 identifying information
 Standard 2320 analysis & evaluation
 Standard 2330 documenting information
 Standard 2340 engagement supervision
5) Standard series 2400 communicating results
 Standard 2410 criteria for communicating
 Standard 2420 quality of communication
 Standard 2421 errors & omissions
 Standard 2430 use of "Conducted in Conformance with the
International Standards for the Professional Practice of Internal
Auditing"
 Standard 2440 disseminating results
 Standard 2450 overall opinion
6) Standard series 2500 monitoring progress
7) Standard series 2600 communicating the acceptance of risk

Lesson 3: standards 1000 & 1010


Standard 1000- purpose, authority, and responsibility of the internal
audit activity
The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter. The chief audit executive must
periodically review the internal audit charter and present it to senior
management and the board for approval.
The audit committee is a sub-committee of the board of directors.
Internal audit charter:
 Defines the internal audit activity's purpose, authority, and
responsibility.
 Establishes the internal audit activity's position within the organization
 Nature of the chief audit executive’s functional reporting relationship
with the board;
 Authorizes access to records, personnel, and physical properties relevant
to the performance of engagements;
 Defines the scope of internal audit activities.
 The nature of assurance services provided within or outside the
organization must be defined in the internal audit charter.
 The nature of consulting services must be defined in the internal audit
charter.
Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit
Charter
The mandatory elements are:
 The core principles
 Code of ethics
 The standards
 Definition of IA
The standard has at least two key points:
 The charter must recognize the mandatory guidance.
 The chief audit executive should discuss the Mission of Internal Audit
and the mandatory elements of the International Professional Practices
Framework with senior management and the board.
The elements of IA charter:
 Introduction.
 Authority.
 Organization & structural reporting.
 Functional & administrative responsibilities.
 Independence & objectivity.
 Responsibility (defining the different sorts of activities and roles).
 Quality assurance and improvement plan.
 Sign-off with the titles, names, and dates.
Important points to keep in mind:
 Keep the minutes approving the charter together with the approved
charter.
 The CAE should review the charter annually (whether there is a change
or not) and present it to the board.
 The CAE should periodically review the charter, and the review should be
documented in the form of minutes.
 Languages.
Tips when reviewing the charter:
 Check for changes made by the IIA to the IPPF, document
those changes, and compare them to the charter.
 If there are changes in the organizational structure, reporting lines, the
philosophy and mandate of the organization, or the roles of internal
audit, add them to the charter to keep it current.
Lesson 4: standard 1100 independence and objectivity
The standard states that:
 Internal audit activity must be independent,
 Internal auditors must be objective in performing their work.
Independence is the freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an
unbiased manner.
Threats to independence must be managed at the:
 individual auditor,
 Engagement,
 Functional, and
 Organizational levels.
Objectivity is an unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in their work product
and that no quality compromises are made.
Objectivity requires that internal auditors do not subordinate their judgment
on audit matters to others.
Threats to objectivity must be managed at the:
 individual auditor,
 engagement,
 functional, and
 Organizational levels.
The CAE works with the board and senior management to avoid conditions that
would affect internal audit’s ability to perform its responsibilities in an
unbiased manner.
The CAE has:
 A direct functional reporting line to the board.
 A direct administrative reporting line to the senior management.
The CAE must avoid having functional responsibilities such as risk
management and compliance.
The board can implement safeguards to limit impairment impact.
Safeguards are oversight activities, generally undertaken by the board, to
monitor and address independence conflicts. Examples are:
 Periodically evaluating CAE responsibilities.
 Developing alternate processes to obtain assurance related to the
additional areas of responsibility.
 Being aware of the potential objectivity impairment when considering
internal audit risk assessments.
Multiple items may indicate conformance with the standard, including:
 The internal audit charter itself;
 An organization chart with reporting responsibilities;
 An internal audit policy manual that includes:
 Policies on independence.
 Objectivity.
 Addressing conflicts.
 Performance evaluation.
 Training records.
 Conflict of interest disclosure forms
Lesson 5: standard 1110 organizational independence
The standard requires that:
 The chief audit executive must report to a level within the organization
that allows the internal audit activity to fulfill its responsibilities.
 The chief audit executive must confirm to the board, at least annually,
the organizational independence of the internal audit activity.
Organizational independence is effectively achieved when the chief audit
executive reports functionally to the board.
Examples of functional reporting to the board involve the board:
 Approving the internal audit charter.
 Approving the risk-based internal audit plan.
 Approving the internal audit budget and resource plan.
 Receiving communications from the chief audit executive on the internal
audit activity’s performance relative to its plan and other matters.
 Approving decisions regarding the appointment and removal of the chief
audit executive.
 Approving the remuneration of the chief audit executive.
 Making appropriate inquiries of management and the chief audit
executive to determine whether there are inappropriate scope or resource
limitations.
As per standard 1110.A1 – The internal audit activity must be free from
interference in determining the scope of internal auditing, performing work,
and communicating results.
If there is any interference, the chief audit executive must disclose such
interference to the board and discuss the implications.
To ensure organizational independence, it is necessary to consider the
organizational placement (positioning of internal audit) and supervisory
oversight/ reporting lines of internal audit.
The CAE, the board, and senior management reach a shared understanding of
internal audit’s responsibility, authority, and expectations, as well as the role
of the board and senior management in overseeing internal audit.
Considerations for the implementation of the standard:
 Organizational placement.
 CAE’s direct functional reporting.
 Dotted reporting line.
 Unrestricted access to the board.
The functional oversight requires the following:
 Right working conditions.
 Independent & effective IAA.
 Board assumes responsibility for:
 Charter
 Audit plan
 Budget and resource plan
 Compensation
 Appointment/removal of CAE
 Ability to operate independently.
The CAE should share standard 1110 and recommended governance practices,
with board responsibilities, to provide performance updates, e.g. key findings,
emerging risks, implementation plans, and critical areas that need the board’s attention.
Several items may demonstrate conformance with the standard, including:
 For board/audit committee: IA & AC charter.
 For reporting line: CAE job description and performance evaluation.
 For hiring decision: CAE hiring documentation.
 For policies that address areas like independence and board
communication requirements: internal audit policy manual.
 For functional reporting responsibilities: an organization chart, board
reports, meeting minutes, agendas.
 For appropriate communication with board: IA plan, budget,
performance and the state of organizational independence.
Lesson 6: standard 1111 direct interaction with the board
The chief audit executive must communicate and interact directly with the
board.
To enable IA to fulfil its duties, the CAE, the board, and senior management
have to discuss and agree on IA’s:
 Responsibility.
 Authority.
 Expectations.
 Placement.
 Reporting.
Considerations for the implementation of the standard:
If the CAE has a direct functional reporting relationship with the board, then
the board assumes responsibility for approving the IA charter, IA plan, budget,
resource plan, evaluation and compensation of the CAE, and appointment and removal of
the CAE, and for furthering the ability of IA to operate independently and fulfil its charter.
With such a reporting relationship, the CAE will have many opportunities to
communicate and interact directly with the board. Examples are:
 Participate in board audit committee meetings.
 Communicate the audit plan and budget.
 Ability to contact the board on sensitive matters.
 Private meeting with the board A/C at least annually.
 One-on-one meetings/ phone calls with the board/AC members.
Without direct access to board, the CAE can:
 Share standard 1111, 1100 and 1110.
 Recommended governance practice.
 Board A/C best practice studies.
 Consider written communications to the board.
Considerations for demonstrating conformance:
To demonstrate conformance with the standard, the CAE can keep:
 Board meeting agendas and minutes, which are often sufficient evidence
to demonstrate conformance.
 The CAE’s calendar may also demonstrate conformance.
 Board or AC charter may have a policy that requires the CAE to meet
privately with the board.
Lesson 7: standard 1112 CAE roles beyond internal auditing
As per standard 1112, where the chief audit executive has or is expected to have roles
and/or responsibilities that fall outside of internal auditing, safeguards must
be in place to limit impairments to independence or objectivity.
Safeguards are those oversight activities, often undertaken by the board, to
address these potential impairments, and may include such activities as
periodically evaluating reporting lines and responsibilities and developing
alternative processes to obtain assurance related to the areas of additional
responsibility.
When the CAE has a role outside of internal auditing, the organizational independence of the IAA
or the individual objectivity of the internal auditor may be impaired, but the board/
senior management may find it appropriate to expand the CAE’s role.
Disclosure of implementation to independence of the standard 1130:
The board to evaluate risk of potential impairments:
 Roles and responsibilities that the CAE is being asked to undertake.
 Risks related to the undertaking
 Safeguards to the CAE’s independence and objectivity including
consideration of appearances.
 Controls in place to validate that the safeguards are operating effectively.
 Transition plan, if the assignment is short term.
 Agreement with senior management and the board
The board can monitor the CAE’s objectivity by increasing the level of scrutiny
applied to the CAE’s risk assessment, IA plan, and engagement
communications, and by considering any potential bias the CAE may have related
to an area for which he or she performed duties beyond internal auditing.
To help safeguard the CAE from impairments to objectivity, the standard
1130.A1 prohibits internal auditors from assessing specific operations for
which they were responsible within the previous year. Standard 1130.A2
requires a party outside the IAA to oversee assurance engagement for functions
over which the CAE has responsibility.
If the CAE has responsibilities in areas outside the IAA that are subject to
internal auditing:
 The provision of assurance would be outsourced to an objective,
competent assurance provider.
 That reports independently to the board, rather than the CAE.
 Such an assurance provider could be either internal or external.
 An external assessment of the IIA that includes review of the CAE’s
independence and objectivity- particularly in the areas where the CAE
has the independence of the external assessor can be validated.
Documentation of any safeguards that were established to address potential
impairments to the CAE independence and objectivity may help
demonstrate conformance with standard 1112. Such documentation may
include:
 Statements in the organization’s policies and code of ethics.
 The audit committee’s charter.
 The internal audit activity’s mission statement and approved audit
charter.
 Periodic revisions of the internal audit charter, reflecting the changing
roles and responsibilities of IAA.
 Transition plans.
 Minutes of board meetings.
 Other assurance provider’s reports.
 Surveys of audit clients & board evaluation of CAE performance on the
perception of the CAE’s independence and objectivity.
 Results of external assessments performed by the independent
assessor.
Lesson 8: standard 1120- individual objectivity
As per the standard, internal auditors must have an impartial, unbiased
attitude and avoid any conflict of interest.
Conflict of interest is a situation in which an internal auditor, who is in a
position of trust, has a competing professional or personal interest.
Objectivity refers to an internal auditor’s impartial & unbiased mindset which
is facilitated by avoiding conflicts of interest.
To implement standard 1120, the CAE wants to understand policies or
activities within the organization and within internal audit that could enhance
or hinder such a mindset.
For example:
 Standard performance evaluation.
 Compensation policies.
 Conflict of interest policies.
To manage internal audit objectivity effectively, the CAEs have an internal
audit policy manual or handbook that describes the expectation and
requirements for an unbiased mindset for every internal auditor.
Such a policy manual may describe:
 The critical importance of objectivity to the internal audit profession.
 Typical situations that could undermine objectivity.
 Actions the internal auditor should take if he becomes aware of a current
or potential objectivity concern.
 Reporting requirements, where each internal auditor periodically
considers and discloses conflicts of interest.
Internal auditors sign annual statements indicating that no potential threats
exist or acknowledging any known potential threats.
To consider when assigning internal auditors to specific engagements:
 Potential objectivity impairments.
 Discussion with potential team members.
 Encourage internal auditors to share any concerns.
What the CAE can do if the performance evaluation and compensation system
has impact on individual’s objectivity in the following scenarios:
 Performance and compensation practices can significantly and negatively
affect an individual’s objectivity.
 The auditor evaluation process is heavily focused on the number of
observations, or staying within the audit budget.
Then the CAE can do the following:
 Needs to be thoughtful in designing the internal audit performance
evaluation and compensation system.
 Consider whether the measurements used could impair an internal
auditor’s objectivity.
 Ideally, the evaluation process will balance:
 Auditor performance.
 Audit results.
 Client feedback measurements.
Documentation that may demonstrate conformance with the standard
includes:
 Internal policy manual, which contains:
 Performance evaluation
 Compensation processes
 Clear policies on objectivity
 Avoiding and reporting conflict of interest
 Training records or materials may demonstrate that internal auditors
have been aware of the importance of objectivity, the nature of threats to
objectivity, and examples of conflict of interest.
 If a related policy at the organization or internal audit level exists, there
may be signed acknowledgment forms to disclose the existence or
nonexistence of conflicts
 Engagement work papers would document the team assigned and could
be compared to employment records or acknowledgement forms to
confirm that known conflicts were avoided.
Lesson 9: standard 1130- impairment of independence or objectivity
As per the standard, if independence or objectivity is impaired in fact or
appearance, the details of the impairment must be disclosed to appropriate
parties. The nature of the disclosure will depend upon the impairment.
Impairment to organizational independence and individual objectivity may
include, but is not limited to:
 Personal conflict of interest,
 Scope limitations,
 Restrictions on access to records, personnel, and properties, and
 Resource limitations, such as funding.
Assurance standards:
 Standard 1130-A1
Internal auditors must refrain from assessing specific operations for
which they were previously responsible. Objectivity is presumed to be
impaired if an internal auditor provides assurance services for an
activity for which the internal auditor had responsibility within the
previous year.
 Standard 1130-A2
Assurance engagements for functions over which the chief audit
executive has responsibility must be overseen by a party outside the
internal audit activity.
 Standard 1130-A3
The internal audit activity may provide assurance services where it had
previously performed consulting services, provided the nature of the
consulting did not impair objectivity and provided individual objectivity
is managed when assigning resources to the engagement.
Consulting standards:
 Standard 1130-C1
Internal auditors may provide consulting services relating to operations
for which they had previous responsibilities.
 Standard 1130-C2
If internal auditors have potential impairments to independence or
objectivity relating to proposed consulting services, disclosure must be
made to the engagement client prior to accepting the engagement.
As per the implementation guide, the standard requires the CAE to disclose
real or perceived impairments to independence or objectivity. Then, the CAE
must have a clear understanding of independence and objectivity
requirements, as described in the:
 Code of ethics
 Standards 1100, 1110, 1111, 1112, 1120
To fully understand and appreciate independence and objectivity, it is
important that internal auditors consider the perspectives of:
 Their various stakeholders
 The conditions undermining independence or objectivity
Impairment situations generally include:
 Self-interest
 Self-review
 Familiarity
 Bias
 Undue influence
These situations can lead to:
 Personal conflicts of interest
 Scope limitations
 Resource limitations
 Restrictions on access to:
 Records
 Personnel
 Properties
Internal audit examples of organizational independence impairments include
the following:
 The CAE has broader functional responsibility than internal audit and
executes an audit of a functional area that is also under the CAE
oversight.
 The CAE’s supervisor has broader responsibility than internal audit, and
the CAE executes an audit within his or her supervisor’s functional
responsibility.
 The CAE does not have direct communication or interaction with the board.
 The budget for the internal audit activity is reduced to the point that
internal audit cannot fulfil its responsibilities as outlined in the charter.
Examples of organizational objectivity:
 An internal auditor audits an area in which he recently worked.
 An internal auditor audits an area where a relative or close friend is
employed.
 An internal auditor assumes, without evidence, that an area being
audited has effectively mitigated risks based solely on a prior positive
audit or personal experience.
 An internal auditor modifies the planned approach or results based
on the undue influence of another person without appropriate
justification.
 Before commencement of an audit, the CAE can believe that:
 Impairment is not real
If a perception of impairment exists, the CAE may discuss it with
operating management, document it, and explain why the concern is
without merit.
 Impairment is real
If it affects the ability of internal audit to perform its duties
independently and objectively, the CAE is to discuss the impairment
with the board and senior management and seek their support to
resolve the situation.
 Or impairment comes to light after an audit.
If it impacts the reliability of the engagement results, the CAE will discuss
it with operating and senior management as well as the board.
Multiple documents may demonstrate conformance, including:
 Internal audit policy manual.
 Board meeting minutes.
 Memos to file
 Reports that contain disclosures.
Lesson 10: standard 1210- proficiency
As per the standard, internal auditors must possess the:
 knowledge,
 skills,
 and other competencies needed to perform their individual
responsibilities.
The internal audit activity collectively must possess or obtain the:
 knowledge,
 skills,
 and other competencies needed to perform its responsibilities.
Proficiency is a collective term that refers to the knowledge, skills, and other
competencies required of internal auditors to effectively carry out their
professional responsibilities.
Internal auditors are encouraged to demonstrate their proficiency by obtaining
appropriate professional certifications and qualifications, such as CIA.
Assurance standards:
 1210-A1
The chief audit executive must obtain competent advice and assistance if
the internal auditors lack the knowledge, skills, or other competencies
needed to perform all or part of the engagement.
 1210-A2
Internal auditors must have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organization, but are
not expected to have the expertise of a person whose primary responsibility
is detecting and investigating fraud.
 1210-A3
Internal auditors must have sufficient knowledge of key information
technology risks and controls and available technology-based audit
techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an internal auditor whose
primary responsibility is information technology auditing.
Consulting standard:
 1210-C1
The chief audit executive must decline the consulting engagement or obtain
competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement.
Considerations for implementation:
To build and maintain the proficiency of the IAA, the CAE may develop a
competency assessment tool or skills assessment based on the competency
framework or another benchmark. Then, the CAE could incorporate the basic
criteria of internal audit competency into job descriptions (JD) and
recruitment material to help attract and hire internal auditors with the
appropriate educational background and experience.
Also, the CAE may use the competency assessment tool to complete a periodic
skills assessment of the internal audit activity to identify gaps.
When doing so, the CAE should consider risks related to fraud and IT, as well
as available technology-based audit techniques.
The CAE has additional obligations related to ensuring the collective
proficiency of the IAA. These include:
 Managing the IAA in conformance with the mandatory guidance of the
IPPF.
 Fulfilling the internal audit plan by ensuring that the IAA has the
appropriate mix of:
 Knowledge
 Skills
 Other competencies
If the IAA does not have appropriate and sufficient resources, the CAE is
expected to obtain competent advice or assistance to fill any gaps.
The CAE can use the competency framework to identify gaps in the IAA
collective proficiency and to develop plans for filling coverage gaps through:
 Hiring
 Training
 Outsourcing
 Other methods
To enhance proficiency of the IAA, the CAE would encourage professional
development of internal auditors, whether that occurs through:
 On the job training
 Attendance at professional conferences and seminars
 Encouraging the pursuit of professional certifications
At the level of the individual engagement, the CAE assumes overall
responsibility for supervising the engagement to ensure:
 Quality
 Achievement of objectives
 Staff development
The individual responsibilities of internal auditors at the level of engagement
planning include:
Considering the appropriateness and sufficiency of resources to achieve
engagement objectives.
Individual internal auditors may evidence their proficiency through their:
 Resumes or CV
 By maintaining records of certifications
 Continuing professional development
Any of the following documents could evidence the conformance of the IAA as a
whole:
 The internal audit plan that includes an analysis of resources
requirements
 Any inventory of available audit staff skills or individual profiles listing
qualifications.
 An assurance map with a list of qualifications of service providers on
which the internal audit activity relies.
 Documented results of internal assessments.
Lesson 11: standard 1220- due professional care
As per the standard, the internal auditors must apply the care and skill
expected of a reasonably prudent and competent internal auditor. Due
professional care does not imply infallibility.
Infallibility means perfection or flawlessness. Because due professional care
does not imply infallibility, internal auditors are not expected to give
absolute assurance that non-compliance or irregularities do not exist.
Assurance standard:
 1220. A1 –
Internal auditors must exercise due professional care by considering the:
 Extent of work needed to achieve the engagement’s objectives.
 Relative complexity, materiality, or significance of matters to which
assurance procedures are applied.
 Adequacy and effectiveness of governance, risk management, and
control processes.
 Probability of significant errors, fraud, or noncompliance.
 Cost of assurance in relation to potential benefits.
 1220. A2 –
In exercising due professional care internal auditors must consider the use of
technology-based audit and other data analysis techniques.
 1220. A3 –
Internal auditors must be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone,
even when performed with due professional care, do not guarantee that all
significant risks will be identified.
Consulting standard:
 1220. C1
Internal auditors must exercise due professional care during a consulting
engagement by considering the:
 Needs and expectations of clients, including the nature, timing, and
communication of engagement results.
 Relative complexity and extent of work needed to achieve the
engagement’s objectives.
 Cost of the consulting engagement in relation to potential benefits.
To perform their duties with due professional care, the internal auditor should:
 Get relevant experience, education, certifications and trainings.
 Become familiar with the core competencies described in the IIA global
internal audit competency framework.
 Should understand and apply the mandatory guidance of the IPPF.
At the engagement level, the internal auditor should understand:
 The objectives and scope of the engagement.
 Competencies that will be required to execute the audit work.
 Any policies and procedures specific to the internal audit activity and
the organization
A systematic and disciplined approach helps in:
 Planning
 Executing
 Documenting internal audit work.
To ensure due professional care at the engagement level, standard 2340-
engagement supervision requires engagements to be properly supervised,
which generally involves:
 Supervisory review of the engagement work papers
 Results
 Conclusions to be reported
 Supervisor’s feedback to the internal auditors who conducted the
engagement, often through post-engagement meetings
 Input about internal auditors' due professional care may be solicited
through post-engagement surveys of audit clients.
Internal auditors demonstrate conformance with the standard through proper
application of the IPPF’s mandatory guidance, which would be reflected in their:
 Engagement plans
 Work programs and work papers
 Performance reviews of internal auditors
 Appropriate supervisory reviews of engagements duly documented.
 Engagement supervisor’s post engagement staff meetings
 Feedback from audit clients through surveys or other tools
 Annual declaration related to the IIA code of ethics and organization
code of conduct
 Internal and external assessments performed as part of the internal
audit activity’s quality assurance and improvement program may
indicate that due professional care has been maintained.
Lesson 12: standard 1230-CPD
As per the standard, internal auditors must enhance their knowledge, skills,
and other competencies through continuing professional development.
In order to enhance their competencies and continue their professional
development, internal auditors may want to reflect on their job requirements,
including the training policies and the professional education requirements of
their:
 Profession
 Organization
 Industry
 Any certifications or areas of specialization
Professional development plan may encompass:
 On the job training
 Coaching
 Mentoring
 Internal and external training
 Volunteer or certification opportunities
Opportunities for professional development include participating in:
 Conferences
 Seminars
 Training programs
 Online courses
 Webinars
 Self-study programs
 Classroom courses
 Conducting research projects
 Volunteering with professional organizations
 Pursuing professional certifications
 Industry related CPD
 CPD related to a specialization.
To ensure their internal audit knowledge stays current on a day-to-day basis,
internal auditors may seek guidance from the IIA regarding standards, best
practices, procedures and techniques that could affect the internal audit
profession or their organization and specific industry.
This may involve:
 Maintaining current memberships in the IIA and other professional
organizations
 Networking at local events
 Monitoring or subscribing to feeds or notification services related to the
internal audit profession and industry specific news.
Internal auditors may demonstrate conformance with standard 1230 by
retaining documentation or other evidence of any of the following:
 Self-assessments against a competency framework or benchmark.
 Professional development and training plans.
 Memberships and participation in professional organizations
 Subscriptions to sources of professional information.
 Completed training.
Lesson 13: standard 1300 QAIP
As per the standard 1300, the chief audit executive must develop and maintain
a quality assurance and improvement program that covers all aspects of the
internal audit activity.
A quality assurance and improvement program is designed to enable an
evaluation of the internal audit activity’s conformance with the Standards and
an evaluation of whether internal auditors apply the Code of Ethics.
Stakeholder engagement and methodology implementation guide:
The CAE must have a thorough understanding of the mandatory elements of
the IPPF, especially the standards and code of ethics.
Generally, the CAE meets with the board to gain an understanding of the
expectations for the IAA, to discuss the importance of the standards and
the QAIP, and to encourage the board’s support of these.
As per standard 1310- The quality assurance and improvement program must
include both internal and external assessments.
As per standard 1311- Internal assessments must include:
 Ongoing monitoring of the performance of the internal audit activity.
 Periodic self-assessments or assessments by other persons within the
organization with sufficient knowledge of internal audit practices.
Ongoing monitoring is an integral part of the day-to-day supervision, review,
and measurement of the internal audit activity.
Periodic assessments are conducted to evaluate conformance with the Code of
Ethics and the Standards.
An internal periodic assessment is conducted by other persons within the
organization with sufficient knowledge of internal audit practices.
Internal assessment evaluates the internal audit activity’s conformance with
the mandatory elements of the IPPF, as well as the:
 Quality and supervision of audit work performed.
 Adequacy of IA policies and procedures
 Value the IAA adds to the organization.
As per the standard 1320- External assessments must be conducted at least
once every five years by a qualified, independent assessor or assessment team
from outside the organization.
The chief audit executive must discuss with the board:
 The form and frequency of external assessment.
 The qualifications and independence of the external assessor or
assessment team, including any potential conflict of interest.
Report of external assessor must conclude:
 The external assessor must conclude as to conformance with the
code of ethics and the standards
 The external assessment may also include operational or strategic
An example of rating scale:
 Generally conforms- this is the top rating, which means that an IAA
has a charter, policies and processes and the execution and results
of these are judged to be in conformance with the standard.
 Partially conforms- deficiencies in practice are judged to deviate
from the standards, but these deficiencies did not preclude the IAA
from performing its responsibilities.
 Does not conform- deficiencies in practice are judged to be so
significant that they seriously impair or preclude the IAA from
performing adequately in all or in significant areas of its
responsibilities.
A qualified assessor or assessment team demonstrates competence in two
areas:
 The professional practice of internal auditing and
 The external assessment process.
An independent assessor or assessment team means not having either an
actual or a perceived conflict of interest and not being a part of, or under the
control of, the organization to which the internal audit activity belongs.
As per the standard 1320- The chief audit executive must communicate the
results of the quality assurance and improvement program to senior
management and the board. Disclosure (communication) should include:
 The scope and frequency of both the internal and external assessments.
 The qualifications and independence of the assessor(s) or assessment
team, including potential conflicts of interest.
 Conclusions of assessors.
 Corrective action plans.
The results are communicated to the SM/board to demonstrate conformance
with the Code of Ethics and the Standards.
The results of external and periodic assessments are communicated upon
completion of such assessments.
The results of the ongoing monitoring are communicated on an annual basis.
As per the standard 1321, the results of QAIP should confirm if IAA is
conforming with the code of ethics and the standards.
As per the standard 1322, when nonconformance with the Code of Ethics or
the Standards impacts the overall scope or operation of the internal audit
activity, the chief audit executive must disclose the nonconformance and the
impact to senior management and the board.
As per the standard 2070, when an external service provider serves as the
internal audit activity, the provider must make the organization aware that the
organization has the responsibility for maintaining an effective internal audit
activity.
As per the standard 2430, Indicating that engagements are “conducted in
conformance with the International Standards for the Professional Practice of
Internal Auditing” is appropriate only if supported by the results of the quality
assurance and improvement program.
Adjustments are needed in the quality assurance and improvement program in order to:
 Ensure that IAA continues to operate in an effective and efficient
manner.
 Assure stakeholders that it adds value by improving the organization’s
operations.
The following documents are evidence that demonstrates conformance with
standard 1300, including 1311 & 1312:
 Documented QAIP
 The results of internal and external assessments.
 Communication of QAIP results with the board.
 Documentation of actions taken to improve the IAA’s efficiency and
effectiveness.
 For external assessments:
 Written independent validation
 Documentation from external assessors
1) Minutes of the meetings of the board/ AC having deliberations
on QAIP results and corrective action plans.
2) The agenda documents with submissions attachments.
3) Benchmarking report and requests for services to show due
diligence in vetting external assessors.
4) Key performance indicator (KPI) monitoring
5) Performance evaluations and personal development plans
6) Engagement work papers and test reports including minutes of
opening and closing meetings, audit reports, engagement
review notes, and technical and linguistic review notes.
7) For periodic assessment: scope of review, approach plan, work
plan and communication reports.

Lesson 14: standard 2000- managing the internal audit activity


As per the standard 2000, the chief audit executive must effectively manage
the internal audit activity to ensure it adds value to the organization.
The internal audit activity adds value to the organization and its stakeholders
when it:
 Considers strategies, objectives and risks.
 Strives to offer ways to enhance governance, risk management and
control processes
 Objectively provides relevant assurance.
The internal audit activity is effectively managed when:
 It achieves the purpose and responsibility included in the internal audit
charter.
 It conforms with the Standards.
 Its individual members conform with the Code of Ethics and the
Standards.
 It considers trends and emerging issues that could impact the
organization.
The CAE may start by reviewing the IAA’s purpose and responsibility, which is
agreed upon by the CAE, senior management, and the board and recorded in
the internal audit charter.
The CAE should study:
 The organizational chart, to identify the stakeholders, structure and
reporting relationships.
 The organizational strategic plan, to give insight into the organization’s
strategies, objectives and risks. The risks should include trends and
emerging issues.
The CAE develops an internal audit strategy and approach that aligns with the
goals and expectations of the organization’s leadership.
The CAE creates a risk-based internal audit plan to determine the priorities of
the internal audit activity’s assurance and consulting engagements.
In the internal audit plan, the CAE:
 Defines the internal audit activity’s scope and deliverables.
 Specifies the resources needed to achieve the plan
 Outlines an approach to develop the internal audit activity.
 Outlines an approach to measure its performance and progress against
the plan.
The CAE is responsible for communicating:
 The plan.
 Resource requirements.
 The impact of resource limitations.
 Any significant changes to the plan, which are reported to the board and
senior management for their approval.
To implement a systematic and disciplined approach to managing the internal
audit activity, the CAE:
 Considers the mandatory guidance of the IPPF.
 Establishes internal audit policies and procedures (standard 2040).
The CAE is responsible for ensuring that the IAA adds value to the organization
by objectively providing relevant assurance and offering suggestions to
enhance governance, risk management and control processes.
The 2100 series of standards and implementation guides describes the
requirements and processes that enable the internal audit activity to complete
these objectives.
The CAE develops metrics for evaluating the efficiency and effectiveness of the
IAA. Tools the CAE may use for this purpose include:
 Soliciting feedback through post- audit client surveys.
 Completing annual performance reviews of individual internal auditors.
 Implementing the QAIP.
 Benchmarking: comparing the organization’s IAA against contemporary
internal audit groups in the industry.
Conformance with the standard is demonstrated by keeping the required
documents or evidence of:
 How well the internal audit activity has been managed.
 Whether it has added value to the organization.
This evidence exists in:
1) The results of post engagement client surveys and other sources of
feedback.
2) In addition, internal and external assessments help gauge or
measure the internal audit activity’s conformance with the
mandatory guidance of the IPPF, including:
a) Performance metrics related to managing the internal audit
activity.
b) The results of comparisons against the industry standard
(e.g. benchmarking) may also be used.
c) Supervisory evaluation and peer reviews of individual
internal auditors and CAE, with metrics tied to performance
and conformance.

Lesson 15: standard 2010- planning


As per the standard, the chief audit executive must establish a risk-based plan
to determine the priorities of the internal audit activity, consistent with the
organization’s goals.
To develop the risk-based plan, the chief audit executive consults with senior
management and the board and obtains an understanding of the:
 organization’s strategies,
 key business objectives,
 associated risks, and
 risk management processes
The chief audit executive must review and adjust the plan, as necessary, in
response to changes in the organization’s:
 business,
 risks,
 operations,
 programs,
 systems, and
 Controls.
Assurance standards:
 2010. A1 – The internal audit activity’s plan of engagements must be
based on a documented risk assessment, undertaken at least annually.
The input of senior management and the board must be considered in
this process.
 2010. A2 – The chief audit executive must identify and consider the
expectations of senior management, the board, and other stakeholders
for internal audit opinions and other conclusions.
Consulting standard:
 2010. C1 – The chief audit executive should consider accepting proposed
consulting engagements based on the engagement’s potential to improve
management of risks, add value, and improve the organization’s
operations. Accepted engagements must be included in the plan.
The risk-based internal audit plan is intended to ensure that
internal audit coverage adequately examines areas with the greatest
exposure to the key risks that could affect the organization’s ability to
achieve its objectives.
The CAE considers the maturity of the organization’s risk management
processes, including whether the organization uses a formal risk
management framework in order to:
 Assess
 Document
 Manage risks.
Less mature organizations may use less formal means of risk management.
The CAE’s preparation usually involves reviewing the results of any risk
assessments that management may have performed.
The CAE may employ tools such as:
 Interviews
 Surveys
 Meetings
 Workshops
To gather additional input about the risks from management at various levels
throughout the organization, from the board and other stakeholders.
By reviewing the organization’s approach to risk management, the CAE may
decide how to organize or update the audit universe.
Audit universe could include the following:
 All risk areas that could be subject to audit.
 List of possible audit engagements that could be performed.
 The projects and initiatives related to the organization’s strategic plan.
 It may be organized by:
a) Business units
b) Product or service lines
c) Processes
d) Programs
e) Systems
f) Controls
Linking critical risks to specific objectives and business processes helps the
CAE to:
 Organize the audit universe
 Prioritize the risks.
Risk factor approach:
Risk category: internal risks. Internal risks may affect:
 Key products and services
 Personnel
 Systems.
Relevant risk factors related to internal risks include:
 The degree of change in risks since the area was last audited.
 The quality of controls.
 Other factors
Risk category: external risks. External risks may be related to:
 Competition
 Suppliers
 Other industry issues.
Relevant risk factors for external risks may include:
 Pending regulatory or legal changes
 Other political
 Economic factors.
Risks are measured in terms of:
 Impact
 Likelihood
The purposes of the CAE’s discussion with the board are:
 To create alignment among the priorities of various stakeholders.
The CAE discusses the internal audit plan with:
a) The board
b) Senior management
c) Other stakeholders.
 To acknowledge risk areas not addressed in the plan
This discussion may be an opportunity for the CAE to review:
1) The roles and responsibilities of the board and senior management
related to risk.
2) The standards related to maintaining the IAA’s independence and
objectivity
3) The CAE reflects on any feedback received from stakeholders before
finalizing the plan
The internal audit plan usually includes:
1) A list of proposed audit engagements (and specification regarding
whether the engagements are assurance or consulting in nature).
2) Rationale for selecting each proposed engagement (e.g. risk rating,
time since last audit, and change in management).
3) Objectives and scope of each proposed engagement.
4) A list of initiatives or projects that result from the internal audit
strategy but may not be directly related to an audit engagement.
The internal audit plan is prepared on an annual cycle.
The internal audit plan is flexible enough to allow the CAE to review and adjust
it as necessary in response to changes in the organization’s:
1) Business
2) Risks
3) Operations
4) Programs
5) Systems
6) Controls.
The evidence of conformance to the standard exists in the:
 Internal audit plan
 The risk assessment
 Minutes of meetings
 Memos to file

Lesson 16: standard 2020- communication and approval


As per the standard 2020, The CAE must communicate to senior management
and the board for review and approval of the internal audit activity’s:
 Plans
 Resources requirements
 Including the impact of resource limitations
 And any significant interim changes
The step-by-step process of communication with senior management and the
board is as follows:
 The risk-based plan is prepared and understood as per standard 2010.
 The CAE determines the resources needed to implement the plan, based
on the risk-based priorities identified during the planning process
(standard 2010).
 CAE communicates to senior management and the board regarding:
 The internal audit plan
 The IAA’s resource requirements
 The impact of resource limitations
Resources may include:
1) People (e.g. labor hours and skills)
2) Technology (e.g. audit tools and techniques)
3) Timing/schedule (availability of resources)
4) Funding
A portion of resources is usually reserved to address changes to the audit plan
that may arise, such as:
a) Unanticipated risks that could affect the organization
b) Requests for consulting engagements from senior management and the
board
The CAE usually itemizes the audits that comprise the internal audit plan and
then assesses the types and quantity of resources that would be needed to
accomplish each audit project.
Estimates are generally based on:
 Past experience with a particular project.
 Comparisons to a similar project.
The CAE can compare the resources needed to accomplish the plan’s priorities
with those available to the internal audit activity to determine whether any
gaps exist.
This comparison can be used as a basis for determining the impact of resource
limitations.
The CAE typically meets with individual senior executives for their input
regarding the proposed audit plan before it is formally presented.
During the meetings, the CAE can:
 Address any concerns that senior executives may express.
 Incorporate their feedback.
 Obtain their support.
The process may involve gathering additional information about the:
 Timing of proposed audit engagements
 The availability of resources.
It might introduce changes that affect the scope of work.
The internal audit plan may include:
 A list of proposed audit engagements (specification regarding whether the
engagements are assurance or consulting in nature).
 Rationale for selecting each proposed engagement (e.g. risk rating, time
since last audit, change in management)
 Objectives and scope of each proposed engagement.
 A list of initiatives or projects that result from the internal audit strategy
but may not be directly related to an audit engagement.
Resource limitations affect the priorities in the internal audit plan. For
example, if resources are not sufficient to complete every proposed
engagement in the plan, some engagements may be deferred and some risks
may go unaddressed.
The CAE may demonstrate conformance with standard 2020 by keeping
records of:
 The distribution of the internal audit plan.
 Board meeting materials that include the internal audit plan as
proposed for review and approval.
 Individual discussions with senior management could be documented
through memo, emails, or notes made during the internal audit
activity’s risk assessment process.
 Typically, board meeting minutes contain records of the board’s
discussion and approval of the internal audit plan, any interim
changes and the impact of any resource limitations.
Lesson 17: standard 2030- resource management
The chief audit executive must ensure that internal audit resources are:
 appropriate,
Appropriate refers to the mix of knowledge, skills, and other competencies
needed to perform the plan.
For example, a team with a mix of skills such as IT, fraud, etc.
Another example is knowledge of relevant industry.
 sufficient, and
Sufficient refers to the quantity of resources needed to accomplish the plan.
This can be assessed in relation to the RBAP (Risk based audit plan) to
deliver and any gaps should be highlighted.
 Effectively deployed to achieve the approved plan.
Resources are effectively deployed when they are used in a way that optimizes
the achievement of the approved plan.
You may simply say VFM (value for money).
To implement standard 2030, the CAE usually begins by gaining a deeper
understanding of the resources available to the internal audit activity in the
board approved internal audit plan.
The CAE may carefully consider the number of internal audit staff and
productive work hours available to implement the plan within the
organization’s schedule constraints.
Productive work hours generally exclude factors such as:
 Paid time off (sick, annual leaves).
 Time spent on training and administrative tasks.
The CAE may also want to reflect on the approved budget and consider the
funds available for training, technology, or additional staffing in order to
achieve the plan.
To gain an overview of the internal audit activity’s collective knowledge, skills
and other competencies, the CAE may review:
 A documented skills assessment if available.
 Information gathered from employees’ performance appraisals
 Post audit surveys.
When allocating specific resources to the engagements identified in the
approved internal audit plan:
 The CAE may consider how the available resources match up with the
particular skills and timing required to perform the engagements
 During this process, the CAE typically works to fill any gaps that may
have been identified.
To fill gaps related to the internal audit staff’s knowledge, skills and
competencies, the CAE could provide:
1) Training for existing staff
2) Request an expert from within the organization to serve as a guest
auditor
3) Hire staff
4) Hire an external service provider (ESP).
If the quantity of resources is insufficient to cover the planned engagements
efficiently and effectively, the CAE may:
 Hire additional staff
 Co-source
 Outsource engagements
 Use one or more guest auditors
 Develop a rotational auditing program.
When developing a schedule for internal audit engagements, the CAE
considers:
 The organization’s schedule
 The schedules of individual internal auditors
 The availability of auditable entities.
For example,
a) If an audit engagement needs to occur during a specific time of year,
the resources needed to complete that engagement must also be
available at that time.
b) Likewise, if an auditable entity is unavailable or constrained during a
certain period of the year, due to business needs, the engagement
would be scheduled to avoid that period.
It is important for the CAE to gauge the overall adequacy of resources
continuously, because the CAE must report:
 On the impact of resource limitation (standard 2020).
 On the internal audit activity’s performance relative to its plan (standard
2060)
To affirm that resources are appropriate, sufficient, and effectively deployed,
the CAE establishes metrics that assess the internal audit activity’s
performance and solicits feedback from internal audit clients.
Documentation that evidences conformance with standard 2030 could
include:
1) The internal audit plan, which contains the estimated schedule of
audit engagements and resources allocated
2) A post audit comparison of budgeted hours to actual hours may be
documented to validate that resources were deployed effectively.
3) The results of client assessments related to the performance of the
internal audit activity and individual internal auditors are often noted
in:
a) Post audit reports
b) Surveys
c) Annual reports

Lesson 18: Standard 2040 – Policies and Procedures


As per the standard, the chief audit executive must establish policies and
procedures to guide the internal audit activity.
To establish the policies and procedures that guide the internal audit activity,
the CAE considers several factors:
 It is essential that internal audit policies and procedures are aligned
with:
 The mandatory guidance of the IPPF
 The internal audit charter to ensure that stakeholder expectations
are addressed.
The CAE’s implementation of standard 2040 will depend largely on:
 The structure
 Maturity
 Complexity of the organization
 Internal audit charter.
The following topics are generally included in an internal audit manual or otherwise
documented to help guide the internal audit activity:
Internal audit policies:
 The overall purpose and responsibility of the internal audit activity.
 Adherence to the mandatory guidance of IPPF.
 Independence and objectivity
 Ethics
 Protecting confidential information.
 Record retention.
Internal audit procedures:
 Preparing a risk based audit plan.
 Planning an audit and preparing the engagement work program
 Performing audit engagements
 Documenting audit engagements
 Communicating results/reporting
 Monitoring and follow up processes.
Quality assurance and improvement program (1300) includes:
 Internal assessment
 External assessment
Administrative matters:
 Training and certification opportunities
 Continuing education requirements
 Performance evaluation

Demonstrating conformance to the standard:
• Documented policies and procedures
• Policies and procedures manual for communication of policies and procedures
• Internal audit staff meeting agendas
• Minutes
• Emails
• Signed acknowledgements
• Training schedule
• Similar documentation.
Internal audit policies and procedures should be reviewed periodically, either
by the CAE or an internal audit manager assigned to monitor internal audit
processes and emerging issues. Such reviews may be included in the internal
audit activity’s internal assessments and the external assessment that occurs
at least once every five years.
The CAE may begin to develop policies and procedures by gathering
information, examples and templates such as those available through the IIA.
Templates can be customized to fit the organization and needs of the specific
internal audit activity.
It is important for the CAE to consider the organization’s existing:
• Strategies
• Policies
• Processes (including whether organizational leadership expects to review or approve internal audit policies and procedures).

Lesson 20: Standard 2050 – Coordination and Reliance


As per the standard, the chief audit executive should:
• Share information,
• Coordinate activities,
• Consider relying upon the work of internal and external assurance and consulting service providers
to ensure proper coverage and minimize duplication of efforts.
In coordinating activities, the chief audit executive may rely on the work of
other assurance and consulting service providers.
• A consistent process for the basis of reliance should be established.
• The chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers.
• The chief audit executive should also have a clear understanding of the scope, objectives, and results of the work performed by other providers of assurance and consulting services.
• Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
The assurance and consulting service providers can be:
1) Internal
   • Internal providers include oversight functions that either report to senior management or are part of senior management.
   • Their involvement may include areas such as environmental, financial control, health and safety, IT security, legal, risk management, compliance or quality assurance.
   • These are often considered “second line of defense” activities, according to the IIA’s three lines model.
2) External
   • External assurance providers may report to senior management or external stakeholders, or they could be hired by and report to the CAE. (Mandatory guides)
The roles of assurance and consulting services providers vary by
organization. The roles can be categorized as either internal providers
or external providers.
To start the task of coordinating their efforts, the CAE identifies the
various roles of existing assurance and consulting service providers
by reviewing:
• The organization chart.
• Board meeting agendas.
• Minutes.
Once the providers of assurance and consulting services have been identified,
the CAE considers the type and amount of information that may be shared
with them, in accordance with the organization’s confidentiality requirements.
It’s important that the CAE consider the limitations of sharing confidential
information, particularly with external parties. (Implementation guide)
Within the limitations of the organization’s confidentiality requirements, the
parties share:
• The objectives.
• Scope.
• Timing of upcoming:
   ◦ Reviews
   ◦ Assessments
   ◦ Audits
• The results of prior audits.
• The possibility of relying on one another’s work.
In smaller organizations, coordinating assurance activities may be informal.
In large or heavily regulated organizations, coordination may be formal and
complex.
One way to coordinate assurance coverage is to create an assurance map.
An assurance map can be created by linking identified significant risk categories
with relevant sources of assurance and rating the level of assurance provided
for each risk category.
A comprehensive assurance map exposes gaps and duplications in assurance
coverage, enabling the CAE to evaluate the sufficiency of assurance services in
each risk area.
The results can be discussed with the other assurance providers so that the
parties may reach an agreement about how to coordinate activities to minimize
duplication of efforts and maximize the efficiency and effectiveness of
assurance coverage.
The combined assurance model is another approach to coordinating
assurance, in which internal audit may coordinate assurance efforts with second
line of defense functions, such as a compliance function, to reduce:
• The nature
• Frequency
• Redundancy of internal audit engagements.
Examples of coordinating activities include:
• Synchronizing the nature, extent, and timing of planned work.
• Ensuring a common understanding of assurance techniques, methods and terminology.
• Providing access to one another’s work programs, work papers, and reports.
• Relying on one another’s work to minimize duplication of effort.
• Meeting intermittently to determine whether it is necessary to adjust the timing of planned work, based on the results of work that has been completed.
The CAE may choose to rely on the work of other providers for various reasons,
such as:
• To assess specialty areas outside of the internal audit activity’s expertise.
• To enhance risk coverage beyond the internal audit plan.
However, if the internal audit activity relies on the work of another
service provider, the CAE retains ultimate responsibility for internal
audit conclusions and opinions.
It is essential that the CAE establish a consistent process and set of criteria to
determine whether the internal audit activity may rely on the work of another
provider. In this process, the CAE may:
• Evaluate objectivity by considering whether the provider has, or may appear to have, any conflicts of interest and whether they have been disclosed.
• Consider independence by examining the provider’s reporting relationships and the impact of this arrangement.
• Confirm competency by verifying whether the provider’s professional experience, qualifications, certifications, and affiliations are appropriate and current.
• Assess due professional care by examining elements of the practice the provider applies to complete the work.
• The CAE may also seek to gain an understanding of the scope, objectives and results of the actual work performed to determine the extent of reliance that may be placed on the provider’s work.
Evidence of conformance with standard 2050 could include:
• Communications regarding all assurance and consulting roles and responsibilities, which may be documented:
   ◦ In the notes from meetings with individual providers of assurance and consulting services.
   ◦ In minutes of meetings with the board and senior management.
• The CAE’s documentation of the process and criteria applied to determine whether the internal audit activity may rely on a provider’s work.
• Assurance maps.
• Combined internal audit plans that identify which provider is responsible for providing assurance or consulting services in each area.
