International Standards for Internal Auditing (Standards)

A set of vocabulary flashcards based on the International Standards for the Professional Practice of Internal Auditing.

Internal auditing

Conducted in diverse legal and cultural environments for organizations of varying purpose, size, complexity, and structure.

Assurance services

Objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, or system.

Consulting services

Advisory activities performed at the specific request of a client, intended to add value and improve organizational processes.

Chief Audit Executive (CAE)

Senior position responsible for managing the internal audit activity in accordance with the internal audit charter and professional standards.

Independence

Freedom from conditions that threaten the ability of the internal audit activity to carry out responsibilities in an unbiased manner.

Objectivity

An unbiased mental attitude that allows auditors to perform engagements and believe in their work product.

Internal audit charter

A formal document that defines the internal audit activity's purpose, authority, and responsibility.

Quality Assurance and Improvement Program

A program designed to evaluate the internal audit activity’s conformance with the Standards and to identify opportunities for improvement.

Due professional care

The application of care and skill expected of a reasonably prudent and competent internal auditor.

Conflict of interest

A situation where an internal auditor's interests conflict with their professional responsibilities, potentially impairing objectivity.

Core Principles for the Professional Practice of Internal Auditing

Foundational principles that support the effectiveness of internal auditing.

Performance Standards

Standards that describe the nature of internal auditing and provide quality criteria for performance measurement.

Standards Start in the 2000’s

Attribute Standards

Standards that address the attributes of organizations and individuals performing internal auditing.

Standards start in the 1000’s

Risk management

A process to identify, assess, manage, and control potential events that may hinder the achievement of organizational objectives.

Governance

The processes and structures implemented by the board to direct and monitor an organization’s activities toward achieving its objectives.

Engagement

A specific internal audit assignment or task aimed at accomplishing a set of related objectives.

Assessment

Evaluation to determine the effectiveness and quality of internal audit activities and adherence to established standards.

Fraud

Any illegal act characterized by deceit or violation of trust, intended to secure an advantage.

Compliance

Adherence to policies, plans, procedures, laws, regulations, and other mandatory requirements.

1000 - Purpose, Authority, and Responsibility

This standard outlines the purpose, authority, and responsibilities of the internal audit activity within an organization, emphasizing the importance of independence and objectivity.

The Chief Audit Executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation: The internal audit charter is a formal document that defines the internal audit activity’s purpose authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

1000.A1 - Purpose, Authority, and Responsibility (Assurance Services)

The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 - Purpose, Authority, and Responsibility (Consulting Services)

The nature of the consulting services must be defined in the internal audit charter

1010 - Recognizing Mandatory Guidance in the Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter.

1100 - Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation - Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work project and that no quality compromises are made. Objectivity requires the internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 - Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation - Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.

• Approving the internal audit charter.

• Approving the risk-based internal audit plan.

• Approving the internal audit budget and resource plan.

• Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.

• Approving decisions regarding the appointment and removal of the chief audit executive.

• Approving the remuneration of the chief audit executive.

• Making appropriate inquires of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 - Organizational Independence (Assurance Services)

The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.

1111 - Direct Interaction with the Board

The Chief Audit executive must have direct and open communication with the board of directors to discuss important matters and report on the internal audit activity's performance. This relationship promotes transparency and accountability within the organization.

1112 - Chief Audit Executive Roles Beyond Internal Auditing

The chief audit executive may have roles or responsibilities outside of internal auditing, such as risk management, compliance, and ensuring effective governance processes. These additional roles should not compromise the internal audit's objectivity and independence.

Safeguards must be in place to limit impairments to independence or objectivity.

1120 - Individual Objectivity

Individual internal auditors must maintain objectivity and avoid conflicts of interest in the conduct of their work. This ensures unbiased evaluations and recommendations.

A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively. This includes disclosing any potential conflicts to relevant parties and taking steps to mitigate their impact.

1130 - Impairment to Independence or Objectivity

The internal audit activity's independence or objectivity can be impaired by personal interests, relationships, or circumstances that affect an internal auditor's impartiality. Such impairments must be disclosed and managed to preserve the integrity of the audit process.

1130.A1 - Impairment to Independence or Objectivity (Assurance Services)

Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year

1130.A2 Impairment to Independence or Objectivity (Assurance Services)

Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

1130.A3 Impairment to Independence or Objectivity (Assurance Services)

The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.

1130.C1 Impairment to Independence or Objectivity (Consulting Services)

Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 Impairment to Independence or Objectivity (Consulting Services)

If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

1200 - Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

1210 - Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Proficiency

The ability of internal auditors to possess the necessary knowledge, skills, and competencies required to effectively carry out their duties and responsibilities.

1210.A1 - Proficiency (Assurance Services)

The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 - Proficiency (Assurance Services)

Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 - Proficiency (Assurance Services)

Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 - Proficiency (Consulting Services)

The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 - Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 Due Professional Care (Assurance Services)

Internal Auditors must exercise due professional care by considering:

• Extent of work needed to achieve the engagement’s objectives

• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.

• Adequacy and effectiveness of governance, risk management, and control processes

• Probability of significant errors, fraud, or noncompliance

  • Cost of assurance in relation to potential benefits

1220.A2 Due Professional Care (Assurance Services)

In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.

1220.A3 Due Professional Care (Assurance Services)

Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 Due Professional Care (Consulting Services)

Internal auditors must exercise due professional care during a consulting engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and communication of engagement results.

• Relative complexity and extent of work needed to achieve the engagement’s objectives.

  • Cost of the consulting engagement in relation to potential benefits.

1230 - Continuing Professional Development

Internal Auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

1300 - Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation - A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement program.

1310 - Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external assessments.

1311 - Internal Assessments

Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.

• Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards. Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework

1312 - External Assessments

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

• The form and frequency of external assessment.

• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest

External assessments may be accomplished through a full external assessment, or a self assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments. A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. An independent assessor or assessment team means not having either an actual or a perceived conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. The chief audit executive should encourage board oversight in the external assessment to reduce perceived or potential conflicts of interest.