CIA EVIDENCES

A training plan that includes ethics education and training.

Standard 1.1 Honesty and Professional Courage

Documents that evidence internal auditors’ attendance or participation in ethics education and training

Standard 1.1 Honesty and Professional Courage

Performance evaluations showing honesty and professional courage as objective

Standard 1.1 Honesty and Professional Courage

Feedback from key stakeholders regarding the honesty and courage of internal auditors.

Standard 1.1 Honesty and Professional Courage

Records of internal auditors’ participation in workshops, training events, or meetings where ethical expectations and issues were discussed.

Standard 1.2 Organization’s Ethical Expectations

Forms signed by individual internal auditors acknowledging their understanding of and commitment to follow ethics policies and procedures of the organization.

Standard 1.2 Organization’s Ethical Expectations

The internal audit plan, work program, or workpapers showing consideration of the organization’s ethics-related objectives, risks, and control processes.

Standard 1.2 Organization’s Ethical Expectations

Documentation demonstrating that ethical issues were communicated to the board, senior management, and regulators in accordance with the organization’s policies and relevant laws and/or regulations

Standard 1.2 Organization’s Ethical Expectations

Records of internal auditors’ participation in training on laws, regulations, and ethical and professional behavior.

Standard 1.3 Legal and Ethical Behavior

Internal auditors’ acknowledgments of their understanding of and commitment to act in accordance with relevant legal and professional expectations.

Standard 1.3 Legal and Ethical Behavior

Documented methodologies for handling illegal or discreditable behavior by internal auditors and legal or regulatory violations by individuals within the organization.

Standard 1.3 Legal and Ethical Behavior

Documented communication between internal auditors and their supervisors and/or legal counsel that address concerns about illegal or unprofessional actions.

Standard 1.3 Legal and Ethical Behavior

Notes from supervisory reviews and mentoring of internal auditors.

Standard 2.1 Individual Objectivity

Sign-off that workpapers were reviewed.

Standard 1.3 Legal and Ethical Behavior

Documented disclosures of potential conflicts of interest or other impairments to objectivity.

Standard 2.1 Individual Objectivity

Final engagement communication, if applicable.

Standard 1.3 Legal and Ethical Behavior

Attestation forms that confirm internal auditors’ awareness of objectivity’s importance and the obligation to disclose any potential impairments.

Standard 2.1 Individual Objectivity

Records of planned and completed objectivity training, including list of participants

Standard 2.1 Individual Objectivity

Policies and procedures related to objectivity.

Standard 2.1 Individual Objectivity

References in the internal audit charter to internal auditors’ responsibility for maintaining objectivity

Standard 2.1 Individual Objectivity

Results of external quality assessments performed by an independent assessor.

Standard 2.2 Safeguarding Objectivity

Plans showing alternative provisions to fulfill the internal audit plan activities where impairments to objectivity were unavoidable.

Standard 2.2 Safeguarding Objectivity

Minutes of board meetings where impairments to objectivity were discussed.

Standard 2.2 Safeguarding Objectivity

Remuneration plan.

Standard 2.2 Safeguarding Objectivity

Notes from supervisory reviews.

Standard 2.2 Safeguarding Objectivity

Sources of feedback on the perception of internal auditors’ objectivity, such as surveys of the internal audit function’s stakeholders.

Standard 2.2 Safeguarding Objectivity

Documentation through which internal auditors attest that they either have no known impairments or have disclosed potential impairments

Standard 2.2 Safeguarding Objectivity

Records of objectivity training.

Standard 2.2 Safeguarding Objectivity

Policies and procedures for identifying potential impairments and necessary safeguards.

Standard 2.2 Safeguarding Objectivity

Internal audit methodologies for disclosing objectivity impairments

Standard 2.3 Disclosing Impairments to Objectivity

Documentation disclosing the presence or affirming the absence of objectivity impairments

Standard 2.3 Disclosing Impairments to Objectivity

Records of the disclosure of objectivity impairments and the response from and/or approval of the mitigation by appropriate parties

Standard 2.3 Disclosing Impairments to Objectivity

Documentation such as an assurance map that indicates the competencies of other providers of assurance and advisory services upon which the internal audit function may rely

Standard 3.1 Competency

Documentation of relevant competencies necessary to fulfill the internal audit plan, an analysis of resource gaps, and the identification of the training and budget necessary to fill the gaps

Standard 3.1 Competency

The results of internal and external quality assessments.

Standard 3.1 Competency

Documented supervisory reviews of engagements, post-engagement surveys completed by internal audit stakeholders, and other forms of feedback indicating competencies exhibited by individual internal auditors and the internal audit function

Standard 3.1 Competency

Documented performance reviews of internal auditors

Standard 3.1 Competency

Documentation of internal auditors’ completion of continuing professional education, such as courses, conference sessions, workshops, and seminars

Standard 3.1 Competency

Internal auditors’ self-assessments of their competencies and plans for professional development

Standard 3.1 Competency

Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors.

Standard 3.1 Competency

Documented plans for attending training events, professional conferences, and other continuing professional education

Standard 3.2 Continuing Professional Development

Records of internal auditors’ completed continuing professional education and credentials obtained

Standard 3.2 Continuing Professional Development

Internal auditors’ performance reviews and/or plans for professional development.

Standard 3.2 Continuing Professional Development

Evidence of active involvement in The IIA and other relevant professional organizations, such as volunteer service.

Standard 3.2 Continuing Professional Development

Documentation of the internal audit function’s methodologies and an indication of when they were last updated.

Standard 4.1 Conformance with the Global Internal Audit Standards

If applicable, final engagement communications and communications with the board and senior management where nonconformance has been disclosed.

Standard 4.1 Conformance with the Global Internal Audit Standards

Documentation referencing the laws and/or regulations with which internal auditors were required to comply that prevented their conformance with the Standards

Standard 4.1 Conformance with the Global Internal Audit Standards

Documentation referencing authoritative requirements to which the internal audit function adheres in addition to the Standards.

Standard 4.1 Conformance with the Global Internal Audit Standards

Results of the quality assurance and improvement program.

Standard 4.1 Conformance with the Global Internal Audit Standards

Internal and external assessments performed as part of the internal audit function’s quality assurance and improvement program

Standard 4.2 Due Professional Care

Feedback from stakeholders solicited through surveys or other tools

Standard 4.2 Due Professional Care

Notes from meetings, training, or other discussion of due professional care.

Standard 4.2 Due Professional Care

Internal auditors’ performance reviews

Standard 4.2 Due Professional Care

Workpapers indicating supervisory review of engagements

Standard 4.2 Due Professional Care

Notes from meetings or discussions of the potential costs and benefits of internal audit services and the extent and timeliness of engagement work

Standard 4.2 Due Professional Care

Notes showing assessment of risks including errors, noncompliance, and fraud

Standard 4.2 Due Professional Care

Documented assessments of governance, risk management, and control processes

Standard 4.2 Due Professional Care

Planning notes documenting the strategy and objectives of the organization and activity under review

Standard 4.2 Due Professional Care

Records of relevant training planned and completed, including a list of participants.

Standard 4.3 Professional Skepticism

Workpapers identifying an internal auditor’s approach to evaluate and validate information gathered during an engagement

Standard 4.3 Professional Skepticism

Documentation that false or misleading information was handled as an engagement finding.

Standard 4.3 Professional Skepticism

Workpapers and engagement communications, reviewed and signed or initialed by the engagement supervisor.

Standard 4.3 Professional Skepticism

Performance reviews demonstrating that relevant policies, procedures, laws, and regulations have been followed.

Standard 5.1 Use of Information

Documentation by which internal auditors acknowledge their understanding of relevant policies, procedures, laws, and regulations.

Standard 5.1 Use of Information

Attendance records of training on use of information.

Standard 5.1 Use of Information

Effectively designed and operating controls over access to and use of information.

Standard 5.1 Use of Information

Documentation of relevant policies, procedures, and training related to the proper use of information.

Standard 5.1 Use of Information

Minutes from meetings during which the appropriate use of information was discussed.

Standard 5.1 Use of Information

Performance reviews demonstrating that policies and procedures related to the protection and disclosure of information have been followed

Standard 5.2 Protection of Information

Signed agreements to confidentiality or nondisclosure of information

Standard 5.2 Protection of Information

Records of disclosures required by law or approved by legal counsel, if applicable, and/or the board and senior management

Standard 5.2 Protection of Information

Documentation of authorized disclosures and distribution.

Standard 5.2 Protection of Information

Documentation of restrictions on the distribution of workpapers and final communication

Standard 5.2 Protection of Information

Documentation by which internal auditors acknowledge their understanding of relevant policies, procedures, laws, and regulations

Standard 5.2 Protection of Information

Attendance records of training on protection of information

Standard 5.2 Protection of Information

Documentation regarding the implementation of mechanisms that restrict information access and mitigate the risk of circumventing prevailing controls

Standard 5.2 Protection of Information

Documentation demonstrating application of relevant methodologies

Standard 5.2 Protection of Information

Minutes of board meetings where the mandate was discussed, which may be part of the broader approval of the internal audit charter

Standard 6.1 Internal Audit Mandate

Minutes of board meetings during which any changes to the internal audit charter are discussed and approved by the board.

Standard 6.1 Internal Audit Mandate

Minutes of the board meetings during which the internal audit charter was discussed and approved.

Standard 6.2 Internal Audit Charter

The approved charter and the date approved.

Standard 6.2 Internal Audit Charter

Minutes of board meetings that include evidence that the chief audit executive periodically reviews the internal audit charter with the board and senior management.

Standard 6.2 Internal Audit Charter

Minutes of board meetings indicating board review and approval of the internal audit plan, internal audit budget, and resource plan

Standard 6.3 Board and Senior Management Support

Minutes or other documentation of communication between the board and senior management in which the internal audit function’s unrestricted access was discussed

Standard 6.3 Board and Senior Management Support

An agreed-upon matrix or similar documentation showing what information should be communicated by the chief audit executive to the board and senior management and the expected frequency

Standard 6.3 Board and Senior Management Support

Minutes or other documentation evidencing the board’s approval of the appointment or removal of the chief audit executive.

Standard 7.1 Organizational Independence

Documentation of assurance services to be provided by other internal or external providers as a safeguard to independence.

Standard 7.1 Organizational Independence

Formal action plans that outline specific safeguards to address independence concerns.

Standard 7.1 Organizational Independence

Documented methodologies to be followed when an impairment is suspected or identified.

Standard 7.1 Organizational Independence

The internal audit charter documenting board approval of long-term nonaudit roles and responsibilities and corresponding safeguards to independence, including the expected duration of the roles, responsibilities, and safeguards and how the effectiveness of the safeguards will be evaluated periodically.

Standard 7.1 Organizational Independence

Board meeting minutes or other documentation showing that the chief audit executive confirmed with the board the ongoing independence of the internal audit function or discussed impairments affecting the internal audit function’s ability to fulfill its mandate and the safeguards to manage the impairments.

Standard 7.1 Organizational Independence

Meeting minutes or other evidence of the chief audit executive’s direct communication with the board and senior management regarding potential impairments to independence and planned safeguards.

Standard 7.1 Organizational Independence

The internal audit charter, which documents the internal audit function’s reporting relationships.

Standard 7.1 Organizational Independence

Documented succession-planning conversations with the board, senior management, and/or the organization’s human resources function

Standard 7.2 Chief Audit Executive Qualifications

Documented participation in professional associations

Standard 7.2 Chief Audit Executive Qualifications

The chief audit executive’s professional education plans and evidence of completion

Standard 7.2 Chief Audit Executive Qualifications

Documented approval by the board of the chief audit executive’s job description and/or appointment or other evidence that the board evaluated the qualifications and competencies required for the chief audit executive’s role.

Standard 7.2 Chief Audit Executive Qualifications

Documentation of the criteria for identifying issues to be brought to the attention of the board and a process for communicating or escalating such issues.

Standard 8.1 Board Interaction

Internal audit communications to board members

Standard 8.1 Board Interaction

Presentations made by the chief audit executive to the board.

Standard 8.1 Board Interaction