Essentials of Internal Auditing - Challenge Exam Study Guide Notes

Part 1: Essentials of Internal Auditing

  • Internal auditing helps management, boards, and stakeholders improve governance, risk management, and control.
  • Part 1 covers foundations, independence, objectivity, proficiency, due professional care, quality assurance, governance, risk, and fraud.

Section A: Foundations of Internal Auditing

  • Covers ethical, practical, and legal standards, IPPF guidance, the Mission of Internal Audit, Core Principles, definition, compliance with ethics, documentation, and audit charter approval.

The Framework

  • The IIA uses the International Professional Practices Framework (IPPF) to organize authoritative guidance.
  • The IPPF helps practitioners and stakeholders respond to the demand for high-quality internal auditing.
  • The IPPF contains mandatory and recommended guidance.
  • Mandatory guidance: Mission of Internal Audit, Core Principles, Definition of Internal Auditing, Code of Ethics, and the Standards.
  • Recommended guidance: Implementation Guidance and Supplemental Guidance.

Mission of Internal Audit

  • The Mission articulates what internal audit wants to achieve, leveraging the IPPF.
  • Mission of Internal Audit: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
  • Risk basis protects organizational value.
  • Objectivity is a strategic enabler.
  • Three activities for value:
    • Assurance
      • Communicates management is achieving objectives and managing risks.
    • Advice
      • Provided through advisory (consulting) engagements to give advice and insight proactively.
    • Insight
      • Provided through reports, committees, meetings, and board reporting of progress.

Core Principles

  • The Principles are basic elements describing internal audit effectiveness linked to the Mission.
  • They form the basis for the Code of Ethics and the Standards.
  • The IIA's Core Principles for the Professional Practice of Internal Auditing:
    • Demonstrates integrity
    • Demonstrates competence and due professional care
    • Is objective and free from undue influence (independent)
    • Aligns with the strategies, objectives, and risks of the organization
    • Is appropriately positioned and adequately resourced
    • Demonstrates quality and continuous improvement
    • Communicates effectively
    • Provides risk-based assurance
    • Is insightful, proactive, and future-focused
    • Promotes organizational improvement
  • Each Principle applies to the individual auditor, the audit activity, or both.
  • Failure to achieve one Principle suggests reduced effectiveness.
  • Consequences of not demonstrating Core Principles examples:
    • Loss of trust and credibility if integrity is not demonstrated.
    • Insufficient risk assessments if competence and due care are lacking.
    • Untrusted observations if objectivity is compromised.
    • Wasted resources if alignment with organizational objectives is missing.
    • Difficult independent reporting if positioning and resources are inadequate.
    • Unreliable work if quality and improvement are neglected.
    • Inability to express results if communication is poor.
    • Lack of validation of controls if assurance is not risk-based.
    • Missed emerging risks if the approach lacks insight and proactivity.
    • Limited value added if organizational improvement is not promoted.

Definition of Internal Auditing

  • The Definition is mandatory guidance and key to understanding the role.
  • Definition of Internal Auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  • The strategic focus is aligned with stakeholder expectations.
  • Six significant ways to view internal auditing:
    • Independent and objective activity.
      • Independence = freedom to determine scope, perform work, and communicate results.
      • Objectivity = unbiased, allowing value-added analysis and recommendations.
    • Explicit recognition of the consulting role.
      • Proactive, customer-driven approach to governance, risk management, and control.
    • Designed to “add value and improve an organization’s operations”.
      • Expectation that the activity will add value.
    • Focuses on the whole organization’s objectives.
      • Auditors must understand strategic objectives.
    • Delivers services with a systematic, and disciplined approach.
      • A standards-based profession.
    • Charges internal auditors with a broad role in governance and risk management processes.
      • Controls manage risk and promote effective governance.
  • Internal auditing differs from external auditing because external auditing serves third parties requiring reliable financial information.
  • Distinctions between internal and external auditors and other review functions:
    • External auditors / financial auditors solely attest financial reports.
      • Historical, critical for third-party decisions on investments and debt.
    • Compliance reviewers determine adherence to laws, regulations, standards, policies or procedures.
      • Report results of the compliance.
    • Regulators review compliance with regulations, overall safety, and soundness.
      • Work for regulating bodies.
    • Government auditors provide assurance regarding program requirements, performance, budget reviews, and management audits.
      • Typically work for government departments or agencies.

The Standards

  • The Standards are principle-based, mandatory requirements.
  • Statements of core requirements for professional internal auditing practice.
  • Interpretations clarify terms or concepts.
  • Two main Standard categories:
    • Attribute Standards address the attributes of organizations and individuals performing internal auditing.
    • Performance Standards describe internal auditing nature and quality criteria.
  • Attribute and Performance Standards apply to all internal audit services.
  • Implementation Standards expand upon existing Standards for assurance (.A) or consulting (.C) services.
  • "Must" specifies unconditional requirement.
  • "Should" expects conformance unless professional judgment justifies deviation.

Purpose, Authority, and Responsibility

  • Attribute Standard 1000 requires a formally defined internal audit charter.
  • Charter must be consistent with the Mission of Internal Audit and the mandatory IPPF elements.
  • The chief audit executive (CAE) must periodically review the charter and present it to senior management and the board for approval.
  • Creating understanding allows internal audit to best support organizational goals, strengthen internal controls, and enhance corporate governance.
  • Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity:
    • Purpose
      • Provide risk-based and objective assurance, advice, and insight.
      • Support organizational objectives by bringing a systematic approach to evaluate governance, risk management, and control.
      • Determine if governance, risk management, and control are in place and are functioning properly
      • Communicate improvement opportunities and risk exposures.
      • Add value and improve organization’s operations.
    • Authority
      • Provide appropriate unfettered access to records, personnel, and physical properties.
      • Maintain full and open access with the audit committee, board of directors, or other governing authority.
      • Secure necessary internal and external resources to accomplish audit activity objectives as planned.
    • Responsibility
      • Document the objectives and scope of the engagement as well as the methodology to be used.
      • Ensure that internal audit activity staff have sufficient knowledge, skills, experience, and/or professional certifications to fulfill the engagement charter.
      • Communicate the results of the internal audit activity or other matters that the chief audit executive determines necessary to senior management, the audit committee, the board, or other governing body of the organization.
      • Consider the coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.
      • Do not perform management activities.
  • The internal audit charter is critical for purpose, authority, independence, objectivity, reporting structure, and responsibility.
  • The CAE is responsible for managing the internal audit activity, creating and reviewing the audit charter, and presenting it for board approval.
  • Duties of the CAE are the duties of the internal audit activity as a whole.
  • The board maintains internal audit independence.
  • The board directs/oversees activities and holds senior management accountable.
  • May refer to an audit committee.
  • If a board or audit committee does not exist, the term may refer to the head of an organization.

Internal Audit Charter Requirements

  • Charter provides a statement of purpose, authority, and responsibility for review and acceptance by management and approval by the board.
  • The CAE reviews the IPPF.
  • Charter must recognize the mandatory guidance in the internal audit charter (Core Principles, Code of Ethics, the Standards, and the Definition of Internal Auditing).
  • The CAE reviews the charter periodically with senior management and the board.
  • The CAE may make statements that use language from applicable standards, such as 1010, directly to recognize IPPF elements.
  • Once adopted, the CAE monitors the IIA’s Mandatory Guidance and discusses changes with the board.
  • Elements of the Internal Charter include:
    • Introductory section explains the overall role and professionalism; includes IPPF elements from the IPPF.
    • Authority section specifies full access to records, property, and personnel; includes organization and reporting structure.
    • Independence and Objectivity section describes integrity and objectivity maintenance.
    • Responsibilities section lays out areas of ongoing responsibility; engagement scope may be listed separately.
    • Quality Assurance and Improvement Program section describes expectations for development, maintenance, evaluation, and communication.
    • Signatures indicating agreement among the CAE, board representative, and the administrative reporting line.

Assurance versus Consulting

  • Internal auditors provide assurance and consulting (advisory) services.

  • Assurance services: Objective examination of evidence for an independent assessment on governance, risk management, and control processes.

    • Examples: financial, performance, compliance, system security, and due diligence engagements.

  • Consulting services: Advisory and related client services intended to add value and improve governance, risk management, and control processes without assuming management responsibility.

    • Examples: counsel, advice, facilitation, and training.

  • Attribute Standard 1000 referenced in Standards listed below

  • Standard 1000.A1: Nature of assurance services must be defined in the internal audit charter, including for external parties.

  • Standard 1000.C1: Nature of consulting services must be defined in the internal audit charter.

  • Assurance involves objective assessment of evidence to provide an opinion on an entity, operation, function, process, system, or other subject matter.

    • 3 parties: client, internal auditor, and user/stakeholder.
    • Nature and scope are determined by the internal auditor.

  • Consulting services are advisory and performed at the request of a client.

    • 2 parties: internal auditor and engagement client.
    • Nature and scope are agreed upon with the client.

  • Assurance services are at the core of internal auditing; internal audit has the knowledge of the organization and the independence.

  • Assurance work makes up the majority of internal audit activities.

    • Financial, performance, compliance, system security, due diligence, and strategic.

  • Consulting services include advisory activities to improve governance, risk management, controls and compliance, for example:

    • Advisory consulting engagements: advice on control design, policies, risk management, and solutions.
    • Training consulting engagements are educational in governance, risk management, and internal control.
    • Facilitative consulting engagements facilitates risk assessment, control self-assessment, and task forces.

  • Consulting may range from formal engagements defined by written agreements to informal activities participating in committees, or project teams.

  • Consulting activities include:

    • Business process improvement
    • Risk and control self-assessment
    • Continuous monitoring of controls
    • Internal control review
    • Operational readiness (product launch, new service or system)
    • Governance principles and practices
    • Forensic audits
    • Ethics training
    • Internal control training
    • Participation on committees

  • A consulting engagement should never circumvent assurance requirements.

  • Services once conducted as assurance may be performed as consulting if deemed appropriate.

  • Blended Engagements: Assurance and consulting services are not mutually exclusive.

  • Blended engagements consolidate elements of assurance and consulting activities.

  • Ensure no conflicts exist, especially involving independence, objectivity, or related to roles and responsibilities.

IIA Code of Ethics

  • The IIA’s Code of Ethics key components include integrity, objectivity, confidentiality, and competency.
  • The Code of Ethics promotes an ethical culture in internal auditing.
  • Includes: Principles relevant to the profession and practice of internal auditing, and Rules of Conduct describing behavior norms expected of internal auditors.
  • The Code of Ethics applies to entities and individuals performing internal audit services that extends beyond the Definition of Internal Auditing.
  • It is important for the CAE to uphold the Code of Ethics.
  • Failure to mention conduct in the rules of conduct does not prevent the conduct from being unacceptable.
  • Integrity:
    • Establishes trust and provides the basis for reliance on judgment.
    • Rules of Conduct state that internal auditors:
      • Perform work with honesty, diligence, and responsibility.
      • Observe the law and make disclosures expected by law and the profession.
      • Not be a party to illegal activity or discreditable acts.
      • Respect and contribute to the organization’s ethical objectives.
    • The CAE cultivates a culture of integrity and requires agreement to the Code of Ethics, provides training, proper supervision, and a supportive environment.
    • Individual auditors are expected to tell the truth and do the right thing.
  • Objectivity:
    • Exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information.
    • Balanced assessment not unduly influenced by their own or others’ interests.
    • Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
    • Rules of Conduct state that internal auditors:
      • Not participate in activities that may impair unbiased assessment.
      • Not accept anything that may impair professional judgment.
      • Disclose all material facts that may distort the reporting of activities under review.
    • The CAE creates policies regarding gifts and disclosures of conflicts of interest.
    • Auditors pursue objectivity with a balanced assessment, avoiding influence and conflicts of interest.
    • The Standards provide a systematic approach assisted by ensuring objectivity.
  • Confidentiality:
    • Respect the value and ownership of information and do not disclose it without authority unless legally or professionally obligated.
    • Rules of Conduct indicate that internal auditors:
      • Shall be prudent in the use and protection of information.
      • Shall not use information for personal gain or contrary to law/ethics.
    • Information includes data in physical and electronic form.
    • Confidentiality protects information from unauthorized individuals.
    • Internal auditors should understand confidentiality laws and regulations, and organizational policies.
    • The CAE consults legal counsel, implements aligned policies, discusses confidentiality in meetings, and emphasizes its practice.
    • Auditors comply with the Rules of Conduct and should not use insider knowledge for personal gain.
  • Competency:
    • Apply the knowledge, skills, and experience needed to perform internal audit services.
    • Rules of Conduct indicate that internal auditors:
      • Shall engage only in services for which they have the necessary knowledge, skills, and experience.
      • Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
      • Shall continually improve their proficiency, effectiveness, and quality of service.
    • The CAE ensures the competency of the activity, the individual, and conformance to standards.
    • The CAE inventories skills and experience aligns with needs, and addresses gaps via training, rotation, guest auditors, and outsourcing.
    • The CAE should develop policies and procedures that include regularly reviewing individual performance and should encourage educational and training opportunities when possible.
    • Auditors regularly assess themselves, seek feedback, and build competencies via education, mentorship, and supervised work.
    • Individual internal auditors are responsible for acting to gain necessary continual development hours and awareness of any credentials held.

Section B: Independence and Objectivity

  • Organizational independence and individual objectivity are crucial.

Organizational Independence

  • The CAE reports to a level allowing fulfillment of responsibilities and confirms organizational independence to the board annually.
  • Independence is “the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.”
  • Assigned roles and responsibilities for internal audit vary by organizational size, type of operations, capital structure, legal and regulatory environment.
  • Effective independence requires CAE reporting functionally to the board.
    • Examples:
      • Board approves the internal audit charter.
      • Board approves the risk-based internal audit plan.
      • Board approves the internal audit budget and resource plan.
      • Board receives communications from the CAE on the internal audit activity’s performance relative to its plan and other matters.
      • Board performs the evaluation and compensation of the CAE.
      • Board performs the appointment and removal of the CAE.
  • The internal audit activity must be free from interference determining scope, work, and communicating results, per 1110.A1.
  • The CAE must disclose such interference to the board and discuss the implications.
  • Functional oversight requires the board to create the right working conditions.
  • The board monitors ability of the internal audit activity to operate independently.
  • The IIA recommends the CAE report administratively to the CEO as a senior position with authority.
  • The charter will reflect the results of discussions between the CAE, the board, and senior management.
  • Attribute Standard 1111, “Direct Interaction With the Board” requires interactions with the board.
  • The CAE has a direct functional reporting relationship with the board or audit committee.
  • Such relationships allow the CAE to absorb business developments and raise issues early.
  • A private meeting with the board, without senior management, should be formally conducted at least annually.
  • Absence of direct board access means sharing Standard 1111, governance recommendations, and best-practice studies.
  • CAEs may consider written communications until a direct line is available.
  • The board and senior management play major roles in setting the tone/substance of the internal audit activity.
  • The internal audit activity must be independent, and internal auditors must be objective in performing their work, per Standard 1100.
  • Independence is viewed as an attribute of the activity while the individual has objectivity.
  • Objectivity requires internal auditors not to subordinate judgment to others.
  • The CAE ensures that staff are not placed in situations where objective judgments are undermined; potential conflicts of interest and assignments are monitored.
  • Consulting with others and an internal policy manual describe expectations for objectivity.
    • CAEs will hold routine workshops or training on fundamental concepts.
  • It is recommended the CAE not have operational responsibilities beyond internal audit.
  • Safeguards must limit impairments to independence and objectivity per Attribute Standard 1112, for example:
    • Senior management has another assurance provider perform the audit rather than an internal auditor.
    • The board or audit committee provides frequent oversight of responsibilities.
    • Alternate processes are developed to obtain assurance in additional areas.

Impairments to Independence

  • Independence may be hindered by an individual’s personal impairments and caused issues stemming from conflict of interest, as well as structural/operational limits caused by reporting structures and resource limitations.
  • Details of organizational independence and objectivity are disclosed to appropriate parties per Attribute Standard 1130.
  • This gives auditors opportunity to fulfill the service and provide audit information, while customers decide on reliance, as well as making disclosure before accepting consulting engagements, in 1130.C2.
  • Examples:
    • Personal conflict of interest
    • Scope limitation
    • Restrictions on record, personnel, and property access/resource limits.
    • Assurance services provided after consulting engagements.
  • Internal auditors must consider stakeholder conditions that undermine independence or objectivity.
  • The CAE has broader functional responsibility than internal audit and executes an audit of a functional area that is also under the CAE’s oversight.
  • The CAE must maintain open communications with the board and senior management regarding the importance
    for auditor independence and objectivity.
  • In areas where auditors may have been given operational responsibilities,
    the CAE should provide various alternatives for how those areas might be audited.
  • In organizations where close working relationships are expected,
    engagements should always be performed with objectivity in mind.
  • When issuing a report where independence or objectivity could
    not be achieved at an acceptable level, the CAE must disclose that
    fact in the audit report, including the reasons and the related impact.

Individual Internal Auditor’sObjectivity

  • The internal audit activity should monitor and promote objectivity for individual internal auditors including compensation and promotion policies.
  • Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
  • Internal policy manuals, training records, and signed acknowledgment forms could be compared to engagement workpapers.

Policies Promoting Objectivity

  • Policies promoting objectivity within the internal audit activity are rooted in the internal audit charter such as dictating that internal audit is independent and objective.
  • threats to objectivity may stem from:
    • Self-review: reviewing one’s own work.
    • Social pressure: pressure from relevant groups.
    • Economic interest: major and direct stake in performance.
    • Personal relationship: close friend or relative with audit customer.
    • Familiarity: a long term relationship with the audit customer.
    • Cultural, racial, and gender biases: biased against those differences.
    • Cognitive biases: unintentional psychological bias.

Section C: Proficiency and Due Professional Care

  • Covers skills, knowledge, and competencies needed to fulfill responsibilities. Covers CAE responsibilities for necessary proficiency and ability to perform engagements.

Knowledge, Skills, and Competencies

  • Attribute Standard 1200 requires proficiency and due professional care, due understanding of the IPPF, Code of Ethics, organization-specific policies.
  • Proficiency refers to knowledge, skills, and competencies by individual for professional responsibilities.
    • To enable relevant advice and recommendations, proficiency encompasses:
      • Current activities, trends, emerging issues.
    • The CAE may help ensure the activity’s proficiency through continuing professional development from professional conferences and seminars, and encouragement to pursuit of professional certifications.
  • Implementation Standard 1220.A1 discusses what must be considered when exercising due professional care such as considering compliance and best practices in code of ethics.
  • The CAE is responsible for whole’s conformance with Standard 1200 by policies and procedures that enable performance with proficiency and due care, and use, or a similar benchmark, to establish criteria to assess proficiency to create job descriptions, inventory of needed competencies, develop strategy; align resources, allocate staffing training for skill gap.

Knowledge and Competency

  • Attribute Standard 1210 describes internal competencies (skills, knowledge, experiences).
  • Individual internal auditors: possess knowledge, skills, and other competencies needed to perform their individual responsibilities.
  • Internal audit activity: collectively possesses or obtains the knowledge, skills, and other competencies to perform its responsibilities, by means of: training, staff rotation or outside resources.
  • The IIA’s Global Internal Audit Competency Framework defines core competencies for all occupational levels for self-assessment.
  • The CAE develops assessments/skills based on the framework for competency gaps regarding frauds, IT as well, which may be filled through hiring, training, outsourcing to encourage progress:
    *on-the-job training
    *attendance at professional seminars and conferences
    *pursuit of professional certifications
  • CAE must decline or pursue the latter options for consulting engagements

Due Professional Care

  • Demonstrating Due Professional Care in the Internal Audit Activity through continuing the level of skill and expertise to perform duties ( education, training, certifications). The auditor should additionally understand and act per the guide.
  • Due professional care, as applied by obtaining education, experience, certifications, and training helps internal auditors develop the level of skill and expertise required to perform their duties with due professional care. This is also achieved thru the IIA guide
  • Individuals understand and follow the mandatory guidance.
  • Mandatory Guidance of the IPPF (Standards, Code of Ethics, etc) required
  • At the engagement level, requires comprehending the objectives and scope, competencies, policies and procedures of IA activity and organization.
  • By following the systematic and disciplined approach of the IPPF and activity, professionals apply due professional care. It is not a guarantee that all significant risks will be identified, Internal standards 1220.A1.
  • The CAE typically develops tools, metrics, and processes to assess individuals, and the team

Continuing Professional Development

  • Attribute Standard 1230 - demonstrate continual growth by enhancing skills in performance, education of professional policies.
  • Individual-reflect their job roles, internal policies, education requirments,feedback, and to build up skills through actions such as self analysis, training, coaching, workshops and conferences
  • The CAE may improve skill sets via support for certification opportunieis, internal auditor guidance, knowledge and training for professional development.

Section D: Quality Assurance and Improvement Program

  • The mandatory requirement for the internal audit activity to develop and periodically perform QAIP processes.

QAIP Required Elements

  • Quality requires the internal audit activity to apply appropriate quality assurance and an improvement program, as mandated by Standard 1300.
  • QAIP is a quality assurance and improvement program.
  • QAIP scopes are limited to mandatory IPPF elements.
    * The assessor can recommend but are not mandatory.
    *The standard designed for the activities’ allowance of assessment , if Internal Audit maintains to the definition:
    *evaluates whether IA applies to Code of Ethics
    * embed the concept of developing IA and quality operations
    *CAE aware of change needs to be communicated for internal activities
    * QA measures must be evaluated, add overall or operational value, improve operations and contribute to the attainment of standards
    *Implementation of Standard 1300: The CAE ensures requirements relating to internal and external assessments, proper conformance statement are addressed using 5 essential components.

Reporting QAIP Results

  • The report demonstrates a standard (QAIP) that the CAE shows top management to ensure results are accurate including: scope, assessor independance and qualifications , corrections of action plans etc.
  • As part of reporting to the Senior Board, the CAE confirms qualifications
    *It is important to consider the external assessment, as potential
    potential or perceived conflicts of interest should be reported
    *The CAE may be seen as a source for all opinion/ spectrum assessment of the work
    Assessment Scales include degree of the report