definition of internal auditing


Upload: hossainmz

Post on 01-Oct-2015


  • Definition of Internal Auditing

    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the Accuracy + effectiveness of risk management, control, and governance processes. (So the internal audit activity can best be described as assurance and consulting.)

    The review for adequacy determines whether control processes exist that are properly planned and

    designed.

    The review for effectiveness determines whether management has directed processes to provide

    reasonable assurance that goals and objectives will be achieved.

    Code of Ethics Gleim 21: 87 page 9:47

    Outlines the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. (Promote an ethical culture among professionals who serve others.)

    An organization's code of ethical conduct is the established general value system the organization wishes to apply to its members' activities by communicating organizational purposes and beliefs and establishing uniform ethical guidelines for members, which include guidance on behavior for members in making decisions.

    The code of conduct should contain provisions for disciplinary action in the event of violations to enhance its effectiveness.

    The absence of a formal code of ethics does not preclude a successful review of ethical behavior in an organization. Policies and procedures may provide the criteria for such an engagement.

    The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable. Consequently, it is reasonable to infer that individual judgment is necessary in the application of the principles, and to take action that is consistent with the principles embodied in The IIA's Code of Ethics.

    Rules of Conduct

  • Rule of Conduct 1.2 under the integrity principle states, "Internal auditors shall observe the law and make disclosures expected by the law and the profession." Thus, auditors must comply with subpoenas.

    When apparent violations of antitrust statutes by officers come to the internal auditor's attention, (s)he should report to the board of directors rather than directly to the government regulators.

    Rule of Conduct 2.1: Serving as a consultant to competitors or suppliers might create a conflict of interest. But relationships with professional organizations are not likely to create a conflict of interest.

    Rule of Conduct 2.2 under the objectivity principle, preparing a personal tax return for a division manager for a

    fee falls under this prohibition.

    Writing a tax guide for sale to the general public is unlikely to impair the internal auditor's professional judgment.

    Teaching an evening tax seminar is unlikely to impair the internal auditor's professional judgment.

    Engaging in a public service separate from the interests and activities of the organization is unlikely to

    impair professional judgment.

    Rule of Conduct 2.3 under the objectivity principle states, "Shall disclose all material facts known to them."

    For example: the management override of an important control over approval of transaction X created a material risk exposure. The internal auditor is ethically obligated to report the matter to senior officials charged with performing the governance function.

    For example: an engagement at a foreign subsidiary disclosed payments to local government officials in return for orders. The IIA's Code of Ethics suggests that an internal auditor in such a case inform appropriate organizational officials.

    If an employee asks the internal auditor not to mention his name: an internal auditor cannot guarantee anonymity. Information communicated to an internal auditor is not deemed to be privileged. (Gleim #56 page 27)

    Example 1: The chief audit executive is aware of a material inventory shortage caused by internal control deficiencies at one manufacturing plant. The shortage and related causes are of sufficient magnitude to affect the external auditors' report. Based on The IIA's Code of Ethics, the CAE's most appropriate course of action is to discuss the issue with management and take appropriate action to ensure that the external auditors are informed. The CAE should share information and coordinate activities with the external auditors.

    Example 2 Through an engagement performed at the credit department, the chief

    audit executive (CAE) became aware of a material misstatement of the year-end

    accounts receivable balance. The external auditors have completed their engagement

    without detecting the misstatement. The CAE should inform the external auditors of

    the misstatement (share information and coordinate activities with the external

    auditors).

    The internal auditor should inform the appropriate authorities in the organization if the indicators of the commission of a fraud are sufficient to recommend an investigation. Hence, the internal auditor has a duty to act even though the available facts do not prove that an irregularity has occurred. Moreover, Rule of Conduct 2.3 states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review."

  • Discussion of sensitive matters with an unauthorized party is the situation most likely to be considered a Code

    violation.

    It is permissible to disclose confidential, engagement-related information that is potentially damaging to the organization in response to a court order.

    If a staff internal auditor has violated Rule of Conduct 3.2 regarding use of information, the most appropriate way for the CAE to deal with this problem is to inform the IIA's Board of Directors and take the personnel action required by organizational policy.

    If senior management permits the omission, the internal auditor is not guilty of failing to disclose material

    facts.

    Rule of Conduct 4.1, internal auditors may not have, and are not expected to have, knowledge equivalent to

    that of a person whose primary responsibility is to detect and investigate fraud.

    All internal auditors need not be proficient in all areas. The internal audit activity as a whole should

    have an appropriate mix of skills.

    Rule of Conduct 4.2: for internal auditors who are members of The Institute, The IIA's Code of Ethics is enforceable against them even though they are not CIAs.

    Why does The IIA's Code of Ethics in Rule of Conduct 4.2 require that due professional care be used in obtaining information to support an engagement opinion?

    Because sufficient, reliable, relevant, and useful information lends credibility to the opinion.

    Rule of Conduct 4.3: Both The IIA's Code of Ethics and the Standards are violated by failing to earn continuing education credits.

    The IIA has identified four purposes of the Standards. They are to:

    Outline basic principles that represent the practice of internal auditing.

    Promote a broad range of value-added internal audit activities.

    Establish the basis for the evaluation of internal audit performance.

    Foster (support) improved organizational processes and operations.

    Attribute Standards (1000 to 1322)

    Purpose, Authority, and Responsibility (1000)

    Independence and Objectivity (1100)

    Proficiency and Due Professional Care (1200)

    Quality Assurance and Improvement Program (1300)

  • Standard 1000: Purpose, Authority, and Responsibility

    The purpose, authority, and responsibility of the internal audit activity must be formally defined in an

    internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the

    Standards. The chief audit executive must periodically review the internal audit charter and present it to

    senior management and the board for approval.

    The objective of internal audit is to promote effective control at a reasonable cost.

    The internal auditor's responsibilities with respect to the internal control system include:

    Testing individuals' compliance with controls to determine whether policies and procedures established by management are being followed.

    Examining and evaluating the adequacy and effectiveness of the control system.

    Examining and evaluating the reliability and integrity of financial and operating information.

    Examining and evaluating the effective and efficient use of an entity's resources.

    Reviewing the means used to safeguard assets and verifying the existence of those assets.

    Organizational Status of the Internal Audit Activity

    The internal audit function must report to the board of directors through the audit committee.

    It needs to be supported by both the audit committee and the board in order to make sure that those who are audited cooperate with it.

    The internal audit department must have organizational independence (not have any direct relationships with the

    departments it will be auditing).

    The Internal Audit Charter

    The charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities (Inter. Std. 1000). Thus, the charter prescribes the internal audit activity's relationships with other units within the organization and with those outside.

    This charter should be written by (and periodically reviewed by) the Chief Audit Executive (CAE), approved by

    senior management and the board or audit committee, and communicated to engagement clients.

    The charter should define the following items in respect to the IAA:

    The scope of the services and work to be performed

    The objectives of the internal audit activity

    The authority that the internal audit activity has to access records, personnel, and physical properties in the organization

    The accountability of the internal audit activity

    The responsibility of the internal audit activity

    The director of the internal audit department (the Chief Audit Executive, or CAE) should report to the Chief Executive Officer (CEO) or board of directors. (The accounting department, chief accountant, or finance director would not normally be an appropriate level to report to.)

    The CAE should review the document at least annually (and more often as circumstances may require) to ensure that it continues to address the needs and issues facing the organization.

    The Audit Committee

    The audit committee is normally a subcommittee of the board of directors. The audit committee receives reports

    and communications from both the external auditors and internal auditors, and it should promote their views to

    the board as a whole.

    The members of the Audit Committee should be independent non-executive directors (they do not have a role in the day-to-day running of the company and do not have any financial interest in or other relationship with the company).

    A written charter, approved by the board of directors, should detail the audit committee's powers, duties, and responsibilities.

    Duties and responsibilities of the audit committee are:

    To ensure that the external auditors are completely independent of the company.

    To review and discuss with management and the external auditor the effects of changes in accounting standards.

    To appoint or replace the external auditor, who shall report directly to the Audit Committee.

    Reviewing the strategy, activity, and work plan of the internal audit activity, ensuring that it has sufficient staff and resources to function as planned.

    Reviewing evaluations of risk management, control, and corporate governance reported by auditors.

    Receiving copies of all external and internal audit reports and communications, and also management's responses to them.

    To act as a mediator between management and auditors when there is a difference of opinion.

    To ensure that the company complies with all laws and regulations.

  • Standard 1100: Independence and Objectivity Gleim 102: 163 page 54:47

    Confidence in the internal audit activity derives from independence (an attribute of the internal audit activity as a whole), and objectivity (an attribute of individual internal auditors).

    Organizational Independence

    Direct Interaction with the Board

    The chief audit executive must communicate and interact directly with the board.

    Direct interaction with the board occurs when the CAE:

    Regularly attends and participates in board meetings that relate to the board's oversight responsibilities for auditing, financial reporting, organizational governance and control, or

    Meets privately with the board, at least annually (without management present).

    Individual Objectivity

    Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

    The timing of assessments and the maintenance (not management, maximization, or prioritization) of individual objectivity on the part of internal auditors is at the discretion of the CAE, not annually (by internal auditors avoiding conflicts of interest).

  • Impairments to Independence or Objectivity

    If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

    If impairment arises during an engagement, it must be reported immediately to the manager of the engagement so that the

    situation can be addressed or eliminated (needs to be communicated, preferably in writing, to the board).

    The internal auditors must be able to distinguish carefully between a scope limitation and other limitations.

    It's also important to remember that the internal auditor's objectivity is not considered impaired when the auditor:

    Recommends standards of control or areas for consideration.

    Reviews procedures before they are implemented.

    Determines whether the process has senior management's support.

    Develops audit plans for the new system.

    Evaluates risk exposures of systems.

    However, objectivity is considered to be impaired if the auditor:

    Designs, installs, drafts procedures for, or operates (implements) the redesigned process.

    The following activities undertaken by the internal auditor, or facts, by themselves might be in conflict with the standard of independence:

    The CEO accused the new auditor of not operating in the best interests of the organization.

    The majority of audit committee members come from within the organization.

    The internal audit activity's charter has not been approved by the board.

    The following activities undertaken by the internal auditor, or facts, by themselves might not be in conflict with the standard of independence:

    Risk management consultant.

    Ethics advocate.

    External audit liaison.

    The following factors have the amount of influence when judging an internal audit activity's independence?

    Criteria used in making internal auditors' assignments.

    Relationship between engagement records and engagement communications.

    Impartial and unbiased judgments.

    A formal document (charter) approved by the board that defines the internal audit activity's purpose, authority, and responsibility enhances its independence.

  • Standard 1200: Proficiency and Due Professional Care

    Proficiency Gleim Q 164:195

    Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.

    The internal audit activity collectively must possess or obtain certain competencies, including proficiency in

    internal audit procedures and techniques. (Only if internal auditors work extensively with financial records

    and reports must they have proficiency in accounting principles and techniques.)

    The internal audit activity collectively must possess or obtain certain competencies, including an

    understanding of Management principles to recognize and evaluate the materiality and significance of

    deviations from good business practice.

    The internal audit activity collectively must possess or obtain certain competencies, including an appreciation of the fundamentals of business subjects, such as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology, risk management, and fraud.

    Internal auditors must also be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations (PA 1210-1, Para. 1).

    The risk assessment used in selecting the area for investigation is not necessarily a matter that must be communicated to the engagement client.

    The most appropriate preventive measure for staff communication problems with engagement clients is to provide staff with sufficient training to enhance communication skills, not to avoid unnecessary communication with engagement clients.

    Obtaining Services to Support or Complement the Internal Audit Activity

    If the internal audit staff does not have the needed skills and competencies to perform an engagement, the

    CAE must either decline the engagement or go outside the IAA (External service providers) or organization to

    get those skills.

    The catalog of engagements for which organizations may use outside service providers includes:

    Valuations of assets (both tangible and intangible)

    Determination of physical amounts (oil reserves)

    Mergers and acquisitions

    Various audit engagements that require specialist knowledge (such as tax questions and fraud)

    In the assessment of the external party, the CAE should consider, among many things, the following:

    The relevant professional certifications

    Membership in a professional organization

    Experience in similar situations

    Reputation

    Education and training in the area that they will be engaged in

    Knowledge of the business and industry

    Contacting others familiar with the ESP's work.

    The CAE also needs to consider the independence and objectivity of the expert in respect to the engagement.

    Note: Experts that work directly for the engagement client should almost never be used because of the

    lack of objectivity of that party in the performance of their work.

  • If the expert is the external auditor, the CAE will need to be certain that this work is not part of the financial statement audit, so that it will not impair the external auditor's independence for the financial statement audit.

    Any tasks performed by an outside expert must be reviewed by either the CAE or another internal person.

    The CAE does not need to be able to perform the technical work of the expert, but the CAE should assess whether or not the work done and conclusions drawn were reasonable, unbiased, and address all of the issues of the engagement.

    Each member of the internal audit activity need not be qualified in all disciplines.

    Due Professional Care Gleim Q 196:213

    Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal

    auditor. Due professional care does not imply infallibility or extraordinary performance.

    Internal auditors are not expected to perform a detailed review of every statement or document they receive,

    but they are expected to examine and verify the documents as appropriate (This means that the more material

    items will be examined and tested in more detail than immaterial items.)

    It requires the internal auditor to conduct examinations and verifications to a reasonable extent.

    Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist.

    As part of assessing documents and information, internal auditors should always consider the possibility of

    intentional errors on the part of others (such as fraud), inefficiencies, waste, and conflicts of interest.

    (= Considering the possibility of nonconformance or material irregularities at all times during an engagement.)

    An internal auditor may have judged an item to be immaterial when planning an assurance engagement. However, the assurance engagement may still include the item if it is subsequently determined that adverse effects related to the item are likely to occur.

    To ensure that they are exercising due professional care, internal auditors should:

    Understand the complexity, materiality, and significance of matters that they will be addressing in the engagement.

    Consider the extent of work needed to achieve the engagement's objectives.

    Understand the adequacy and effectiveness of risk management, control, and governance processes.

    Assess the probability of significant errors, irregularities, or noncompliance.

    Inform the engagement manager of the suspicions and ask for advice on how to proceed.

    Be alert to conditions most likely indicative of irregularities.

    Balance the costs of the work and the benefits of the work.

    o To prevent or detect significant fraud, the internal auditor should review

    Large, abnormal, or unexplained expenditures.

    Sensitive expenses.

    Unusual contributions.

    But not review every control feature pertaining to, for example, petty cash receipts.

    If an internal auditor has some suspicion of, but no information about, potential misstatement of financial statements, the internal auditor fails to exercise due professional care by not testing for possible misstatement because the engagement work program had already been approved by engagement management.

    The internal auditor does not need the engagement client's approval to expand the engagement work program.

    For consulting services, the internal auditor should consider the following:

    The needs and expectations of clients including the nature, timing, and communications of engagement

    results.

    The relative complexity and extent of work needed to achieve the engagement's objectives (professional skills and resources)

    Cost/benefit analysis of the engagement

  • Standard 1300: Quality Assurance and Improvement Program Gleim Q 213: 231 page118

    The Chief Audit Executive (CAE) must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

    The quality assurance and improvement program must include both internal and external assessments.

    These internal and external assessments reassure the company stakeholders (that is, top management, audit

    committee, and external auditors) about the competency of the services the IAA is providing to the

    organization.

    Assessments should include evaluations of:

    Compliance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, and with applicable laws, regulations, or industry standards.

    Adequacy of the IAA's charter, objectives, policies, and procedures.

    The extent to which the internal auditing activity adds value and improves the organization's operations (= contribution to the organization's governance processes).

    The results of these assessments are provided to the stakeholders of the activity (such as senior management,

    the board, and external auditors).

    Internal Assessments

    Carried out periodically (Annually) to assure the CAE that subordinates are complying with the

    Standards and other applicable criteria.

    The internal audit assessment must include an ongoing review of performance of the internal audit

    activity, as well as a periodic review of the program through self-assessment or from an independent

    person within the organization who is familiar with the internal auditing program.

    o Ongoing Reviews are the conclusions and follow-up actions that should be taken to assure that appropriate improvements are implemented. (Supervision of an internal auditor's work, performed throughout each audit engagement, is one of the tools used in ongoing internal assessments.)

    *Ongoing reviews may be conducted through the following processes and tools:

    Supervision of the internal auditor's work.

    Checklists to provide assurance that processes adopted by the audit activity are being followed.

    Analyses of performance metrics (for example, cycle time and recommendations accepted).

    Feedback from audit customers and other stakeholders.

    Project budgets, timekeeping systems, audit plan completion, cost recoveries.

    *To evaluate the quality of engagement planning, the team will examine written engagement work programs (selective peer reviews of working papers by staff not involved in the respective audits).

    *The results of ongoing monitoring are communicated at least annually to senior management and the board.

    o Periodic Reviews should be designed to assess compliance with the activity's charter, the Definition of Internal Auditing, the Code of Ethics, and the Standards.

    Periodic internal assessment may:

    Include more in-depth interviews and surveys of stakeholder groups.

    Be performed by members of the IAA (that is, self-assessment).

    Include benchmarking of the IAA practices.

    Encompass a combination of self-assessment and preparation of materials subsequently reviewed by CIAs, or other competent audit professionals, from elsewhere in the organization.

    The results of periodic internal assessments are communicated upon their completion (not annually).

    Ordinarily, those conducting internal quality program assessments report to the CAE.

    External Assessments

    External assessments must be conducted at least once every five years by a qualified, independent

    reviewer or review team from outside the organization.

    An external assessment will probably not be able to look at all of the cost/benefit analyses necessary

    to determine if the IAA is in fact profitable to the company.

    During the review, an external assessor will tend to focus on:

  • o The objectives, policies and procedures of the IAA.

    o The methods and work programs of the IAA

    o The skills and work performed by the individuals in the IAA

    o The expectations of the internal audit activity expressed by the board, senior management, and

    operational managers

    o Whether or not the IAA adds value and improves the operations of the organization.

    Practice Advisory 1312-1 (External Assessments) lays out two approaches for conducting an external

    assessment. The first approach is to have a full external assessment conducted by an external assessor

    or review team.

    The second approach is self-assessment with independent validation.

    o Full external review might not be appropriate or necessary. For example, the IAA:

    May be in a business or industry that is subjected to strict regulations and supervision.

    May have been recently subjected to an external review or consulting.

    May be otherwise subject to extensive external oversight and direction relating to governance and internal controls.

    o After the self-assessment has been completed under the direction of the CAE, a draft report, similar to that for an external assessment, is prepared that should include the CAE's assessment of its conformance with the Standards.

    o The external assessor then performs sufficient tests of the self-assessment to validate the results and express an opinion on the level of the activity's conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

    o As part of the independent validation, the external assessor will do the following:

    Review the draft report and attempt to reconcile unresolved issues (if any).

    If the external assessor agrees with the evaluation, he or she might include additional wording to the report (if needed).

    If the external assessor disagrees with the evaluation, he or she would add dissenting wording to the report, specifying the points of disagreement with it and, to the extent appropriate.

    The chief audit executive must communicate the results of the quality assurance and improvement

    program to senior management and the board.

    The Quality Assurance and Improvement Program (QAIP) analyzes the work of the IAA and makes recommendations for improvement, if appropriate.

    External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum of assurance and consulting work performed (or that should have been performed under its charter), including (but not limited to) conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. An external assessment also includes, as appropriate, recommendations for improvement.

    The chief audit executive may state that the internal audit activity conforms with the International

    Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance

    and improvement program support this statement.

    When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the

    overall scope or operation of the internal audit activity, the chief audit executive must disclose the

    nonconformance and the impact to senior management and the board.

    The results of external assessments are communicated upon their completion.

    Note

    The chief audit executive should develop and maintain a quality assurance and improvement program (his responsibility) that covers all aspects of the internal audit activity and continuously monitors its effectiveness.

    It includes periodic internal assessment, supervision, and periodic external assessments, but does not include:

    o Annual appraisals of individual internal auditors' performance.

    o Evaluation of the adequacy of the oversight of the work of external auditors.

    If there is a complaint that one of the internal auditors is taking up an excessive amount of client time on an engagement that seems to be lacking a clear purpose, the CAE should examine departmental procedures and the conduct of the specific engagement mentioned to ascertain that proper planning and quality assurance procedures are in place and are being followed.

    Initial use of the conformance phrase by internal auditors is appropriate after an external review completed within the past 5 years.

    Quality program assessments may be performed internally or externally. A distinguishing feature of an external assessment is its objective to Provide independent assurance.