Overview - PowerPoint PPT Presentation

Slides: 60
Provided by: Meli62

Transcript and Presenter's Notes

Title: Overview


1
Overview
Internal Audit: Reviews the effectiveness and efficiency of operations; compliance with laws, regulations, policies, and procedures; achievement of operational/organizational objectives; reliability of information and safeguarding of assets
Compliance Audit: Strictly tests adherence to laws, regulations, standards, and policies and procedures
Financial Audit: Provides an attestation solely on the financial reports and statements generated by an organization
Regulatory Audit: Reviews compliance with specific regulations
Government Audit: Focuses on compliance with programs, performance audits, budget reviews, and management audits
Part 1, Overview
2
Section Topics
  1. Define purpose, authority, and responsibility of
    the internal audit activity
  2. Maintain independence and objectivity
  3. Determine availability of required knowledge,
    skills, and competencies
  4. Develop and/or procure necessary knowledge,
    skills, and competencies collectively required by
    internal audit activity
  5. Exercise due professional care
  6. Promote continuing professional development
  7. Promote quality assurance and improvement of the
    internal audit activity
  8. Abide by and promote compliance with The IIA's
    Code of Ethics

Part 1, Section 1
3
Internal Auditing, Defined
Part 1, Section 1, Introduction
4
International Professional Practices Framework
(IPPF)
Practice Advisories, Practice Guides, Position Papers
Not mandatory (but endorsed and recommended by The IIA)
Part 1, Section 1, Introduction
5
Discussion Question
During an internal audit, the Standards establish
all of the following EXCEPT
  • basic auditing principles.
  • evaluation criteria for audit performance.
  • considerations on how to plan and perform the
    engagement.
  • a framework for a broad range of value-added
    internal audit activities.

Answer C. Approach and methodology (but not
detailed processes and procedures) are covered in
the Practice Advisories.
Part 1, Section 1, Introduction
6
Categories of Standards
  • Apply to all internal audit services and internal
    auditors, individually (organizations and parties
    performing internal audit activities)
  • Provide guidance for the quality of the internal
    audit programs
  • Apply to all internal audit services and internal
    auditors
  • Describe the nature of internal audit activities
  • Provide quality criteria for performance
    evaluation
  • Expand Attribute and Performance Standards
  • Apply to specific engagements

Part 1, Section 1, Introduction
7
Discussion Question
Defining characteristics such as independence and
objectivity or due professional care are covered
in
  1. Attribute Standards.
  2. Performance Standards.
  3. Implementation Standards.
  4. Practice Guides and Position Papers.

Answer A. Attribute Standards describe the
characteristics of organizations and parties
performing internal audit activities.
Part 1, Section 1, Introduction
8
Types of Internal Audit Activity
Assurance Services: An objective examination of evidence for the
purpose of providing an independent assessment on
governance, risk management, and control
processes for the organization
Consulting Services: Advisory and related client service activities,
the nature and scope of which are agreed to by
the client and which are intended to add value
and improve an organization's governance, risk
management, and control processes without the
internal auditor assuming management
responsibility
Part 1, Section 1, Introduction
9
Discussion Question
Which of the following characteristics
differentiates the internal auditor's activity
during assurance and consulting engagements?
  1. Compliance with applicable Standards
  2. Conformance to applicable Standards
  3. Assessment or advisory role
  4. Internal or external expertise

Answer C
Part 1, Section 1, Introduction
10
IIA Guidance and Materials
  • Practice Advisories: Strongly endorsed and
    recommended guidance on best practices for
    performance of the Standards
  • Practice Guides: Detailed processes and procedures,
    such as tools and techniques, programs, and
    step-by-step approaches
  • Position Papers: Statements to assist a wide range
    of interested parties

Part 1, Section 1, Introduction
11
Internal Audit Activity, Defined
Part 1, Section 1, Topic 1
12
Discussion Question
All of the following are reasonable
responsibilities for the chief audit executive
EXCEPT
  • overseeing the service contract with a
    consultant.
  • waiving a regulatory agency's recommendation on a
    risk management or control issue.
  • developing the audit charter and securing
    approval by the board.
  • reporting to senior management and the board
    on internal audit activities.

Answer B. This is a management decision, not an
internal audit decision.
Part 1, Section 1, Topic 1
13
Internal Audit Charter, Defined
Part 1, Section 1, Topic 1
14
Typical Audit Charter Elements
  • Mission and scope of the internal auditing
    department
  • Accountability of the CAE to management and an
    audit committee
  • Independence of the internal auditing function
  • Responsibilities of the CAE and internal auditing
    staff
  • Range of authority of the CAE and internal
    auditing staff
  • Applicable standards of audit practice

Part 1, Section 1, Topic 1
15
Types of Engagements
Part 1, Section 1, Topic 1
16
Discussion Question
Which of the following items is appropriate to
include in an internal audit activity charter?
  1. Authorization and access
  2. Levels of staff proficiency
  3. Inquiry and observation processes employed
  4. Activity objectives for external service providers

Answer A
Part 1, Section 1, Topic 1
17
Key Documents
  • Basic documents to support the purpose,
    authority, and responsibility of the internal
    audit department and internal audit activities
  • Internal audit charter
  • Function and responsibility (F and R) statement
  • Statement of policy (corporate audit policy or
    policy statement missions)
  • Audit manual (policies and procedures)
  • Staff job descriptions

Part 1, Section 1, Topic 1
18
Marketing the Audit Function
Brochures: Promote the audit function and explain the features and benefits
Newsletters: Highlight important aspects of internal audit activities
Publications: Provide softer human interest stories
Audit department open house: Facilitate introductions and/or dialogue
Advisory board of operating managers chaired by CAE: Facilitate an exchange of information on related topics
Client training: Educate client personnel and/or internal auditing new hires
Engagement documents and meetings: Structure an internal audit activity as a problem-solving partnership
Part 1, Section 1, Topic 1
19
Discussion Question
  • Identify whether the statement is related to the
    purpose, authority, or responsibility of the
    internal audit activity.

Answers
1. Ensure that staff possesses sufficient expertise to fulfill the engagement charter. (Responsibility)
2. Maintain access with the appropriate governing authority. (Authority)
3. Add value and improve operations. (Purpose)
Part 1, Section 1, Topic 1
20
Internal Audit Activity Purpose, Authority, and
Responsibility
  • Attribute Standard 1000
  • Attribute Standard 1130
  • Performance Standard 2400
  • Performance Standard 2420

Part 1, Section 1, Topic 1
21
Independence and Objectivity, Defined
Part 1, Section 1, Topic 2
22
Independence and Organizational Reporting
Functional reporting
Administrative reporting
Functional reporting
Part 1, Section 1, Topic 2
23
Functional Reporting
Provides independence and authority
  • Examples
  • Approve
  • Internal audit activity's charter.
  • Internal audit risk assessment and related audit
    plan.
  • All decisions regarding performance evaluation,
    appointment/removal of CAE.
  • Annual compensation and salary adjustment of CAE.
  • Receive communications from CAE.
  • Make appropriate inquiries of management and CAE.
Administrative Reporting
  • Examples
  • Budgeting and management accounting
  • Human resource administration
  • Internal communications and information flows
  • Administration of the internal audit activity's
    internal policies and procedures

Part 1, Section 1, Topic 2
24
Alignment to Ensure Organizational Independence
  • Have regular and direct communication with the
    board.
  • Report to an individual at the senior management
    level with sufficient authority to promote
    independence and to ensure broad audit coverage.
  • Report directly to the audit committee (or its
    equivalent).

Part 1, Section 1, Topic 2
25
Discussion Question
Which action best exemplifies internal auditing
objectivity?
  1. Strategic synergies
  2. Win-win conflict resolution
  3. Periodic communication with the engagement client
  4. Independent mental attitude

Answer D. An internal auditor must have an
unbiased and impartial mindset in regard to all
engagements.
Part 1, Section 1, Topic 2
26
Policies to Promote Objectivity
Internal auditors should
  • Have no operational responsibility for the
    activity under review.
  • Have had no authority or responsibility during
    the past year or a reasonable time frame.
  • Abide by the Code of Ethics.
  • Not subordinate their judgment to that of others.
  • Not compromise the quality of their work or
    objectivity of their judgment.
  • Avoid potential conflicts of interest and bias.
  • Have an independent review of engagement results.

Part 1, Section 1, Topic 2
27
Additional Best Practices to Maintain Objectivity
  • Periodic query of internal auditing staff
  • Periodic staff assignment rotation
  • Refusal of material fees, gifts, or
    entertainment; consideration of what is
    reasonable

Part 1, Section 1, Topic 2
28
Discussion Question
  • Identify which of the following items exemplify
    potential impairments. Respond yes, no, or
    probable.

1. Accepting a breakfast invitation
2. An executive demanding the rescheduling of an audit
3. A designer passport travel ID case
4. Denial of facility access

Potential impairments should be reported to the
CAE.
Part 1, Section 1, Topic 2
29
  • Reinforcing Activity 1-1
  • Part 1, Section 1, Topic 2
  • Maintain Independence and Objectivity

Part 1, Section 1, Topic 2
30
Engagement Staffing Options
In-house auditing: Establishing a dedicated audit team with requisite resources
Total out-sourcing: Out-sourcing 100% of the internal audit activity to an external provider, usually on an ongoing basis
Co-sourcing: A combination of internal staffing and external out-sourcing; external providers provide supplementary specialist skills
Subcontracting (staff augmentation): Securing a specific individual to perform a specific engagement or part of an engagement
Secondment: Borrowing an employee from another part of the organization to work in the audit activity for a specified period of time
Part 1, Section 1, Topic 3
31
Requisite Knowledge, Skills, and Competencies
Examples
Knowledge required to perform technical audits
Language/communication skills
Interpersonal skills/audit tools and techniques
Part 1, Section 1, Topic 3
32
Internal Audit Designated Competencies
Part 1, Section 1, Topic 3
33
Discussion Question
Who is ultimately responsible for ensuring that
the internal audit activity is staffed
appropriately?
  1. Audit committee
  2. Chief audit executive (CAE)
  3. Board
  4. Human resources

Answer B. The CAE is responsible for determining
levels of education and experience for the
organization's IA positions.
Part 1, Section 1, Topic 3
34
Discussion Question
  • Identify the employment term described in the
    example.

Answers
1. Requiring CIA certification for an internal audit position
2. List of requisite knowledge, skills, and competencies
3. Evaluation and feedback at the end of an engagement
4. Progressive promotions of an internal auditor



Part 1, Section 1, Topic 3
35
How to Evaluate Staff Proficiency
Part 1, Section 1, Topic 3
36
Discussion Question
The CAE must hire an outside service provider to
support the internal audit activity with
statistical analysis responsibilities. This best
describes
  1. co-sourcing.
  2. out-sourcing.
  3. joint venture.
  4. alliance.

Answer A. In co-sourcing, an external
provider supplements the internal audit function;
in out-sourcing, an outside firm is paid to
handle the responsibility.
Part 1, Section 1, Topic 4
37
Co-sourcing and Out-sourcing
Advantages
  • Frees internal resources
  • Provides flexibility
  • Can improve efficiency and effectiveness
  • Can reduce expenses
  • Can expand coverage
  • May improve quality and/or timeliness
  • Can provide additional skill sets
Disadvantages
  • Can cost more
  • Results in a loss of in-house capabilities and
    process control
  • Can undermine morale
  • Requires a learning curve, oversight, and
    coordination
  • Has potential for privacy and confidentiality
    issues
  • Can undermine career pathing
Part 1, Section 1, Topic 4
38
CAE Responsibilities for Outside Service Providers
  • Determine the competence.
  • Assess the relationship with the organization.
  • Ensure that independence and objectivity are
    maintained.
  • Review necessary information (e.g., work
    objectives, scope, access).
  • Document matters in an engagement letter or
    contract.
  • Reference compliance with The IIA's Standards (as
    applicable).

Part 1, Section 1, Topic 4
39
What Is Fraud?
  • Examples
  • Acceptance of bribes or kickbacks
  • Diversion of a potentially profitable transaction
  • Embezzlement
  • Intentional concealment/misrepresentation of
    events, transactions, or data
  • Bogus claims submitted for services or goods
  • Intentional failure to act
  • Unauthorized or illegal use of confidential or
    proprietary information
  • Unauthorized or illegal manipulation of IT
    networks or operating systems
  • Theft

Any illegal act characterized by deceit,
concealment or violation of trust
Part 1, Section 1, Topic 4
40
Information Technology Considerations
Internal auditors must have sufficient knowledge
of key information technology risks and controls
and available technology-based audit techniques
to perform their assigned work. However, not all
internal auditors are expected to have the
expertise of an internal auditor whose primary
responsibility is information technology
auditing. (Standard 1210.A3)
Part 1, Section 1, Topic 4
41
Characteristics of Due Professional Care
What is due professional care?
  • Calls for the application of the care and skill
    expected of a reasonably prudent and competent
    internal auditor in the same or similar
    circumstances.
  • Requires internal auditors to act responsibly.
  • Exercised when internal audits are performed in
    accordance with the Standards.
What are the implications?
  • Internal auditors must be independent, competent,
    and objective.
  • Audit work must be planned and supervised.
  • Audit reports must be objective, clear, concise,
    constructive, and timely.
  • Internal auditors must follow up on reported
    audit findings.

Part 1, Section 1, Topic 5
42
Discussion Question
Which of the following statements exemplifies due
professional care in an assurance engagement?
  1. Understanding the performance goals of the client
  2. Recognizing the needs of management
  3. Being alert to significant risks that affect
    objectives, goals, and strategies

Answer C
Part 1, Section 1, Topic 5
43
Discussion Question
How does due professional care in a consulting
engagement differ from that in an assurance
engagement?
  1. More applicable standards
  2. Increased client needs and expectations
  3. Fewer potential benefits derived from the
    engagement

Answer B. Many of the same considerations apply.
However, the needs and expectations of clients
have increased significance.
Part 1, Section 1, Topic 5
44
  • Reinforcing Activity 1-2
  • Part 1, Section 1, Topic 5
  • Exercise Due Professional Care

Part 1, Section 1, Topic 5
45
What Is Continuing Professional Development?
Description: The means to maintain, improve, and broaden the knowledge, skills, and competence required in a profession
General Examples and The IIA Offerings: Occupational assignments; Mentoring; Networking; Training; Research projects; Collective wisdom; Formal education; Conferences; Membership/activity in professional societies; Certification and recertification; Seminars; Conferences; Web-based training; Vision University
Part 1, Section 1, Topic 6
46
Certification
Description: The systematic measurement of characteristics that results in recognition of meeting suggested knowledge and other minimum requirements
Achieved By:
  • Graduation from accredited or approved training
  • Completion of a specified amount or type of work
    experience
  • Acceptable exam performance
The IIA Certifications:
  • Certified Internal Auditor (CIA)
  • Certification in Control Self-Assessment (CCSA)
  • Certified Government Auditing Professional (CGAP)
  • Certified Financial Services Auditor (CFSA)
Part 1, Section 1, Topic 6
47
Quality Assurance and Improvement Program (QAIP)
  • Helps provide reasonable assurance to
    stakeholders that the internal audit activity
  • Performs in accordance with its charter and is
    consistent with the Definition of Internal
    Auditing, the Code of Ethics, and the Standards.
  • Operates in an effective and efficient manner.
  • Is perceived as adding value and improving
    operations.
  • Includes appropriate supervision, periodic
    internal assessments, ongoing monitoring of
    quality assurance, and periodic external
    assessments.

Part 1, Section 1, Topic 7
48
QAIP Internal and External Assessments
Periodic internal assessment
  • Ongoing internal evaluations of the internal
    audit activity coupled with periodic
    self-assessments and/or reviews
  • Conducted by persons within the organization's
    internal audit activity
  • Supervised by the direction of the CAE
Periodic external assessment
  • Evaluation of the internal audit activity
    compliance with the Standards, the use of best
    practices, and internal audit activity efficiency
    and effectiveness
  • Conducted by a qualified independent reviewer or
    review team from outside the organization

Part 1, Section 1, Topic 7
49
Discussion Question
  • Identify whether the statement describes internal
    or external periodic quality assessments or both.

1. Usually incorporated into routine policies and practices
2. Provides an opinion about conformance to the Standards
3. CAE involvement precludes total objectivity
4. Conducted at least once every five years
Part 1, Section 1, Topic 7
50
Scope of Internal Assessments
  • Routine and continuous supervision and testing of
    performance of audit/ consulting work
  • Ongoing measurements and analyses of performance
    metrics
  • Periodic validations of compliance with
    applicable laws, regulations, standards
  • Periodic validations of compliance with Standards
    and Code of Ethics
  • Evaluation of adequacy of internal audit
    activity's charter, goals, objectives, policies,
    procedures
  • Assessment of contribution to organization's
    governance, risk management, and control
    processes
  • Evaluation of effectiveness of continuous
    improvement activities and adoption of best
    practices
  • Whether auditing activity adds value and improves
    organization's operations

Part 1, Section 1, Topic 7
51
QAIP Internal Performance Measures
Part 1, Section 1, Topic 7
52
Discussion Question
Which of the following are acceptable teams to
perform external quality assessment reviews?
(Select all that apply.)
  I. A team that is totally independent of the
    organization yet knowledgeable in standards of
    audit performance
  II. Internal auditors from a subsidiary organization
  III. A self-assessment with independent validation by
    an independent reviewer
  IV. A peer review team made of members from at least
    three different organizations
Answer I, III, and IV. External reviewers must
be independent of the organization whose internal
audit activity is the subject of the assessment.
Independent of the organization means not a
part of or under the control of the organization
to which the internal auditing activity belongs.
Part 1, Section 1, Topic 7
53
Scope of External Assessments
  • Tools and techniques employed by the internal
    audit activity
  • Mix of knowledge, experience, and disciplines
    within the staff, including staff focus on
    process improvement
  • Determination as to whether or not the audit
    activity adds value and improves the
    organization's operations
  • Conformance with the Definition of Internal
    Auditing, the Code of Ethics, and the Standards
    and with the internal audit activity's charter,
    plans, policies, procedures, practices, and
    applicable legislative and regulatory
    requirements
  • Expectations of the internal audit activity
    expressed by the board, senior management, and
    operational managers
  • Integration of the internal audit activity into
    the organization's governance process, including
    the attendant relationships between and among the
    key groups involved in that process

Part 1, Section 1, Topic 7
54
Reporting the Results of QAIP
Internal assessments
  • The CAE should share results, necessary action
    plans, and their successful implementation with
    stakeholders such as
  • Senior management.
  • The board.
  • External auditors.
  • Preliminary results should be discussed with the
    CAE during and at the conclusion of the process.
  • Final results should be communicated in a formal
    report to
  • The CAE or other official who authorized the
    review.
  • Appropriate members of senior management and the
    board.

Part 1, Section 1, Topic 7
55
Compliance/Conformity to the Standards
  • Statement may be used only if validated by
    assessments of the QAIP.
  • Assessments should include recommendations for
    compliance improvement.
  • Compliance may be expressed in one of three ways.
  • In compliance with the Standards
  • In conformity to the Standards
  • In accordance with the Standards

Compliance is conformity and adherence to
policies, plans, procedures, laws, regulations,
contracts, or other requirements.
Part 1, Section 1, Topic 7
56
  • Reinforcing Activity 1-3
  • Part 1, Section 1, Topic 7
  • Promote Quality Assurance and Improvement of the
    Internal Audit Activity

Part 1, Section 1, Topic 7
57
The IIA's Code of Ethics, Defined
Principles relevant to the profession and
practice of internal auditing and Rules of
Conduct that describe behavior expected of
internal auditors. The Code of Ethics applies to
both parties and entities that provide internal
audit services. The purpose of the Code of Ethics
is to promote an ethical culture in the global
profession of internal auditing.
Principles: Integrity, Objectivity, Confidentiality, Competency
Part 1, Section 1, Topic 8
58
  • Reinforcing Activity 1-4
  • Part 1, Section 1, Topic 8
  • Abide By and Promote Compliance With The IIA's
    Code of Ethics

Part 1, Section 1, Topic 8
59
End of Section 1
  • Questions?

Part 1, Section 1