CIA Exam 1: Practice Advisories

  1. Internal Audit Charter
    • The purpose, authority, and responsibility of IA activity must be defined in a charter
    • Must agree with IA Definition, Ethics and Standards
    • Periodically reviewed by CAE and presented to senior management and the board for approval
    • Establishes the IA activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of IA activities.
    • Final approval of the charter lies with the board
  2. Individual Objectivity
    Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest
  3. Impairment to Independence or Objectivity
    • May include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.
    • Auditors must refrain from assessing operations for which they were previously responsible
    • Assurance engagements for functions over which the CAE has responsibility must be overseen by a party outside the IA activity
    • IAs may provide consulting services relating to operations for which they had previous responsibilities
    • If IAs have potential impairments, disclosure must be made to the engagement client prior to accepting the engagement
  4. Proficiency and Due Professional Care
    • Engagements must be performed with proficiency and due professional care
    • Includes conforming with the Code of Ethics and the organization's code of conduct as well as the codes of conduct for other professional designations the IAs may hold.
    • The code of ethics includes: 1) Principles that are relevant to the profession and practice of IA - integrity, objectivity, confidentiality, and competency. 2) Rules for conduct that describe behavioral norms expected of IAs. These rules are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of IAs.
  5. Due Professional Care
    • Internal auditors must apply the care and skill expected of a reasonably prudent and competent IA.
    • Due professional care does not imply infallibility
    • Exercised by considering: extent of work needed to achieve engagement's objectives; relative complexity, materiality, or significance of matters to which assurance procedures are applied; adequacy and effectiveness of governance, risk management, and control processes; probability of significant errors, fraud, or noncompliance; cost of assurance in relation to potential benefits
    • In exercising due professional care IAs must consider the use of technology-based audit and other data analysis techniques
    • IAs must be alert to the significant risks that might affect objectives, operations, or resources
    • In consulting: Needs and expectations of clients; complexity and extent of work; cost of the consulting engagement in relation to potential benefits
  6. Quality Assurance and Improvement Program
    • Designed to enable evaluation of IA activities in conformance with the definition of IA, the standards, and ethics
    • Assess efficiency and effectiveness of the IA activity and identify opportunities for improvement
    • CAE is responsible for establishing an IA activity whose scope of work includes the activities in the standards and in the definition of internal auditing
    • QAIP should add value and improve organization's operations as perceived by stakeholders
    • Processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments
    • QAIP process is performed by or under direct supervision of the CAE
    • CAE delegates most QAIP responsibilities to subordinates
    • CAE establishes a formal QAIP function - headed by IA executive - independent of the audit and consulting segments of the IA activity
    • The executive (and limited staff) administers and monitors the activities needed for a successful QAIP
  7. Requirements of the Quality Assurance and Improvement Program
    • Ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the IA activity
    • Ongoing analysis and performance metrics; ongoing supervision and testing; periodic validations of conformance with definitions and code of ethics
    • Leads to recommendations for appropriate improvements
    • QAIPs include: adequacy of the internal audit activity's charter, goals, objectives, policies, and procedures; contribution to the organization's governance, risk management, and control processes; compliance with applicable laws, regulations, and government or industry standards; effectiveness of continuous improvement activities and adoption of best practices; extent to which the IA activity adds value and improves the organization's operations
    • QAIP efforts also include follow-up on recommendations involving appropriate and timely modification of resources, technology, processes, and procedures
    • CAE communicates the results of the external and internal quality program assessments to the various stakeholders of the activity
    • CAE annually reports to senior management and the board on the quality program efforts and results
  8. Definition of Internal Auditing
    An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  9. Principles of the Code of Ethics
    • Integrity: establishes trust and provides the basis for reliance on internal auditors' judgement
    • Objectivity
    • Confidentiality
    • Competency
  10. Using the Risk Management Process in Internal Audit Planning
    • CAE must establish risk-based plans to determine the priorities of the IA activity
    • The IA activity plan of engagements must be based on a documented risk assessment undertaken at least annually
    • Input of senior management and board must be considered in the process
    • CAE should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan
  11. Coordination
    CAE should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts
  12. Reporting
    • CAE must report periodically to senior management and the board on the IA activity's purpose, authority, responsibility, and performance relative to its plan.
    • Must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board
    • Frequency and content determined by board and urgency of related actions to be taken
  13. Communication Criteria
    • Final communication of engagement results must contain IA's opinion and/or conclusions
    • IAs are encouraged to acknowledge satisfactory performance in engagement communications
    • Must include limitations on distribution and use of the results
    • Will vary in form and content depending upon the nature of the engagement and the needs of the client
  14. Follow-up Process
    • CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action
    • IA activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client