The Internal Audit Standards Board (IASB) develops professional standards for internal auditing.
The Internal Audit Standards Board (IASB) is the official body charged by The IIA with developing professional standards for internal auditing. Its primary responsibility is to provide guidance to practitioners.
The International Ethics Committee only investigates complaints against members of The IIA.
The International Ethics Committee considers needed changes in the Code of Ethics and investigates complaints against members of The IIA and CIAs.
Internal auditing is only concerned with compliance during assurance engagements.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The IIA Code of Ethics describes specific activities for conduct and behavioral expectations.
The IIA Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and behavioral expectations, rather than specific activities.
Position papers and practice guides are both strongly recommended guidance and not mandatory.
The IIA’s hierarchy includes mandatory guidance, e.g., definition, code of ethics, and standards; and strongly recommended guidance, e.g., position papers, practice advisories, and practice guides.
Internal auditors are not required to comply with Practice Advisories.
Practice Advisories are presented with the related sections of the Standards. They are nonmandatory interpretations of the Standards or their application in specific situations. They represent best practices endorsed by The IIA as means of implementing the Standards.
Each internal auditor assigned to an engagement must possess the necessary knowledge and skills to conduct the engagement properly.
According to PA 1200-1, “Proficiency and due professional care are the responsibility of the chief audit executive (CAE) and each internal auditor. As such, the CAE ensures that persons assigned to each engagement collectively possess the necessary knowledge, skills, and other competencies to conduct the engagement appropriately.”
Integrity, objectivity, confidentiality, and competency are relevant to the practice of internal auditing.
The Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components: 1. Principles that are relevant to the profession and practice of internal auditing: integrity, objectivity, confidentiality, and competency. 2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
An internal auditor must have an understanding of finance.
According to PA 1210-1, “Internal auditors assigned to an engagement collectively possess an appreciation of the fundamentals of business subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, information technology, risk management, and fraud. An appreciation means the ability to recognize the existence of problems or potential problems and to identify the additional research to be undertaken or the assistance to be obtained.”
Proficiency in accounting principles and techniques is required to recognize the materiality of deviations from good business practices.
According to Practice Advisory 1210-1, “An understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practices.”
It is advantageous for an internal auditor to be skilled in oral and written communications.
According to Practice Advisory 1210-1, internal auditors are to be skilled “in oral and written communications to clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.”
Each internal auditor must be qualified in all disciplines needed to meet the internal audit activity’s responsibilities.
According to Practice Advisory 1210.A1-1, each member of the internal audit activity need not be qualified in all disciplines. The internal audit activity may use external service providers or internal sources that are qualified in disciplines such as accounting, auditing, economics, finance, statistics, information technology, engineering, taxation, law, environmental affairs, and other areas as needed to meet the internal audit activity’s responsibilities.
An external service provider may only be engaged by senior management.
An external service provider is a person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. An external service provider may be engaged by the board, senior management, or the chief audit executive.
The chief audit executive need not assess the competency, independence, or objectivity of an external service provider when this service provider has been selected by senior management.
According to Practice Advisory 1210.A1-1, “When the chief audit executive intends to use and rely on the work of an external service provider, the chief audit executive needs to consider the competence, independence, and objectivity of the external service provider as it relates to the particular assignment to be performed. This assessment is also needed when the external service provider is selected by senior management or the board, and the chief audit executive intends to use and rely on the external service provider’s work.”
When assessing the competency of an outside service provider, the chief audit executive should consider professional certifications, licenses, and membership in appropriate professional organizations, in addition to other attributes.
When assessing competency, the chief audit executive should consider the following attributes, among others: (1) professional certification, license, or other recognition of the external service provider’s competence, in the relevant discipline; (2) membership of the external service provider in an appropriate professional organization and adherence to that organization’s code of ethics; and (3) the reputation of the external service provider. This may include contacting others familiar with the external service provider’s work.
In assessing the relationship of the external service provider to the organization to ensure independence and objectivity, the chief audit executive should determine that there are no financial, organizational, or personal relationships that will hinder the engagement.
According to Practice Advisory 1210.A1-1, “The CAE needs to assess the relationship of the external service provider to the organization and to the internal audit activity to ensure that independence and objectivity are maintained throughout the engagement. In performing the assessment, the CAE verifies that there are no financial, organizational, or personal relationships that will prevent the external service provider from rendering impartial and unbiased judgments and opinions when performing or reporting on the engagement.”
The chief audit executive considers the expertise of the outside service provider when assessing the objectivity and independence of the provider.
According to Practice Advisory 1210.A1-1, “The CAE assesses the independence and objectivity of the external service provider by considering (1) the financial interest the external service provider may have in the organization; (2) the personal or professional affiliation the external service provider may have to the board, senior management, or others within the organization; (3) the relationship the external service provider may have had with the organization or the activities being reviewed; (4) the extent of other ongoing services the external service provider may be performing for the organization; and (5) the compensation or other incentives that the external service provider may have.”
It is beneficial for the chief audit executive to document the scope of the outside service provider’s work in an engagement letter or contract.
According to Practice Advisory 1210.A1-1, “To ascertain that the scope of work is adequate for the purposes of the internal auditing activity, the CAE obtains sufficient information regarding the scope of the external service provider’s work. It may be prudent to document these and other matters in an engagement letter or contract.”
The internal auditor should have the expertise of a person whose primary responsibility is detecting and investigating fraud.
According to Practice Advisory 1210-1, the knowledge, skills, and other competencies referred to in the standard include knowledge to identify the indicators of fraud. Standard 1210.A2 states, “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”
Internal auditors whose primary responsibility is information technology auditing need to have knowledge of key information technology risks and controls to perform their assigned work.
According to Standard 1210.A3, “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.”
The chief audit executive must decline the consulting engagement or obtain advice and assistance if the internal audit staff is not competent enough to perform the engagement.
According to Standard 1210.C1, “The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.”
An external service provider is always a person, independent of the organization, who has special knowledge, skill, and experience in a particular discipline.
According to Practice Advisory 1210.A1-1, “An external service provider is a person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. External service providers include actuaries, accountants, appraisers, culture or language experts, environmental specialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, the organization’s external auditors, and other audit organizations. An external service provider may be engaged by the board, senior management, or the chief audit executive (CAE).”
External service providers may be used by the IAA in connection with mergers, but not fraud investigations.
According to Practice Advisory 1210.A1-1, “External service providers may be used by the internal audit activity in connection with, among other things, Achievement of the objectives in the engagement work schedule. Audit activities where a specialized skill and knowledge are required, such as information technology, statistics, taxes, or language translations. Valuations of assets such as land and buildings, works of art, precious gems, investments, and complex financial instruments. Determination of quantities or physical condition of certain assets, such as mineral and petroleum reserves. Measuring the work completed and to be completed on contracts in progress. Fraud and security investigations. Determination of amounts, by using specialized methods such as actuarial determinations of employee benefit obligations. Interpretation of legal, technical, and regulatory requirements. Evaluation of the internal audit activity’s quality assurance and improvement program in conformance with the Standards. Mergers and acquisitions. Consulting on risk management and other matters.”
When an internal auditor exercises due professional care, all material misstatements and instances of fraud will be found.
According to Standard 1220, “Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.”
In exercising due professional care, internal auditors need not be concerned with errors and omissions or waste.
According to Practice Advisory 1220-1, “Exercising due professional care involves internal auditors being alert to the possibility of fraud, intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest, as well as being alert to those conditions and activities where irregularities are most likely to occur.”
Due care requires examinations and verifications to a reasonable extent.
According to Practice Advisory 1220-1, “Due professional care implies reasonable care and competence, not infallibility or extraordinary performance. As such, due professional care requires the internal auditor to conduct examinations and verifications to a reasonable extent.”
Technology-assisted audit tools are the only data analysis techniques that may be used when exercising due professional care.
According to Practice Advisory 1220.A2, “In exercising due professional care, internal auditors must consider the use of technology-assisted audit and other data analysis techniques.”
An auditor who is performing assurance procedures cannot guarantee that all significant risks will be identified.
According to Standard 1220.A3, “Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.”
Obtaining an appropriate professional certification is one way that an internal auditor can demonstrate his/her proficiency.
According to Practice Advisory 1230-1, “Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certification, such as the Certified Internal Auditor designation, other designations offered by The Institute of Internal Auditors, and additional designations related to internal auditing.”
Internal auditors are responsible for keeping informed about current developments in internal auditing procedures.
According to Practice Advisory 1230-1, “Internal auditors are responsible for continuing their education to enhance and maintain their proficiency. Internal auditors need to stay informed about improvements and current developments in internal audit standards, procedures, and techniques, including The IIA’s IPPF guidance.”