2-Independence, Objectivity, Proficiency, Care and Quality Flashcards
How frequently must the chief audit executive confirm to the board the organizational independence of the internal audit activity?
At least annually.
The organizational independence of the internal audit activity is achieved when it reports (1) ______ to the board and (2) ______ to senior management.
Functionally
Administratively
Independence is an attribute of ______.
The internal audit activity.
Objectivity is an attribute of ______.
Individual internal auditors.
Define the objectivity of an internal auditor.
Objectivity refers to an internal auditor’s impartial and unbiased mindset, which is facilitated by avoiding conflicts of interest.
What can be used to describe the expectation and requirements for the objectivity of internal auditors?
An internal audit policy manual or handbook.
The chief audit executive must establish (1) _____ and (2) _____ to assess the objectivity of individual internal auditors.
1-Policies
2-Procedures
Who is responsible for maintaining the objectivity of internal auditors?
The responsibility to maintain objectivity rests with the chief audit executive (CAE) and with internal auditors themselves.
Independence and objectivity may be impaired in _____ (1) or _____ (2).
1-Fact
2-Appearance
List examples of impairments to organizational independence and individual objectivity.
Personal conflict of interest
Scope limitations
Restrictions on access to records, personnel, and properties
Resource limitations
Define scope limitation.
A scope limitation is a restriction placed on the internal audit activity that precludes the activity from accomplishing its objectives and plans.
How should the chief audit executive (CAE) respond when an impairment to independence and objectivity is discovered after an audit has been executed?
The CAE should discuss the impairment with operating and senior management, as well as the board.
Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by _______________.
A party outside the internal audit activity.
May the internal audit activity provide assurance services where it had previously performed consulting services?
The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.
When may internal auditors provide assurance or consulting services relating to operations for which they had previous responsibilities without impairing objectivity?
Type of service: When internal auditors may provide services (without impairment)
Assurance: 1 year after the previous responsibility
Consulting: Any time
How should internal auditors respond when there are potential impairments to independence or objectivity relating to proposed consulting services?
Disclosure must be made to the engagement client prior to accepting the engagement.
Who is responsible for ensuring conformance with the Standards regarding internal auditor proficiency and due professional care?
The chief audit executive (CAE).
Who is responsible for performing engagements with proficiency and due professional care?
Every internal auditor.
Should each internal auditor individually be proficient in all necessary competencies of the internal audit activity?
No. The internal audit activity collectively, not each auditor individually, must be proficient in all necessary competencies.
List the 10 core competencies included in The IIA’s Global Internal Audit Competency Framework.
1-Professional ethics
2-Internal audit management
3-International Professional Practices Framework (IPPF)
4-Governance, risk and control
5-Business acumen
6-Communication
7-Persuasion and collaboration
8-Critical thinking
9-Internal audit delivery
10-Improvement and innovation
Which aspects of the internal audit activity cannot be outsourced?
Oversight of and responsibility for the internal audit activity must not be outsourced.
Internal auditors must apply the care and skill expected of a __________ internal auditor.
Reasonably prudent and competent.
List the areas that should be considered when internal auditors are exercising due professional care in assurance engagements.
Extent of work needed to achieve the engagement’s objectives
Relative complexity, materiality, or significance of matters to which assurance procedures are applied
Adequacy and effectiveness of governance, risk management, and control processes
Probability of significant errors, fraud, or noncompliance
Cost of assurance in relation to potential benefits
List the areas that should be considered when internal auditors are exercising due professional care in consulting engagements.
Needs and expectations of clients, including the nature, timing, and communication of engagement results
Relative complexity and extent of work needed to achieve the engagement’s objectives
Cost of the consulting engagement in relation to potential benefits
How many hours of continuing professional education (CPE) must certified internal auditors (CIAs) complete annually?
Type of CIA: Annual hours
Practicing CIA: 40 hours (at least 2 hours of ethics training)
Nonpracticing CIA: 20 hours (at least 2 hours of ethics training)
The __________ must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
Chief audit executive.
List the five components of a Quality Assurance and Improvement Program (QAIP).
Internal assessments
External assessments
Communication of QAIP results
Proper use of a conformance statement
Disclosure of nonconformance
What are the two types of internal assessment in a Quality Assurance and Improvement Program (QAIP)?
Ongoing monitoring
Periodic self-assessments
What should be the frequency of external assessments in a Quality Assurance and Improvement Program (QAIP)?
At least once every five years.
When can a self-assessment be performed in lieu of a full external assessment in a Quality Assurance and Improvement Program (QAIP)?
When it is validated by a qualified, independent, competent, and professional external assessor
What are the four steps of the Deming Cycle?
Plan
Do
Check
Act
Ongoing monitoring is generally focused on reviews conducted at the ______________ level.
Engagement.
What two aspects of external assessments must the chief audit executive (CAE) discuss with the board?
The form and frequency of external assessments
The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest
To whom must the chief audit executive communicate the results of the Quality Assurance and Improvement Program (QAIP)?
Senior management and the board
The results of the Quality Assurance and Improvement Program (QAIP) should include ___________.
The scope and frequency of both the internal and external assessments
The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest
Conclusions of assessors
Corrective action plans
How frequently must the results of (1) external assessments, (2) periodic internal assessments, and (3) ongoing monitoring be communicated?
Type of assessment: Frequency
External assessments: Upon completion
Periodic internal assessments: Upon completion
Ongoing monitoring: At least annually
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to _______________.
Senior management and the board.
What are the 4 knowledge areas of the IIA’s Global Internal Audit Competency Framework?
Professionalism
Performance
Environment
Leadership and Communication
The three levels of competency within the IIA competency framework are:
General awareness
Applied knowledge
Expert
What are the specific competencies for professionalism?
Mission of internal auditing
Internal audit charter
Organizational independence
Individual objectivity
Ethical behaviour
Due professional care
Professional development
What are the specific competencies for Performance?
Organizational governance
Fraud
Risk management
Internal control
Engagement planning, including objectives and scope, risk assessment, work program and resources
Engagement fieldwork, including information gathering, sampling, computer-assisted audit tools and techniques, data analytics, evidence, process mapping, analytical review, and documentation.
Engagement outcomes, including communication quality, conclusions, recommendations, reporting, residual risk and risk acceptance, management action plan, and results monitoring.
What are the specific competencies for environment?
Organization strategic planning and management
Common business processes
Social responsibility and sustainability
Information technology, including data analytics, security and privacy, and IT control frameworks.
Accounting and finance
What are the specific competencies for Leadership and Communication?
Internal audit strategic planning and management
Audit plan and coordinating assurance efforts
Quality assurance and improvement program.
What are the common elements in all QAIPs?
Cover all aspects of the internal audit activity
Evaluate the conformance of the IAA with the Standards and the Code of Ethics
Assess the efficiency and effectiveness of the IAA
Identify opportunities for continuous improvement
Involve the board in the oversight of the QAIP
Some stakeholders of the IAA may include:
The board of directors
Senior management
The external auditor
Operational managers
Customers
Shareholders
Oversight organizations, regulators, and government agencies
The two functions of the QAIP are:
Conclude on the quality of the IAA
Generate recommendations for improvements within the IAA
The following will be evaluated as part of the QAIP:
Conformance with the Definition, Code of Ethics and Standards.
Adequacy of Charter, Goals, Objectives, Policies and Procedures.
Contribution to governance, risk management and control processes.
Completeness of coverage
Compliance with laws and regulations
Risks affecting operation of IAA
Effectiveness of continuous improvement
Whether the IAA adds value
QAIP must be implemented and applied at three levels:
Individual engagement level (self-assessment at audit by supervisor)
Internal audit activity level (self-assessment by IAA or org level by CAE)
The external perspective (assessment at least every 5 years)
Name two types of internal assessments
Ongoing monitoring
Periodic internal assessments
Results of the ongoing monitoring as a whole need to be reported to the board
At least annually.
The main objectives of periodic self-assessment are:
Identify quality of ongoing performance and opportunities for improvement
To check and validate the QAIP
External assessments:
Must be conducted at least once every 5 years by a qualified independent assessor or assessment team from outside the organization.
What are the 10 Competencies in the Competency Framework?
Professional ethics
Internal audit management
IPPF
Governance, risk and control
Business acumen
Communication
Persuasion and collaboration
Critical thinking
Internal audit delivery
Improvement and innovation
What are the three levels of competence?
Proficiency: The ability to apply knowledge to situations likely to be encountered and deal with them appropriately without extensive recourse to technical research and assistance.
Understanding: The ability to apply broad knowledge to situations likely to be encountered, recognize significant deviations, and carry out research necessary to arrive at reasonable solutions.
Appreciation: The ability to recognize the existence of problems or potential problems and identify the additional research or assistance needed.
What areas should an internal auditor have proficiency in?
Proficiency in applying internal audit standards, procedures, and techniques in performing engagements.
What should an internal auditor have an understanding of?
Management principles, to recognize and evaluate the materiality and significance of deviations from good business practices.
What areas should an internal auditor have an appreciation of?
Accounting
Economics
Commercial law
Taxation
Finance
Quantitative methods
Information technology
Risk management
Fraud
What specific knowledge should an internal auditor have?
Auditors must have knowledge:
To identify the indicators of fraud, and
Of key information technology risks and controls and available technology-based audit techniques.
What specific skills should an internal auditor have?
Dealing with people.
Understanding human relations.
Maintaining satisfactory relationships with engagement clients.
Communicating (both in oral and written form) to clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.
Who is responsible for proficiency and due professional care of the auditors?
The CAE has this responsibility.
When can the CAE engage external specialists?
If the IAA does not have the skills and competencies for an engagement, the CAE must either decline the engagement or go outside the IAA or organization to get those skills.
What must be considered and evaluated before the IAA uses an outside expert?
The independence and objectivity of the expert in respect to the engagement.
The relevant professional certifications and/or membership in a professional organization.
Experience and education in similar situations and the area in which they will be engaged.
Reputation.
Knowledge of the business and industry.
What is Due Professional Care?
Due professional care requires that internal auditors apply the skill and care expected of a reasonably prudent and competent internal auditor.
In Standard 1220, what must the internal auditor consider in exercising due professional care?
Extent of work needed to achieve the engagement’s objectives;
Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
Adequacy and effectiveness of governance, risk management, and control processes;
Probability of significant errors, fraud, or noncompliance; and
Cost of assurance in relation to potential benefits
What does continuing professional education include?
Maintaining proficiency through continuing education.
Staying informed about improvements and current developments in the internal audit standards, procedures, and techniques.
What does QAIP stand for?
Quality Assurance and Improvement Program
What are the two types of internal assessments in a QAIP?
Ongoing internal assessments of performance of the internal audit activity.
Periodic internal assessments of the program through self-assessment or from an independent person within the organization who is familiar with the internal auditing program.
What are the two ways an external assessment may be done in a QAIP?
A full external assessment conducted by an external assessor or review team.
An independent assessor or review team can conduct an independent validation of the internal self-assessment and the corresponding report that was completed by the internal audit activity.
To whom are the results of the QAIP communicated?
To senior management and the board of directors.
How often should internal assessments be performed?
Ongoing assessments are performed throughout the year and periodic assessments are performed as needed.
How often should external assessments be performed?
At least once every five years.
When may the phrase, “Conforms with the International Standards for the Professional Practice of Internal Auditing” be used?
It may be used only if it is supported by the results of the QAIP.
To whom must nonconformance with the Standards be disclosed?
To senior management and the board.