Ch 2. Study guide Flashcards
Attributes IPPF covers
- individual internal auditor
- characteristics of the internal audit function
- nature of the internal audit activities
- Internal audit performance criteria
What drove the creation of the new IPPF and what essential elements does it contain?
- IPPF was upgraded in July 2015 to support:
- the profession
- its practitioners, and
- its stakeholders - The upgrade includes:
- the Mission of Internal Audit
- Core Principles for the Professional Practice of Internal Auditing
The upgraded IPPF contains essential elements for the delivery of internal audit services that ADD VALUE.
Titles of IPPF categories, including the mandatory guidance
- Mission
- Mandatory Guidance
–> Core Principles
–> Definition of Internal Auditing
–> The Code of Ethics
–> The Standards - Recommended Guidance
–> Implementation Guidance
–> Supplemental Guidance
Mission of internal audit and how value is added
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
[NOTE: Value is added by providing opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services (i.e. risk advisory services (value proposition).)]
When in relation to the core principles, an internal audit function is considered effective when:
Core Principles
- Demonstrates integrity (hard to develop)
- Demonstrates quality and continuous improvement
- Demonstrates competence and due professional care
- Communicates effectively
- Is objective and free from undue influence (independent)
- Provides risk-based assurance
- Aligns with the strategies, objectives, and risks of the organization
- Is insightful, proactive, and future-focused
- Is appropriately positioned and adequately resourced
- Promotes organizational improvement
For an internal audit function to be considered “effective” —
each principle must be
present and successfully operating.
Purpose of the code of ethics
The purpose of the Code of Ethics is to promote an ethical culture in the internal audit profession.
The Code of Ethics consists of the Principles and Rules of Conduct that describe the necessary attributes and behaviors of the internal auditors
The Principals – describe the four core values necessary to earn trust
The Rules of Conduct – describe twelve behavioral norms required to implement the principles.
What groups can the IIA exercise enforcement over
Enforcement—The Code of Ethics applies to all individuals and/or entities that provide internal audit services, not just those who are IIA members or hold IIA certifications.
However, The IIA is only able to exercise enforcement over IIA members, and recipients of, or candidates for, IIA professional certifications.
As determined by The IIA’s Ethics Committee, breaches of the Code of Ethics can result in:
Censure,
Suspension of membership and/or certifications, and
Expulsion and/or revocation of certification.
Conduct need not be explicitly mentioned in the Rules of Conduct for it to be considered unacceptable or discreditable and thus subject to disciplinary action.
When is conformance with the standards essential?
`The standards are mandatory requirements for the profession and and for evaluating the effectiveness of its performance.
The basic principles of internal auditing are outlined in the standards.
Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization.
While the differences that exist among organizations may affect the practices of internal auditing, “conformance with [the Standards] is essential in meeting the responsibilities of internal auditors and the internal audit activity.”
Standards – refers to principles-focused, mandatory requirements consisting of Statements of Interpretations.
Two types of standards and what they address/describe
There are two types of “Standards” - principles-focused, mandatory requirements:
Attributes Standards – address the attributes of organizations and individuals performing internal auditing.
Performance Standards – describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
The Standards are reproduced in their entirety in Appendix B of the textbook.
The Standards include a Glossary of terms that have been given specific meanings.
The Statements, their Interpretations, and terms defined in the Glossary must be considered together to understand and apply the Standards, correctly.
pillars of effective internal audit service
The three pillars of effective internal audit
services are:
Independence & Objectivity
Proficiency
Due Professional Care
Two types of services that internal auditors provide to add value and improve operations, how they differ, which is more stringent and why
The two types of services that internal auditors provide to add value and improve operations – assurance and consulting – are defined in the Glossary to the Standards as follows:
Assurance services – refers to an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
Examples may include financial (due diligence engagements), operational (system security), and compliance (taxation.)
Consulting (advisory) services – refers to advisory and related [customer] service activities, the nature and scope of which are agreed with the [customer], are intended to add value and improve an organization’s governance, risk management, and control process without the internal auditor assuming management responsibility.
Examples may include counsel, advise, facilitation, and training
Assurance and Advisory (Consulting) Services
Assurance and consulting (advisory) engagements differ in three respects:
Purpose of the engagement.
-Structure of the engagement.
-The parties involved.
-Nature & scope of the engagement.
The difference in purpose between these two types of services is clear.
Assurance engagements are performed to provide independent assessments.
Consulting (advisory) engagements are performed to provide advisory, training and facilitation services.
The structural difference between assurance and advisory (consulting) engagements are not as obvious.
The structure of the assurance engagements is more complex.
They typically involve three parties:
The party directly responsible for the process, system, or other subject matter being assessed – the auditee,
The party making the assessment – the internal audit function, and
The party/ parties using the assessment – the user(s).
The users of the internal audit function’s assessment are not involved directly in the engagement and in some cases are not identified explicitly.
The structure of consulting (advisory) engagements is relatively simple.
They typically involve two parties:
The party requesting and receiving the advice – the customer, and
The party providing the advice – internal audit function.
The internal audit function works directly with the customer to tailor the engagement to meet the customer’s needs.
Nature and scope of assurance services are determined by Internal Audit.
Nature and scope of consulting (advisory) services are mutually agreed upon by customer and Internal Audit.
The Implementation Standards for assurance services are more stringent and numerous than those for consulting services because the internal audit function must:
Plan and perform an assurance engagement and report the engagement results in a manner that meets the needs of the third-party users who are not involved directly in the engagement.
Take care to avoid any potential conflicts of interest with these users.
.
Difference between mandatory standards and recommended guidance
Mandatory guidance (i.e. Definition, Code of Ethics and Standards) describes principles for the professional practice of internal auditing.
Conformance with the mandatory guidance is considered essential (to IIA members, recipients of, or candidates for, IIA professional certificates.)
This guidance is developed following a rigorous due process, including a period of public exposure.
Recommended guidance describes practices supporting effective implementation of the principles found in the mandatory guidance.
The IIA endorses and strongly encourages conformance with the recommended guidance, but recognizes that there may be other, equally effective practices.
The process for developing strongly recommended guidance is less rigorous.
IIA guidance when recognizing promulgated by other organizations that is more stringent than the IIA guidance
The IIA recognizes that guidance promulgated by other organizations is pertinent to the profession of internal auditing.
In fact, some internal audit functions need to follow other professional guidance in addition to the IPPF.
The IIA’s “Standards” provide the following directive as to how to handle situations in which the multiple standards apply.
“If the “Standards” are used in conjunction with standards issued by other authoritative bodies, audit communications may also cite the use of other standards, as appropriate. In such a case, if inconsistencies exist between the “Standards” and other standards, internal auditors and the internal audit activity must conform to the “Standards”, and may conform with the other standards if they are more restrictive.”
The IIA’s Standards are principles-focused and intended for use by internal audit functions in a wide range of organizations in a variety of legal and cultural environments.
For this reason, there is little, if any, direct conflict between The IIA’s Standards and the standards promulgated by other professional organizations.
The differences that do exist typically involve a situation in which one set of standards is more stringent than another regarding a particular requirement.
For example, ISACA’s Standard S9.10 requires information systems auditors to obtain written representation from management at least annually that acknowledges management’s responsibility for the design and implementation of internal controls to prevent and detect illegal acts.
The IIA’s Standards contain no specific requirements for obtaining written representations from management, but obtaining such representations does not in any way conflict with the Standards.
Why Internal auditors should be knowledgable of other guidance relative to their work
The IIA’s Recognition of Guidance Promulgated by Other Organizations
Standards for U.S. Financial Audits.
The U.S. Public Company Accounting Oversight Board (PCAOB) and the American Institute of Certified Public Accountants (AICPA) currently set the standards for audits of companies’ financial statements in the United States.
Standards for audits of companies’ financial statements are set separately in other countries as well.
However, as is the case with accounting standards, there are initiatives under way to unify the financial audit standards among certain countries.
For example, the International Auditing and Assurance Standards Board (ISAB), which is part of the International Federation of Accountants (IFAC), has issued international audit standards which are being adopted by a number of countries.
Although these standards pertain directly to independent audits of companies’ financial statements, they can have a bearing on internal audit work, particularly those standards pertaining to the coordination of work between internal audit functions and outside independent auditors.
