CIA Part 1 - Unit 2

Ace your homework & exams now with Quizwiz!

External Assessment Approach

"External assessments may be accomplished using one of two approaches: a full external assessment, or a self-assessment with independent external validation (SAIV)."

Self Assessment with Independent External Validation

"The second approach to meeting the requirement for an external assessment is an SAIV [self-assessment with independent external validation]. This type of external assessment typically is conducted by the internal audit activity and then validated by a qualified, independent external assessor. The scope of [this assessment] typically consists of: - A comprehensive and fully documented self-assessment process that emulates the full external assessment process, at least with respect to evaluating the internal audit activity's conformance with the Standards and Code of Ethics. - Onsite validation by a qualified, independent external assessor. - Limited attention to other areas such as benchmarking; review, consultation, and employment of leading practices; and interviews with senior and operations management."

Objectivity: Staffing for Engagements

"When assigning internal auditors to specific engagements, the CAE (or delegate) will consider potential objectivity impairments and avoid assigning team members who may have a conflict. . . ."

QAIP Requirements

"[T]he QAIP also includes ongoing measurements and analyses of performance metrics such as accomplishment of the internal audit plan, cycle time, recommendations accepted, and customer satisfaction."

Board Interaction: Examples

- "If the CAE has a direct functional reporting relationship with the board, then the board assumes responsibility for approving the internal audit charter, internal audit plan, internal audit budget and resource plan, evaluation and compensation of the CAE, and appointment and removal of the CAE. Further, the board monitors the ability of internal audit to operate independently and fulfill its charter." - "[Under a functional] reporting relationship, the CAE will have many opportunities to communicate and interact directly with the board, as required by [Attribute Standard 1111]. For example, the CAE will participate in audit committee and/or full board meetings, generally quarterly, to communicate such things as the proposed internal audit plan, budget, progress, and any challenges. Further, the CAE will have the ability to contact the chair or any member of the board to communicate sensitive matters or issues facing internal audit or the organization. Typically, and at least annually, a private meeting with the board or audit committee and the CAE (without senior management present) is formally conducted to discuss such matters or issues. It is also helpful for the CAE to participate in one-on-one meetings or phone calls periodically with the board or audit committee chair, either prior to scheduled meetings or routinely during the year, to ensure direct and open communication." - "Board meeting agendas and minutes are often sufficient to demonstrate whether the CAE has communicated and interacted directly with the board."

QAIP: CAE's Responsibilities

- "The CAE must have a thorough understanding of the mandatory elements of the IPPF, especially the Standards and Code of Ethics. Generally, the CAE meets with the board to gain an understanding of the expectations for the internal audit activity, to discuss the importance of the Standards and the QAIP, and to encourage the board's support of these." - "The CAE periodically evaluates the QAIP and updates it as needed. For example, as the internal audit activity matures, or as conditions within the internal audit activity change, adjustments to the QAIP may become necessary to ensure that it continues to operate in an effective and efficient manner and to assure stakeholders that it adds value by improving the organization's operations." The quality assurance and improvement program must include both internal and external assessments.

QAIP Characteristics

- "The QAIP should encompass all aspects of operating and managing the internal audit activity—including consulting engagements—as found in the mandatory elements of the [IPPF]." - "A well-developed QAIP ensures that the concept of quality is embedded in the internal audit activity and all of its operations." - "[I]t must include ongoing and periodic internal assessments as well as external assessments by a qualified independent assessor or assessment team. . . ." - The QAIP consists of five components: (1) internal assessments, (2) external assessments, (3) communication of QAIP results, (4) proper use of a conformance statement, and (5) disclosure of nonconformance.

Responsibility

According to IG 1200, Proficiency and Due Professional Care, - "The CAE is responsible for ensuring conformance with [Attribute Standard 1200] by the internal audit activity as a whole." - However, "[p]erforming engagements with proficiency and due professional care is the responsibility of every internal auditor."

Proficiency Standards

- Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. - Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. - The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Not Presumed to Impair Objectivity

- Recommending standards of control for a new information system application - Performing reviews of the procedures for retiring capital equipment

Competency Assessment

- The Competency Framework "defines the core competencies needed to fulfill [International Professional Practices Framework (IPPF)] requirements for all occupational levels of the internal audit profession, including staff, management, and executive." - "To build and maintain the proficiency of the internal audit activity, the CAE may develop a competency assessment tool or skills assessment based on the Competency Framework or another benchmark (e.g., a mature internal audit activity)."

Proficiency

- The internal audit activity as a whole, not each auditor individually, must be proficient in all necessary competencies. - The Interpretation of Attribute Standard 1210 states, "Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities. It encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations." - Proficiency includes knowledge sufficient to evaluate fraud risks and IT risks and controls. - Internal auditors become proficient through professional education (including continuing professional development), professional experience, and certifications.

Outsourcing and Cosourcing

1. An organization may outsource none, all, or some of the functions of the internal audit activity. However, oversight of and responsibility for the internal audit activity must not be outsourced. - Regardless of the degree of outsourcing, services still must be performed in accordance with the Standards, and the guidance for obtaining external service providers should be followed. 2. Outsourcing alternatives include the following: - Partial or total external sourcing on an ongoing basis - Cosourcing for a specific engagement or on an ongoing basis - Cosourcing is performance by internal audit staff of joint engagements with external service providers (Position Paper, The Role of Internal Auditing in Resourcing the Internal Audit Activity).

Periodic Self-Assessments

1. Compared with ongoing monitoring, periodic self-assessments "generally provide a more holistic, comprehensive review of the Standards and the internal audit activity." 2. Periodic self-assessments are generally conducted by those with extensive internal auditing experience (e.g., senior internal auditors or certified internal auditors). 3. "The internal audit activity conducts periodic self-assessments to validate its continued conformance with the Standards and Code of Ethics and to evaluate: - The quality and supervision of work performed. - The adequacy and appropriateness of internal audit policies and procedures. - The ways in which the internal audit activity adds value. - The achievement of key performance indicators. - The degree to which stakeholder expectations are met."

Organization of Competency Framework

1. Professional ethics and internal audit management are the basis of service delivery. 2. The IPPF is the primary set of standards for internal auditors. Technical expertise in governance, risk, and control is needed to help achieve organizational objectives. Business acumen is an understanding of the organizational culture, the economy in which it operates, and the global and local conditions that affect its operations. 3. Competence in communication, persuasion, collaboration, and critical thinking is required to perform engagements and promote the organization's improvement and innovation.

External Service Providers

1. Qualified external service providers may be recruited from many sources, such as the external audit firm, an external consulting firm, or a university. 2. However, an external service provider associated with the engagement client is unacceptable because the person would not be independent or objective. 3. External service providers may more easily accommodate engagement requirements in distant locations.

Competency

A competency is the ability to perform a task or job properly." It is "a set of defined knowledge, skills, and behavior.

Full External Assessment Scope

A full external assessment would be conducted by a qualified, independent external assessor or assessment team. The team should be comprised of competent professionals and led by an experienced and professional project team leader. The scope of a full external assessment typically includes three core components: - The level of conformance with the Standards and Code of Ethics. This may be evaluated via a review of the internal audit activity's charter, plans, policies, procedures, and practices. In some cases, the review may also include applicable legislative and regulatory requirements. - The efficiency and effectiveness of the internal audit activity. This may be measured through an assessment of the internal audit activity's processes and infrastructure, including the QAIP, and an evaluation of the internal audit staff's knowledge, experience, and expertise. - The extent to which the internal audit activity meets expectations of the board, senior management, and operations management, and adds value to the organization.

Functional Reporting

A functional reporting line to the board provides the CAE with direct board access for sensitive matters and enables sufficient organizational status. It ensures that the CAE has unrestricted access to the board, typically the highest level of governance in the organization.

Scope Limitation

A scope limitation is a restriction placed on the internal audit activity that precludes the activity from accomplishing its objectives and plans. Among other things, a scope limitation may restrict (1) the scope defined in the internal audit charter; (2) the internal audit activity's access to records, personnel, and physical properties relevant to the performance of engagements; (3) the approved engagement work schedule; (4) the performance of necessary engagement procedures; and (5) the approved staffing plan and financial budget.

Adequate Supervision

Adequate supervision is a fundamental element of any quality assurance and improvement program (QAIP). Supervision begins with planning and continues throughout the performance and communication phases of the engagement. Adequate supervision is ensured through expectation-setting, ongoing communications among internal auditors throughout the engagement, and workpaper review procedures, including timely sign-off by the individual responsible for supervising engagements.

Objectivity: Performance and Compensation for Staff

Because "performance and compensation practices can significantly and negatively affect an individual's objectivity[,] . . . the CAE needs to be thoughtful in designing the internal audit performance evaluation and compensation system and consider whether the measurements used could impair an internal auditor's objectivity."

Organizational Independence: Examples

Board Reporting: - Approving the internal audit charter. - Approving the risk based internal audit plan. - Approving the internal audit budget and resource plan. - Receiving communications from the chief audit executive on the internal audit activity's performance relative to its plan and other matters. - Approving decisions regarding the appointment and removal of the chief audit executive. - Approving the remuneration of the chief audit executive. - Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.

Impairment Disclosures

Both the nature of the impairment and board/senior management expectations will determine the appropriate parties to be notified of the impairment and the ideal communication approach. For example: - When the CAE believes the impairment is not real, but recognizes there could be a perception of impairment, the CAE may choose to discuss the concern in engagement planning meetings with the operating management, document the discussion (such as in an audit planning memo), and explain why the concern is without merit. Such a disclosure may also be appropriate for a final engagement report. - When the CAE believes the impairment is real and is affecting the ability of internal audit to perform its duties independently and objectively, the CAE is likely to discuss the impairment with the board and senior management and seek their support to resolve the situation. - When an impairment comes to light after an audit has been executed, and it impacts the reliability (or perceived reliability) of the engagement results, the CAE will discuss it with operating and senior management, as well as the board."

Presumption of Impairment

Certain responsibilities lead to the presumption that objectivity is impaired. These responsibilities include designing, installing, implementing, or drafting procedures for information systems. The appearance of objectivity cannot be maintained when an internal auditor both (1) designs, installs, implements, or drafts procedures for an information system and (2) audits or reviews that system.

CPEs

Certified internal auditors (CIAs) demonstrate their continuing professional development by completing continuing professional education (CPE).

Presumed to Impair Objectivity

Drafting procedures for a new hiring system

Dual reporting

Dual reporting separates functional reporting and administrative reporting, but the CAE cannot solely determine organizational independence and placement.

Assessment Results

During an external assessment, the assessor may provide recommendations to address (a) areas that were not in conformance with the Standards and (b) opportunities for improvement. - The CAE may provide management action plans to address recommendations from the external assessment. - The CAE also may consider (1) adding the recommendations and management action plans to the internal audit activity's existing monitoring of progress related to internal audit engagement findings and (2) reporting on resolutions. - Verification that recommendations identified during the external assessment have been implemented is communicated to the board either (1) as part of the internal audit activity's monitoring of progress or (2) by following up separately through the next QAIP internal assessment.

Objectivity Impaired by Previous Assignment of Internal Audit Personnel

Employees often hold several different positions within the organization in sequence, on both temporary and permanent bases. - Organizations build competence and gain the advantages of new perspectives by such cross-training. On occasion, departments or functions in which current internal audit personnel were employed may be scheduled for an engagement in the internal audit work plan.

Objectivity Impairments

Examples of objectivity impairments include: An internal auditor audits an area in which he or she recently worked, such as when an employee transfers into internal audit from a different functional area of the organization and then is assigned to an audit of that function. . . . - An internal auditor audits an area where a relative or close friend is employed. - An internal auditor assumes, without evidence, that an area being audited has effectively mitigated risks based solely on prior positive audit or personal experiences (e.g., a lack of professional skepticism). - An internal auditor modifies the planned approach or results based on the undue influence of another person, often someone senior to the internal auditor, without appropriate justification.

External Assessments

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board: - The form and frequency of external assessments. - The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. - External assessments provide an independent and objective evaluation of the internal audit activity's conformance with the Standards and Code of Ethics.

External Assessors: Conflicts of Interest

External assessors must have no real or apparent conflict of interest due to current or past relationships with the organization. 1. Matters relating to independence include conflicts of former employees or of firms providing (a) the financial statement audit, (b) significant consulting services, or (c) assistance to the internal audit activity. 2. An individual in another part of the organization or in a related organization (e.g., a parent or an affiliate) is not independent. 3. Peer review among three unrelated organizations (but not between two) may satisfy the independence requirement. 4. Given concerns about independence, one or more independent individuals may provide separate validation.

Objectivity

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Administrative Reporting

Generally, the CAE also has an administrative reporting line to senior management, which further enables the requisite stature and authority of internal audit to fulfill responsibilities. For example, the CAE typically would not report to a controller, accounting manager, or mid-level functional manager. To enhance stature and credibility, The IIA recommends that the CAE report administratively to the chief executive officer (CEO) so that the CAE is clearly in a senior position, with the authority to perform duties unimpeded.

Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest; scope limitations; restrictions on access to records, personnel, and properties; and resource limitations, such as funding. The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity's and the chief audit executive's responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

Impairment Situations

Impairment situations generally include self-interest, self-review, familiarity, bias, or undue influence.

Independence

Independence is an organizational attribute of the internal audit activity as a whole. The IIA clarifies this distinction in the Interpretation below.

Aspects of Objectivity

Objectivity refers to an internal auditor's impartial and unbiased mindset, which is facilitated by avoiding conflicts of interest.

Internal Assessments

Internal assessments must include: - Ongoing monitoring of the performance of the internal audit activity. - Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Independence Impairments

Internal audit examples of organizational independence impairments include the following, which, if in effect, can also undermine internal auditor objectivity: - The CAE has broader functional responsibility than internal audit and executes an audit of a functional area that is also under the CAE's oversight. - The CAE's supervisor has broader responsibility than internal audit, and the CAE executes an audit within his or her supervisor's functional responsibility. - The CAE does not have direct communication or interaction with the board. - The budget for the internal audit activity is reduced to the point that internal audit cannot fulfill its responsibilities as outlined in the charter.

Gifts

Internal auditors are not to accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the auditor's objectivity has been impaired. - The appearance that objectivity has been impaired may apply to current and future engagements conducted by the auditor. - The status of engagements is not to be considered as justification for receiving fees, gifts, or entertainment. - The receipt of promotional items (such as pens, calendars, or samples) that are available to employees and the general public and have minimal value does not hinder internal auditors' professional judgments. - Internal auditors are to report immediately the offer of all material fees or gifts to their supervisors.

Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development. - The IIA requires internal auditors to continue expanding their knowledge and abilities throughout their careers. - IG 1230, Continuing Professional Development, gives specific advice regarding further education to enhance proficiency. - "An individual internal auditor may use a self-assessment tool, such as the Competency Framework, as a basis for creating a professional development plan. The development plan may encompass on-the-job training, coaching, mentoring, and other internal and external training, volunteer, or certification opportunities." - "Opportunities for professional development include participating in conferences, seminars, training programs, online courses and webinars, self-study programs, or classroom courses; conducting research projects; volunteering with professional organizations; and pursuing professional certifications. . . ."

Due Professional Care: Assurance Services

Internal auditors must exercise due professional care by considering the: - Extent of work needed to achieve the engagement's objectives. - Relative complexity, materiality, or significance of matters to which assurance procedures are applied. - Adequacy and effectiveness of governance, risk management, and control processes. - Probability of significant errors, fraud, or noncompliance. - Cost of assurance in relation to potential benefits. In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques. Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

Due Professional Care: Consulting Services

Internal auditors must exercise due professional care during a consulting engagement by considering the: - Needs and expectations of clients, including the nature, timing, and communication of engagement results. - Relative complexity and extent of work needed to achieve the engagement's objectives. - Cost of the consulting engagement in relation to potential benefits.

Objectivity Impairment Example

Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an auditor provides assurance services for an activity for which the auditor had responsibility within the previous year.

Periodic Assessments

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards. Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

CPE Requirements

Practicing and nonpracticing CIAs must complete 40 hours and 20 hours, respectively, of CPE annually (including at least 2 hours of ethics training)

CPE Activities

Qualifying CPE activities are those that contribute to internal audit competence. They include the following: - Educational programs (e.g., seminars, conferences, or technical sessions provided by auditing or accounting organizations and chapters; formal in-house training programs; college or university courses passed; or self-study programs relevant to internal auditing) - Passing examinations - Authoring or contributing to publications - Translating publications - Delivering oral presentations - Participating as a subject matter expert volunteer - Performing external quality assessments

Objectivity: Quality Assurance

Review of internal audit work results before the related engagement communications are released assists in providing reasonable assurance that the work was performed objectively.

Reporting Results

Senior management and the board must be kept informed about the degree to which the internal audit activity achieves the degree of professionalism required by The IIA. The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include: - The scope and frequency of both the internal and external assessments. - The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest. - Conclusions of assessors. - Corrective action plans.

QAIP Assessments

The CAE is responsible for ensuring that the internal audit activity conducts internal assessments and external assessments. - "Internal assessments consist of ongoing monitoring and periodic self-assessments . . . , which evaluate the internal audit activity's conformance with the mandatory elements of the IPPF, the quality and supervision of audit work performed, the adequacy of internal audit policies and procedures, the value the internal audit activity adds to the organization, and the establishment and achievement of key performance indicators." - "Ongoing monitoring is achieved primarily through continuous activities such as engagement planning and supervision, standardized work practices, workpaper procedures and signoffs, report reviews, as well as identification of any weaknesses or areas in need of improvement and action plans to address them.""Periodic self-assessments are conducted to validate that ongoing monitoring is operating effectively. . . ." - "External assessments provide an opportunity for an independent assessor or assessment team to conclude as to the internal audit activity's conformance with the Standards and whether internal auditors apply the Code of Ethics, and to identify areas for improvement." - "[T]he CAE is responsible for ensuring that the internal audit activity conducts an external assessment at least once every five years. . . ." - "A self-assessment may be performed in lieu of a full external assessment, provided it is validated by a qualified, independent, competent, and professional external assessor."

Objectivity Impaired by Assignment of Nonaudit Functions to Internal Audit Personnel

The CAE may be assigned responsibility for one or more functions outside the scope of internal auditing. The chief audit executive may be asked to take on additional roles and responsibilities outside of internal auditing, such as responsibility for compliance or risk management activities. These roles and responsibilities may impair, or appear to impair, the organizational independence of the internal audit activity or the individual objectivity of the internal auditor. Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments, and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility. Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

Assessing Individual Objectivity

The CAE must establish policies and procedures to assess the objectivity of individual internal auditors. 1. These can take the form of periodic reviews of conflicts of interest or as-needed assessments during the staffing requirements phase of each engagement.

Board Interaction

The CAE's access to the board must not be limited.

Competency Framework

The Competency Framework is described by The IIA as "a tool that defines the competencies needed to meet the requirements of the International Professional Practices Framework for the success of the internal audit profession." The Framework describes 10 interdependent core competencies: "I. Professional ethics: Promotes and applies professional ethics II. Internal audit management: Develops and manages the internal audit function III. IPPF: Applies the International Professional Practices Framework (IPPF) IV. Governance, risk and control: Applies a thorough understanding of governance, risk, and control appropriate to the organization V. Business acumen: Maintains expertise of the business environment, industry practices, and specific organizational factors VI. Communication: Communicates with impact VII. Persuasion and collaboration: Persuades and motivates others through collaboration and cooperation VIII. Critical thinking: Applies process analysis, business intelligence, and problem solving techniques IX. Internal audit delivery: Delivers internal audit engagements X. Improvement and innovation: Embraces change and drives improvement and innovation"

Deming Cycle

The Deming Cycle (or Plan-Do-Check-Act Cycle) is a continuous improvement model popularized by W. Edwards Deming.

Deming Cycle Application

The Deming Cycle can be used to establish the QAIP in a planned, methodical manner. The IIA's Practice Guide, Quality Assurance and Improvement Program, presents the application of the Deming Cycle to the QAIP: 1. Formal documentation of standards and expected practices (PLAN) 2. Development activities to define quality and build staff awareness of standards and expectations (DO) 3. Various forms of assessment and review to measure product or process quality (CHECK) 4. Undertaking improvement initiatives and documenting lessons learned (ACT)

Deming Cycle Steps

The Deming Cycle consists of four steps: 1. Plan establishes standards and expectations for operating a process to meet goals. 2. Do executes the process and collects data for further analysis in the later steps. 3. Check compares actual results with expected results and analyzes the difference. 4. Act provides feedback by identifying and implementing improvements to the process.

Conflict of Interest

The IIA Glossary defines conflict of interest as any "relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively." Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.

Frequency of Reporting Assessment Results

The IIA addresses the frequency of reporting on the QAIP in the following excerpt from the Interpretation of Standard 1320: To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually.

Due Care in Practice

The IIA provides guidance for the application of due care in IG 1220, Due Professional Care: 1. "[D]ue professional care requires conformance with The IIA's Code of Ethics and may entail conformance with the organization's code of conduct and any additional codes of conduct relevant to other professional designations attained." 2. "[T]he internal audit activity's policies and procedures provide a systematic and disciplined approach to planning, executing, and documenting internal audit work. By following this systematic and disciplined approach, internal auditors essentially apply due professional care. However, what constitutes due professional care partially depends upon the complexities of the engagement." 3. "Internal auditors demonstrate conformance with Standard 1220 through proper application of the IPPF's Mandatory Guidance, which would be reflected in their engagement plans, work programs, and workpapers." Due professional care can be demonstrated if the auditor applied the care and skill of a reasonably competent and prudent internal auditor in the same or similar circumstances. For example, any unexpected results from analytical procedures should be investigated and adequately explained.

Internal Assessment: CAE's Role

The chief audit executive (CAE) establishes a structure for reporting results of internal assessments that maintains appropriate credibility and objectivity. Generally, those assigned responsibility for conducting ongoing and periodic reviews report to the CAE while performing the reviews and communicate results directly to the CAE. The CAE should report the results of internal assessments, necessary action plans, and their successful implementation to senior management and the board.

Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement program.

CAE's Responsibility

The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. Each member of the internal audit activity need not be qualified in all disciplines. When necessary, the CAE can obtain necessary knowledge, skills, and competencies from external service providers.

Achieving Independence through Reporting to the Board

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Assessment Ratings

The expression of an opinion or conclusion on the results of the external assessment is included in the external assessment report. The report typically includes an assessment for each standard and an overall assessment for each standard series (attribute and performance). These assessments are in addition to the overall conformance results. The following is an example of a rating scale that may be used to show the degree of conformance: 1. Generally conforms. The top rating means that (1) an internal audit activity has a charter, policies, and processes, and (2) their execution and results conform with the Standards. 2. Partially conforms. Deficiencies in practice are judged to deviate from the Standards. But they do not preclude the internal audit activity from performing its responsibilities. 3. Does not conform. Deficiencies in practice are judged to be so significant as to seriously impair, or preclude, the internal audit activity's ability to perform adequately in all or in significant areas of its responsibilities.

Objectivity Impaired by Performance of Consulting Services

The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement. Internal auditors may provide consulting services relating to operations for which they had previous responsibilities. If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Allowable Recommendations

The internal auditor's objectivity is not impaired when the auditor recommends standards of control for systems or reviews procedures before they are implemented.

Importance of Conforming with the Standards

The internal audit activity cannot claim to comply with the Standards unless it has a successfully functioning QAIP. Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement program.

Importance of Reporting Nonconformance

The internal audit activity is a crucial part of the modern complex organization's governance processes. Senior management and the board must be informed when an assessment discovers a significant degree of nonconformance. When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board. Nonconformance of this type refers to the overall internal audit activity and not to specific engagements.

Maintaining Individual Objectivity

The responsibility to maintain objectivity rests with the CAE and with internal auditors themselves. 1. Internal auditors should be aware of the possibility of new conflicts of interest that may result from changes in personal circumstances or the particular auditees to which an auditor may be assigned.

Objectivity: IA Policy/Handbook

To manage internal audit objectivity effectively, many CAEs have an internal audit policy manual or handbook that describes the expectation and requirements for an unbiased mindset for every internal auditor. Such a policy manual may describe: - The critical importance of objectivity to the internal audit profession. - Typical situations that could undermine objectivity, such as auditing in an area in where [sic] an internal auditor recently worked; auditing a family member or a close friend; or assuming, without evidence, that an area under audit is acceptable based solely on prior positive experiences. - Actions the internal auditor should take if he or she becomes aware of a current or potential objectivity concern, such as discussing the concern with an internal audit manager or the CAE. Reporting requirements, where each internal auditor periodically considers and discloses conflicts of interest. Often, policies require internal auditors to indicate that they understand the conflict of interest policy and to disclose potential conflicts. Internal auditors sign annual statements indicating that no potential threats exist or acknowledging any known potential threats."

Objectivity: IA Training/Workshops

To reinforce the importance of these policies and help ensure all internal auditors internalize their importance, many CAEs will hold routine workshops or training on these fundamental concepts. . . . For example, more senior auditors and managers may share personal experiences where objectivity was called into question or where they self-disclosed a relationship or experience that was a conflict. Another common related training topic is professional skepticism. Such training reinforces the nature of skepticism and the criticality of avoiding bias and maintaining an open and curious mindset.

Chief Audit Executive Roles Beyond Internal Auditing

Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.

External Assessment Teams

[External] assessors or assessment teams must be competent in two main areas: - [T]he professional practice of internal auditing (including current in-depth knowledge of the IPPF), and - [T]he external quality assessment process.

Ongoing Monitoring

a. "[O]ngoing monitoring is generally focused on reviews conducted at the engagement level. - "Thus, "ongoing monitoring helps the CAE determine whether internal audit processes are delivering quality on an engagement-by-engagement basis. - "Compared with periodic self-assessments, ongoing monitoring emphasizes evaluating conformance with the performance standards. b. "Generally, ongoing monitoring occurs routinely throughout the year. . . ." c. "Ongoing monitoring is achieved primarily through continuous activities such as - Engagement planning and supervision, - Standardized work practices, - Workpaper procedures and signoffs, [and] - Report reviews. . . ." d. "Additional mechanisms commonly used for ongoing monitoring include: - "Checklists or automation tools, - Feedback from internal audit clients and other stakeholders, - Staff and engagement key performance indicators (e.g., "the number of certified internal auditors on staff, their years of experience in internal auditing, the number of continuing professional development hours they earned during the year, timeliness of engagements, and stakeholder satisfaction").

Internal Resources

a. The CAE must ensure that the internal audit activity is able to fulfill its responsibilities. 1. Identifying the available knowledge, skills, and competencies within the internal audit activity will help the CAE determine whether the current staff is sufficient to satisfy those responsibilities. b. The following practices help the CAE identify the available resources: 1. Hiring practices are an essential part of understanding the background of the internal audit staff. During this process, the CAE identifies the internal auditor's education, previous experience, and specialized areas of knowledge. 2. The CAE should conduct periodic skills assessments to determine the specific resources available. Assessments should be performed at least annually. 3. Staff performance appraisals are completed at the end of any major internal audit engagement. These appraisals help the CAE assess future training needs and current staff abilities. 4. Continuing professional development encourages continued growth. Acquired training also should be considered when identifying internal audit resources. c. Databases can be used to store internal audit background information. The information stored can include lists of relevant skills, completed projects, acquired training, and development needs. d. If the internal audit staff is not able to fulfill internal audit responsibilities, the use of external service providers must be considered.


Related study sets

Check for Understanding - View From the Empire State Building

View Set

Series 6 Exam - Securities Markets, Investment Securities, and Economic Factors

View Set

Accounting 131 (ch 1-3) Multiple choice practice

View Set

Diverticulosis/Diverticulitis NCLEX Questions

View Set