
Course Name: Internal Auditing and Controls
Module: 2
Module Title: Internal Auditing Standards

Lectures and handouts by: Chuck Campbell


Copyright The Certified General Accountants Association of British Columbia. All rights reserved.

Internal auditing standards Module 2


In this module, you will be introduced to general standards for the practice of internal auditing, including some detail about the standards on independence, objectivity, proficiency and due professional care. The module concludes with a consideration of outsourcing some of the internal audit functions and the standards dealing with management of the internal audit activity.

Internal Auditing & Controls


Module 2
Part 1
Topic 2.1 Overview of internal auditing standards
Topic 2.2 Purpose, authority and responsibility
Part 2
Topic 2.3 Independence and objectivity
Topic 2.4 Proficiency and due professional care
Part 3
Topic 2.5 Using outside service providers for internal audit work
Part 4
Topic 2.6 Managing the internal audit department
Part 5
Module summary
Learning objectives
Recent examination questions
Assignment hints

Part 1
Topic 2.1 Overview of internal auditing standards
Topic 2.2 Purpose, authority and responsibility

The International Professional Practices Framework

MANDATORY
1. The Definition of Internal Auditing
2. The IIA Code of Ethics
3. The International Standards for the Professional Practice of Internal Auditing
   Attribute standards
   Performance standards
   Interpretations

STRONGLY RECOMMENDED
1. Position papers
2. Practice advisories
3. Practice guides

Purpose of internal auditing standards

The purpose of the International Standards for the Professional Practice of Internal Auditing is to:

delineate basic principles that represent the practice of internal auditing as it should be;
provide a framework for performing and promoting a broad range of value-added internal auditing;
establish the basis for the evaluation of internal audit performance; and
foster improved organizational processes and operations.

Attribute standards

There are four attribute standards:
1. The purpose, authority and responsibility of the internal audit activity must be formally defined in a charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
2. The internal audit activity must be independent and internal auditors must be objective in performing their work.
3. Engagements must be performed with proficiency and due professional care.
4. The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Performance standards

There are seven performance standards:
1. The chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization.
2. The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
3. Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations.
4. Internal auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement's objectives.
5. Internal auditors must communicate the results of engagements.
6. The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
7. When the chief audit executive concludes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management and, if necessary, the board.

Sarbanes-Oxley Act Section 302

Periodic statutory financial reports (of companies whose securities are traded in the United States) must include certifications that:

the signing officers have reviewed the report;
the report does not contain any untrue statements or material omissions and is not misleading;
the financial statements and related information fairly present the financial position and results in all material respects;
the signing officers are responsible for internal controls and have evaluated the controls within the last ninety days;
a list of all control deficiencies and information on any fraud by employees involved in control activities;
any significant changes in controls that could have a negative impact on the internal controls.

Sarbanes-Oxley Act Section 404

Management must perform a formal assessment of its controls over financial reporting.
Management must include in its annual report an assessment of its controls over financial reporting.
The external auditor must provide an opinion on the effectiveness of the system of internal control over financial reporting.

The report on internal control must contain:

a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting;
a statement identifying the control framework used by management in its evaluation;
management's assessment of the effectiveness of the internal controls over financial reporting; and
a statement that the auditors have issued an attest report on the controls over financial reporting.

The internal audit charter

Organizations must have a formal audit charter to define and communicate the purpose, authority and responsibility of the internal audit department.
The charter must be consistent with the definition of internal auditing, the IIA Code of Ethics and the Standards.
The charter must be approved by senior management and the board.
The charter should establish the position of the internal audit activity within the organization, set out the scope of its activities and guarantee access to personnel and records.

The internal audit charter: an example

Contents of the sample internal audit department charter (from Exhibit 2.2-1)

Mission and scope of work
Accountability
Independence
Responsibility
Authority
Standards of audit practice

Part 2
Topic 2.3 Independence and objectivity
Topic 2.4 Proficiency and due professional care

Independence and objectivity


The standards for the practice of internal auditing require that the auditor be independent of the activities audited and be objective in issuing an opinion on those activities.

Independence and objectivity (cont'd)

The independence and objectivity of the internal auditor are enhanced by:

the organizational status of the internal audit department;
the authority and responsibility given to internal auditors;
the degree of objectivity maintained by internal auditors.

Organizational independence
Practice Advisory 1110-1 recommends that:

The chief audit executive should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations. Ideally, the chief audit executive should report functionally to the board and administratively to the chief executive officer of the organization. The chief audit executive must have direct communication and interaction with the board of directors.

Functional reporting
Functional reporting is the reporting line which is responsible for the following activities:

approving the overall charter of the internal audit function;
approving the long-term and annual risk-based audit plans;
receiving communications from the chief audit executive on the internal audit activity's performance relative to its plan and other matters;
approving all decisions regarding the appointment or removal of the chief audit executive;
making appropriate inquiries of management and the chief audit executive to determine whether there are scope or budgetary restrictions that impede the ability of the internal audit function to carry out its responsibilities.

Administrative reporting
Administrative reporting is the reporting relationship within the management structure that facilitates the day-to-day operations of the internal audit function and includes budgeting and management accounting, human resource administration, internal communications and information flows, and administration of the organization's internal policies and procedures.

Factors threatening objectivity


social pressure;
economic interest;
personal relationships;
familiarity;
cultural, racial and gender biases;
cognitive biases;
self-review;
intimidation threat;
advocacy threat.

Managing threats to objectivity


incentives (rewards, discipline);
use of engagement teams;
rotation and/or reassignment;
training;
supervision/review;
quality assessments;
hiring practices;
outsourcing.

Impairments to objectivity
If independence or objectivity is impaired, in fact or appearance, the details of the impairment should be disclosed to appropriate parties. A scope limitation is a restriction placed upon the internal audit activity that precludes the audit activity from accomplishing its objectives and plans. Among other things, a scope limitation may restrict audit scope, access to records and personnel, the engagement work schedule, and/or the performance of necessary procedures. A scope limitation, along with its potential effect, should be communicated, preferably in writing, to the board.

Framework for managing threats


1. Identify threat.
2. Assess significance of threat.
3. Identify mitigating factors.
4. Assess residual threat.
5. Proactively manage residual threat.
6. Assess presence of unresolved threats.
7. Determine reporting and disclosure implications.
8. Review and monitoring.

Framework for managing threats


Threats should be managed at a variety of levels:
1. individual auditor;
2. engagement;
3. internal audit activity (department);
4. organization;
5. profession.

Consulting activities
Consulting activities should be empowered through the Internal Audit Charter and organizations must have ground rules for the performance of consulting services that are understood by all members of the organization. Consulting activities are generally characterized by a principal responsibility to report to the management of the operating unit, in contrast to assurance engagements where the principal responsibility is to senior management and the board of directors.


Proficiency and due professional care

1. Internal auditors and internal audit departments must possess the knowledge, skills and competencies needed to perform their responsibilities.
2. Internal auditors must apply the care and skills expected of a reasonably prudent and competent internal auditor.
3. Internal auditors must enhance their knowledge, skills, and competencies through continuing professional development.

Proficiency and due professional care (cont'd)

Individual internal auditors must:

comply with the Code of Ethics of the IIA.
have the knowledge and skills to perform internal audits in an efficient and effective manner, including sufficient oral and written communication skills.
understand human relations and maintain satisfactory relationships with auditees.
maintain their technical competence through continuing education.
exercise due professional care in performing their audits.

Part 3
Topic 2.5 Using outside service providers for internal audit work

Use of outsourced or co-sourced resources


Outsourced and/or co-sourced resources may be used:

to provide services to remote locations;
to provide subject matter expertise for specific engagements;
to replace the existing internal audit function or provide a part-time internal audit resource for organizations which cannot justify a full-time internal audit department.

Advantages of outsourcing internal audit activities

These include:

obtaining expertise not available in-house
access to leading edge practices
increased coverage (subject matter and geographical)
potential cost savings
greater flexibility

Disadvantages of outsourcing internal audit activities

These include:

lack of familiarity with the industry, the company and its culture
costs may be greater (if used for relatively routine work)
may require increased supervision
resources may not always be available when required
loss of potential training ground for future managers
potential loss of a source of information if provider is also external auditor (no longer permitted for public companies)

Requirements when outsourcing internal auditing activities

When outside service providers are used, the chief audit executive should assess their competency, independence and objectivity in relationship to the specific engagement to be performed. The chief audit executive should agree on the scope of work with the outside service provider before work commences. The chief audit executive should ensure that the work done by the outside service provider complies with the appropriate professional standards.


Characteristics of successful outsourcing arrangements


A well-defined role in the organization
Formal performance evaluations
Effective communications
An integrated risk analysis approach
A flexible audit plan with an ability to react when immediate demands arise
Experienced personnel
A willingness to bring in outside assistance when necessary

Part 4
Topic 2.6 Managing the internal audit department

Standards for the management of the internal audit department

The chief audit executive must:

establish risk-based plans to determine priorities for the internal audit activity that are consistent with the organization's goals.
communicate the department's plans and resource requirements to senior management and the board for review and approval.
ensure that the resources are appropriate, sufficient and effectively deployed to achieve the approved plan.
establish policies and procedures to guide the internal audit activity.

Standards for the management of the internal audit department (cont'd)

The chief audit executive should:

share information and co-ordinate activities with other providers of assurance and consulting activities to avoid duplication.

The chief audit executive must:

report periodically to the board relative to the approved plan.
establish a quality assurance and improvement program including both internal and external assessments.
communicate the results of external assessments to the board.

Quality assurance and improvement program


The internal audit activity must:

adopt a process to monitor and assess the overall effectiveness of its quality programs
provide for internal assessments performed both by members of the department and by others in the organization
arrange for external quality assurance reviews to be conducted at least once every five years
report the result of the external assessment to the board

If (and only if) the external assessment concludes that the activities are in full compliance with the Standards, this may be indicated in the reports issued by the department.

Part 5
Module summary
Learning objectives
Recent examination questions
Assignment hints

Module 2 Learning Objectives

1. Describe the attribute standards and the performance standards governing internal auditing and the key provisions of the Sarbanes-Oxley Act. (Level 1)
2. Determine the purposes and content of an internal audit charter. (Level 1)
3. Explain the importance of independence and objectivity in internal auditing and how they are achieved. (Level 1)
4. Identify the main standards for proficiency and due professional care in internal auditing. (Level 1)
5. Outline the main requirements of using outsourced or co-sourced resources in internal auditing. (Level 2)
6. State the standards for the proper management of the internal audit department, including quality assurance. (Level 1)

Recent examination questions


The examination blueprint states that 6% to 10% of the examination material should come from material from Module 2.

Typical exam questions:
Multiple choice questions

Assignment hints

Assignment 1

Question 2: The most important thing to remember when answering this question is to base your answer on the IIA Standards by applying the relevant sub-standards and Practice Advisories to the circumstances of Newlands Networks Corporation.

Question 3: Your answer should address the issues of independence and of objectivity. Again, the question is set to test your knowledge of the IIA Standards and your ability to apply the Standards, so your answer must be based on specific IIA Standards and Practice Advisories.

Question 4: Remember to provide references to the IIA Standards wherever possible.