
2019 Edition

CIA
Preparatory Program

Part 1
Sections I & II
Sample

Internal Audit Basics

Brian Hock, CIA, CMA


and
Carl Burch, CIA, CMA
with
Kevin Hock and Kekoa Kaluhiokalani
HOCK international, LLC
P.O. Box 6553
Columbus, Ohio 43206

(866) 807-HOCK or (866) 807-4625


(281) 652-5768

www.hockinternational.com
cia@hockinternational.com

Published December 2018

Acknowledgements

Acknowledgement is due to the Institute of Internal Auditors for permission to use
copyrighted questions and problems from the Certified Internal Auditor Examinations by The
Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, Florida 32701
USA. Reprinted with permission.

The authors would also like to thank the Institute of Certified Management Accountants for
permission to use questions and problems from past CMA Exams. The questions and
unofficial answers are copyrighted by the Certified Institute of Management Accountants
and have been used here with their permission.

The authors also wish to thank the IT Governance Institute for permission to make use of
concepts from the publication Control Objectives for Information and related Technology
(COBIT) 3rd Edition, © 2000, IT Governance Institute, www.itgi.org. Reproduction without
permission is not permitted.

© 2018 HOCK international, LLC

No part of this work may be used, transmitted, reproduced or sold in any form or by any
means without prior written permission from HOCK international, LLC.

ISBN: 978-1-934494-16-5
Thanks

The authors would like to thank the following people for their assistance in the production of
this material:

• Lynn Roden, CMA for her assistance in the technical elements of the material,
• All of the staff of HOCK Training and HOCK international for their patience in the
multiple revisions of the material,
• The students of HOCK Training in all of our classrooms and the students of HOCK
international in our Distance Learning Program who have made suggestions, comments
and recommendations for the material,
• Most importantly, to our families and spouses, for their patience in the long hours
and travel that have gone into these materials.

Editorial Notes

Throughout these materials, we have chosen particular language, spellings, structures and
grammar in order to be consistent and comprehensible for all readers. HOCK study
materials are used by candidates from countries throughout the world, and for many,
English is a second language. We are aware that our choices may not always adhere to
“formal” standards, but our efforts are focused on making the study process easy for all of
our candidates. Nonetheless, we continue to welcome your meaningful corrections and ideas
for creating better materials.

This material is designed exclusively to assist people in their exam preparation. No
information in the material should be construed as authoritative business, accounting or
consulting advice. Appropriate professionals should be consulted for such advice and
consulting.
CIA Part 1 Table of Contents

Table of Contents

Exam Introduction
Box Styles Used in This Book

Section I – Foundations of Internal Auditing
A. The Purpose, Authority, and Responsibility of the IAA
B. The Internal Audit Charter
C. Assurance and Consulting Services
D. IIA Code of Ethics

Section II – Independence and Objectivity
A. Organizational Independence and Individual Objectivity
B and C. Impairments to Independence or Objectivity
D. Policies That Promote Objectivity

Appendix A: Glossary

Appendix B: Model Internal Audit Activity Charter

© 2018 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited. i

Exam Introduction
The CIA Part 1 exam, Essentials of Internal Auditing, is 150 minutes (2 hours and 30 minutes) long and
consists of 125 multiple-choice questions.

The CIA Part 1 syllabus has six sections:

• Section I: Foundations of Internal Auditing (15%)
• Section II: Independence and Objectivity (15%)
• Section III: Proficiency and Due Professional Care (18%)
• Section IV: Quality Assurance and Improvement Program (7%)
• Section V: Governance, Risk Management, and Control (35%)
• Section VI: Fraud Risks (10%)

Additionally, the IIA syllabus refers to proficient and basic cognitive levels:

• Proficient. Candidates must exhibit thorough understanding and ability to apply concepts,
processes, or procedures; analyze, evaluate, and make judgments based on criteria; and/or put
elements or material together to formulate conclusions and recommendations.

• Basic. Candidates must retrieve relevant knowledge from memory and/or demonstrate basic
comprehension of concepts or processes.

In preparing for the exam, candidates need to read the textbook and use the ExamSuccess software with
questions from past exams. Many of the exam topics are very large; therefore, by studying past exam
questions candidates can get a feeling for the manner and depth to which a topic is tested.

As a word of caution, you might notice that the terminology used in this book may be different than what
you are familiar with from your workplace. Because internal auditing is an internal activity, there are no
established or standardized terms that apply in every organization. Keep in mind that the terms used in
this book are the terms that appear on the exams, so you should become accustomed to them.

Box Styles Used in This Book


The following box styles used throughout this book indicate material quoted from various IIA sources. Minor
changes may have been made to the formatting, but no changes have been made to the content.

Content quoted from the IIA website¹ appears in light grey boxes with an orange border.

Content quoted from the Standards or Implementation Guides appears in yellow boxes.

Content quoted from Practice Advisories or Implementation Guides appears in orange boxes.

Note: Quotes may not include the entire section or may include non-sequential sections.

¹ The website is https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx#mandatory.

Section I – Foundations of Internal Auditing CIA Part 1

Section I – Foundations of Internal Auditing


The best place to start preparing for CIA Part 1 is by understanding the guidance for internal auditors and
a company’s internal audit activity (IAA). The IIA provides explanations and outlines of the different
categories of guidance, so when it is appropriate, the IIA explanation and description of the various sources of
guidance will be provided.

The main source of guidance is the International Professional Practices Framework (IPPF).

Within the IPPF there are the following sections:

• The Mission of Internal Audit

• Mandatory Guidance

• Recommended Guidance

As the names indicate, only mandatory guidance must be followed.

Standards & Guidance — International Professional Practices Framework (IPPF)®

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes
authoritative guidance promulgated by The Institute of Internal Auditors. A trustworthy, global,
guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance
organized in the IPPF as mandatory guidance and recommended guidance.

Mandatory Guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the
professional practice of internal auditing. Mandatory guidance is developed following an established due
diligence process, which includes a period of public exposure for stakeholder input. The mandatory
elements of the IPPF are:

• Core Principles for the Professional Practice of Internal Auditing

• Definition of Internal Auditing

• Code of Ethics

• International Standards for the Professional Practice of Internal Auditing (Standards)

Recommended Guidance

Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices
for effective implementation of The IIA’s Core Principles, Definition of Internal Auditing, Code of Ethics,
and Standards. The recommended elements of the IPPF are:

• Implementation Guidance — assist internal auditors in applying the Standards.

• Supplemental Guidance (Practice Guides) — provide detailed processes and procedures for internal
audit practitioners.


This graphic from the IIA website provides a visual representation of the IPPF, the Mission, the Mandatory
Guidance, and the Recommended Guidance.

When you are presented with a question, look first in the Mandatory Guidance for an answer. If there is no
answer in the Mandatory Guidance, look in the Recommended Guidance.

The Mission of Internal Audit


The mission describes the goals of the internal audit activity within the organization and encompasses all
of the remaining elements of the IPPF.

The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization.
Its place in the New IPPF is deliberate, demonstrating how practitioners should leverage the entire
framework to facilitate their ability to achieve the Mission.

To enhance and protect organizational value by providing risk-based and objective assurance, advice,
and insight.

Exam Tip: Memorize the Mission of Internal Audit.


Mandatory Guidance
“Mandatory guidance” refers to standards and principles from the IIA that must be followed. “Mandatory”
means that it is a requirement, not a suggestion. The four sources of mandatory guidance are:

1) Core Principles for the Professional Practice of Internal Auditing

2) Definition of Internal Auditing

3) Code of Ethics

4) International Standards for the Professional Practice of Internal Auditing (Standards)

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit
activity to be considered effective, all Principles should be present and operating effectively. How an
internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles
may be quite different from organization to organization, but failure to achieve any of the Principles
would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s
mission.

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal
auditing. The definition is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

The Code of Ethics states the principles and expectations governing behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and
behavioral expectations rather than specific activities.

The Standards are principle-focused and provide a framework for performing and promoting internal
auditing. The Standards are mandatory requirements consisting of:

• Statements of basic requirements for the professional practice of internal auditing and for evaluating
the effectiveness of its performance. The requirements are internationally applicable for
organizations and individuals.

• Interpretations, which clarify terms or concepts within the statements.

• Glossary Terms.

It is necessary to consider both Statements and Interpretations to understand and apply the Standards
correctly. The Standards employs terms that have been given specific meanings included in the Glossary.

Exam Tip: Memorize the Definition of Internal Auditing.


The Core Principles


There are ten Core Principles that provide guidance for the IAA:

1) Demonstrates integrity.

2) Demonstrates competence and due professional care.

3) Is objective and free from undue influence (independent).

4) Aligns with the strategies, objectives, and risks of the organization.

5) Is appropriately positioned and adequately resourced.

6) Demonstrates quality and continuous improvement.

7) Communicates effectively.

8) Provides risk-based assurance.

9) Is insightful, proactive, and future-focused.

10) Promotes organizational improvement.

Exam Tip: Memorize the ten core principles of internal auditing.

Introduction to the Standards


The Standards provide a guide for the practice of internal auditing. Most of the Standards are tested on the
CIA exam, but initially it is important just to understand the structure of the Standards. This text from the
IIA is an excellent outline of the Standards and its objectives.

Internal auditing is conducted in diverse legal and cultural environments; for organizations that vary in
purpose, size, complexity, and structure; and by persons within or outside the organization. While
differences may affect the practice of internal auditing in each environment, conformance with The IIA’s
International Standards for the Professional Practice of Internal Auditing (Standards) is essential in
meeting the responsibilities of internal auditors and the internal audit activity.

The purpose of the Standards is to:

1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing
services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards are principles-focused, mandatory requirements consisting of:

• Statements of core requirements for the professional practice of internal auditing and for evaluating
the effectiveness of performance that are internationally applicable at organizational and individual
levels.
• Interpretations clarifying terms or concepts within the Standards.

The Standards, together with the Code of Ethics, encompass all mandatory elements of the International
Professional Practices Framework; therefore, conformance with the Code of Ethics and the Standards
demonstrates conformance with all mandatory elements of the International Professional Practices
Framework.


The Standards employ terms as defined specifically in the Glossary. To understand and apply the
Standards correctly, it is necessary to consider the specific meanings from the Glossary. Furthermore, the
Standards use the word “must” to specify an unconditional requirement and the word “should” where
conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The Standards comprise two main categories: Attribute and Performance Standards. Attribute
Standards address the attributes of organizations and individuals performing internal auditing. Performance
Standards describe the nature of internal auditing and provide quality criteria against which the
performance of these services can be measured. Attribute and Performance Standards apply to all internal
audit services.

Implementation Standards expand upon the Attribute and Performance Standards by providing the
requirements applicable to assurance (.A) or consulting (.C) services.

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions
or conclusions regarding an entity, operation, function, process, system, or other subject matters. The
nature and scope of an assurance engagement are determined by the internal auditor. Generally, three
parties are participants in assurance services: (1) the person or group directly involved with the entity,
operation, function, process, system, or other subject matter—the process owner, (2) the person or
group making the assessment—the internal auditor, and (3) the person or group using the assessment—
the user.

Consulting services are advisory in nature and are generally performed at the specific request of an
engagement client. The nature and scope of the consulting engagement are subject to agreement with
the engagement client. Consulting services generally involve two parties: (1) the person or group
offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the
engagement client. When performing consulting services the internal auditor should maintain objectivity
and not assume management responsibility.

The Standards apply to individual internal auditors and the internal audit activity. All internal auditors
are accountable for conforming with the standards related to individual objectivity, proficiency, and due
professional care and the standards relevant to the performance of their job responsibilities. Chief audit
executives are additionally accountable for the internal audit activity’s overall conformance with the
Standards.

If internal auditors or the internal audit activity is prohibited by law or regulation from conformance with
certain parts of the Standards, conformance with all other parts of the Standards and appropriate
disclosures are needed.

If the Standards are used in conjunction with requirements issued by other authoritative bodies, internal
audit communications may also cite the use of other requirements, as appropriate. In such a case, if the
internal audit activity indicates conformance with the Standards and inconsistencies exist between the
Standards and other requirements, internal auditors and the internal audit activity must conform with
the Standards and may conform with the other requirements if such requirements are more restrictive.

The review and development of the Standards is an ongoing process. The International Internal Audit
Standards Board engages in extensive consultation and discussion before issuing the Standards. This
includes worldwide solicitation for public comment through the exposure draft process. All exposure
drafts are posted on The IIA’s website as well as being distributed to all IIA institutes.

Note: The IIA’s Standards Glossary is presented in Appendix A.

Note: Being familiar with the Standards is one of the best ways to prepare for the exam. The original
text of the Standards is presented in the textbook where it is relevant.


Types of Standards

1) Attribute Standards
Attribute Standards (1000–1300) are concerned with the characteristics of the organization and the parties
performing the auditing activities. The primary components of the Attribute Standards are:

• Purpose, Authority, and Responsibility (1000). The purpose, authority, and responsibility of
the IAA should be formally defined in the internal audit charter, consistent with the Standards, and
approved by the board.

• Independence and Objectivity (1100). The IAA must be independent and the internal auditors
must be objective in performing their work.

• Proficiency and Due Professional Care (1200). The engagement must be performed with
proficiency and due professional care.

• Quality Assurance and Improvement Program (1300). The Chief Audit Executive (CAE, the
head of the IAA) must develop and maintain a quality assurance and improvement program that
covers all aspects of the internal audit activity and continuously monitors its effectiveness. This
program includes periodic internal and external quality assessments and ongoing internal
monitoring. Each part of the program must be designed to help the internal auditing activity add value
and improve the organization’s operations. Furthermore, the program must provide assurance that
the internal audit activity conforms to the Definition of Internal Auditing, the Standards, and
the Code of Ethics.

2) Performance Standards
Performance Standards (2000–2600) describe the internal audit activities and criteria against which the
performance of these services can be evaluated. The primary components of the Performance Standards
are:

• Managing the Internal Audit Activity (2000). The CAE must effectively manage the internal
audit activity to ensure that it adds value to the organization.

• Nature of Work (2100). The internal audit activity must evaluate and contribute to the
improvement of risk management, control, and governance processes using a systematic and disciplined
approach.

• Engagement Planning (2200). Internal auditors must develop and record a plan for each
engagement, including the scope, objectives, timing, and resource allocations.

• Performing the Engagement (2300). Internal auditors must identify, analyze, evaluate, and
record sufficient information to achieve the engagement’s objectives.

• Communicating Results (2400). Internal auditors must communicate the engagement results.

• Monitoring Progress (2500). The CAE must establish and maintain a system to monitor the
disposition of results communicated to management.

• Resolution of Management’s Acceptance of Risks (2600). When the CAE believes that senior
management has accepted a level of residual risk that may be unacceptable to the organization,
the CAE must discuss the matter with senior management. If the decision regarding residual risk
is not resolved, the CAE and senior management must report the matter to the board for resolution.


3) Implementation Standards
Implementation Standards apply to the two specific types of engagements: assurance (.A) or consulting
(.C). For example, Standard 1000 (Purpose, Authority, and Responsibility) consists of implementation
standards 1000.A1 or 1000.C1, which are for assurance and consulting, respectively.

1) Assurance services involve the internal auditor’s objective assessment of evidence to provide an
independent opinion or conclusions. The internal auditor determines the nature and scope of the
assurance engagement. There are generally three parties involved in assurance services:

• The process owner, or the person or group directly involved with the process, system, or
other subject matter.

• The internal auditor, or the person or group making the assessment.

• The user, or the person or group using the assessment.

2) Consulting services are advisory in nature and are generally performed at the specific request
of an engagement client. The nature and scope of the consulting engagement are subject to
agreement with the engagement client. Consulting services generally involve two parties:

• The internal auditor, or the person or group offering the advice.

• The engagement client, or the person or group seeking and receiving the advice.

Note: The internal auditor should maintain objectivity and not assume management responsibility when
performing consulting services.

Recommended Guidance

1) Implementation Guidance

Implementation Guides assist internal auditors in applying the Standards. They collectively address
internal auditing’s approach, methodologies, and consideration, but do not detail processes or procedures.

2) Supplemental Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include
topical areas, sector-specific issues, as well as processes and procedures, tools and techniques,
programs, step-by-step approaches, and examples of deliverables.

Note: Previously, there was a category of recommended guidance called Practice Advisories (PAs). The
PAs provided detailed guidance for the application of the Standards and were the best practices endorsed
by the IIA for applying the Definition, Code of Ethics, and Standards. While the PAs are no longer included
in the Recommended Guidance, they are included here where appropriate. The PAs tend to be longer
and more detailed than the Implementation Guides and therefore make an excellent tool when preparing
for the exam.


A. The Purpose, Authority, and Responsibility of the IAA


The purpose, authority, and responsibility of the internal audit activity are the foundation on which the IAA
is built as it performs its work. The text of Standard 1000, as well as its Interpretations and Implementation
Standards, is shown here:

Standard 1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an
internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework (the Core Principles for the Professional Practice of
Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief
audit executive must periodically review the internal audit charter and present it to senior management
and the board for approval.

Interpretation:

The internal audit charter is a formal document that defines the internal audit activity’s purpose,
authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within
the organization, including the nature of the chief audit executive’s functional reporting relationship with
the board; authorizes access to records, personnel, and physical properties relevant to the performance
of engagements; and defines the scope of internal audit activities. Final approval of the internal audit
charter resides with the board.

Implementation Standards:

1000.A1 – The nature of assurance services provided to the organization must be defined in the internal
audit charter. If assurances are to be provided to parties outside the organization, the nature of these
assurances must also be defined in the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

The purpose, authority, and responsibility of the IAA need to be stated in the Internal Audit Charter, which
is covered in detail next.

B. The Internal Audit Charter


The internal audit charter (“the Charter”) provides the internal audit activity with a formal mandate to do
its work. The Charter is:

1) Written by the Chief Audit Executive (CAE).

2) Approved by the senior management and the board or audit committee.

3) Communicated to engagement clients.

4) Reviewed periodically by the CAE to make certain it is still relevant and appropriate.

Note: The Model charter from the IIA is in Appendix B. We strongly recommend that you read through
the entire Charter as you begin your studies and also as a final review before you take the exam.

The Charter should:

• Establish the internal audit activity’s position within the organization, including the nature of the
CAE’s functional reporting relationship with the board.

• Authorize access to records, personnel, and physical properties relevant to the performance of
engagements.

• Define the scope of internal audit activities.


Sections of the Charter


There are seven sections in the Model Charter.

1) Purpose and Mission. Includes both the Mission of Internal Auditing and the Definition of Internal
Auditing.

From the Charter: The purpose of Company X’s internal audit activity is to provide independent,
objective assurance and consulting services designed to add value and improve Company
X’s operations. The mission of internal audit is to enhance and protect organizational value by
providing risk-based and objective assurance, advice, and insight. The internal audit activity
helps Company X accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of governance, risk management, and control
processes.

2) Standards for the Professional Practice of Internal Auditing. Establishes that the IAA will
follow all of the mandatory elements of the IPPF. Additionally, the CAE must report periodically to
the board about the IAA’s conformance to the Standards and Code of Ethics.

From the Charter: The internal audit activity will govern itself by adherence to the mandatory
elements of The Institute of Internal Auditors' International Professional Practices Framework,
including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics,
the International Standards for the Professional Practice of Internal Auditing, and the Definition
of Internal Auditing. The chief audit executive will report periodically to senior management and
the board regarding the internal audit activity’s conformance to the Code of Ethics and the
Standards.

This requirement to follow the Standards is also set out in Standard 1010:

Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter

Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the
Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing,
the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in
the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit
and the mandatory elements of the International Professional Practices Framework with senior
management and the board.

3) Authority. Establishes the dual reporting process for the IAA and:

• What the board will do to make certain that the IAA has sufficient authority to fulfil its duties.

• What the board authorizes the IAA to do. This includes the board providing the IAA with full,
free, and complete access to all functions, records, property, and personnel that is needed for
the IAA to fulfill its duties.

The Charter should specify the dual reporting process for the IAA.

From the Charter: The chief audit executive will report functionally to the board and
administratively (i.e., day-to-day operations) to the chief executive officer.


4) Independence and Objectivity. Specifies that the IAA must have organizational independence
and that internal auditors maintain objectivity. The first two paragraphs of this section are:

From the Charter: The chief audit executive will ensure that the internal audit activity remains
free from all conditions that threaten the ability of internal auditors to carry out their
responsibilities in an unbiased manner, including matters of audit selection, scope, procedures,
frequency, timing, and report content. If the chief audit executive determines that independence
or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed
to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform
engagements objectively and in such a manner that they believe in their work product, that no quality
compromises are made, and that they do not subordinate their judgment on audit matters to
others.


5) Scope of Internal Audit Activities. The potential scope of work for the IAA is vast. The main
type of engagement is assurance, but it is also possible that the IAA will perform consulting
engagements. However, if the IAA performs consulting engagements, that authorization must be
specifically stated in the Charter.

From the Charter: The scope of internal audit activities encompasses, but is not limited to,
objective examinations of evidence for the purpose of providing independent assessments to
the board, management, and outside parties on the adequacy and effectiveness of governance,
risk management, and control processes for Company X.

The chief audit executive also coordinates activities, where possible, and considers relying upon
the work of other internal and external assurance and consulting service providers as needed.
The internal audit activity may perform advisory and related client service activities, the nature
and scope of which will be agreed with the client, provided the internal audit activity does not
assume management responsibility.

Opportunities for improving the efficiency of governance, risk management, and control
processes may be identified during engagements. These opportunities will be communicated to the
appropriate level of management.

6) Responsibility. Outlines the specific responsibilities of the CAE.

From the Charter: The chief audit executive has the responsibility to:

• Submit, at least annually, to senior management and the board a risk-based internal audit plan
for review and approval.

• Communicate to senior management and the board the impact of resource limitations on the
internal audit plan.

• Review and adjust the internal audit plan, as necessary, in response to changes in Company X’s
business, risks, operations, programs, systems, and controls.

• Communicate to senior management and the board any significant interim changes to the
internal audit plan.

• Ensure each engagement of the internal audit plan is executed, including the establishment of
objectives and scope, the assignment of appropriate and adequately supervised resources, the
documentation of work programs and testing results, and the communication of engagement
results with applicable conclusions and recommendations to appropriate parties.


• Follow up on engagement findings and corrective actions, and report periodically to senior
management and the board any corrective actions not effectively implemented.

• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and
upheld.

• Ensure the internal audit activity collectively possesses or obtains the knowledge, skills, and
other competencies needed to meet the requirements of the internal audit charter.

• Ensure trends and emerging issues that could impact Company X are considered and
communicated to senior management and the board as appropriate.

• Ensure emerging trends and successful practices in internal auditing are considered.

• Establish and ensure adherence to policies and procedures designed to guide the internal audit
activity.

• Ensure adherence to Company X’s relevant policies and procedures, unless such policies and
procedures conflict with the internal audit charter. Any such conflicts will be resolved or
otherwise communicated to senior management and the board.


7) Quality Assurance and Improvement Program. States that the IAA must perform engagements
at the expected level of quality. The QAIP is one of the ways that the IAA assesses and
ensures the proper level of quality and adherence to all of the Standards.

From the Charter: The internal audit activity will maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity. The program will include an
evaluation of the internal audit activity’s conformance with the Standards and an evaluation of
whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the
efficiency and effectiveness of the internal audit activity and identify opportunities for
improvement.

The chief audit executive will communicate to senior management and the board on the internal
audit activity’s quality assurance and improvement program, including results of internal
assessments (both ongoing and periodic) and external assessments conducted at least once every
five years by a qualified, independent assessor or assessment team from outside Company X.

C. Assurance and Consulting Services


The two main categories of services that the internal audit activity may provide are assurance and
consulting services.

The Standards Glossary defines assurance services as:

An objective examination of evidence for the purpose of providing an independent assessment
on governance, risk management, and control processes for the organization.
Examples may include financial, performance, compliance, system security, and due diligence
engagements.

The Standards Glossary defines consulting services as:

Advisory and related client services, the nature and scope of which are agreed upon with
the client and which are intended to add value and improve an organization’s operations.
Examples include counsel, advice, facilitation, process design and training.

The Standards state that internal auditors can only perform consulting services specifically defined in the
internal audit charter.


Comparing Assurance and Consulting Engagements


In an assurance engagement, the auditor provides an assessment and states an opinion about whether
or not something within the company is operating or performing correctly. The auditor should be objective
in the investigation and independent in the decision. Examples of assurance engagements include:

• Assessing whether controls are properly designed and implemented.

• Assessing whether production standards are being met.

• Assessing the accuracy of recorded financial transactions.

In a consulting engagement, the auditor provides advice or makes a suggestion. The auditor does not
need to be independent in a consulting engagement. Consulting engagements are often
forward-looking rather than an analysis of past events.

Types of Assurance Engagements


Some of the more common categories of assurance engagements include:

• Risk and control assessments

• Audits of third parties and contract compliance

• Security and privacy audits

• Performance and quality audits

• Key performance indicator audits

• Operational audits

• Financial audits

• Regulatory compliance audits

Types of Consulting Engagements


The Charter must specifically state that the IAA may provide consulting services before any such
engagements are started. Some of the more common categories of consulting engagements include:

• Training

• System design

• System development

• Due diligence

• Privacy

• Benchmarking

• Internal control assessments

• Process mapping

Note: More specific and detailed information about the types of assurance and consulting engagements
is covered in CIA Part 2.


Standards for Consulting Engagements


The Practice Advisories list twelve principles to guide internal auditors during consulting engagements. This
Practice Advisory, formerly PA 1000.C1-1, is no longer current, but the principles it outlined can still serve
as a useful guide for internal auditors. The following list is a condensed version of these twelve principles:

• Value is added by the IAA when it performs both assurance and consulting services. In
fact, the IAA is in a strong position to provide consulting services because of its professional
standards and its knowledge of the company and its operations.

• Included in the internal audit charter is the provision that the IAA provide consulting
and other appropriate services. Additionally, any rules or standards applicable to the consulting
services must also be stated in the charter.

• The IAA may also provide other services besides assurance and consulting, such as
investigating fraud and conducting due diligence.

• Consulting services do not impair the objectivity of either the internal auditor or the IAA.
However, the auditor’s first duty is as an auditor, and so all actions need to be governed by the
applicable internal audit guidelines and standards. Objectivity is not impaired as long as the
internal auditor provides advice and does not take ownership of a specific process.

If an IAA is performing consulting engagements, it is imperative that the company’s internal auditors take
extra precautions to determine that senior management and the board all understand and agree with the
concept, operating guidelines, and communications required for performing consulting engagements.
Independence and objectivity issues connected to both consulting and assurance engagements are covered
in Section II.

D. IIA Code of Ethics


The Code of Ethics is an ethical guide for internal auditors and does not provide specific guidance nor does
it prescribe defined actions because an auditor faces many different types of ethical situations.

The four principles in the Code are:

1) Integrity. Auditors should behave in a way that reflects positively on the auditor and the
profession.

2) Objectivity. Auditors should make decisions based on facts and information and not on their
personal preferences or feelings.

3) Confidentiality. Auditors will learn many things that should be kept confidential. When in doubt,
auditors should err on the side of not sharing information.

4) Competency. Internal auditors should have the necessary skills, knowledge, and experience to
perform their work.

We strongly recommend that you memorize the Code of Ethics so that you can identify key words
that may be in a question or answer choice. The full text of the Code of Ethics follows.


The Code of Ethics states the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for conduct,
[sic] and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal
auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on
the trust placed in its objective assurance about governance, risk management, and control.

The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:

• Principles that are relevant to the profession and practice of internal auditing.

• Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid
to interpreting the Principles into practical applications and are intended to guide the ethical conduct
of internal auditors.

“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional
certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code
of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative
Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it
from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate
can be liable for disciplinary action.

Principles

Internal auditors are expected to apply and uphold the following principles:

1. Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their
judgment.

2. Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors make a balanced
assessment of all the relevant circumstances and are not unduly influenced by their own interests or by
others in forming judgments.

3. Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose
information without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal
auditing services.


Rules of Conduct

1) Integrity

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to
the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2) Objectivity

Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict
with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.

3) Confidentiality

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the
law or detrimental to the legitimate and ethical objectives of the organization.

4) Competency

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and
experience.

4.2. Shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing.

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.


Section II – Independence and Objectivity


Independence and objectivity are defined in Standard 1100.

Standard 1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing
their work.

Interpretation:

Independence is the freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree
of independence necessary to effectively carry out the responsibilities of the internal audit activity, the
chief audit executive has direct and unrestricted access to senior management and the board.
This can be achieved through a dual-reporting relationship. Threats to independence must be managed
at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made. Objectivity requires that internal auditors do not subordinate their judgment
on audit matters to others. Threats to objectivity must be managed at the individual auditor,
engagement, functional, and organizational levels.

The model Charter also includes a statement about independence and objectivity.

From the Charter: The chief audit executive will ensure that the internal audit activity remains free
from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an
unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report
content. If the chief audit executive determines that independence or objectivity may be impaired in fact
or appearance, the details of impairment will be disclosed to appropriate parties. 


Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements
objectively and in such a manner that they believe in their work product, that no quality compromises
are made, and that they do not subordinate their judgment on audit matters to others. 


Independence and objectivity are also addressed in four other Standards:

1) Standard 1110 – Organizational Independence

2) Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing

3) Standard 1120 – Individual Objectivity

4) Standard 1130 – Impairment to Independence or Objectivity

The discussion of independence and objectivity is broken down into the following areas:

• Organizational independence and the reporting lines of the IAA.

• Impairments to the independence of the IAA or the objectivity of an individual auditor.

• Policies that promote independence and objectivity.


A. Organizational Independence and Individual Objectivity


Organizational independence is achieved largely through the status of the IAA and the authority that the
board gives to it. If the IAA is perceived to be important and reports to the board of directors, it will be
more independent because of the support it receives from the highest levels of the organization. If, on
the other hand, it reports only to the chief accountant and there is a perception within the organization
that it does not add value to the organization (or is not respected by the board), the IAA will have less
independence and its work will be less useful to the organization.

Note: It is vital for the IAA to have the support of senior management and of the board so that it can
work freely and without interference.

From the Charter: To establish, maintain, and assure that Company X’s internal audit activity has
sufficient authority to fulfill its duties, the board will:

• Approve the internal audit activity’s charter.

• Approve the risk-based internal audit plan.

• Approve the internal audit activity’s budget and resource plan.

• Receive communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters.

• Approve decisions regarding the appointment and removal of the chief audit executive.

• Approve the remuneration of the chief audit executive.

• Make appropriate inquiries of management and the chief audit executive to determine whether there
is inappropriate scope or resource limitations.

The chief audit executive will have unrestricted access to, and communicate and interact directly with,
the board, including in private meetings without management present.

The board authorizes the internal audit activity to:

• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent
to carrying out any engagement, subject to accountability for confidentiality and safeguarding of
records and information.

• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques
required to accomplish audit objectives, and issue reports.

• Obtain assistance from the necessary personnel of Company X, as well as other specialized services
from within or outside Company X, in order to complete the engagement.



Dual Reporting Lines for the Internal Audit Activity


The ideal reporting situation is for the CAE to have two separate reporting structures:

1) Functional Reporting is connected to the engagements and their results. Proper functional
reporting is the source of independence and authority for the IAA. The CAE reports functionally to
the board.

2) Administrative Reporting is the reporting relationship within the organization’s management
structure that facilitates the day-to-day operations of the IAA. The CAE reports administratively
to upper management.

Note: When there is an audit committee, functional reporting will often be done to an audit committee,
rather than to the board.

This dual reporting structure is shown below. Because the CEO reports to the board, both the administrative
and functional reporting lines end with the board of directors.

[Figure: dual reporting structure. The Internal Audit Activity (CAE) reports administratively to
Senior Management (CEO) and functionally to the Audit Committee; both reporting lines lead up to
the Board of Directors.]


Functional Reporting
Standard 1110 addresses organizational independence and the interpretation provides a list of examples of
functional reporting.

Standard 1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the
internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the
board, at least annually, the organizational independence of the internal audit activity.

Interpretation:

Organizational independence is effectively achieved when the chief audit executive reports functionally
to the board. Examples of functional reporting to the board involve the board:

• Approving the internal audit charter;
• Approving the risk based internal audit plan;
• Approving the internal audit budget and resource plan;
• Receiving communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters;
• Approving decisions regarding the appointment and removal of the chief audit executive;
• Approving the remuneration of the chief audit executive; and
• Making appropriate inquiries of management and the chief audit executive to determine whether
there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal
auditing, performing work, and communicating results. The chief audit executive must disclose such
interference to the board and discuss the implications.

Practice Advisory 1110-1 provides more guidance about the role of the CAE in promoting organizational
independence.

Practice Advisory 1110-1

1. Support from senior management and the board assists the internal audit activity in gaining the
cooperation of engagement clients and performing their work free from interference.

2. The chief audit executive (CAE), reporting functionally to the board and administratively to
the organization’s chief executive officer, facilitates organizational independence. At a minimum
the CAE needs to report to an individual in the organization with sufficient authority to promote
independence and to ensure broad audit coverage, adequate consideration of engagement
communications, and appropriate action on engagement recommendations.

Administrative Reporting
PA 1110-1 provides a list of what administrative reporting typically includes.

4. Administrative reporting is the reporting relationship within the organization’s management
structure that facilitates the day-to-day operations of the internal audit activity. Administrative
reporting typically includes:

• Budgeting and management accounting.
• Human resource administration, including personnel evaluations and compensation.
• Internal communications and information flows.
• Administration of the internal audit activity’s policies and procedures.


Individual Objectivity
Being objective means that the auditor must make conclusions based on facts without being influenced by
feelings, emotions, relationships, bribes, or any other outside influence. Individual objectivity is covered in
Standard 1120.

Standard 1120 – Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Further guidance is found in the Practice Advisory.

Practice Advisory 1120-1

1) Individual objectivity means the internal auditors perform engagements in such a manner that they
have an honest belief in their work product and that no significant quality compromises are made.
Internal auditors are not to be placed in situations that could impair their ability to make objective
professional judgments.

Maintaining Independence and Objectivity


Auditors should not be managers, not even temporary managers, in other departments and they should
not make operational decisions in any part of the company. The Model Charter provides a list of activities
that internal auditors should not do.

From the Charter: Internal auditors will have no direct operational responsibility or authority over any
of the activities audited. Accordingly, internal auditors will not implement internal controls, develop
procedures, install systems, prepare records, or engage in any other activity that may impair their
judgment, including:

• Assessing specific operations for which they had responsibility within the previous year. 


• Performing any operational duties for Company X or its affiliates. 


• Initiating or approving transactions external to the internal audit department. 


• Directing the activities of any Company X employee not employed by the internal audit activity,
except to the extent that such employees have been appropriately assigned to auditing teams or to
otherwise assist internal auditors.

Internal auditors will:

• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.

• Exhibit professional objectivity in gathering, evaluating, and communicating information about the
activity or process being examined. 


• Make balanced assessments of all available and relevant facts and circumstances. 


• Take necessary precautions to avoid being unduly influenced by their own interests or by others in
forming judgments.



B and C. Impairments to Independence or Objectivity


Standard 1130 requires the disclosure of any impairment to the independence or objectivity of an auditor
or the IAA.

Standard 1130 – Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must
be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

An impairment is anything that might cause the auditor to be less than completely objective in an
engagement. As listed in the Interpretation to Standard 1130, common impairments include:

1) A personal conflict of interest.

2) A scope limitation, including a restriction of access to records, personnel, or properties.

3) Resource limitation, which includes funding limitations.

4) Situations where the auditor is assessing operations for which they were previously responsible.

5) Assurance engagements for functions over which the CAE has previously had responsibility.

6) Consulting engagements in areas where assurance engagements are also performed.

If an auditor believes that independence or objectivity has been impaired, the auditor must disclose the
nature of the impairment to the CAE or appropriate parties. If an impairment arises during an engagement,
it must be reported immediately to the manager of the engagement so that the situation can be addressed
or eliminated.

1) Conflicts of Interest
Conflict of interest is defined in the Interpretation to Standard 1120.

Standard 1120 – Interpretation

Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a
competing professional or personal interest. Such competing interests can make it difficult to fulfill his
or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A
conflict of interest can create an appearance of impropriety that can undermine confidence in the
internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an
individual’s ability to perform his or her duties and responsibilities objectively.

An auditor with a conflict of interest in an assurance engagement should be removed. The auditor can be
reassigned back to the engagement if the conflict is resolved.

Any conflicts of interest in a consulting engagement should be disclosed to the client. If the client has no
objections, then the auditor may remain on the consulting engagement.


2) Scope Limitations, Including Restriction of Access to Records, Personnel, or Property


A scope limitation is a restriction on the engagement that prevents accomplishing the objectives and
plans. Scope limitations are discussed in PA 1130-1.

2. A scope limitation is a restriction placed on the internal audit activity that precludes the activity from
accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:

• Scope defined in the internal audit charter.

• Internal audit activity’s access to records, personnel, and physical properties relevant to the
performance of engagements.

• Approved engagement work schedule.

• Performance of necessary engagement procedures.

• Approved staffing plan and financial budget.


3. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing,
to the board. The CAE needs to consider whether it is appropriate to inform the board regarding
scope limitations that were previously communicated to and accepted by the board. This may be
necessary particularly when there have been organization, board, senior management, or other
changes. 


3) Resource Limitations
Without sufficient resources and funding, the IAA may not be able to operate independently and objectively.
For example, inadequate staffing, insufficient training, or outdated technology might invite compromises or
shortcuts that would impair the IAA’s position in the organization.

4) Assessing Operations for Which Internal Auditors Were Previously Responsible


Objectivity is assumed to be impaired if an auditor performs an assurance review of any activity over
which he or she recently had responsibility. Individuals who are assigned to or transferred to the IAA should
not audit areas where they worked until a reasonable period of time has elapsed, usually at least one
year. If an individual is assigned to an engagement where he or she worked in the past year, objectivity is
presumed to be impaired and such facts should be clearly stated when communicating the results relating to
the audited area.

Note: Objectivity is also impaired when auditors are auditing an area for which they will have future
responsibility within one year after the engagement.

5) CAE’s Previous Responsibility for Non-audit Functions


It is possible that management could ask an internal auditor to assume responsibility for a part of operations
that could be subject to periodic internal auditing assessments. Internal auditors should not accept such
assignments, but it is possible that management may insist.

If the IAA accepts responsibility and the operation is part of the audit plan, the CAE could minimize the
impairment to objectivity by using a third party to complete the audit (for example, an external auditor or
third-party contractor). In addition, the CAE should confirm that the individuals who have operational
responsibility will not participate in any internal audits of the operation.

Practice Advisory 1130.A2-1 Internal Audit’s Responsibility for Other (Non-audit) Functions provides
guidance for such situations.


Practice Advisory 1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions

Primary Related Standard 1130.A2 – Assurance engagements for functions over which the chief audit
executive has responsibility must be overseen by a party outside the internal audit activity.

1. Internal auditors are not to accept responsibility for non-audit functions or duties that are
subject to periodic internal audit assessments. If they have this responsibility, then they are
not functioning as internal auditors.

2. When the internal audit activity, chief audit executive (CAE), or individual internal auditor is
responsible for, or management is considering assigning, an operational responsibility that the
internal audit activity might audit, the internal auditor’s independence and objectivity may be
impaired. At a minimum, the CAE needs to consider the following factors in assessing the impact
on independence and objectivity:

• Requirements of the Code of Ethics and the Standards.

• Expectations of stakeholders that may include the shareholders, board of directors, management,
legislative bodies, public entities, regulatory bodies, and public interest groups.

• Allowances and/or restrictions contained in the internal audit charter.

• Disclosures required by the Standards.

• Audit coverage of the activities or responsibilities undertaken by the internal auditor.

• Significance of the operational function to the organization (in terms of revenue, expenses,
reputation, and influence).

• Length or duration of the assignment and scope of responsibility.

• Adequacy of separation of duties.

• Whether there is any history or other evidence that the internal auditor’s objectivity may be at risk.

3. If the internal audit charter contains specific restrictions or limiting language regarding the
assignment of non-audit functions to the internal auditor, then disclosure and discussion with
management of such restrictions is necessary. If management insists on such an assignment, then
disclosure and discussion of this matter with the board is necessary. If the internal audit charter is
silent on this matter, the guidance noted in the points below are to be considered. All the points
noted below are subordinate to the language of the internal audit charter.

4. When the internal audit activity accepts operational responsibilities and that operation is part of the
internal audit plan, the CAE needs to:

• Minimize the impairment to objectivity by using a contracted, third-party entity or external auditors
to complete audits of those areas reporting to the CAE.

• Confirm that individuals with operational responsibility for those areas reporting to the CAE do not
participate in internal audits of the operation.

• Ensure that internal auditors conducting the assurance engagement of those areas reporting to the
CAE are supervised by, and report the results of the assessment, to senior management and the
board.

• Disclose the operational responsibilities of the internal auditor for the function, the significance of
the operation to the organization (in terms of revenue, expenses, or other pertinent information),
and the relationship of those who audited the function.

5. The auditor’s operational responsibilities need to be disclosed in the related audit report of those
areas reporting to the CAE and in the internal auditor’s standard communication to the board. Results
of the internal audit may also be discussed with management and/or other appropriate stakeholders.
Impairment disclosure does not negate the requirement that assurance engagements for functions
over which the CAE has responsibility need to be overseen by a party outside the internal audit
activity.


6) Consulting Services

Providing Assurance Service in Areas of Previous Consulting Engagements (1130.A3)

Standard 1130.A3 – The internal audit activity may provide assurance services where it had previously
performed consulting services, provided the nature of the consulting did not impair objectivity and
provided individual objectivity is managed when assigning resources to the engagement.

Internal Audit Responsibility for Consulting Engagements (1130.C1 and C2)


Internal auditors may provide consulting services to areas over which they had previous responsibility, but
they must act independently and objectively. Any potential impairment to their independence or objectivity
must be disclosed to the client before the engagement is accepted.

Standard 1130.C1 – Internal auditors may provide consulting services relating to operations for which
they had previous responsibilities.

Standard 1130.C2 – If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure must be made to the engagement client prior to
accepting the engagement.

Perceived Impairment of Objectivity


Objectivity must exist in both fact and appearance, which means that internal auditors must avoid even
the appearance of impairment. Accepting small promotional items such as pens, calendars, or other
insignificant items is generally not considered to impair professional judgment. However, any gifts of larger
value should be immediately reported to a supervisor.

Note: An internal auditor can make recommendations to a department as part of a consulting
engagement and still be objective in a future financial audit of that same department.

CAE Disclosure to the Board Connected to Independence and Objectivity


The Charter sets out two responsibilities that the CAE has in reporting independence- and objectivity-related
issues to the board:

1) The CAE will confirm at least annually to the board that the IAA is organizationally independent.
The CAE will need to make certain that the IAA maintains its organizational independence at all
times.

2) The CAE will disclose to the board any interference with the IAA determining the scope of work,
performing the work, or communicating the results.

From the Charter: The chief audit executive will confirm to the board, at least annually, the
organizational independence of the internal audit activity.

The chief audit executive will disclose to the board any interference and related implications in
determining the scope of internal auditing, performing work, and/or communicating results.



D. Policies That Promote Objectivity


There are a number of procedures that the CAE can follow in order to maintain objectivity within the IAA:

• Job assignments should minimize potential conflicts of interests. For example, an auditor should
not audit an area where his or her spouse works.

• Jobs should be periodically rotated so that relationships do not develop between the auditor and
the auditee that might impair the auditor’s judgment.

• A strong QAIP will help ensure that organizational independence and objectivity are part of the
culture of the IAA.

PA 1120-1 provides a list of things that can be done to maintain and promote objectivity.

2) Individual objectivity involves the chief audit executive (CAE) organizing staff assignments that
prevent potential and actual conflict of interest and bias, periodically obtaining information from the
internal audit staff concerning potential conflict of interest and bias, and, when practicable, rotating
internal audit staff assignments periodically.

3) Review of internal audit work results before the related engagement communications are released
assists in providing reasonable assurance that the work was performed objectively.


Appendix A: Glossary
These terms and definitions come directly from the IIA.

Add Value – The internal audit activity adds value to the organization (and its stakeholders) when it
provides objective and relevant assurance, and contributes to the effectiveness and efficiency of
governance, risk management, and control processes.

Adequate Control – Present if management has planned and organized (designed) in a manner that
provides reasonable assurance that the organization’s risks have been managed effectively and that the
organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services – An objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management, and control processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.

Board – The highest level of governing body charged with the responsibility to direct and/or oversee the
activities and management of the organization. Typically, this includes an independent group of directors
(e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does
not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee
to which the governing body has delegated certain functions.

Charter – The internal audit charter is a formal document that defines the internal audit activity’s purpose,
authority, and responsibility. The internal audit charter establishes the internal audit activity’s position
within the organization; authorizes access to records, personnel, and physical properties relevant to the
performance of engagements; and defines the scope of internal audit activities.

Chief Audit Executive – Chief Audit Executive (CAE) describes a person in a senior position responsible
for effectively managing the internal audit activity in accordance with the internal audit charter and the
Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others
reporting to the chief audit executive will have appropriate professional certifications and qualifications. The
specific job title of the chief audit executive may vary across organizations.

Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to
the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of
internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal
auditing.

Compliance – Adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.

Conflict of Interest – Any relationship that is, or appears to be, not in the best interest of the organization.
A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities
objectively.

Consulting Services – Advisory and related client service activities, the nature and scope of which are
agreed with the client, are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.

Control – Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs
the performance of sufficient actions to provide reasonable assurance that objectives and goals will be
achieved.

Control Environment – The attitude and actions of the board and management regarding the importance
of control within the organization. The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control. The control environment includes
the following elements:


• Integrity and ethical values.

• Management’s philosophy and operating style.

• Organizational structure.

• Assignment of authority and responsibility.

• Human resource policies and practices.

• Competence of personnel.

Control Processes – The policies, procedures (both manual and automated), and activities that are part
of a control framework, designed and operated to ensure that risks are contained within the level that an
organization is willing to accept.

Engagement – A specific internal audit assignment, task, or review activity, such as an internal audit,
control self-assessment review, fraud examination, or consultancy. An engagement may include multiple
tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives – Broad statements developed by internal auditors that define intended
engagement accomplishments.

Engagement Opinion – The rating, conclusion, and/or other description of results of an individual internal
audit engagement, relating to those aspects within the objectives and scope of the engagement.

Engagement Work Program – A document that lists the procedures to be followed during an
engagement, designed to achieve the engagement plan.

External Service Provider – A person or firm outside of the organization that has special knowledge, skill,
and experience in a particular discipline.

Fraud – Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations
to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or
business advantage.

Governance – The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.

Impairment – Impairment to organizational independence and individual objectivity may include personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and
resource limitations (funding).

Independence – The freedom from conditions that threaten the ability of the internal audit activity to
carry out internal audit responsibilities in an unbiased manner.

Information Technology Controls – Controls that support business management and governance as well
as provide general and technical controls over information technology infrastructures such as applications,
information, infrastructure, and people.

Information Technology Governance – Consists of the leadership, organizational structures, and
processes that ensure that the enterprise’s information technology supports the organization’s strategies and
objectives.

Internal Audit Activity – A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to add value and improve an
organization’s operations. The internal audit activity helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk
management and control processes.


International Professional Practices Framework – The conceptual framework that organizes the
authoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories - (1)
mandatory and (2) recommended.

Must – The Standards use the word “must” to specify an unconditional requirement.

Objectivity – An unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they believe in their work product and that no quality compromises are made. Objectivity
requires that internal auditors do not subordinate their judgment on audit matters to others.

Overall Opinion – The rating, conclusion, and/or other description of results provided by the chief audit
executive addressing, at a broad level, governance, risk management, and/or control processes of the
organization. An overall opinion is the professional judgment of the chief audit executive based on the
results of a number of individual engagements and other activities for a specific time interval.

Risk – The possibility of an event occurring that will have an impact on the achievement of objectives. Risk
is measured in terms of impact and likelihood.

Risk Appetite – The level of risk that an organization is willing to accept.

Risk Management – A process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organization’s objectives.

Should – The Standards use the word “should” where conformance is expected unless, when applying
professional judgment, circumstances justify deviation.

Significance – The relative importance of a matter within the context in which it is being considered,
including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact.
Professional judgment assists internal auditors when evaluating the significance of matters within the
context of the relevant objectives.

Standard – A professional pronouncement promulgated by the Internal Audit Standards Board that
delineates the requirements for performing a broad range of internal audit activities, and for evaluating
internal audit performance.

Technology-based Audit Techniques – Any automated audit tool, such as generalized audit software,
test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit
techniques (CAATs).


Appendix B: Model Internal Audit Activity Charter


The following model charter has been prepared and published by the IIA. The Model is presented as
published, except that in the Model the IIA presents options of language for a handful of terms. The choices
used for the model presented here are:

• “Name of organization” – Company X

• Internal audit department/activity – internal audit activity

• Board/audit committee/supervisory committee - Board

Purpose and Mission


The purpose of Company X’s internal audit activity is to provide independent, objective assurance and
consulting services designed to add value and improve Company X’s operations. The mission of internal
audit is to enhance and protect organizational value by providing risk-based and objective assurance,
advice, and insight. The internal audit activity helps Company X accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk
management, and control processes.

Standards for the Professional Practice of Internal Auditing


The internal audit activity will govern itself by adherence to the mandatory elements of The Institute of
Internal Auditors' International Professional Practices Framework, including the Core Principles for the
Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional
Practice of Internal Auditing, and the Definition of Internal Auditing. The chief audit executive will report
periodically to senior management and the board regarding the internal audit activity’s conformance to the
Code of Ethics and the Standards.

Authority
The chief audit executive will report functionally to the board and administratively (i.e., day-to-day
operations) to the chief executive officer. To establish, maintain, and assure that Company X’s internal audit
activity has sufficient authority to fulfill its duties, the board will:

• Approve the internal audit activity’s charter.

• Approve the risk-based internal audit plan.

• Approve the internal audit activity’s budget and resource plan.

• Receive communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters.

• Approve decisions regarding the appointment and removal of the chief audit executive.

• Approve the remuneration of the chief audit executive.

• Make appropriate inquiries of management and the chief audit executive to determine whether
there is inappropriate scope or resource limitations.


The chief audit executive will have unrestricted access to, and communicate and interact directly with, the
board, including in private meetings without management present.


The board authorizes the internal audit activity to:

• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent
to carrying out any engagement, subject to accountability for confidentiality and safeguarding of
records and information.

• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques
required to accomplish audit objectives, and issue reports. 


• Obtain assistance from the necessary personnel of Company X, as well as other specialized services
from within or outside Company X, in order to complete the engagement. 


Independence and Objectivity 



The chief audit executive will ensure that the internal audit activity remains free from all conditions that
threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including
matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit
executive determines that independence or objectivity may be impaired in fact or appearance, the details
of impairment will be disclosed to appropriate parties. 


Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements
objectively and in such a manner that they believe in their work product, that no quality compromises are
made, and that they do not subordinate their judgment on audit matters to others.


Internal auditors will have no direct operational responsibility or authority over any of the activities audited.
Accordingly, internal auditors will not implement internal controls, develop procedures, install systems,
prepare records, or engage in any other activity that may impair their judgment, including:

• Assessing specific operations for which they had responsibility within the previous year. 


• Performing any operational duties for Company X or its affiliates. 


• Initiating or approving transactions external to the internal audit department. 


• Directing the activities of any Company X employee not employed by the internal audit activity,
except to the extent that such employees have been appropriately assigned to auditing teams or
to otherwise assist internal auditors.

Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of
internal auditing, safeguards will be established to limit impairments to independence or objectivity.

Internal auditors will:

• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.

• Exhibit professional objectivity in gathering, evaluating, and communicating information about the
activity or process being examined.

• Make balanced assessments of all available and relevant facts and circumstances.

• Take necessary precautions to avoid being unduly influenced by their own interests or by others
in forming judgments.


The chief audit executive will confirm to the board, at least annually, the organizational independence of
the internal audit activity.


The chief audit executive will disclose to the board any interference and related implications in determining
the scope of internal auditing, performing work, and/or communicating results. 



Scope of Internal Audit Activities 



The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence
for the purpose of providing independent assessments to the board, management, and outside parties on
the adequacy and effectiveness of governance, risk management, and control processes for Company X.
Internal audit assessments include evaluating whether: 


• Risks relating to the achievement of Company X’s strategic objectives are appropriately identified
and managed.

• The actions of Company X’s officers, directors, employees, and contractors are in compliance with
Company X’s policies, procedures, and applicable laws, regulations, and governance standards.

• The results of operations or programs are consistent with established goals and objectives.

• Operations or programs are being carried out effectively and efficiently.

• Established processes and systems enable compliance with the policies, procedures, laws, and
regulations that could significantly impact Company X.

• Information and the means used to identify, measure, analyze, classify, and report such
information are reliable and have integrity.

• Resources and assets are acquired economically, used efficiently, and protected adequately.


The chief audit executive will report periodically to senior management and the board regarding:

• The internal audit activity’s purpose, authority, and responsibility.

• The internal audit activity’s plan and performance relative to its plan.

• The internal audit activity’s conformance with The IIA’s Code of Ethics and Standards, and action
plans to address any significant conformance issues.

• Significant risk exposures and control issues, including fraud risks, governance issues, and other
matters requiring the attention of, or requested by, the board.

• Results of audit engagements or other activities.

• Resource requirements.

• Any response to risk by management that may be unacceptable to Company X.


The chief audit executive also coordinates activities, where possible, and considers relying upon the work
of other internal and external assurance and consulting service providers as needed. The internal audit
activity may perform advisory and related client service activities, the nature and scope of which will be
agreed with the client, provided the internal audit activity does not assume management responsibility. 


Opportunities for improving the efficiency of governance, risk management, and control processes may be
identified during engagements. These opportunities will be communicated to the appropriate level of
management.


Responsibility
The chief audit executive has the responsibility to: 


• Submit, at least annually, to senior management and the board a risk-based internal audit plan
for review and approval.

• Communicate to senior management and the board the impact of resource limitations on the
internal audit plan.

• Review and adjust the internal audit plan, as necessary, in response to changes in Company X’s
business, risks, operations, programs, systems, and controls.



• Communicate to senior management and the board any significant interim changes to the internal
audit plan.

• Ensure each engagement of the internal audit plan is executed, including the establishment of
objectives and scope, the assignment of appropriate and adequately supervised resources, the
documentation of work programs and testing results, and the communication of engagement
results with applicable conclusions and recommendations to appropriate parties.

• Follow up on engagement findings and corrective actions, and report periodically to senior
management and the board any corrective actions not effectively implemented.

• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and
upheld.

• Ensure the internal audit activity collectively possesses or obtains the knowledge, skills, and other
competencies needed to meet the requirements of the internal audit charter.

• Ensure trends and emerging issues that could impact Company X are considered and
communicated to senior management and the board as appropriate.

• Ensure emerging trends and successful practices in internal auditing are considered.

• Establish and ensure adherence to policies and procedures designed to guide the internal audit
activity.

• Ensure adherence to Company X’s relevant policies and procedures, unless such policies and
procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise
communicated to senior management and the board.

• Ensure conformance of the internal audit activity with the Standards, with the following
qualifications:

o If the internal audit activity is prohibited by law or regulation from conformance with certain
parts of the Standards, the chief audit executive will ensure appropriate disclosures and will
ensure conformance with all other parts of the Standards.

o If the Standards are used in conjunction with requirements issued by other authoritative bodies,
the chief audit executive will ensure that the internal audit activity conforms with the Standards,
even if the internal audit activity also conforms with the more restrictive requirements of other
authoritative bodies.


Quality Assurance and Improvement Program


The internal audit activity will maintain a quality assurance and improvement program that covers all
aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s
conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of
Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify
opportunities for improvement.

The chief audit executive will communicate to senior management and the board on the internal audit
activity’s quality assurance and improvement program, including results of internal assessments (both
ongoing and periodic) and external assessments conducted at least once every five years by a qualified,
independent assessor or assessment team from outside Company X.
