
Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the Accuracy+ effectiveness of risk management,
control, and governance processes. (So the internal audit activity can best be described as Assurance and
The review for adequacy determines whether control processes exist that are properly planned and
The review for effectiveness determines whether management has directed processes to provide
reasonable assurance that goals and objectives will be achieved.

Code of Ethics

Gleim 21: 87

page 9:47

Outlines the principles and expectations governing the behavior of individuals and organizations in the conduct
of internal auditing. (Promote an ethical culture among professionals who serve others.)
An organization’s code of ethical conduct is the established general value system the organization wishes to
apply to its members’ activities by communicating organizational purposes and beliefs and establishing
uniform ethical guidelines for members, which include guidance on behavior for members in making decisions.
The code of conduct should contain provisions for disciplinary action in the event of violations to enhance its
The absence of a formal code of ethics does not preclude a successful review of ethical behavior in an
organization. Policies and procedures may provide the criteria for such an engagement.
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable. Consequently, a reasonable inference is that individual judgment is necessary in
the application of the principles, and that action taken should be consistent with the principles embodied in The IIA’s Code
of Ethics.
Rules of Conduct

Rule of Conduct 2. “Internal auditors shall observe the law and make disclosures expected by the law and the profession. The internal auditor has a duty to act even though the available facts do not prove that an irregularity has occurred. Preparing a personal tax return for a division manager for a fee falls under this prohibition. (Gleim #56 page 27) Example 1 … The chief audit executive is aware of a material inventory shortage caused by internal control deficiencies at one manufacturing plant. The chief audit executive (CAE) became aware of a material misstatement of the year-end accounts receivable balance. Rule of Conduct 1.1 Serving as a consultant to (competitors OR suppliers) might create a conflict of interest. if not disclosed.2 under the integrity principle states.2 under the objectivity principle. Rule of Conduct 2. The internal auditor is ethically obligated to report the matter to senior officials charged with performing the governance function.” • If any employee asks the internal auditor not to mention his name: an internal auditor cannot guarantee anonymity. Engaging in a public service separate from the interests and activities of the organization is unlikely to impair professional judgment. Example 2 … Through an engagement performed at the credit department.” Thus. For ex: the management override of an important control over approval of transaction X created a material risk exposure. But relationships with professional organizations are not likely to create a conflict of interest. Hence. the CAE’s most appropriate course of action is to discuss the issue with management and take appropriate action to ensure that the external auditors are informed. “Internal auditors shall disclose all material facts known to them that. Rule of Conduct 2. The CAE should inform the external auditors of the misstatement (share information and coordinate activities with the external auditors).
For ex: An engagement at a foreign subsidiary disclosed payments to local government officials in return for orders. The IIA’s Code of Ethics suggests that an internal auditor in such a case inform appropriate organizational officials. When apparent violations of antitrust statutes by officers come to the internal auditor’s attention. The shortage and related causes are of sufficient magnitude to affect the external auditor’s report. (s)he should report to the board of directors rather than directly to the government regulators. The external auditors have completed their engagement without detecting the misstatement.3 states. auditors must comply with subpoenas. Teaching an evening tax seminar is unlikely to impair the internal auditor’s professional judgment. The internal auditor should inform the appropriate authorities in the organization if the indicators of the commission of a fraud are sufficient to recommend an investigation. Shall disclose all material facts known to them. The CAE should share information and coordinate activities with the external auditors. may distort the reporting of activities under review..3 under the objectivity principle states. Moreover. Information communicated to an internal auditor is not deemed to be privileged. Writing a tax guide for sale to the general public is unlikely to impair the internal auditor’s professional judgment. Based on The IIA’s Code of Ethics. Rule of Conduct 2.

Both the IIA’s Code of Ethics and the Standards are violated by failing to earn continuing education credits.2. Discussion of sensitive matters with an unauthorized party is the situation most likely to be considered a Code violation. Why does The IIA’s Code of Ethics in Rule of Conduct 4.1. Foster (support) improved organizational processes and operations. They are to: Outline basic principles that represent the practice … of internal auditing. Rule of Conduct 4. All internal auditors need not be proficient in all areas. The internal audit activity as a whole should have an appropriate mix of skills. For the evaluation of internal audit performance. If staff internal auditor has violated Rule of Conduct 3. the internal auditor is not guilty of failing to disclose material facts. and are not expected to have.3. Attribute Standards (1000 to 1322) Purpose. the internal auditors that are members of The Institute. Authority. internal auditors may not have. If senior management permits the omission. and Responsibility (1000) Independence and Objectivity (1100) Proficiency and Due Professional Care (1200) Quality Assurance and Improvement Program (1300). It is permissible to disclose confidential. and useful information lend credibility to the opinion.2 require that due professional care be used in obtaining information to support an engagement opinion? Because. knowledge equivalent to that of a person whose primary responsibility is to detect and investigate fraud. The IIA’s Code of Ethics is enforceable against them even though they are not CIAs. Rule of Conduct 4. Rule of Conduct 4. Promoting a broad range of value-added internal audit activities. The IIA has identified four purposes of the Standards. relevant.2 regarding use of information most appropriate way for the CAE to deal with this problem is to inform the IIA’s Board of Directors and take the personnel action required by organizational policy.
engagement-related information that is potentially damaging to the organization in response to a court order. Sufficient. reliable.

authorizes access to records. To act as a mediator between management and auditors when there is a difference of opinion. The audit committee receives reports and communications from both the external auditors and internal auditors. control. the Code of Ethics. and responsibilities. approved by senior management and the board or audit committee. Thus. The CAE should review the document at least annually (and more often as circumstances may require) to ensure that it continues to address the needs and issues facing the organization. and corporate governance reported by auditors. Receiving copies of all external and internal audit reports and communications. including the nature of the chief audit executive’s functional reporting relationship with the board. 1000). and physical properties relevant to the performance of engagements. The members of the Audit Committee should be independent non-executive directors (do not have a role in the day-to-day running of the company and do not have any financial interest or other relationship with the company). A written charter. should detail the audit committee’s powers. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. and communicated to engagement clients. Reviewing the means used to safeguard assets and verifying the existence of those assets. who shall report directly to the Audit Committee? Reviewing the strategy. and physical properties in the organization. The accountability of the internal audit activity. The responsibility of the internal audit activity. The director of the internal audit department (the Chief Audit Executive. Std. and Responsibility “The purpose.
Examining and evaluating the adequacy and effectiveness of the control system. Examining and evaluating the reliability and integrity of financial and operating information. Examining and evaluating the effective and efficient use of an entity’s resources. (The accounting department. Organizational Status of the Internal Audit Activity The internal audit function must report to the board of directors through the audit committee. approved by the board of directors. The internal audit department must have organizational independence (not have any direct relationships with the departments it will be auditing). and work plan of the internal audit activity. Reviewing evaluations of risk management. To appoint or replace the external auditor. duties. or finance director would not normally be an appropriate level to report to). and the Standards. personnel. This charter should be written by (and periodically reviewed by) the Chief Audit Executive (CAE). the charter prescribes the internal audit activity’s relationships with other units within the organization and with those outside. duties and responsibilities of the audit committee are: To ensure that the external auditors are completely independent of the company. To review and discuss with management and the external auditor the effects of changes in accounting standards.” The objective of internal audit is to promote effective control at a reasonable cost. To ensure that the company complies with all laws and regulations. and responsibility of the internal audit activity must be formally defined in an internal audit charter. and it should promote their views to the board as a whole. authority. activity. Standard 1000: Purpose. Authority. ensuring that it has sufficient staff and resources to function as planned. Need to be supported by both the audit committee and the board in order to make sure that those who are audited cooperate with them. chief accountant. and defines the scope of internal audit activities (Inter.
personnel. The charter should define the following items in respect to the IAA: The scope of the services and work to be performed. The objectives of the internal audit activity. The authority that the internal audit activity has to access records. consistent with the Definition of Internal Auditing. The Internal Audit Charter The charter establishes the internal audit activity’s position within the organization. The internal auditors’ responsibilities with respect to the internal control system include: Testing individuals’ compliance with controls to determine whether policies and procedures established by management are being followed. or CAE) should report to the Chief Executive Officer (CEO) or board of directors. and also management’s responses to them. The Audit Committee The audit committee is normally a subcommittee of the board of directors.

Standard 1100: Independence and Objectivity Gleim 102: 163 page 54:47 Confidence in the internal audit activity derives from independence (an attribute of the internal audit activity as a whole). Organizational Independence Direct Interaction with the Board “The chief audit executive must communicate and interact directly with the board.” The timing of assessments + Maintain (not Manage or Maximize or Prioritize) of individual objectivity on the part of internal auditors… at the discretion of the CAE not annually. and objectivity (an attribute of individual internal auditors). financial reporting. (by internal auditors avoiding conflicts of interest). organizational governance and control. unbiased attitude and avoid any conflict of interest. at least annually (without management present). Individual Objectivity “Internal auditors must have an impartial. or meets privately with the board.” Direct interaction with the board occurs when the CAE: Regularly attends and participates in board meetings that relate to the board’s oversight responsibilities for auditing.

Relationship between engagement records and engagement communications. or operates (implement) the redesigned process.” If impairment arises during an engagement. The nature of the disclosure will depend upon the impairment. preferably in writing.” The majority of audit committee members come from within the organization. Reviewing procedures before they are implemented. The following activities undertaken by the internal auditor or facts. the details of the impairment must be disclosed to appropriate parties. to the board). support. and responsibility enhances its independence. Evaluate risk exposures of systems. A formal document (charter) approved by the board that defines the internal audit activity’s purpose. The following activities undertaken by the internal auditor or facts. External audit liaison. However. It’s also important to remember that the internal auditor’s objectivity is not considered impaired when the auditor recommends standards of control or areas for consideration. installs. by themselves. Impartial and unbiased judgments. it must be reported immediately to the manager of the engagement so that the situation can be addressed or eliminated (needs to be communicated. authority. The internal auditors must be able to distinguish carefully between a scope limitation and other limitations. The internal audit activity’s charter has not been approved by the board. Impairments to Independence or Objectivity “If independence or objectivity is impaired in fact or appearance. might be in conflict with the standard of independence. The CEO accused the new auditor of not operating “in the best interests of the organization. might not be in conflict with the standard of independence. Risk management consultant. The following factors have the amount of influence when judging an internal audit activity’s independence? Criteria used in making internal auditors’ assignments. drafts procedures for.
Determining whether the process has senior management’s Developing audit plans for the new system. objectivity is considered to be impaired if the auditor Designs. . by themselves.

The risk assessment used in selecting the area for investigation is not necessarily a matter that must be communicated to the engagement client. skills. The CAE also needs to consider the independence and objectivity of the expert in respect to the engagement. including proficiency in internal audit procedures and techniques. the following: The relevant professional certifications; Membership in a professional organization; Experience in similar situations; Reputation; Education and training in the area that they will be engaged in; Knowledge of the business and industry; Contacting others familiar with the ESP’s work. commercial law. (Only if internal auditors work extensively with financial records and reports must they have proficiency in accounting principles and techniques.” The internal audit activity collectively must possess or obtain certain competencies. the CAE should consider. Note: Experts that work directly for the engagement client should almost never be used because of the lack of objectivity of that party in the performance of their work. technology. evaluations. and information. Obtaining Services to Support or Complement the Internal Audit Activity If the internal audit staff does not have the needed skills and competencies to perform an engagement. the CAE must either decline the engagement or go outside the IAA (External service providers) or organization to get those skills. taxation. Standard 1200: Proficiency and Due Professional Care Proficiency Gleim Q 164:195 “Internal auditors must possess the knowledge. finance. The most appropriate preventive measure for staff communication problems with engagement clients is to provide staff with sufficient training to enhance communication skills, not to avoid unnecessary communication with engagement clients. quantitative methods. The internal audit activity collectively must possess or obtain certain competencies.
and recommendations (PA 1210-1. risk management. including an appreciation of the fundamentals of business subjects. such as accounting.) The internal audit activity collectively must possess or obtain certain competencies. 1). including an understanding of Management principles to recognize and evaluate the materiality and significance of deviations from good business practice. conclusions. economics. Para. among many things. and fraud Internal auditors must also be skilled in oral and written communications skills so that they can clearly and effectively convey such matters as engagement objectives. The catalog of engagements for which the organizations may use outside service providers Valuations of assets (both tangible and intangible) Determination of physical amounts (oil reserves) Mergers and acquisitions Various audit engagements that require specialist knowledge (such as tax questions & Fraud ) assessment of the external party.

but they are expected to examine and verify the documents as appropriate (This means that the more material items will be examined and tested in more detail than immaterial items. Any tasks performed by an outside expert must be reviewed by either the CAE or other internal person. waste. If the expert is the external auditor. timing. unbiased. internal auditors should always consider the possibility of intentional errors on the part of others (such as fraud). The relative complexity and extent of work needed to achieve the engagement’s objectives (professional skills and resources). Cost/benefit analysis of the engagement. and communications of engagement results. Due professional care does not imply infallibility or extraordinary performance. the assurance engagement may still include the item if it is subsequently determined that adverse effects related to the item are likely to occur. Due Professional Care Gleim Q 196:213 “Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. irregularities.) It requires the internal auditor to conduct examinations and verifications to a reasonable extent. Alertness to conditions most likely indicative of irregularities. inefficiencies.” Internal auditors are not expected to perform a detailed review of every statement or document they receive. or noncompliance. Internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. = “Considering the possibility of nonconformance or material irregularities at all times during an engagement” If an internal auditor judged an item to be immaterial when planning an assurance engagement. and address all of the issues of the engagement. abnormal. For consulting services. the internal auditor should review Large. potential misstatement of financial statements. However. Unusual contributions. As part of assessing documents and information. To ensure that they are exercising due professional care.
Understand the adequacy and effectiveness of risk management. Assess the probability of significant errors. internal auditors should: Understand the complexity. materiality. and governance processes. the CAE will need to be certain that this work that is not part of the financial statement audit. but no information about. The internal auditor does not need the engagement client’s approval to expand the engagement work program. Each member of the internal audit activity need not be qualified in all disciplines. The internal auditor fails to exercise due professional care by not testing for possible misstatement because the engagement work program had already been approved by engagement management. Sensitive expenses. or unexplained expenditures. o To prevent or detect significant fraud. but the CAE should assess whether or Not the work done and conclusions drawn were reasonable. Extent of work needed to achieve the engagement’s objectives. Balance the costs of the work and the benefits of the work. and conflicts of interest. control. the internal auditor should consider the following: The needs and expectations of clients including the nature. so that it will not impair the external auditor’s independence for the financial statement audit. But not Review every control feature pertaining to for ex: petty cash receipts. Seeking advice from engagement manager of the suspicions and asking for advice on how to proceed. and significance of matters that they will be addressing in the engagement. If an internal auditor has some suspicion of. The CAE does not need to be able to perform the technical work of the expert.

The internal audit assessment must include an ongoing review of performance of the internal audit used in ongoing internal assessments. Periodic internal assessment may: Include more in-depth interviews and surveys of stakeholder groups. Be performed by members of the IAA (that is. those conducting internal quality program assessments report to the CAE. External Assessments “External assessments must be conducted at least once every five years by a qualified.” These internal and external assessments reassure the company stakeholders (that is. the board. and the Standards. The results of these assessments are provided to the stakeholders of the activity (such as senior management. *Ongoing reviews may be conducted through (The processes and tools used) Supervision of the internal auditor’s work. regulations or industry standards. from elsewhere in the organization. The results of periodic internal assessments are communicated upon their completion (not annually). cost recoveries. the Code of Ethics. audit plan completion. Periodic Reviews … should be designed to assess compliance with the activity’s charter. Standard 1300: Quality Assurance and Improvement Program Gleim Q 213: 231 page 118 “The Chief Audit Executive (CAE) must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The extent to which the internal auditing activity adds value and improves the organization’s operations (= Contribution to the organization’s governance processes). cycle time and recommendations accepted). Project budgets. objectives. or other competent audit professionals. and external auditors). and procedures. Checklists to provide assurance that processes adopted by the audit activity are being followed. Feedback from audit customers and other stakeholders. assessments should include evaluations of: Compliance with: Definition of Internal Auditing. and the Standards and applicable laws.
and external auditors) about the competency of the services the IAA is providing to the organization. During the review. policies. as well as a periodic review of the program through self-assessment or from an independent person within the organization who is familiar with the internal auditing program. *The results of ongoing monitoring are communicated at least annually to senior management and the board. Analyses of performance metrics (for example. Adequacy of the IAA’s charter. timekeeping systems. an external assessor will tend to focus on: . the Code of Ethics. An external assessment will probably not be able to look at all of the cost/benefit analyses necessary to determine if the IAA is in fact “profitable” to the company. o Ongoing Reviews … are the conclusions and follow-up actions that should be taken to assure that appropriate improvements are implemented. audit committee. (Supervision of an internal auditor’s work is performed throughout each audit engagement.” “The quality assurance and improvement program must include both internal and external assessments. the Definition of Internal Auditing. self-assessment) Include benchmarking of the IAA practices Encompass a combination of self-assessment and preparation of materials subsequently reviewed by CIAs. independent reviewer or review team from outside the organization. Internal Assessments Carried out periodically (Annually) to assure the CAE that subordinates are complying with the Standards and other applicable criteria. Ordinarily. top management. o *To evaluate the quality of engagement planning the team will Examine written engagement work programs (selective peer reviews of working papers by staff not involved in the respective audits).

Periodic internal assessment. if appropriate. to the extent appropriate. + Supervision. Note: The chief audit executive should develop and maintain a quality assurance and improvement program (his responsibility) that covers all aspects of the internal audit activity and continuously monitors its effectiveness included…. is prepared that should include the CAE’s assessment of its conformance with the Standards. and operational managers o Whether or not the IAA adds value and improves the operations of the organization. similar to that for an external assessment. As part of the independent validation. specifying the points of disagreement with it and. may be otherwise subject to extensive external oversight and direction relating to governance and internal controls. The objectives. recommendations for improvement “The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. a draft report. If there is a complaint that one of the internal auditors is taking up an excessive amount of client time on an engagement that seems to be lacking a clear purpose, the CAE should examine departmental procedures and the conduct of the specific engagement mentioned to ascertain that proper planning and quality assurance procedures are in place and are being followed. including (but not limited to) conformance with the Definition of Internal Auditing. The external assessor then performs sufficient tests of the self-assessment to validate the results and express an opinion on the level of the activity’s conformance with the Definition of Internal Auditing. The first approach is to have a full external assessment conducted by an external assessor or review team. and the Standards.
The methods and work programs of the IAA. The skills and work performed by the individuals in the IAA. The expectations of the internal audit activity expressed by the board. Practice Advisory 1312-1 (External Assessments) lays out two approaches for conducting an external assessment. External assessments of an internal audit activity contain an expressed opinion as to the entire spectrum of assurance and consulting work performed (or that should have been performed under its charter). Quality program assessments may be performed internally or externally. policies and procedures of the IAA. as appropriate.” “When nonconformance with the Definition of Internal Auditing. he or she would add dissenting wording to the report. If the external assessor agrees with the evaluation. Initial use of the conformance phrase by internal auditors is appropriate after an external review completed within the past 5 years. the chief audit executive must disclose the nonconformance and the impact to senior management and the board. “The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. senior management. the Code of Ethics. he or she might include additional wording to the report (if needed). If the external assessor disagrees with the evaluation.” The results of external assessments are communicated upon their completion. After the self-assessment has been completed under the direction of the CAE. the IAA may be in a business or industry that is subjected to strict regulations and supervision. and the Standards. o Evaluation of Adequacy of the oversight of the work of external auditors. + Periodic external assessments But not include o Annual appraisals of individual internal auditors’ performance. the external assessor will do the following: Review the draft report and attempt to reconcile unresolved issues (if any). the Code of Ethics.
The second approach … Self-assessment with Independent Validation o Full external review might not be appropriate or necessary. IAA may have been recently subjected to an external review or consulting. A distinguishing feature of an external assessment is its objective to provide independent assurance. For example. An external assessment also includes. the Code of Ethics.” The Quality Assurance and Improvement Program (QAIP) analyzes the work of the IAA and makes recommendations for improvement.