
STUDY UNIT ONE
MANDATORY GUIDANCE

1.1 Applicable Guidance
1.2 Codes of Ethical Conduct for Professionals
1.3 Internal Audit Ethics -- Introduction and Principles
1.4 Internal Audit Ethics -- Integrity
1.5 Internal Audit Ethics -- Objectivity
1.6 Internal Audit Ethics -- Confidentiality
1.7 Internal Audit Ethics -- Competency
1.8 Internal Audit Charter

This study unit is the first of two covering Section I: Mandatory Guidance from The IIA’s CIA
Exam Syllabus. This section makes up 35% to 45% of Part 1 of the CIA exam and is tested at the
proficiency level. The relevant portion of the syllabus is highlighted below. (The complete syllabus is
in Appendix B.)

I. MANDATORY GUIDANCE (35%–45%)

A. Definition of Internal Auditing
1. Define purpose, authority, and responsibility of the internal audit activity
B. Code of Ethics
1. Abide by and promote compliance with The IIA Code of Ethics
C. International Standards
1. Comply with The IIA’s Attribute Standards
a. Determine if the purpose, authority, and responsibility of the internal audit activity are documented in the
audit charter, approved by the Board, and communicated to the engagement clients
b. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
2. Maintain independence and objectivity
3. Determine if the required knowledge, skills, and competencies are available
4. Develop and/or procure necessary knowledge, skills, and competencies collectively required by the internal audit activity
5. Exercise due professional care
6. Promote continuing professional development
7. Promote quality assurance and improvement of the internal audit activity

1.1 APPLICABLE GUIDANCE
1. International Professional Practices Framework (IPPF)
a. The Institute of Internal Auditors (The IIA) defines the mission of internal audit as
follows:
1) “To enhance and protect organizational value by providing risk-based and
objective assurance, advice, and insight.”
2) Facilitating the achievement of this mission is the IPPF.
b. The IPPF organizes The IIA’s authoritative guidance so that it is accessible and
strengthens The IIA as a global standard setter.

Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com.

c. The IPPF contains mandatory guidance and strongly recommended guidance.

[Figure 1-1: IPPF Standards]

Knowledge of the IPPF is important for understanding and distinguishing among the elements of the authoritative guidance on internal auditing. But it is more important that you understand and can accurately apply the content contained in the IPPF. Parts 1 and 2 of the CIA exam primarily test understanding and application of IPPF content.

2. Mandatory Guidance
a. Adherence to the mandatory guidance is essential for the professional practice of internal auditing.
b. The mandatory guidance consists of four elements: the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the Standards.
1) The Core Principles are the basis for internal audit effectiveness. The internal audit function is effective if all principles are present and operating effectively. The following are the Core Principles:
a) “Demonstrates integrity.
b) Demonstrates competence and due professional care.
c) Is objective and free from undue influence (independent).
d) Aligns with the strategies, objectives, and risks of the organization.
e) Is appropriately positioned and adequately resourced.
f) Demonstrates quality and continuous improvement.
g) Communicates effectively.
h) Provides risk-based assurance.
i) Is insightful, proactive, and future-focused.
j) Promotes organizational improvement.”

2) The Definition of Internal Auditing is a concise statement of the role of the internal audit activity in the organization.

Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

3) The detailed text of the Code of Ethics is in Subunits 1.2 through 1.7.
4) The Standards (known formally as the International Standards for the Professional Practice of Internal Auditing) serve the following four purposes described by The IIA:

Purpose of the Standards
1. Guide adherence to the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

c. The Standards are vital to the practice of internal auditing, but CIA candidates need not memorize them. However, the principles they establish should be thoroughly understood and appropriately applied.
1) Attribute Standards, numbered in the 1000s, govern the responsibilities, attitudes, and actions of the organization’s internal audit activity and the people who serve as internal auditors. They are displayed in green boxes throughout this text.
2) Performance Standards, numbered in the 2000s, govern the nature of internal auditing and provide quality criteria for evaluating the internal audit function’s performance. Performance Standards also are displayed in green boxes.
3) Interpretations are provided by The IIA to clarify terms and concepts referred to in Attribute or Performance Standards. Interpretations are in light blue.
4) Implementation Standards expand upon the individual Attribute or Performance Standards that apply to all internal audit engagements.
a) Each Implementation Standard describes the requirements of either an assurance or a consulting engagement.
b) Implementation Standards are displayed in gray boxes.
d. The Core Principles and the Definition of Internal Auditing are encompassed in the Code of Ethics and the Standards. Thus, conformance with the Code and the Standards demonstrates conformance with all mandatory elements of the IPPF.
3. Strongly Recommended Guidance
a. The pronouncements that constitute strongly recommended guidance have been developed by The IIA through a formal approval process. They describe practices for effective implementation of the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards.
1) The two strongly recommended elements of the IPPF are (a) Implementation Guidance and (b) Supplemental Guidance.

4. Purpose, Authority, and Responsibility of the Internal Audit Activity
a. Purpose
1) As defined in The IIA Glossary, the purpose of the internal audit activity is to provide “independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.”
b. Authority
1) The support of management and the board is crucial when inevitable conflicts arise between the internal audit activity and the department or function under review. Thus, the internal audit activity should be empowered to require auditees to grant access to all records, personnel, and physical properties relevant to the performance of every engagement.
a) A formal charter for the internal audit activity that defines the internal audit activity’s purpose, authority, and responsibility must be adopted, and it should contain a grant of sufficient authority. Final approval of the charter resides with the board. (The internal audit charter is the subject of Subunit 1.8.)
c. Responsibility
1) The internal audit activity’s responsibility is to provide the organization with assurance and consulting services that will add value and improve the organization’s operations. Specifically, the internal audit activity must evaluate and improve the effectiveness of the organization’s governance, risk management, and control processes.
5. Compliance with U.S. Laws
a. As part of its role in organizational governance, the internal audit activity is responsible for evaluating (and recommending improvements to) compliance with relevant laws.
1) Common examples of such laws are (a) regulations regarding the discharge of pollutants and (b) workplace safety rules.
b. An internal auditor in the U.S. should be aware of the Racketeer Influenced and Corrupt Organizations Act, the Foreign Corrupt Practices Act, and the Sarbanes-Oxley Act.
6. The Racketeer Influenced and Corrupt Organizations Act of 1970
a. In 1970, Congress passed the Racketeer Influenced and Corrupt Organizations (RICO, commonly pronounced ree-ko) Act to combat the problem of organized crime. The act’s goals were to eliminate organized crime by concentrating on the transfer of illegal monies.
1) RICO has both civil and criminal provisions. The criminal portion provides for fines and prison sentences, and the civil portion provides for the awarding of treble damages and attorney’s fees to the successful plaintiff.
b. RICO specifically makes the following activities unlawful:
1) Conspiring to commit any of the offenses in items 2)-4)
2) Using income derived from a pattern of racketeering activity to acquire an interest in an enterprise
3) Acquiring or maintaining an interest in an enterprise through a pattern of racketeering activity
4) Conducting the affairs of an enterprise through a pattern of racketeering activity

c. Despite the intent of the RICO Act to be used against organized crime groups, it has had unforeseen consequences.
1) RICO has been used against Wall Street insider traders, anti-abortion protesters, Major League Baseball, and public accounting firms.
7. The Foreign Corrupt Practices Act of 1977
a. The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 in response to the flood of bribes handed out by U.S. companies to foreign government officials, a phenomenon that came to light during the Watergate investigations of 1973-74.
b. The FCPA contains two sets of provisions:
1) All public companies must devise and maintain a system of internal accounting control, regardless of whether they have foreign operations.
2) Public companies may not make corrupt payments to any foreign official, foreign political party or official thereof, or candidate for political office in a foreign country.
c. As under RICO, individuals found in violation of the FCPA are subject to both a fine and imprisonment. A corporation may be assessed a fine as well.
8. The Sarbanes-Oxley Act of 2002
a. The Sarbanes-Oxley Act of 2002 (SOX) was a response to the numerous financial reporting scandals of late 2001 and early 2002.
b. SOX imposes specific governance practices on issuers of publicly traded securities.
1) Each member of the issuer’s audit committee must be an independent member of the board of directors.
2) At least one member of the audit committee must be a financial expert.
3) The audit committee must be directly responsible for appointing, compensating, and overseeing the work of the independent auditor.
4) The independent auditor must report directly to the audit committee, not to management.
c. SOX also imposes specific reporting requirements, among them a provision that the issuer’s CEO and CFO must certify the effectiveness of the system of internal control.
d. Criminal penalties were provided for those who conceal or destroy accounting or other records in an attempt to obstruct an investigation.
9. Compliance with Control Frameworks
a. Although control frameworks do not have the force of law, they are widely accepted methods for implementing effective systems of internal control.
b. The following five frameworks, developed in different nations, are tested on the CIA exam.
1) The COSO Framework, known formally as Internal Control -- Integrated Framework, is the most prominent control framework in the United States.
a) Published in 1992 and most recently modified in 2013, the COSO Framework was issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (named for James C. Treadway, its first chairman).
2) CoCo (an acronym based on its original title, Criteria of Control) is known formally as Guidance on Control. It was published in 1995 by the Canadian Institute of Chartered Accountants (CICA).

3) The Turnbull Report (Internal Control: Guidance for Directors on the Combined Code) is named for Nigel Turnbull, chair of the committee that drafted the report.
a) It was originally published in 1999 by the Financial Reporting Council (FRC) of the UK and re-released as Internal Control: Revised Guide for Directors on the Combined Code in 2005.
4) COBIT (Control Objectives for Information and Related Technology) is the best-known framework specifically for IT controls. Version 5 of this document was published in 2012 by the Information Systems Audit and Control Association (ISACA).
5) eSAC (Electronic Systems Assurance and Control) is an alternative control model for IT. It is a publication of The Institute of Internal Auditors Research Foundation.

1.2 CODES OF ETHICAL CONDUCT FOR PROFESSIONALS
1. Reasons for Codes of Ethical Conduct
a. The primary purpose of a code of ethical conduct for a professional organization is to promote an ethical culture among professionals who serve others.
b. Additional functions of a code of ethical conduct for a professional organization include
1) Communicating acceptable values to all members,
2) Establishing objective standards against which individuals can measure their own performance, and
3) Communicating the organization’s values to outsiders.
2. Aspects of Codes of Ethical Conduct
a. The mere existence of a code of ethical conduct does not ensure that its principles are followed or that those outside the organization will believe that it is trustworthy. A measure of the cohesion and professionalism of an organization is the degree of voluntary compliance with its adopted code.
1) A code of ethical conduct worded so as to reduce the likelihood of members being sued for substandard work would not earn the confidence of the public.
b. A code of ethical conduct can help establish minimum standards of competence, but it is impossible to require equality of competence by all members of a profession.
c. To be effective, the code must provide for disciplinary action for violators.
3. Typical Components of a Code of Ethical Conduct
a. A code of ethical conduct for professionals should contain at least the following:
1) Integrity. A refusal to compromise professional values for personal gain. Another facet of integrity is performance of professional duties in accordance with relevant laws.
2) Objectivity. A commitment to providing stakeholders with unbiased information. Another facet of objectivity is a commitment to independence from conflicts of economic or professional interest.
3) Confidentiality. A refusal to use organizational information for private gain.
4) Competency. A commitment to acquiring and maintaining an appropriate level of knowledge and skill.
b. These four elements are the core principles of The IIA’s Code of Ethics.


1.3 INTERNAL AUDIT ETHICS -- INTRODUCTION AND PRINCIPLES
1. Introduction
a. The IIA incorporates the Definition of Internal Auditing into the Introduction to the Code of Ethics and specifies the reasons for establishing the Code.

Introduction to The IIA’s Code of Ethics
The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.
The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifications, and those who perform internal audit services within the Definition of Internal Auditing.

2. Applicability
a. The provisions of the Code are applied broadly to all organizations and persons who perform internal audit services, not just CIAs and members of The IIA.

Applicability and Enforcement of the Code of Ethics
This Code of Ethics applies to both entities and individuals that perform internal audit services.
For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

b. Violations of rules of ethics should be reported to The IIA’s board of directors.
3. Core Principles
a. The Rules of Conduct in the Code are organized based on the principles of integrity, objectivity, confidentiality, and competency.
1) Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
2) Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

3) Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
4) Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

1.4 INTERNAL AUDIT ETHICS -- INTEGRITY
1. Rules of Conduct – Integrity

Rules of Conduct – Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

EXAMPLE
An internal auditor is working for a cosmetics manufacturer that may be inappropriately testing cosmetics on animals. If, out of loyalty to the employer, no information about the testing is gathered, the auditor violated the Rules of Conduct by
1. Knowingly becoming a party to an illegal act,
2. Engaging in an act discreditable to the profession,
3. Failing to make disclosures expected by the law, and
4. Not performing the work diligently.

1.5 INTERNAL AUDIT ETHICS -- OBJECTIVITY
1. Rules of Conduct – Objectivity

Rules of Conduct – Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

a. For example, if management override of an important control creates exposure to a material risk, the internal auditor is ethically obligated to report the matter to senior officials charged with performing the governance function.

2. Conflict of Interest Policy
a. A conflict of interest policy should
1) Prohibit the transfer of benefits between an employee and those with whom the organization deals
2) Prohibit the use of organizational information for private gain

EXAMPLE
At the end of the year, an internal auditing team made observations and recommendations that an organization can use to improve operating efficiency. To express gratitude, the division manager presented the internal audit team with a gift of moderate value. The internal audit team meets to discuss whether to accept the gift. The following reasons for accepting or not accepting the gift were discussed:
One auditor said, “we should not accept the gift.” Another auditor said, “we should accept the gift because its value is insignificant.” A third auditor said, “we should not accept the gift until after we submit our final engagement communication.”
The lead auditor considered the opinions of the other auditors and the intent of the Rules of Conduct. The lead auditor then decided that acceptance of the gift would be inappropriate because of the presumed impairment of the internal auditor’s professional judgment.

1.6 INTERNAL AUDIT ETHICS -- CONFIDENTIALITY
1. Rules of Conduct – Confidentiality

Rules of Conduct – Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

EXAMPLE
Which of the following violate(s) The IIA’s Code of Ethics?
● Investigating a lead sales person’s expense reports based on rumors of overstatement.
■ Investigating potential instances of fraud is within the internal auditor’s normal responsibilities. It is not a violation.
● Disclosing confidential information in response to a court order.
■ The principle of confidentiality permits the disclosure of confidential information given a legal or professional obligation to do so. This disclosure is not a violation.
● Purchasing stock in a target organization after reading reports that it may be acquired.
■ Rule of Conduct 3.2 states, “Internal auditors shall not use information for any personal gain.” The stock purchase is a violation.


1.7 INTERNAL AUDIT ETHICS -- COMPETENCY
1. Rules of Conduct – Competency

Rules of Conduct – Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

EXAMPLE
Which of the following violate(s) The IIA’s Code of Ethics?
● After obtaining evidence that an employee is embezzling funds, the internal auditor interrogates the suspect. The organization has a security department.
■ Internal auditors generally lack the knowledge, skills, or experience regarding interrogation of suspects possessed by security specialists. The lack of proficiency most likely is a violation.
● An internal auditor has been assigned to perform an engagement in the warehousing department next year. The auditor currently has no expertise in this area but accepted the assignment and plans to take continuing professional education courses in warehousing.
■ The internal auditor plans to acquire the required knowledge and skills prior to the start of this engagement. The internal auditor most likely did not violate the Code of Ethics.

1.8 INTERNAL AUDIT CHARTER

Attribute Standard 1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

1. Internal Audit Charter
a. The following Interpretation was issued by The IIA:

Interpretation of Standard 1000
The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

1) An auditee must not be able to place a scope limitation on the internal audit activity by refusing to make relevant records, personnel, and physical properties available to the internal auditors.

b. The charter itself must refer to the mandatory guidance portion of the IPPF.

Attribute Standard 1010 Recognizing Mandatory Guidance in the Internal Audit Charter
The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management and the board.

c. IG 1000, Purpose, Authority, and Responsibility, further addresses the charter:
1) “To create [the internal audit charter], the chief audit executive (CAE) must understand the Mission of Internal Audit and the mandatory elements of The IIA’s International Professional Practices Framework (IPPF) — including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing.
2) This understanding provides the foundation for a discussion among the CAE, senior management, and the board to mutually agree upon:
a) Internal audit objectives and responsibilities
b) The expectations for the internal audit activity
c) The CAE’s functional and administrative reporting lines
d) The level of authority (including access to records, physical property, and personnel) required for the internal audit activity to perform engagements and fulfill its agreed-upon objectives and responsibilities
3) The CAE may need to confer with the organization’s legal counsel or the board secretary regarding the preferred format for charters and how to effectively and efficiently submit the proposed internal audit charter for board approval.
4) Once drafted, the proposed internal audit charter should be discussed with senior management and the board to confirm that it accurately describes the agreed-upon role and expectations or to identify desired changes. Once the draft has been accepted, the CAE formally presents it during a board meeting to be discussed and approved.
5) The minutes of the board meetings during which the CAE initially discusses and then formally presents the internal audit charter provide documentation of conformance. In addition, the CAE retains the approved charter.”
d. Engagement clients must be informed of the internal audit activity’s purpose, authority, and responsibility to prevent misunderstandings about access to records and personnel.
e. CIA candidates who prefer to study using specific examples should download The IIA’s model internal audit charter from the following source: global.theiia.org/standards-guidance/Public%20Documents/ModelCharter.pdf.
2. Key Definitions from the Glossary
a. The complete IIA Glossary is in Appendix A. The definitions do not need to be memorized, but they are useful to exam candidates and practitioners.
1) Chief audit executive (CAE) describes the role of a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the mandatory elements of the International Professional Practices Framework. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title or responsibilities of the chief audit executive may vary across organizations.

2) The board is the highest-level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable. Although governance arrangements vary among jurisdictions and sectors, typically the board includes members who are not part of management. If a board does not exist, the word “board” in the Standards refers to a group or person charged with governance of the organization. Furthermore, “board” in the Standards may refer to a committee or another body to which the governing body has delegated certain functions (e.g., an audit committee).