
CIA REVIEW: PART 2
Study Unit 1
Strategic and Operational Roles of Internal Audit

1.1 Introduction to Internal Auditing
1.2 Internal Audit Administrative Activities
1.3 Stakeholder Relationships
1.4 Ethical Climate
1.5 Coordination
1.6 Other Topics
1.7 Change Management
1.8 Role of Internal Audit in Risk Management
1.9 Quality Assurance and Improvement Program (QAIP)
Copyright © 2017 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com.
CIA 2, SU 1

1.1 Introduction to Internal Auditing

Nature of Work
• Performance Standard 2100: Nature of Work
o The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
• Per The IIA’s Definition of Internal Auditing, the internal audit activity “helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Nature of Work
• These processes are closely related:
o Governance – “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
o Risk Management – “A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.”
o Control – “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.” (The IIA Glossary)

Nature of Work
• According to IG 2100, Nature of Work, an understanding of the processes previously listed is necessary.
• The CAE then interviews the board and senior management about the responsibilities of each stakeholder for these processes.
• An understanding of the business is also necessary.


Reasonable Assurance
• Governance, risk management, and control processes are adequate if management has planned and designed them to provide reasonable assurance of achieving the organization’s objectives efficiently and economically.

Basic Types of Internal Audit Engagements
• Assurance Services
o “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.”
• Consulting Services
o “Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.” (The IIA Glossary)

Reporting
• Reporting to senior management and the board provides assurance about
o Governance
o Risk management
o Control
• Periodic reports also are made on internal audit’s purpose, authority, responsibility, and performance.

Multiple-Choice Question
The internal audit activity is responsible for implementing
1. Risk management
2. Governance
3. Control

A. 1 only.
B. 2 only.
C. 3 only.
D. None of the answers are correct.


Multiple-Choice Answer
The internal audit activity is responsible for evaluating and contributing to the improvement of governance, risk management, and control processes. But management is responsible for implementing those processes.

1.2 Internal Audit Administrative Activities

Overview
• The chief audit executive (CAE) is responsible for management of internal audit activity resources in a manner that ensures fulfillment of its responsibilities.
• Management oversees the day-to-day operations of the internal audit activity, including the following administrative activities:
o Budgeting and management accounting
o Human resource administration, including personnel evaluations and compensation
o Internal communications and information flows
o Administration of the internal audit activity’s policies and procedures

Budgeting
• The CAE is responsible for creating the operating and financial budget.
• Generally, the CAE, audit managers, and the internal audit activity work together to develop the budget annually.
• The budget is then submitted to management and the board for their review and approval.


Human Resources
• The skill set and knowledge of the internal audit activity are essential to its ability to help the organization achieve its objectives.
• Internal auditors should be qualified and competent.
• Internal auditors need a diverse set of skills to perform their jobs effectively.
• Effective interviewing methods are structured interviews and behavioral interviewing.
o Structured interviews – use a set of job-related questions with standardized answers
o Behavioral interviews – determine how candidates handled past situations

Multiple-Choice Question
Policies and procedures must be established to guide the internal audit activity. Which of the following statements is false with respect to this requirement?

A. The form and content of written policies and procedures depend on the size of the internal audit activity.
B. All internal audit activities must have a detailed policies and procedures manual.
C. Formal administrative and technical manuals may not be needed by all internal audit activities.
D. A small internal audit activity may be managed informally through close supervision and memoranda.

Multiple-Choice Answer
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work (Inter. Std. 2040). Thus, not all internal audit activities are required to have a detailed policies and procedures manual.

1.3 Stakeholder Relationships


Stakeholder Relationships
• For internal auditors to be effective, Sawyer’s Guide for Internal Auditors, 6th edition, states that they must build and maintain strong constructive relationships with managers and other stakeholders within the organization.
• These relationships require conscious ongoing focus to ensure that risks are appropriately identified and evaluated to best meet the needs of the organization.
• Internal auditors have a responsibility to work together with external auditors and other stakeholders to facilitate work efforts and compliance with regulators.

The Board and the Audit Committee
• For the internal audit activity to achieve organizational independence, the chief audit executive (CAE) must have direct and unrestricted access to senior management and the board.
• The audit committee is a subunit of the board of directors. However, not every member of the board is necessarily qualified to serve on the audit committee.

Role of the Audit Committee
• The most important function of the audit committee is to promote the independence of the internal and external auditors by protecting them from management’s influence.
• Other functions include
o Selecting or removing the CAE and setting his or her compensation
o Approving the internal audit charter
o Reviewing and approving the internal audit activity’s work plan
o Resolving disputes between the internal audit activity and management
o Communicating with the CAE, who attends all audit committee meetings

Relationships with Management
• According to Sawyer’s Guide for Internal Auditors, 6th edition, internal auditors are responsible for performing their mission, maintaining their objectivity, and ensuring the internal audit activity’s independence.
• They also should develop and maintain good working relationships with management.
• Good relationships are developed by communicating effectively, resolving conflicts constructively, and using participative auditing methods.
o Participative auditing is a collaboration between the internal auditor and management during the auditing process. The objective is to minimize conflict and build a shared interest in the engagement.


Multiple-Choice Question
To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should

A. Submit copies of all engagement communications to the CEO and audit committee.
B. Strengthen independence through organizational status.
C. Discuss all pending engagement communications to the CEO with the audit committee.
D. Request board establishment of policies covering the internal audit activity’s relationships with the audit committee.

Multiple-Choice Answer
Independence is not sufficient to prevent conflict unless reporting relationships are well defined.

1.4 Ethical Climate

Definitions
• Business ethics are an organization’s policies and standards established to ensure certain kinds of behavior by its members.
• Individual ethics are the principles of conduct expected to be followed by individuals.


Issues in Business Ethics
• The following are the major issues:
o General business understanding of ethical issues
o Compliance with laws
o External financial reporting
o Conflicts of interest
o Entertainment and gift expenses
o Relations with customers and suppliers
o Social responsibility

Factors that May Lead to Unethical Behavior
• Organizational Factors
o Pressure to improve short-run performance is an incentive for wrongdoing.
o Emphasis on strict chain-of-command authority may excuse unethical behavior when following orders.
• External Factors
o Competitive pressures may result in unethical compromises in the interest of survival.
o The advantage obtained by a competitor’s wrongdoing is an excuse for imitation of that behavior.

Criteria for Evaluating Ethical Behavior
• The following questions aid in defining an ethical issue:
o “Would my behavior be acceptable if people I respect were aware of it?”
o “What are the consequences of this behavior for myself, other employees, customers, and society?”

Code of Ethics
• An organization’s code of ethics is the established general value system the organization wishes to apply to its members’ activities by
1. Communicating organizational purposes and beliefs and
2. Establishing uniform ethical guidelines for members.
• Organizations benefit from establishing a code of ethics that effectively communicates acceptable values to all interested internal and external parties.


Code of Ethics
• A typical code for auditors or accountants in an organization requires the following:
o Independence from conflicts of economic or professional interest
o Integrity and a refusal to compromise professional values for personal gain
o Objectivity in presenting information, preparing reports, and making analyses

Role of the Internal Audit Activity
• The internal audit activity’s role in this process includes monitoring compliance with the corporate code of conduct and assessing the ethical climate of the board and the organization.
• The ethical culture of an organization has a significant effect on the success of the overall governance process.
• The governance process meets four responsibilities:
o Compliance with legal and regulatory rules
o Satisfaction of generally accepted norms and social expectations
o Providing benefits to society and specific stakeholders
o Reporting fully and truthfully to ensure accountability

Role of the Internal Audit Activity
• Governance practices reflect the organization’s culture and largely depend on it for effectiveness.
• Because of their skills and position in the organization, auditors should actively support the ethical culture.
• The minimum internal audit activity role is assessor of
o The ethical climate and
o The effectiveness of processes to achieve legal and ethical compliance.

Role of the Internal Audit Activity
• Other internal audit activity roles include
o Recommending resolution of ethics complaints,
o Determining the disposition of ethics violations,
o Fostering a healthy ethics climate,
o Administering the business conduct policy, and
o Reporting on compliance.


Multiple-Choice Question
A code of conduct was developed several years ago and distributed by a large financial institution to all its officers and employees. What is the internal auditor’s best approach to providing the board with the highest level of comfort about the code of conduct?

A. Fully evaluate the comprehensiveness of the code and compliance with it and report the results to the board.
B. Fully evaluate organizational practices for compliance with the code and report to the board.
C. Review employee activities for compliance with provisions of the code and report to the board.
D. Perform tests on various employee transactions to detect potential violations of the code of conduct.

Multiple-Choice Answer
When evaluating a code of conduct, it is important to consider two items: comprehensiveness and compliance. The code should address the ethical issues that the employees are expected to encounter and provide suitable guidance. The internal auditor also must consider the extent to which employees are complying with the standards established.

1.5 Coordination

Coordination
• Performance Standard 2050: Coordination and Reliance
o The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.
• Interpretation of Standard 2050
o In coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider competency, objectivity, and due professional care of the assurance and consulting service providers. The chief audit executive should also have a clear understanding of the scope, objectives, and results of the work performed by other providers of assurance and consulting services. Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.


Coordinating the Work of the Internal Audit Activity with Other Auditors
• Oversight of the work of external auditors, including coordination with the internal audit activity, is the responsibility of the board.
• Further guidance is provided in IG 2050, Coordination and Reliance:
o Internal providers may report to senior management or be part of senior management.
o External providers may report to senior management, external parties, or the CAE.
• Subject to the organization’s confidentiality constraints, “the parties share the objectives, scope, and timing of upcoming reviews, assessments, and audits; the results of prior audits; and the possibility of relying on one another’s work.”

Coordinating the Work of the Internal Audit Activity with Other Auditors
• The process varies by organization.
• Assurance mapping
o Connects significant risk categories and sources of assurance
o Assesses each category
• In the combined assurance model, the internal audit activity coordinates activities with second line of defense activities.
• Coordinating activities include the following:
o Simultaneity of the nature, extent, and timing of scheduled work
o Mutual understanding of methods and vocabulary
o The parties’ access to each other’s programs, working papers, and communications of results
o Reliance on others’ work to avoid overlap
o Meeting to adjust the timing of scheduled work given results to date

Coordinating with Regulatory Oversight Bodies
• Businesses and not-for-profit organizations are subject to governmental regulation in many countries.
• Particularly in larger organizations, entire departments or functions are established to monitor compliance with the regulations issued by these governmental bodies.
• Among the responsibilities of the internal audit activity is the evaluation of the organization’s compliance with applicable laws and regulations.

Multiple-Choice Question
An internal audit activity is often requested to coordinate its work with that of the external auditors. Which of the following activities is most likely to be restricted to the external auditor?

A. Evaluating the system of controls over cash collections and similar transactions.
B. Attesting to the fairness of presentation of cash position.
C. Evaluating the adequacy of the organization’s overall system of internal controls.
D. Reviewing the system established to ensure compliance with laws, regulations, and contracts.


Multiple-Choice Answer
Professional standards place sole responsibility for the attest function on the external auditors. Only the external auditors have the necessary independence to permit the provision of assurance to external parties. Unlike circumstances in which the external auditors use the work of other independent auditors, the responsibility cannot be shared with the internal auditors.

1.6 Other Topics

Governance
• The IIA Glossary defines governance as “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
• Internal auditors evaluate and improve governance processes as part of their assurance function.
• Performance Standard 2110: Governance
o The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance process for:
    • Making strategic and operational decisions.
    • Overseeing risk management and control.
    • Promoting appropriate ethics and values within the organization.
    • Ensuring effective organizational performance management and accountability.
    • Communicating risk and control information to appropriate areas of the organization.
    • Coordinating the activities of and communicating information among the board, external and internal auditors, other assurance providers, and management.

Strategic Role of the Internal Audit Activity
• The internal audit activity plays an important strategic role in the governance function of an organization.
• That role includes providing leadership, assessing the adequacy of performance measurement systems, making appropriate recommendations, and assessing the achievement of corporate objectives.


Business Process Improvement
• One of the strategic roles of internal auditors involves organizing and leading a team in mapping, analysis, and business process improvement.
• Internal auditors evaluate the whole management process of planning, organizing, and directing to determine whether reasonable assurance exists that objectives will be achieved.
• Internal auditing provides reasonable assurance that management’s
o Risk management activities are effective;
o Internal control is effective and efficient; and
o Governance process is effective by establishing and preserving values, setting goals, monitoring activities and performance, and defining the measures of accountability.

Internal Audit Performance Measurements
• Establishing performance measures is critical in determining whether an audit activity is meeting its objectives, consistent with the highest quality practices and standards.
• The first step is to identify key performance measures for activities that stakeholders believe add value and improve the organization’s operations.
• Once key effectiveness and efficiency measurements and targets have been identified, a monitoring process and a method of reporting to stakeholders should be established.
• It is important that the internal audit activity obtain feedback from key stakeholders on audit effectiveness and make adjustments when necessary.

Internal Audit Performance Measurements
• Provided below is an example from the Practice Guide using a balanced scorecard approach to measuring internal audit effectiveness and efficiency:

Performance Measurement Systems and Corporate Objectives
• An important element of corporate governance is the establishment of performance objectives. Internal auditors can use them as standards to measure performance.
• Internal auditors can add value to an organization by assessing the adequacy of the performance measurement system and the achievement of corporate objectives.
• Internal auditors may gather relevant information during multiple engagements. The results of these engagements provide a basis for assessing whether the current system is adequate.


Multiple-Choice Question
Which of the following statements regarding corporate governance is not correct?

A. Corporate control mechanisms include internal and external mechanisms.
B. The compensation scheme for management is part of the corporate control mechanisms.
C. The dilution of shareholders’ wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue.
D. The internal auditor of a company has more responsibility than the board for the company’s corporate governance.

Multiple-Choice Answer
Governance is the responsibility of the board. Internal audit’s responsibility is to assess governance processes and make appropriate recommendations for improvement.

1.7 Change Management

Change Management
• Change management is important to all organizations.
• An appropriate balance between change and stability is
necessary for an organization to thrive.
• Organizational change is conducted through change agents,
who may include managers, employees, and consultants
hired for the purpose.


Interpersonal Skills
• The internal audit activity can add value to an organization
by acting as a catalyst of change.
• An internal auditor can do the following:
o Champion the change, enlist others in its pursuit, and
develop a change strategy that includes milestones and
a timeline
o Model the change expected of others
o Maintain work efficiency and respond positively to a
changing environment
o Provide direction and focus during the change process
o Cope with stress

Types of Change
• Cultural change is a change in attitudes and mindset, for
example, when a total quality management approach is
adopted.
• A product change is a change in a product’s physical
attributes and usefulness to customers.
• A structural change is a change in an organization’s systems
or structures.

Resistance
• Organizational and procedural changes often are resisted by
the individuals and groups affected.
o This response may be caused by simple surprise, inertia,
or fear of failure.
• Resistance may arise from
o Misunderstandings or lack of needed skills
o Bad timing
o Dissolution of tightly knit work groups
• Methods of coping with employee resistance include
o Prevention through education and communication
o Participation in designing and implementing a change
o Facilitation and support through training and counseling

Models for Planned Change
• Kurt Lewin’s process model consists of three stages:
1. Unfreezing is the diagnosis stage. It involves choosing a
change strategy, preparing employees for the change,
and offsetting resistance.
2. Change is the intervention in (altering of) the status quo.
3. Refreezing makes the change relatively permanent so
that old habits will not reassert themselves. It is the
follow-up stage.


Models for Planned Change
• The continuous change process model recognizes that
change is ongoing and often requires a change agent to
prevent the process from being haphazard.
• In this five-step model, the change agent coordinates steps
2. through 5. below:
1. The forces for change accumulate.
2. The organization recognizes that a problem exists and
defines it.
3. The problem is submitted to the organization’s
problem-solving process.
4. The change is implemented.
5. Success in implementation is measured and evaluated.

Models for Planned Change
• Organizational development (OD) provides a framework for
managing change using the findings of the behavioral
sciences.
• True OD has three distinctive characteristics:
o The change must be planned and deliberate.
o The change must actually improve the organization.
Changes forced by regulatory requirements or changes
that merely attempt to follow management trends and
fads are not included.
o The change must be implemented using the findings of
the behavioral sciences, such as organizational behavior
and group psychology.

Multiple-Choice Question

An organization has embarked on a program of process innovation and core process redesign. To
counter resistance, it has adopted an organizational development (OD) approach that includes

A. Inducing employees to share organizational purposes and values.
B. Incremental change of subsystems.
C. Focusing each division’s attention on its own objectives.
D. Manipulating information and events.

Multiple-Choice Answer

The objectives of OD are to (1) deepen the sense of organizational purpose and
values and align individuals with them; (2) promote interpersonal trust,
communication, cooperation, and support; (3) encourage a problem-solving
approach; (4) develop a satisfying work experience; (5) supplement formal
authority with authority based on expertise; (6) increase personal responsibility;
and (7) encourage willingness to change.


1.8 Role of Internal Audit in Risk Management

Role of the Internal Audit Activity
• Internal audit can add value to an organization by providing
the board with objective assurance that
1. The major business risks are being managed
appropriately and
2. The risk management and internal control framework is
operating effectively.
• An organization can undertake a broad range of
enterprise-wide risk management (ERM) activities. However, internal
auditors should not undertake any activities that could
threaten their independence and objectivity.

Core Internal Audit Activity Roles in ERM
• Giving assurance on the risk management process.
• Giving assurance that risks are correctly evaluated.
• Evaluating risk management processes.
• Evaluating the reporting of key risks.
• Reviewing the management of key risks.

Legitimate Internal Audit Activity Roles Given Safeguards
• Facilitating identification and evaluation of risks.
• Coaching management in responding to risks.
• Coordinating ERM activities.
• Consolidating the reporting on risks.
• Maintaining and developing the ERM framework.
• Championing establishment of ERM.
• Developing an ERM strategy for board approval.


Roles the Internal Audit Activity Should Not Undertake
• Setting the risk appetite.
• Imposing risk management processes.
• Management assurance on risks.
• Making decisions on risk responses.
• Implementing risk responses on management’s behalf.
• Accountability for risk management.

Role in Risk Management
• Interpretation of Standard 2120
o Determining whether risk management processes are effective is a
judgment resulting from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s
mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the
organization’s risk appetite; and
• Relevant risk information is captured and communicated in a
timely manner across the organization, enabling staff,
management, and the board to carry out their responsibilities.
o The internal audit activity may gather the information to support this
assessment during multiple engagements. The results of these
engagements, when viewed together, provide an understanding of the
organization’s risk management processes and their effectiveness.
o Risk management processes are monitored through ongoing
management activities, separate evaluations, or both.

Role in Risk Management
• Implementation Standard 2120.A1
o The internal audit activity must evaluate risk exposures
relating to the organization’s governance, operations, and
information systems regarding the:
• Achievement of the organization’s strategic objectives.
• Reliability and integrity of financial and operational
information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures,
and contracts.
• Implementation Standard 2120.A2
o The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud
risk.

Responsibility for Organizational Risk Management
• Risk management is a key responsibility of senior
management and the board.
o Boards have an oversight function. They determine that
risk management processes (RMPs) are in place,
adequate, and effective.
o Management ensures that sound RMPs are in place and
functioning.
o The internal audit activity may be directed to examine,
evaluate, report, or recommend improvements.

Multiple-Choice Question

Which of the following represents the best statement of responsibilities for risk management?

   Management                Internal Auditing         Board
A. Responsibility for risk   Oversight role            Advisory role
B. Oversight role            Responsibility for risk   Advisory role
C. Responsibility for risk   Advisory role             Oversight role
D. Oversight role            Advisory role             Responsibility for risk

Multiple-Choice Answer

Risk management is a key responsibility of senior management and the board. To achieve its business objectives, management
ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that
appropriate risk management processes are in place and that these processes are adequate and effective. The internal audit
activity should have a process for planning, auditing, and reviewing risk management issues. It also evaluates risk management
during assurance and advisory reviews of an area or process. After communications with the board and senior management,
the CAE considers their risk appetite, risk tolerance, and risk culture. Moreover, (1) management should be alerted to new risks
or those not sufficiently mitigated, (2) recommendations and action plans for risk exposure should be provided, and (3)
sufficient information should be obtained to evaluate risk management effectiveness (IG 2120).

1.9 Quality Assurance and Improvement Program (QAIP)

Attribute Standards 1300 and 1310
• Attribute Standard 1300: Quality Assurance and
Improvement Program
o The chief audit executive must develop and maintain a
quality assurance and improvement program that covers
all aspects of the internal audit activity.
• Attribute Standard 1310: Requirements of the Quality
Assurance and Improvement Program
o The quality assurance and improvement program must
include both internal and external assessments.


Quality Assurance and Improvement Program (QAIP)
• The QAIP components are internal assessments, external
assessments, communication of results, use of a conformance
statement, and disclosure of nonconformance.
• IG 1300, Quality Assurance and Improvement Program, addresses
the CAE’s responsibilities for the QAIP:
o They include understanding mandatory guidance from The
IIA.
o The CAE also obtains an understanding of the board’s
expectations for the internal audit activity and seeks to obtain
the board’s support for the Standards and the QAIP.
o The CAE’s responsibilities extend to periodic evaluation of the
QAIP and making any necessary changes.
• The QAIP embraces all facets of the internal audit activity as
reflected in the pronouncements of The IIA and best practices of
the profession.

QAIP
• The following is guidance from IG 1310, Requirements of the
Quality Assurance and Improvement Program:
o The CAE is responsible for ensuring that the internal audit
activity conducts internal and external assessments.
o The elements of internal assessments are ongoing
monitoring and periodic self-assessments.
• Ongoing monitoring involves planning and supervision,
standard work practices, working paper procedures,
report reviews, and determination of needs for
improvement and responses.
• Periodic self-assessments evaluate whether ongoing
monitoring is effective.
• External assessments are performed by an independent
assessor or team. They assess adherence to the
Standards and Code of Ethics and identify needed
improvements.
Attribute Standard 1311
• Attribute Standard 1311 Internal Assessments
o Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit
activity.
• Periodic self-assessments or assessments by other persons within
the organization with sufficient knowledge of internal audit
practices.
• Interpretation of Standard 1311
o Ongoing monitoring is an integral part of the day-to-day supervision,
review, and measurement of the internal audit activity. Ongoing
monitoring is incorporated into the routine policies and practices used
to manage the internal audit activity and uses processes, tools, and
information considered necessary to evaluate conformance with the
Code of Ethics and the Standards.
o Periodic assessments are conducted to evaluate conformance with the
Code of Ethics and the Standards.
o Sufficient knowledge of internal audit practices requires at least an
understanding of all elements of the International Professional
Practices Framework.

Internal Assessments
• The focus of ongoing monitoring generally is on determining
whether audit processes provide quality at the engagement level.
o Continuous monitoring activities include engagement
planning and supervision, standard work practices, working
paper procedures, and reviews of reports.
• Periodic self-assessments are comprehensive reviews performed
by very experienced internal auditors.
o They address conformity with the Standards and Code of
Ethics.
o They assess quality and supervision of work, policies and
procedures, how value is added, whether key performance
indicators are met, and stakeholder satisfaction.
• Supervision is essential to the QAIP and involves setting
expectations, communication among auditors, and review of
working papers.
• A periodic internal assessment may facilitate and reduce the cost
of an external assessment performed shortly afterward.

Internal Assessments
• After an ongoing or periodic internal assessment,
conclusions about performance are reached and
appropriate action is begun to ensure improvements are
made.
• Those conducting internal assessments generally report
directly to the CAE, who should establish a structure for
reporting results that maintains credibility and objectivity.

Attribute Standard 1312
• Attribute Standard 1312 External Assessments
o External assessments must be conducted at least once
every five years by a qualified, independent assessor or
assessment team from outside the organization. The
chief audit executive must discuss with the board:
• The form and frequency of external assessments.
• The qualifications and independence of the external
reviewer or assessment team, including any
potential conflict of interest.

External Assessments
• External assessments provide an independent and objective
evaluation of the internal audit activity’s compliance with
the Standards and Code of Ethics.
• An external assessment may be a full assessment by a
qualified, independent external assessor or assessment
team.
• It also may be a self-assessment with independent external
validation by the internal audit activity and validated by a
qualified, independent external assessor.
• Individuals who perform the external assessment must
currently be competent in the professional practice of
internal auditing and external quality assessment.

Attribute Standards 1320, 1321, and 1322
• Attribute Standard 1320: Reporting on the Quality Assurance and Improvement Program
o The chief audit executive must communicate the results of the quality assurance and
improvement program to senior management and the board. Disclosure should
include:
• The scope and frequency of both the internal and external assessments.
• The qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest.
• Conclusions of assessors.
• Corrective action plans.
• Attribute Standard 1321: Use of “Conforms with the International Standards for the
Professional Practice of Internal Auditing”
o Indicating that the internal audit activity conforms with the International Standards
for the Professional Practice of Internal Auditing is appropriate only if supported by
the results of the quality assurance and improvement program.
• Attribute Standard 1322: Disclosure of Nonconformance
o When nonconformance with the Code of Ethics or the Standards impacts the overall
scope or operation of the internal audit activity, the chief audit executive must
disclose the nonconformance and the impact to senior management and the board.


Reporting Results
• Senior management and the board must be kept informed
about the extent to which the internal audit activity
achieves the degree of professionalism required by The IIA.
• This excerpt from the Interpretation of Standard 1320
addresses the frequency of reporting on the QAIP:
To demonstrate conformance with the Code of Ethics and
the Standards, the results of external and periodic internal
assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are
communicated at least annually.

Importance of Reporting Nonconformance
• The internal audit activity is a crucial part of a complex
organization’s governance processes. Senior management
and the board must be informed when an assessment
discovers significant nonconformance.

Multiple-Choice Question

When is initial use of the conformance phrase by internal auditors appropriate?

A. After an internal review completed within the past 5 years.
B. After an external review completed within the past 10 years.
C. After an internal review completed within the past 10 years.
D. After an external review completed within the past 5 years.

Multiple-Choice Answer

The chief audit executive may state that the internal audit activity conforms with the International Standards for the
Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this
statement (Attr. Std. 1321). The internal audit activity conforms with mandatory guidance when it achieves the outcomes
described in the Code of Ethics and the Standards. The results of the quality assurance and improvement program include the
results of both internal and external assessments. All internal audit activities will have the results of internal and external
assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at
least 5 years will also have the results of external assessments (Inter. Std. 1321). Thus, to use the phrase, the chief audit
executive of an internal audit activity in existence for at least 5 years must have the results of an external assessment within
that period.
