Essentials of Internal Auditing
Overview and Section I
Internal Auditing
• Discipline that works on behalf of management, board
of directors, and stakeholders to improve and add
value to governance, risk management, and control.
• Broad focus that requires examination/appraisal of
controls, financial performance, compliance, and
operational performance.
• Helps board and management make current as well as
future-oriented decisions in an informed manner.

www.LearnCIA.com
v6.0 Part 1 Overview I-2
Part 1: Essentials of Internal Auditing
I Foundations of Internal Auditing

II Independence and Objectivity

III Proficiency and Due Professional Care

IV Quality Assurance and Improvement Program

V Governance, Risk Management, and Control

VI Fraud Risks

Section I: Foundations of
Internal Auditing
• Topic A: The IIA’s International
Professional Practices Framework/
Purpose, Authority, and Responsibility
of the Internal Audit Activity
• Topic B: Requirements of the Internal
Audit Charter
• Topic C: Assurance and Consulting
Services
• Topic D: The IIA’s Code of Ethics

What Is an Integrated Audit?
• Auditors provide assurance related to any
combination of the following engagement types:
– Controls assurance
– IT
– Compliance
– Operations
– Financial assurance

Integrated Audit Engagement Types
• Controls Assurance: Assurance related to the design and operation of key control activities. Controls may be related to:
– Operations.
– Reporting.
– Compliance.
• Information Technology (IT) Assurance: Assurance related to design and operation of:
– General IT control activities.
– Specific application control activities.
• Compliance Assurance: Assurance related to design and operation of control activities and procedures in place to assure compliance with:
– Laws.
– Regulations.
– Policies.
• Operations Assurance: Assurance related to effectiveness and efficiency of an organization’s operations, including:
– Performance, profitability goals.
– Safeguarding resources against loss.
• Financial Assurance: Assurance on achievement of one or more financial assertions:
– Existence or occurrence
– Completeness
– Valuation and allocation
– Rights and obligations
– Presentation and disclosure

Internal Audits and the Board
Internal Audits
• Independent, unbiased, fact-finding exercises
• Verifiable information
• Users of audit information
– Board of directors
– Management
– Outside interests
Board of Directors
• Highest-level governing body
• Direct and/or oversee
• Independent group
– Board of governors or trustees
– Head of organization if no board exists
– Audit committee if so delegated
The IPPF Framework
“Red Book”

The IPPF Framework
• Exists to guide internal auditors’ professional practice
and ensure highest-quality internal audit results
• Facilitates consistent development, interpretation, and
application
• Relationship with organizations and countries’ laws
– IPPF should not conflict with laws or regulations.
– Contact The IIA or legal counsel if conflicts appear.

International Professional Practices Framework (IPPF)
• Mission of Internal Audit
• Mandatory
– Core Principles for the Professional Practice of Internal Auditing
– Definition of Internal Auditing
– Code of Ethics (must, should)
– International Standards for the Professional Practice of Internal Auditing (the Standards)
• Recommended (optional)
– Implementation Guidance
– Supplemental Guidance

Practice Question
When the word should appears in the
IPPF, this means it is
A. recommended guidance.
B. an unconditional requirement.
C. a qualified conformance expectation.
D. unrelated to professional judgment.
Answer: C. The word should is used where conformance is
expected unless, when applying professional judgment,
circumstances justify deviation.

Discussion Question
What does mandatory guidance mean?
Answer:
• Applies to individual internal auditors and internal
audit activities.
• Accountable for conforming to Standards on:
– Objectivity.
– Proficiency.
– Due professional care.
– Standards relevant to performance of job responsibilities.
• CAEs: Accountable for overall conformance to Standards.
• If statement “conformance with the standards” appears, adherence is
required even if not IIA member or CIA.
Mission of Internal Audit
To enhance and protect organizational
value by providing risk-based and
objective assurance, advice, and insight

• Articulates what internal audit aspires to accomplish in an
organization.
• Practitioners should leverage the entire IPPF framework to
facilitate their ability to achieve the mission.

The IPPF Core Principles
• Demonstrates integrity
• Demonstrates competence and due professional care
• Is objective and free from undue influence (independent)
• Aligns with the strategies, objectives, and risks of the organization
• Is appropriately positioned and adequately resourced
• Demonstrates quality and continuous improvement
• Communicates effectively
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organizational improvement

The IIA’s Definition of Internal Auditing

“Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.”

Discussion Question
IIA Standard 1110 states that the
________ “must confirm to the
________, at least annually, the
___________________ of the internal
audit activity.”

Answers: CAE; board; organizational independence

Organizational Independence
Organizational independence exists if the CAE:
• Reports functionally to the board.
• Has direct and unrestricted access to the board.
• Reports administratively to the CEO or a similar head
of the organization or to some other organizational
level so long as the internal audit activity controls the
scope of the work, the performance of the work, and
the reporting of results without interference.

Objectivity
• Avoid conflict of interest—or
appearance thereof.
• Credibility issue.

Consulting
• Expands role of internal auditing into areas of
other value-added services
• Insight
• Proper controls from the start
• Doesn’t compromise independence
• No decision making

Internal Audit Activity Nature of Work
Governance: Help assess and improve governance by:
• Promoting ethics, values.
• Providing assurance on management effectiveness and accountability.
• Clearly communicating about risk, control, and organizational objectives.
• Coordinating activities.
Risk: Help manage risk by:
• Identifying and evaluating significant risk exposures.
• Improving risk management and controls.
• Evaluating the risk management system.
Control: Help maintain effective controls by:
• Evaluating control effectiveness and efficiency.
• Promoting control environment and control activities improvement.

The Standards
Purpose:
• To guide adherence to mandatory elements of the IPPF
• To provide a framework for performing and promoting
a broad range of value-added internal auditing
• To establish the basis for the evaluation of internal
audit performance
• To foster improved organizational processes and
operations

The Standards Guidance
“Red Book”

Includes Glossary

Some standards include “interpretation” text:
• Italicized
• Further explains guidance description
• Should not be overlooked
The Standards: Three Types

• Attribute Standards (1000s)
• Performance Standards (2000s)
• Implementation Standards (A or C)

Attribute and Performance Standards
Attribute Standards (1000s)
• Address characteristics of organizations and parties performing internal audit activities
• Apply to all internal audit services and internal auditors individually
Performance Standards (2000s)
• Nature of internal auditing
• Quality criteria for evaluating audit performance
• Apply to all internal audit services and internal auditors

Implementation Standards
• Mandatory instructions for implementing Attribute/
Performance Standards for assurance (A) and consulting (C)
engagements
• Expand upon Attribute/Performance Standards


Practice Question
Defining characteristics such as independence
and objectivity or due professional care are
covered in
A. Attribute Standards.
B. Performance Standards.
C. Implementation Standards.
D. Practice Guides.
Answer: A. Attribute Standards describe the characteristics of organizations
and parties performing internal audit activities. The 1100 series deals with
independence and objectivity.

Recommended Guidance
• Implementation Guidance
– Implementation Guides (IG)
– Concise and timely guidance to help internal auditors in interpreting and applying the Code of Ethics and the Standards
• Supplemental Guidance
– Practice Guides
– Detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches

Practice Question
During an internal audit, the Standards establish
all of the following EXCEPT
A. basic auditing principles.
B. evaluation criteria for audit performance.
C. considerations on how to plan and perform the
engagement.
D. a framework for a broad range of value-added
internal audit activities.
Answer: C. Approach and methodology (but not detailed processes and
procedures) are covered in the Implementation Guides.

Purpose, Authority, and Responsibility
for Internal Audit Activity
Purpose  Provide independent, objective assurance and consulting activity.
 Support organizational objectives.
 Determine if governance, risk management, and control exist and function properly.
 Communicate opportunities for improvement or risk exposures.
 Add value and improve organization’s operations.
Authority  Provide access to records, personnel, and physical properties.
 Maintain full and open access.
 Secure necessary internal and external resources.
Responsibility  Document the objectives, scope, and methodology of the engagement.
 Ensure that staff have knowledge, skills, experience, professional certifications.
 Report internal audit activity results to senior management, audit committee, board.
 Consider coordination of internal and external audit work.
 Do not perform management activities.

Internal Audit Charter

Attribute Standard 1000
“The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Mission of
Internal Audit and the mandatory elements of the International Professional
Practices Framework (the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of Internal
Auditing). The chief audit executive must periodically review the internal audit
charter and present it to senior management and the board for approval.”

Internal Audit Charter, Defined
“A formal document that defines the internal audit activity’s purpose, authority, and responsibility.”
• “Establishes the internal audit activity’s position within the organization”
• “Authorizes access to records, personnel, and physical properties relevant to the performance of engagements”
• “Defines the scope of internal audit activities”
The internal audit charter must be approved by the board.
Typical Audit Charter Elements
• Role and professionalism of internal audit activity
• Full access to records, physical property, and personnel
• Accountability for safeguarding assets, confidentiality
• Organization and reporting structure (functionally to board, administratively
to level that allows internal audit to fulfill its responsibilities)
• Importance of independence and objectivity
• Scope of assessments, plan draft and submittal, engagements,
results/reports communication, and monitoring of corrective actions
• Quality assurance and improvement
• Signatures of CAE, designated board representative, and person to whom
CAE reports

Other Key Documents
Purpose, Authority, and Responsibility

• Function and responsibility (F and R) statement
• Statement of policy
• Audit manual (policies and procedures)
• Staff job descriptions

Types of Audit Engagements
• Assurance Services: “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization”
• Consulting Services: “Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility”

Discussion Question
Which list describes assurance audit
services and which describes consulting
audit services?
Answer:
Assurance
• Objective assessment of evidence
• Independent opinion or conclusions about a process, system, etc.
• Internal auditor sets nature, scope
• Three parties: process owner, internal auditor, user
Consulting
• Advisory engagement
• Requested by client
• Nature and scope subject to client-auditor agreement
• Two parties: internal auditor and engagement client

Assurance and Consulting
Assurance Work
• Operational (effectiveness and efficiency to achieve organizational objectives)
• Compliance (conformance)
• Reporting (including ICFR)
• IT (integrity of information)
Consulting Work
• Advisory (e.g., control, policy/procedure development)
• Training (e.g., GRC, benchmarking, post mortem)
• Facilitative (e.g., risk assessment, control self-assessment)

Practice Question
Which is an example of a consulting engagement
that may not need a written agreement?
A. Being on a standing management committee
B. Facilitating a task force for control redesign
C. Participating in a merger
D. Consulting always needs a written agreement.
Answer: A. The nature and scope of a consulting
engagement are subject to agreement with the client, and
this should be formalized in writing. Informal activities
such as committee participation may be an exception.
The IIA’s Code of Ethics
• “Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors.”
• “This Code of Ethics applies to both individuals and entities that provide internal audit services.”
• Purpose: “To promote an ethical culture in the profession of internal auditing.”
• Fundamental Principles:
– Integrity
– Objectivity
– Confidentiality
– Competency
The IIA’s Code of Ethics
Internal auditors are expected to apply/uphold the following principles:
Integrity
1.1. Work with honesty, diligence, responsibility.
1.2. Observe law; make disclosures expected by law and profession.
1.3. Avoid illegal/discreditable acts.
1.4. Respect and contribute to legitimate and ethical objectives of organization.
Objectivity
2.1. Avoid acts or relationships that may impair unbiased assessment, including conflict with organization’s interests.
2.2. Accept nothing that may impair professional judgment.
2.3. Disclose all material facts that, if undisclosed, may distort reporting.
Confidentiality
3.1. Be prudent in use and protection of information acquired in course of duties.
3.2. Do not use information for personal gain or in manner contrary to law or to detriment of legitimate and ethical objectives of organization.
Competency
4.1. Engage only in services for which they have knowledge, skills, and experience.
4.2. Perform internal auditing services in accordance with Standards.
4.3. Continually improve proficiency and effectiveness and quality of services.

Discussion Question
What should you do when confronted
by an ethical dilemma that can’t be
resolved by reference to any of the
specific Rules of Conduct?

Answer:
Apply the four principles to determine an
ethical course of action.
End of Section I

Questions?
