4. Competency
commitment to acquiring and maintaining an appropriate level of knowledge and skill
Engage only in those services for which we have the necessary knowledge, skills, and experience
Perform internal audit services in accordance with Standards
Continually improve the proficiency and the effectiveness and quality of services

Be prudent in the use and protection of information acquired in the course of duties
Not use information for any personal gain or in any manner that would be contrary to the law
interest of the organization

relationship that may impair or be presumed to impair their unbiased assessment OR professional judgment
Disclose all material facts known to that, if not disclosed, may distort the reporting of activities under review

diligence, and responsibility
Make disclosures expected by the law
Not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession

CARE, AND QUALITY
(To promote the
top)
Aspects

(B) OBJECTIVITY
Objectivity refers to impartial and unbiased mindset, which is facilitated by avoiding conflicts of interest

Conflict of Interest
Internal auditors must avoid any conflict of interest

Many CAEs have an internal audit policy manual or handbook that may describe:
a. Critical importance of objectivity
b. Situations that could undermine objectivity
c. Actions the internal auditor should take if (s)he becomes aware of a current or potential objectivity concern
d. Reporting requirements, where each internal auditor periodically considers & discloses conflicts of interest

When assigning internal auditors to specific engagements, CAE should avoid assigning team members who may have a conflict
CAE needs to be thoughtful in designing the internal audit performance evaluation and compensation

(C) IMPAIRMENT TO INDEPENDENCE AND OBJECTIVITY
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties

Examples of independence impairments
1. The CAE has broader functional responsibility than internal audit
2. The CAE does not have direct communication or interaction with the board
3. The budget for the internal audit activity is reduced to the point that internal audit cannot fulfill its responsibilities as outlined in the charter
4. Scope limitation (restriction placed on a. internal audit charter, b. access to records, personnel, and physical properties, c. Approved engagement work schedule, or d. Approved staffing plan and financial budget)

Examples of objectivity impairments
1. An internal auditor audits an area in which he or she recently worked
2. An internal auditor audits an area where a relative or close friend is employed
3. An internal auditor assumes, without evidence, that an area being audited has effectively mitigated risks
4. An internal auditor modifies the planned approach or results based on the undue influence of another person
5. Accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate

(D) PROFICIENCY
Meaning
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. Internal audit activity is considered proficient if it collectively possesses or obtains the competencies needed to perform its responsibilities

(E) INTERNAL AUDIT RESOURCES
Organization may outsource all, or some of the functions of the internal audit activity. However, oversight of and responsibility for the internal audit activity must not be outsourced

Competency Framework (10 core competencies)
Persuasion and collaboration
Communication
Business acumen
Technical Expertise
Governance, risk and control
IPPF
Internal audit management
Foundation/Basis of Framework
Professional ethics
Board: Responsible for oversight, identify stakeholders and their expectations, Selection and removal of officers
Management: establishes & maintains the organizational culture, and Day-to-day governance functions, and determine who will be risk owners
Internal Audit: Assesses and makes recommendations to improve governance processes
Risk owners: Evaluating the adequacy of the design of RM activities and whether they are operating as designed & Establishing monitoring activities, and reports are accurate
Risk committee: a. Identifies key risks, b. Connects them to RM processes, c. Delegates them to risk owners, d. Considers tolerance levels delegated

More mature system: IA emphasis on optimizing structure and practices
a) Setting values, objectives, and strategies;
b) Defining roles and behaviors;
c) Measuring performance;
d) Specifying accountability; and
e) Complying with corporate social responsibilities.

Affect
Ensure the organization
1) Complies with society’s legal
2) Satisfies the accepted business norms
3) Provides overall benefit to society
4) Reports fully and truthfully to stakeholders

The Overall control environment and individual engagement risks and controls.
* Risk aggressive = importance of control is Low = engagement risks and controls is High
* Risk averse = importance of control is High = engagement risks and controls is Low
SU 4: RISK MANAGEMENT

1. Definition
Culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

i) Reviewing and challenging decisions related to strategy, risk appetite, and significant business decisions.
ii) Approving management compensation.
iii) Participating in stakeholder relations.

Internal and external environments
Business context may be:
i) Dynamic.
ii) Complex.
iii) Unpredictable.

Elements of effective data management:
i) Data and information governance
ii) Processes and controls
iii) Data management architecture

2. Risk identification
*Affect the reasonable expectation of achieving strategy
*Identify New, emerging, and changing risks and opportunities
*The risk inventory consists of all risks
i) Internal environment include those due to rapid growth, innovation, and turnover of key personnel.
ii) changes in external environment include those in the economy or regulations.
When the components, principles, and supporting controls are present and functioning, ERM is reasonably expected to manage risks effectively and to help create, preserve, and realize value.
1) Present means the components, principles, and controls exist in the design and implementation of ERM to achieve objectives.
2) Functioning means the components, principles, and controls continue to operate to achieve objectives.
(C) Segregation of Duties
Any transaction should be performed by separate individuals through 3 functions: (a) Authorization, (b) Recordkeeping, (c) Custody

(F) Sawyer’s Definition of Control
The employment of all the means devised in an enterprise to promote, direct, restrain, govern, and check upon its various activities for the purpose of seeing that enterprise objectives are met. These means of control include, but are not limited to, form of organization, policies, systems, procedures, instructions, standards, committees, charts of accounts, forecasts, budgets, schedules, reports, records, checklists, methods, devices, and internal auditing.
5) Payment of salaries for employees

Imposed control is the traditional, mechanical approach. It measures performance against standards and then takes corrective action through the individual responsible for the function or area being evaluated.

Self-control evaluates the entire process of management and the functions performed. Thus, it attempts to improve that process instead of simply correcting the specific performance of the manager. Management by objectives is an example.