
License Agreement for The IIA’s CIA® Challenge Exam Study Guide

STUDENT MATERIALS

By opening and using The IIA’s CIA® Challenge Exam Study Guide
student materials (the “Materials”), the user (“User”) hereby agrees
as follows:

(i) That The Institute of Internal Auditors is the exclusive
copyright owner of the Materials.

(ii) Provided that the required fee for use of the Materials by
User has been paid to The IIA or its agent, User has the right, by
this License, to use the Materials solely for his/her own educational
use.

(iii) User has no right to print or make any copies, in any
media, of the materials, or to sell, or sublicense, loan, or otherwise
convey or distribute these materials or any copies thereof in any
media.

The IIA’s CIA® Challenge Exam Study Guide
The IIA’s CIA® Challenge Exam Study Guide is based on select
portions of the Certified Internal Auditor® (CIA®) syllabus developed
by The IIA. However, program developers do not have access to the
exam questions. Therefore, while the study guide is a good tool for
study, reading the text does not guarantee a passing score on the
CIA exam.

Every effort has been made to ensure that all information is current
and correct. However, laws and regulations change, and these
materials are not intended to offer legal or professional services or
advice. This material is consistent with the revised Standards of the
International Professional Practices Framework (IPPF) introduced in
July 2015, effective in 2017.

Copyright
These materials are copyrighted; it is unlawful to copy all or any
portion. Sharing your materials with someone else will limit the
program’s usefulness. The IIA invests significant resources to create
quality professional opportunities for its members. Please do not
violate the copyright.

Acknowledgments
The IIA would like to thank the following dedicated subject matter
experts who shared their time, experience, and insights during
development and subsequent updates.
Subject matter experts
Farah George Araj, CPA, CIA, CFE, QIAL, Australia
Scott Blankenship, CIA, CRMA, CPA, CFE, United States
Melissa Clawson, CIA, CRMA, United States
Christy Decker-Weber, CIA, CRMA, CPA, CFE, CHIAP
Jayson Walter Kwasnik, CIA, CPA, CA, Canada
Jessica Minshew, CIA, United States
Joanne F. Prakapas, CIA, CRMA, CFE, CPA, CFF, United States
James M. Reinhard, CIA, United States
Elizabeth Sandwith, CFIIA, United Kingdom

Past subject matter experts
Pat Adams, CIA
Terry Bingham, CIA, CISA, CCSA
Raven Catlin, CIA, CPA, CFSA
Patrick Copeland, CIA, CRMA, CISA, CPA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
James D. Hallinan, CIA, CPA, CFSA, CBA
Larry Hubbard, CIA, CCSA, CPA, CISA
Jim Key, CIA
David Mancina, CIA, CPA
Al Marcella, PhD, CISA, CCSA
Markus Mayer, CIA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Gary Mitten, CIA, CCSA
Lynn Morley, CIA, CGA
Lyndon Remias, CIA
James Roth, PhD, CIA, CCSA
Brad Schwieger, CPA, DBA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CIT

Part 1: Essentials of Internal Auditing

Internal auditing is a discipline that works on behalf of management,
the board of directors, and other stakeholders of public and private
entities to improve and add value to governance, risk management,
and control procedures.

Part 1 of The IIA’s CIA Challenge Exam Study Guide looks at a
number of the essentials of internal auditing.

Section A covers the foundations of internal auditing—The IIA’s
International Professional Practices Framework; the purpose,
authority, and responsibility of the internal audit activity; the
requirements of the audit charter; and the difference between
assurance and consulting services.

Section B looks at the concepts of independence and objectivity.

Section C looks at the concepts of proficiency and due
professional care.

Section D describes aspects of a quality assurance and
improvement program.

Section E covers organizational governance and risk, and it looks
at risk management within an audit activity charter.

Section F focuses on fraud risks—the types of these risks and
controls to prevent and detect fraud.

Section A: Foundations of Internal Auditing
This section is designed to help you:
Identify and apply relevant ethical, practical, and legal standards
to the audit practice, including The Institute of Internal Auditors’
(The IIA’s) Code of Ethics, International Standards, and Practice
Advisories and relevant laws.
Explain the International Professional Practices Framework
categories of guidance.
Explain the Mission of Internal Audit.
Describe the Core Principles for the Professional Practice of
Internal Auditing.
Define internal auditing.
Describe compliance with The IIA’s Code of Ethics.
Explain how the purpose, authority, and responsibility for an
internal audit activity are documented, communicated, and
approved.
Understand the importance of securing the board’s approval of
the internal audit activity charter and audit plan.
According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study
Guide may be accessed using the links below. Access to specific
pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

Topic 1: Mission, Definition, and Core Principles
This topic discusses The IIA’s Mission of Internal Audit, Definition of
Internal Auditing, and Core Principles for the Professional Practice of
Internal Auditing and the purpose, authority, and responsibility of the
internal audit activity.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1000
Practice Guide, “Demonstrating the Core Principles for the
Professional Practice of Internal Auditing”

The Framework
The Institute of Internal Auditors (The IIA) uses the International
Professional Practices Framework (IPPF) to organize its
authoritative guidance in a manner that is readily accessible. The
IPPF, sometimes called the “Red Book,” is intended to help
practitioners and stakeholders throughout the world respond to the
expanding market for high-quality internal auditing.

The IPPF contains both mandatory and recommended guidance. The
Mission of Internal Audit, the Core Principles for the Professional
Practice of Internal Auditing, the Definition of Internal Auditing, the
Code of Ethics, and the International Standards for the Professional
Practice of Internal Auditing (the Standards) comprise the mandatory
guidance. Recommended guidance in the IPPF includes
Implementation Guidance and Supplemental Guidance. All of the
guidance sources listed above will be discussed throughout this
product. The IPPF is shown in Exhibit 1-1.
Exhibit 1-1: International Professional Practices Framework

Note that recommended guidance is endorsed by The IIA, but it is not
required, and The IIA recommends using independent expert advice
for any specific situations that may arise.

Mission of Internal Audit
Exhibit 1-2: Mission of Internal Audit

The Mission of Internal Audit articulates what internal audit aspires to
accomplish in an organization. It demonstrates how practitioners
should leverage the entire IPPF to facilitate their ability to achieve the
Mission. The placement of the Mission within the IPPF is shown in
Exhibit 1-2.

According to The IIA
Mission of Internal Audit
To enhance and protect organizational value by providing risk-
based and objective assurance, advice, and insight.
Key Point
The Mission of Internal Audit is deliberately placed in the IPPF,
demonstrating how practitioners should leverage the entire
framework to facilitate their ability to achieve the Mission.

By requiring that the services provided by internal audit be risk-based
and objective, the Mission aligns directly with the expectations of
stakeholders. Each requirement serves a different function. The risk
basis supports the goal to protect organizational value, and objectivity
is one of the main strategic success enablers of the internal audit
activity.

The Mission makes it clear that internal audit must be focused on
increasing the organization’s value and that there are three general
types of risk-based and objective activities through which internal
audit increases and protects this value:
Assurance
Advice
Insight

Assurance work makes up the majority of internal audit activities. It is
designed to communicate to the main stakeholders that management:
Has deployed appropriate activities to achieve its objectives.
Is appropriately managing the risks to those objectives.
Has agreed to implement required additional risk mitigation and
improvement measures.

Advice can be provided through advisory engagements, which are
often referred to as consulting engagements. These are designed to
provide advice and insight to the organization in a proactive,
customer-driven approach.

Insight can be provided in a variety of formats, which may include but
are not limited to:
Assurance engagement reports.
Advisory engagement reports.
Participation on committees and task forces.
Personal meetings.
Board reporting.
Progress reporting.

Core Principles
Exhibit 1-3: Core Principles for the Professional Practice of Internal
Auditing

The Principles set out the basic elements that describe internal audit
effectiveness with respect to the aspirations expressed in the Mission
of Internal Audit. They serve as fundamental propositions that form
the basis for the Code of Ethics and the Standards. The placement of
the Core Principles within the IPPF is shown in Exhibit 1-3.
According to The IIA
Core Principles for the Professional Practice of Internal
Auditing
Demonstrates integrity.
Demonstrates competence and due professional care.
Is objective and free from undue influence (independent).
Aligns with the strategies, objectives, and risks of the
organization.
Is appropriately positioned and adequately resourced.
Demonstrates quality and continuous improvement.
Communicates effectively.
Provides risk-based assurance.
Is insightful, proactive, and future-focused.
Promotes organizational improvement.

Each Principle may apply to the individual auditor, the audit activity, or
both. Though internal audit activities may demonstrate achievement of
principles in various ways, each of the Principles must be present and
successfully operating for the audit activity to be considered effective.
Failure to achieve any one of the Principles suggests that the activity
is not as effective as it could be.

Consequences of Not Demonstrating Core Principles
The consequences that may result from not demonstrating the Core
Principles help reinforce the importance of each Principle. For each
Principle listed below, an example is given describing a potential
negative consequence.

Demonstrates integrity. The internal audit activity may lose the
trust placed in it and consequently its credibility to provide
independent and objective assurance and advice.

Demonstrates competence and due professional care. Internal
audit risk assessments, the activity’s plan of engagements, and
the scope and objectives of engagements may not be sufficient,
accurate, or complete.

Is objective and free from undue influence (independent).
Management and the board are unlikely to trust internal audit
observations as accurate and complete.

Aligns with the strategies, objectives, and risks of the
organization. The internal audit activity risks wasting resources on
assessing areas, processes, or issues that do not help the
organization manage its key risks and achieve its objectives.

Is appropriately positioned and adequately resourced. The
results and conclusions of internal audit work may not be treated
with sufficient importance to prompt action from management, and
independent reporting may be difficult.

Demonstrates quality and continuous improvement. Errors
may occur in internal audit work, or there may be a perception that
the work is not reliable. The internal audit activity may fail to keep
up with innovations in technology, methodology, and audit
techniques.

Communicates effectively. The internal audit activity may be
unable to obtain the position, resources, and information it needs to
conduct engagements and to effectively express its results,
conclusions, and opinions to management and the board.

Provides risk-based assurance. Management and the board will
not have independent validation that its controls are designed
properly and are working as expected to mitigate risks.

Is insightful, proactive, and future-focused. The internal audit
activity is likely to miss emerging risks, and the value it adds will be
limited.

Promotes organizational improvement. The value that internal
audit adds may be limited, as it may miss opportunities to
recommend ways the organization could increase efficiency.

Definition of Internal Auditing
Exhibit 1-4: Definition of Internal Auditing

The Definition of Internal Auditing is mandatory guidance from The IIA
and is key to understanding the role and depth of internal auditing.
The placement of the Definition within the IPPF is shown in Exhibit
1-4.

According to The IIA
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control, and governance processes.
The strategic focus of internal audit is clearly aligned with the
expectations of key organizational stakeholders. The Definition of
Internal Auditing focuses the image of internal auditing in six
significant ways.

It describes internal auditing as an independent, objective activity.
Independence refers to a structure that allows for the audit
activity’s freedom to determine audit or assurance scope, to
perform the work judged necessary to achieve engagement
objectives, and to communicate the results. Objectivity refers to the
personal ability to be non-biased, which allows auditors to be
responsive to their customers and to add value through their
objective analyses and recommendations for improvement.

The definition explicitly recognizes the consulting role of internal
audit in providing advice to the organization, in addition to
assurance activities. This conveys a proactive, customer-driven
approach where internal audit plays a role in organizational
governance, risk management, and control activities.

By stating that internal auditing is designed to “add value and
improve an organization’s operations,” the definition articulates the
expectation that the internal audit activity will add value to the
organization.

By referring to the organization’s objectives, the definition focuses
on the whole organization. This requires auditors to understand the
strategic objectives of the organization and the goals and
objectives that support it and to view problems and solutions from a
broad perspective.

The definition recognizes internal auditing’s legacy of delivering
services with a tried-and-true, systematic, and disciplined approach
that results from being a standards-based profession.

The definition charges internal auditors with a broad and involved
role to play in the organization’s governance and risk management
processes. Underlying the terminology is the understanding that
controls exist to help the organization manage risk and promote
effective governance processes.

Internal auditing differs from external auditing, which serves third
parties who require reliable financial information based on reliable
supporting records. Drawing further distinctions between internal and
external auditors as well as other related review functions can help
clarify what internal auditing is and what it is not. These distinctions
are described below:

External auditors/financial auditors. These auditors provide an
attestation solely based on the financial reports and statements
generated by an organization. The work of external and financial
auditors is historical in nature and is critical to allowing investors
and other third parties to make informed decisions (e.g., investing,
approving debt issuance) about an organization based on its
financial statements when taken as a whole.

Compliance. Compliance reviews typically serve to determine
whether or not an organization is adhering to a specified law,
regulation, standard, policy, or procedure, and the results are
reported as such.

Regulators. These auditors work for regulating bodies that review
compliance with specific regulations as well as the overall safety
and soundness of the organizations being examined. These
auditors perform compliance reviews of corporations or agencies
that are regulated by the specified regulating body.

Government auditors. Government auditors typically work for
departments, ministries, or agencies of a government and provide
assurance regarding program requirements, performance audits,
budget reviews, and management audits.

The Standards
Exhibit 1-5: Standards

The Standards are a set of principles-based, mandatory
requirements consisting of:
Statements of core requirements for the professional practice of
internal auditing and the evaluation of performance effectiveness
that are internationally applicable at organizational and individual
levels.
Interpretations that clarify terms or concepts within the Standards.

The placement of the Standards within the IPPF is shown in Exhibit
1-5.

The Standards comprise two main categories:
Attribute Standards address the attributes of organizations and
individuals performing internal auditing.
Performance Standards describe the nature of internal auditing and
provide quality criteria against which the performance of these
services can be measured.

Attribute and Performance Standards apply to all internal audit
services.

Implementation Standards expand upon existing Attribute and
Performance Standards by providing the requirements specifically
applicable to assurance (.A) or consulting (.C) services. These
requirements are discussed as applicable throughout the text.

Many of the Standards use the words “must” or “should.” These
terms have specific meaning within the IPPF. The word “must”
specifies an unconditional requirement; the word “should” is used
where conformance is expected unless, when applying professional
judgment, circumstances justify deviation.

Purpose, Authority, and Responsibility
According to The IIA
Attribute Standard 1000, “Purpose, Authority, and
Responsibility”
The purpose, authority, and responsibility of the internal audit
activity must be formally defined in an internal audit charter,
consistent with the Mission of Internal Audit and the mandatory
elements of the International Professional Practices Framework
(the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of
Internal Auditing). The chief audit executive must periodically
review the internal audit charter and present it to senior
management and the board for approval.

Standard 1000 requires that the purpose, authority, and responsibility
of the internal audit activity be clearly defined and approved by senior
management and the board. Creating an understanding of the
purpose, authority, and responsibility allows the internal audit activity
to best support overall organizational goals and objectives and to
strengthen internal controls and corporate governance. Exhibit 1-6
reviews the key elements characterizing internal audit activity
purpose, authority, and responsibility.

Exhibit 1-6: Purpose, Authority, and Responsibility Characteristics
for Internal Audit Activity

Purpose
Provide risk-based and objective assurance, advice, and insight.
Support organizational objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of
governance, risk management, and control processes.
Determine if organizational governance, risk management, and
control processes are in place and functioning properly.
Communicate any opportunities for improvement or risk exposures
to the appropriate management level (and the board/audit
committee as appropriate).
Add value and improve an organization’s operations.

Authority
Provide appropriate unfettered access to records, personnel, and
physical properties.
Maintain full and open access with the audit committee, board of
directors, or other appropriate governing authority.
Secure necessary internal and external resources to accomplish
audit activity objectives as planned.

Responsibility
Document the objectives and scope of the engagement as well as
the methodology to be used.
Ensure that internal audit activity staff have sufficient knowledge,
skills, experience, and/or professional certifications to fulfill the
engagement charter.
Communicate the results of the internal audit activity or other
matters that the chief audit executive determines necessary to
senior management, the audit committee, the board, or other
governing body of the organization.
Consider the coordination of internal and external audit work to
increase economy, efficiency, and effectiveness of the overall audit
process.
Do not perform management activities.

Standard 1000 introduces several concepts that are crucial to
understand when following the mandatory and recommended
guidance contained within the IPPF.

The internal audit charter is a critical document that records the
agreed-upon purpose, authority, independence and objectivity,
reporting structure, and responsibility of an organization’s internal
audit activity. It establishes the internal audit activity’s position
within the organization; authorizes access to records, personnel,
and physical properties; and defines the scope of internal audit
activities.

The chief audit executive (CAE) is defined in the IPPF glossary
as “a person in a senior position responsible for effectively
managing the internal audit activity....” This person is charged with
the creation of the internal audit charter and with the task of
reviewing and presenting the audit charter for board approval
periodically. The specific job title and/or responsibilities of the CAE
may vary across organizations, and the position may be outsourced
as well. For example, in organizations with smaller audit activities,
the CAE may also be responsible for conducting engagements. It
should be understood that the duties of the CAE are the duties of
the internal audit activity as a whole, with these duties typically
being managed by the CAE. The CAE should report to the board,
which helps maintain internal audit independence.

The board is defined in the IPPF glossary as “the highest level
governing body (e.g., a board of directors, a supervisory board, or
a board of governors or trustees) charged with the responsibility to
direct and/or oversee the organization’s activities and hold senior
management accountable.” It may refer to an audit committee,
which is a subset of the broader board to oversee certain functions
(e.g., internal audit, external auditors, financial concerns). If a
board or audit committee does not exist, the term may refer to the
head of an organization.

Topic 2: Internal Audit Charter Requirements
This topic discusses the required information, approval requirements,
and typical components of an internal audit charter.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
IIA Model Charter
Implementation Guidance for Standards 1000 and 1010

Audit Charter and Approval
The internal audit charter provides a recognized statement of the
purpose, authority, and responsibility of internal audit for review and
acceptance by management and for approval by the board. If a
question should arise, the internal audit charter provides a formal,
written agreement with management and the board.

Before writing or revising the internal audit charter, the CAE typically
reviews the IPPF to refresh his or her understanding of the Mission of
Internal Audit and the elements that must be included in the charter,
which are governed by Standard 1010.

According to The IIA
Attribute Standard 1010, “Recognizing Mandatory Guidance in
the Internal Audit Charter”
The mandatory nature of the Core Principles for the Professional
Practice of Internal Auditing, the Code of Ethics, the Standards,
and the Definition of Internal Auditing must be recognized in the
internal audit charter. The chief audit executive should discuss the
Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework with senior
management and the board.

The CAE is required to review the internal audit charter periodically
and present it to senior management and the board for review. The
CAE and the board may agree on the frequency of review and
reaffirmation for the charter, sometimes accomplished by establishing
a standing annual agenda item with the board. If questions arise in
the interim, the charter may be referenced and updated as needed.

To recognize the mandatory elements of the IPPF in the internal audit
charter, the CAE may make specific statements that use language
from applicable standards, such as Standard 1010, directly.
Alternatively, the CAE may use language and content throughout the
internal audit charter that require conformance with Mandatory
Guidance.

Key Point
Once the charter is adopted, it is important for the CAE to monitor
the IIA’s Mandatory Guidance and discuss any changes that may be
warranted during the next charter review with senior management
and the board.

Elements of the Internal Audit Charter
Let’s examine the typical elements of an internal audit charter, using
the IIA Model Charter as an example.

The introductory section explains the overall role and professionalism
of the internal audit activity. Relevant elements of the IPPF are often
cited in the introduction. In Exhibit 1-7, the Mission of Internal Audit
and the Definition of Internal Auditing are both used to craft the
“Purpose and Mission” section. The “Standards for the Professional
Practice of Internal Auditing” section conforms with the requirements
of Standard 1010.

Exhibit 1-7: Introduction

The “Authority” section specifies the internal audit activity’s full access
to the records, physical property, and personnel required to perform
engagements. In the Model Charter, this section also covers the
organization and reporting structure, as seen in Exhibit 1-8. Some
charters may use a separate section for the organization and
reporting structure, which may also delve into specific functional
responsibilities.
Exhibit 1-8: Authority

The “Independence and Objectivity” section of the charter describes
the importance of internal audit independence and objectivity and how
these will be maintained, as seen in Exhibit 1-9.

Exhibit 1-9: Independence and Objectivity

The “Responsibilities” section of the charter lays out major areas of
ongoing responsibility. As seen in Exhibit 1-10, the scope of
engagements may be listed separately from other areas of ongoing
responsibility.

Exhibit 1-10: Responsibilities

The “Quality Assurance and Improvement Program” section, shown in
Exhibit 1-11, describes the expectations for developing, maintaining,
evaluating, and communicating the results of a quality assurance and
improvement program.

Exhibit 1-11: Quality Assurance and Improvement

Signatures at the end of the charter document agreement among the
CAE, a designated board representative, and the individual to whom
the CAE administratively reports. As seen in Exhibit 1-12, the dates
and the titles of the signatories are included in this section.

Exhibit 1-12: Signatures

Topic 3: Assurance versus Consulting
This topic discusses the difference between the assurance and
consulting services that are provided by the internal audit activity.

Assurance and Consulting Services
Internal auditors provide a variety of assurance and consulting
(advisory) services.

The IPPF glossary defines assurance services as:

An objective examination of evidence for the purpose of
providing an independent assessment on governance, risk
management, and control processes for the organization.
Examples may include financial, performance, compliance,
system security, and due diligence engagements.

The glossary defines consulting services as:

Advisory and related client services activities, the nature
and scope of which are agreed with the client, are intended
to add value and improve an organization’s governance, risk
management, and control processes without the internal
auditor assuming management responsibility. Examples
include counsel, advice, facilitation, and training.

Assurance and consulting services are referenced in Implementation
Standards listed with Attribute Standard 1000 in the IPPF, seen
below.

According to The IIA
Implementation Standard 1000.A1 (Assurance Engagements)
The nature of assurance services provided to the organization
must be defined in the internal audit charter. If assurances are to
be provided to parties outside the organization, the nature of
these assurances must also be defined in the internal audit
charter.

According to The IIA
Implementation Standard 1000.C1 (Consulting Engagements)
The nature of consulting services must be defined in the internal
audit charter.

Let’s look at some key differences between assurance and
consulting, and some examples of the different types of services
internal auditors may provide.

Assurance Services
Assurance services involve the internal auditor’s objective
assessment of evidence to provide an independent opinion or
conclusion regarding an entity, operation, function, process, system,
or other subject matter. Three parties are generally involved in
assurance services:
The person or group directly involved with the entity, operation,
function, process, system, or other subject matter—the client
The person or group making the assessment—the internal auditor
The person or group using the assessment—the user or
stakeholder

The nature and the scope of the assurance engagement are
determined by the internal auditor.

Assurance services are at the core of internal auditing. While others
can provide consulting services, internal audit has the knowledge of
the organization and the independence to provide the board with the
information, facts, and conclusions they need to make appropriate
decisions. Assurance work makes up the majority of internal audit
activities. Examples of assurance services may include:
Financial.
Performance.
Compliance.
System security.
Due diligence.
Strategic.

Consulting Services
Consulting services are advisory in nature and are generally
performed at the specific request of an engagement client. They
generally involve two parties:
The person or group offering the advice—the internal auditor
The person or group seeking and receiving the advice—the
engagement client

The nature and the scope of a formal consulting engagement are
subject to agreement with the engagement client. Such agreements
should be formalized in writing.

Consulting services can include any advisory activity that improves the
organization’s governance, risk management, controls, and
compliance. The following are examples of different types of
consulting services.

Advisory consulting engagements. These engagements are
designed to offer advice and might include:
Advising on control design.
Advising during development of policies and procedures.
Participating in an advisory role for high-risk projects.
Advising on certain enterprise risk management activities.
Recommending solutions to key issues or challenges facing the
organization.

Training consulting engagements. These engagements are
educational in nature and might include:
Training on governance, risk management, and internal control.
Benchmarking internal areas with comparable areas of similar
organizations to identify best practices.
Post-mortem analysis—that is, determining lessons learned from
a project after it is completed.

Facilitative consulting engagements. These engagements might
include:
Facilitating an organization’s risk assessment process.
Facilitating management’s control self-assessment.
Facilitating a task force charged with redesigning controls and
procedures for a new or changed area.
Acting as a liaison between management and independent
outside auditors, government agencies, vendors, and contractors
on control issues.

Consulting may range from formal engagements, defined by written
agreements, to informal activities, such as participating in standing or
temporary management committees or project teams. Internal
auditors may be requested to help in special consulting engagements,
such as participation in a merger or acquisition project or in an
emergency engagement. These may require departure from normal
or established procedures for conducting consulting engagements.

The following are common examples of consulting activities:
Business process improvement
Risk and control self-assessment
Continuous monitoring of controls
Internal control review
Forensic audits
Operational readiness (product launch, new service or system)
Governance principles and practices
Ethics training
Internal control training
Participation on committees

Consistent with the IIA’s Code of Ethics, a consulting engagement
should never be conducted in an attempt to circumvent assurance
engagement requirements such as the need to provide an opinion at
the end of an engagement. Services once conducted as an assurance
engagement may be performed as a consulting engagement—if
deemed appropriate.

Blended Engagements
Assurance and consulting services are not mutually exclusive, so an
audit activity can have both assurance and consulting components. A
blended engagement may consolidate elements of assurance and
consulting activities. A blended engagement may take the form of a
due diligence engagement to provide assurance and consulting
services in support of management's evaluation of an acquisition
candidate, for example. In other instances, individual components of
an engagement may be specified as assurance or consulting. This
blending of the two types of services can add value and create
efficiencies.
However, if assurance and consulting services are blended, it must be
ensured that there are no conflicts of independence, objectivity, or
otherwise with regard to roles and responsibilities.

Topic 4: IIA Code of Ethics Conformance
This topic discusses the IIA’s Code of Ethics, including its four key
components:
Integrity
Objectivity
Confidentiality
Competency

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
IPPF Code of Ethics Implementation Guides

Purpose of the Code of Ethics

Exhibit 1-13: The Code of Ethics

The purpose of the IIA's Code of Ethics is to promote an ethical
culture in the profession of internal auditing. It is necessary and
appropriate for the profession of internal auditing. The Code of Ethics
extends beyond the Definition of Internal Auditing to include two
essential components:
Principles that are relevant to the profession and practice of
internal auditing.
Rules of Conduct that describe behavior norms expected of internal
auditors. These rules are an aid to interpreting the Principles into
practical applications and are intended to guide the ethical conduct
of internal auditors.
The Code of Ethics applies to both entities and individuals that
perform internal audit services. The placement of the Code of Ethics
within the IPPF is shown in Exhibit 1-13.

According to The IIA
Code of Ethics
Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control, and governance processes.

Key Point
It is especially important for the CAE to uphold the Code of Ethics,
thereby setting the tone for the value of ethics among the team.

The fact that a particular conduct is not mentioned in the Rules of
Conduct does not prevent it from being unacceptable or discreditable
and, therefore, the member, certification holder, or candidate can be
liable for disciplinary action.

We will now focus on each of the four main principles in the Code of
Ethics, starting with integrity.

Integrity
The Code of Ethics describes integrity as follows:

The integrity of internal auditors establishes trust and thus
provides the basis for reliance on their judgment.

The Rules of Conduct specify that internal auditors:
1. Shall perform their work with honesty, diligence, and responsibility.
2. Shall observe the law and make disclosures expected by the law
and the profession.
3. Shall not knowingly be a party to any illegal activity or engage in
acts that are discreditable to the profession of internal auditing or
to the organization.
4. Shall respect and contribute to the legitimate and ethical objectives
of the organization.

While the principle of integrity applies to all auditors, it may be
implemented differently from the perspective of the CAE compared to
the perspective of the individual auditor.

As the leader of the internal audit activity, the CAE should cultivate a
culture of integrity by acting with integrity and adhering to the Code of
Ethics. In order to assist in cultivating that culture, the CAE may:
Require internal auditors to agree in writing to follow the IIA’s Code
of Ethics and any additional ethics-related policies.
Emphasize the importance of integrity by providing training that
demonstrates integrity and other ethical principles.

Effectively managing the internal audit activity includes proper
engagement supervision and periodic reviews of internal auditors’
performance, which provide opportunities to discuss how integrity
may be challenged and applied in real situations. The CAE should
also maintain a working environment in which internal auditors feel
supported when expressing legitimate, evidence-based observations,
conclusions, and opinions, even if they are not favorable.

For the individual auditor, integrity may be considered primarily a
personal attribute, making it difficult to measure, enforce, or
guarantee. In simple terms, internal auditors are expected to tell the
truth and do the right thing, even when it is uncomfortable or difficult
to do so.

Objectivity
The Code of Ethics describes objectivity as follows:

Internal auditors exhibit the highest level of professional
objectivity in gathering, evaluating, and communicating
information about the activity or process being examined.
Internal auditors make a balanced assessment of all the
relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgments.

Objectivity is defined in the IPPF glossary as:

An unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in
their work product and that no quality compromises are
made. Objectivity requires that internal auditors do not
subordinate their judgment on audit matters to others.

The Rules of Conduct specify that internal auditors:
1. Shall not participate in any activity or relationship that may impair or
be presumed to impair their unbiased assessment. This
participation includes those activities or relationships that may be in
conflict with the interests of the organization.
2. Shall not accept anything that may impair or be presumed to impair
their professional judgment.
3. Shall disclose all material facts known to them that, if not
disclosed, may distort the reporting of activities under review.

The CAE may create relevant policies and procedures, for example,
regarding gifts or requiring internal auditors to complete a form
disclosing potential conflicts of interest and impairments to objectivity.

For internal auditors, objectivity can be best pursued by providing a
balanced assessment, ensuring that they are not unduly influenced in
forming judgments, and avoiding conflicts of interest and impairments.
The Standards provide a systematic and disciplined internal audit
approach that can assist with ensuring objectivity.

Confidentiality
The Code of Ethics describes confidentiality as follows:

Internal auditors respect the value and ownership of
information they receive and do not disclose information
without appropriate authority unless there is a legal or
professional obligation to do so.

The Rules of Conduct specify that internal auditors:
1. Shall be prudent in the use and protection of information acquired in
the course of their duties.
2. Shall not use information for any personal gain or in any manner
that would be contrary to the law or detrimental to the legitimate
and ethical objectives of the organization.

Information includes data in physical form and in electronic form.
Confidentiality involves protecting information from being disclosed to
unauthorized individuals, both within and outside the organization.
Internal auditors should understand laws and regulations related to
confidentiality and information security as well as any policies specific
to their organization or the internal audit activity.
To properly follow confidentiality laws and regulations, organizations
usually issue information security policies. To better understand the
impact of legal and regulatory requirements and protections, the CAE
should consult with legal counsel. Organizational policies and
procedures may require that specific authorities, such as legal
counsel, review and approve business information before external
release.

The CAE may implement additional policies, processes, and
procedures for the internal audit activity and external consultants to
follow, typically closely aligned with the IPPF’s Mandatory Guidance.
During meetings or training of the internal audit activity, the CAE may
discuss principles, rules, policies, and expectations related to
confidentiality.

Ultimately, internal auditors are responsible for practicing
confidentiality, which may be most evident when receiving
confidential, proprietary, or personally identifiable information during
the course of an audit engagement. To comply with the Rules of
Conduct related to the confidentiality principle, internal auditors must
follow established procedures for disclosure. Internal auditors should
not use insider financial, strategic, or operational knowledge to bring
about personal financial gain.

Competency
The Code of Ethics describes competency as follows:

Internal auditors apply the knowledge, skills, and
experience needed in the performance of internal audit
services.

The Rules of Conduct specify that internal auditors:
1. Shall engage only in those services for which they have the
necessary knowledge, skills, and experience.
2. Shall perform internal audit services in accordance with the
International Standards for the Professional Practice of Internal
Auditing.
3. Shall continually improve their proficiency and the effectiveness and
quality of their services.

The CAE is responsible for ensuring the competency of the internal
audit activity as a whole. However, individual internal auditors are
responsible for their own conformance with the competency principle,
the Rules of Conduct, and the relevant standards and for obtaining
the knowledge, skills, and experience needed to perform their
responsibilities and to continually improve their proficiency and quality
of service.

To ensure the competency of the internal audit activity as a whole, the
CAE should inventory the skills and experience of individual auditors,
align them with the competencies needed to fulfill the internal audit
plan, and identify any gaps in coverage. The CAE may address
deficiencies by:
Providing training and mentorship.
Rotating internal audit staff.
Bringing in guest auditors.
Hiring external service providers.

The CAE should also develop policies and procedures that include
regularly reviewing individual performance and should encourage
educational and training opportunities when possible.

To gain insight into their level of competency, proficiency, and
effectiveness and to find areas for potential growth, internal auditors
should regularly assess themselves. Internal auditors should also
seek constructive feedback from peers, supervisors, and the CAE.

Internal auditors may build their competencies by pursuing
educational and mentorship opportunities and supervised work
experiences that enable them to expand their skills. Properly
supervised internal audit engagements play a large role in facilitating
the development of internal auditors, because most internal audit
activities have limited resources.
Individual internal auditors are responsible for taking the necessary
actions to obtain any continuing professional education and
development hours they may need. They should be aware of the
current requirements for maintaining the active status of any
credentials they hold. Most certifications require the completion of
ethics training and continuing professional development.

Section B: Independence and Objectivity
This section is designed to help you:
Define independence and objectivity in terms of internal audit.
Interpret organizational independence of the internal audit
activity.
Explain the importance of independence in an internal audit
activity.
Explain the reporting relationships for internal auditors.
Identify whether the internal audit activity has any impairments to
its independence.
Assess and maintain an individual internal auditor’s objectivity,
including determining whether an individual internal auditor has
any impairments to his/her objectivity.
Analyze policies that promote objectivity.

According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study
Guide may be accessed using the links below. Access to specific
pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section covers the crucial requirements for the internal audit
activity to be independent and individual internal auditors to be
objective. Lacking either of these crucial traits can render the results
of engagements and the recommendations of internal audit unreliable
and inaccurate, to the detriment of the organization.

Topic 1: Organizational Independence
This topic discusses the organizational independence of the internal
audit activity, including the importance of independence and functional
reporting.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standards 1100, 1110, 1111,
1112

Organizational Independence

According to The IIA
Attribute Standard 1110, “Organizational Independence”
The chief audit executive must report to a level within the
organization that allows the internal audit activity to fulfill its
responsibilities. The chief audit executive must confirm to the
board, at least annually, the organizational independence of the
internal audit activity.

Independence is defined in the IPPF glossary as “the freedom from
conditions that threaten the ability of the internal audit activity to carry
out internal audit responsibilities in an unbiased manner.” These
conditions often stem from the organizational placement and assigned
responsibilities of internal audit.

The assigned roles and responsibilities for internal audit vary from
organization to organization based on factors such as:
Organizational size.
Type of operations.
Capital structure.
Legal and regulatory environment.

If the internal audit activity does not have sufficient organizational
status and autonomy, the ability to effectively manage the
independence of its work and reports is subject to question.

Standard 1110 is effectively achieved when the CAE reports
functionally to the board. Some examples of this functional
reporting involve the board:
Approving the internal audit charter.
Approving the risk-based internal audit plan.
Approving the internal audit budget and resource plan.
Receiving communications from the CAE on the internal audit
activity’s performance relative to its plan and other matters.
Evaluation and compensation of the CAE.
Appointment and removal of the CAE.

According to The IIA
Implementation Standard 1110.A1 (Assurance Engagements)
The internal audit activity must be free from interference in
determining the scope of internal auditing, performing work, and
communicating results. The chief audit executive must disclose
such interference to the board and discuss the implications.

Functional oversight requires the board to create the right working
conditions to permit the operation of an independent and effective
internal audit activity. The board monitors the ability of the internal
audit activity to operate independently.

The IIA recommends that the CAE report administratively to the
CEO, indicating that the CAE is in a senior position with the authority
to perform duties unimpeded. However, in some cases, the CAE has
an administrative reporting line to a member of senior
management, which enables the requisite stature and authority of
internal audit to fulfill responsibilities. The essential point is that the
CAE will have unrestricted access to report sensitive matters to the
highest level of governance in the organization.

Generally, the CAE, the board, and senior management discuss and
agree upon internal audit's responsibility, authority, and expectations
as well as the necessary organizational placement of internal audit
and CAE reporting relationships to enable internal audit to fulfill its
duties. The internal audit charter will reflect the decisions reached
during those discussions.

According to The IIA
Attribute Standard 1111, “Direct Interaction With the Board”
The chief audit executive must communicate and interact directly
with the board.

In addition to the administrative reporting relationship to the CEO
and/or senior management, the CAE typically has a direct functional
reporting relationship with the board or audit committee, as seen in
Exhibit 1-14.

Exhibit 1-14: Internal Audit Reporting Structure

With such a relationship, the CAE will have many opportunities to
communicate and interact directly with the board, such as during audit
committee and/or full board meetings, as well as through the ability to
directly contact the chair or any member of the board. Access to
these meetings allows the CAE to absorb strategic business and
operational developments as well as raise high-level risk, system,
procedure, or control issues at an early stage. A private meeting with
the board, without senior management present, is formally conducted
at least annually to discuss matters and issues.

CAEs without direct access to the board can share Standard 1111
(as well as Standards 1100 and 1110), recommended governance
practices, and board/audit committee best practice studies to pursue
a stronger relationship and direct access. CAEs in this situation may
consider written communications to the board until a direct line of
communication is available.

In addition to the audit committee, the board and/or senior
management also play a major role in setting the tone and substance
of the internal audit activity.

According to The IIA
Attribute Standard 1100, “Independence and Objectivity”
The internal audit activity must be independent, and internal
auditors must be objective in performing their work.

As seen in Standard 1100, independence is viewed as an attribute of
the internal audit activity, whereas objectivity is an attribute of the
individual auditor. The attribute of the internal audit activity relates to
its organizational independence.

Objectivity
Objectivity is defined in the IPPF glossary as:

An unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in
their work product and that no quality compromises are
made. Objectivity requires that internal auditors do not
subordinate their judgment on audit matters to others.

Maintaining this impartial state of mind and avoiding conflicts of
interest is prerequisite to any value being gained from internal audit
work.

It is the responsibility of the CAE to ensure that internal audit staff are
not placed in situations where they feel unable to make objective
professional judgments. The CAE should monitor potential conflicts of
interest and bias within the internal audit activity and make
assignments accordingly to avoid problems.

One strategy for an individual internal auditor to ensure that he or she
is acting objectively is to consult with others in the internal audit
activity when addressing potentially sensitive areas.

The CAE may use an internal audit policy manual or handbook that
describes expectations and requirements for an unbiased mindset. To
reinforce the importance of those policies, some CAEs will hold
routine workshops or training on fundamental concepts.

CAE Roles Beyond Internal Auditing
The IIA recommends that the CAE not have operational
responsibilities beyond the internal audit activity. If the CAE does
have other operational responsibilities, such as risk management or
compliance, the CAE typically discusses the independence concerns
and the potential objectivity impairment with the board and senior
management.

According to The IIA
Attribute Standard 1112, “Chief Audit Executive Roles Beyond
Internal Auditing”
Where the chief audit executive has or is expected to have roles
and/or responsibilities that fall outside of internal auditing,
safeguards must be in place to limit impairments to independence
and objectivity.

To address the risks of impairment in situations where the CAE is
asked to take on a role outside of internal audit, the CAE should gain
an understanding of any proposed role that falls outside of internal
auditing and speak with senior management and the board about the
reporting relationships, responsibilities, and expectations related to
the role.

In situations where the CAE has roles outside of internal audit, the
board and/or senior management will implement safeguards to limit
the impairment. Examples include:
Periodically evaluating CAE responsibilities.
Developing alternate processes to obtain assurance related to the
additional areas of responsibility.
Being aware of the potential objectivity impairment when
considering internal audit risk assessments.

When the CAE is asked to take on a role outside of internal audit,
documentation of any safeguards that were established to address
potential impairments may be used to demonstrate conformance with
Standard 1112. The CAE can also demonstrate conformance by
showing that other assurance providers have assessed the areas
where the CAE had undertaken additional roles beyond internal
auditing.

Ensuring Independence and Objectivity in Small Audit Activities
The 1100 series of the Standards can be especially challenging for
smaller internal audit activities. Small audit shops may encounter
challenges with independence and objectivity because of the
reporting structure or the newness of the activity, closer associations
with management, weaker organizational governance, and the
existence of additional responsibilities outside the core activity.

The IIA suggests the following approaches to addressing this
challenge:
The CAE must maintain open communications with the board and
senior management regarding the critical need for auditor
independence and objectivity.
In areas where auditors may have been given operational
responsibilities, the CAE should provide various alternatives for
how those areas might be audited.
In organizations where close working relationships are expected,
engagements should always be performed with objectivity in mind.
When issuing a report where independence or objectivity could not
be achieved at an acceptable level, the CAE must disclose that fact
in the audit report, including the reasons and the related impact.

Topic 2: Impairments to Independence
This topic discusses the impairments that may hinder the
independence of the internal audit activity. Impairments can stem
from an individual auditor’s personal circumstances, such as a conflict
of interest, as well as from structural and operational limits caused by
reporting structures and resource limitations.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1130
Practice Guide, “Interaction with the Board”

Impairments to Independence
According to The IIA
Attribute Standard 1130, “Impairment to Independence or
Objectivity”
If independence or objectivity is impaired in fact or appearance,
the details of the impairment must be disclosed to appropriate
parties. The nature of the disclosure will depend on the
impairment.

Disclosing impairments to independence or objectivity, in accordance
with Standard 1130, gives auditors the opportunity to perform the
requested service and provide the needed audit information but at the
same time empowers the customers to determine for themselves
whether or not to rely on the audit results. This must be disclosed
before accepting consulting engagements, in accordance with
Implementation Standard 1130.C2.

According to The IIA
Implementation Standard 1130.C2 (Consulting Engagements)
If internal auditors have potential impairments to independence or
objectivity relating to proposed consulting services, disclosure
must be made to the engagement client prior to accepting the
engagement.

Examples of impairment to organizational independence and
objectivity may include:
Personal conflict of interest.
Scope limitation.
Restrictions on access to records, personnel, and properties.
Resource limitations.
Assurance services provided within a period after an internal audit
consulting engagement.

The final example may be completed without impairment by following
Implementation Standard 1130.A3.

According to The IIA
Implementation Standard 1130.A3 (Assurance Engagements)
The internal audit activity may provide assurance services where
it had previously performed consulting services, provided the
nature of the consulting did not impair objectivity and provided the
internal objectivity is managed when assigning resources to the
engagement.

To fully understand and appreciate independence and objectivity, it is
important that internal auditors consider the perspectives of their
various stakeholders and the conditions that could be perceived as
undermining or appearing to undermine independence and objectivity.

Examples of organizational independence impairments include the
following, which can also undermine internal auditor objectivity:
The CAE has broader functional responsibility than internal audit
and executes an audit of a functional area that is also under the
CAE’s oversight.
The CAE’s supervisor has broader responsibility than internal audit,
and the CAE executes an audit within his or her supervisor’s
functional responsibility.
The CAE does not have direct communication or interaction with
the board.
The budget for the internal audit activity is reduced to the point that
internal audit cannot fulfill its responsibilities as outlined in the
charter.

The first example is specifically governed by Implementation
Standard 1130.A2, which requires that audits in an area under the
CAE's oversight be overseen by a party outside the internal audit
activity.

According to The IIA
Implementation Standard 1130.A2 (Assurance Engagements)
Assurance engagements for functions over which the chief audit
executive has responsibility must be overseen by a party outside
the internal audit activity.

When internal auditors observe what they believe to be an
impairment, typically they will begin to address it by discussing the
situation with an internal audit manager or the CAE to determine
whether it is truly an impairment and how to best proceed.

The determination of who must receive the details of an impairment is
dependent on the expectations of the internal audit activity and the
CAE responsibilities to senior management and the board as
described in the internal audit charter as well as the nature of the
impairment. This requires that the CAE have a clear understanding of
independence and objectivity requirements.

Documents that may demonstrate conformance with Standard 1130
include the internal audit policy manual, board meeting minutes,
memos to file, or reports that contain such disclosures of impairments
to independence and objectivity.

Topic 3: Individual Internal Auditor’s Objectivity
This topic discusses how the internal audit activity should monitor and
promote objectivity for individual internal auditors. This includes policy
decisions that the CAE may make that will greatly affect objectivity,
such as compensation and promotion policies.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standards 1120 and 1130

Assessing and Maintaining Objectivity

According to The IIA
Attribute Standard 1120, “Individual Objectivity”
Internal auditors must have an impartial, unbiased attitude and
avoid any conflict of interest.

Conflict of interest is a situation in which an internal auditor has a
competing professional or personal interest. It exists even if no
unethical or improper act results. It can create an appearance of
impropriety that can undermine confidence in the internal auditor, the
internal audit activity, and the profession.

In order to implement Standard 1120, the CAE will first want to
understand policies or activities within the organization and within
internal audit that could enhance or hinder objectivity.

The CAE may additionally choose to include training on professional
skepticism.

Individual internal auditors may ensure that they are acting objectively
by consulting with others within the internal audit activity when
addressing potentially sensitive areas.

According to The IIA
Implementation Standard 1130.A1 (Assurance Engagements)
Internal auditors must refrain from assessing specific operations
for which they were previously responsible. Objectivity is
presumed to be impaired if an internal auditor provides assurance
services for an activity for which the internal auditor had
responsibility within the previous year.

In order to follow Implementation Standard 1130.A1, the CAE or audit
team management may choose to discuss details of upcoming
assignments with potential team members, including the individuals
and departments involved, so that the CAE can explore if there is a
conflict that would impair or appear to impair an internal auditor’s
objectivity. Internal auditors are encouraged to share any concerns
they may have so that the CAE or audit team management can
determine whether the internal auditor may participate in the
engagement.

In addition to the internal policy manual, conformance with Standard
1120 may be evidenced by training records and also through signed
acknowledgment forms disclosing the existence (or nonexistence) of
conflicts. Engagement workpapers documenting team assignments
could be compared to the acknowledgment forms to confirm that
known conflicts were avoided.

Topic 4: Policies Promoting Objectivity


This topic discusses the importance of policies that promote
objectivity within the internal audit activity, which are rooted in the
internal audit charter.

According to The IIA


In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standards 1120 and 1130

Policies Promoting Objectivity


To fully understand and appreciate independence and objectivity,
internal auditors should consider the perspectives of their various
stakeholders and the conditions that could be perceived as
undermining these factors.

The IIA Model Charter features a section on independence and
objectivity that sets out baseline policies and expectations for the
internal audit activity and discusses how they will be maintained. In
addition to dictating that internal audit is independent and objective,
the charter discusses all other areas of responsibility of internal audit,
including any potential areas that could impair objectivity. It should
discuss how to overcome those potential impairments, if applicable.

Often the CAE will develop an internal audit policy manual or
handbook that includes a discussion of organizational independence
and internal auditor objectivity, the nature of threats to objectivity, and
how internal auditors should handle potential impairments. The
manual will often describe the appropriate actions for an auditor to
take should he or she become aware of or concerned about such
impairments. Categories of threats to objectivity include:

Self-review. These threats may arise when an auditor reviews his
or her own work.

Social pressure. These threats may occur when an auditor is
exposed to, or perceives that he or she is exposed to, pressures
from relevant groups.

Major economic interest. This threat may arise when the auditor
has a major, direct economic stake in the performance of the client
or fears that significant negative findings could jeopardize the
entity’s future and hence the auditor’s own interest as an
employee. It may also arise due to performance incentives related
to the area under review or when the audit concerns the work or
department of an individual who may subsequently make decisions
that directly affect the auditor’s employment or salary.

Personal relationship. This may arise when an auditor is a close
relative or friend of the manager or an employee of the audit
customer unit.

Familiarity. This threat may occur due to an auditor’s long-term
relationship with the audit customer.

Cultural, racial, and gender biases. This threat may occur when
auditors are biased against another culture, race, or gender.

Cognitive biases. This threat may arise from an unconscious and
unintentional psychological bias in interpreting information.
Section C: Proficiency and Due
Professional Care
This section is designed to help you:
Identify and describe the required knowledge, skills, and
competencies for an internal audit activity and how an
organization develops and/or procures them.
Identify and describe the required knowledge, skills, and
competencies that an internal auditor needs to possess to
perform his/her individual responsibilities.
Explain how to exercise due professional care in an internal audit
activity.
Describe the importance of professional development and formal
certification for internal auditors.
Explain how an individual internal auditor’s competency is
demonstrated through continuing professional development.
According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study
Guide may be accessed using the links below. Access to specific
pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-
standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section covers the necessary proficiency and due professional
care that are required for both internal auditors and the internal audit
activity as a whole. Skills, knowledge, and competencies important to
the profession of internal audit must be developed and maintained by
internal auditors and must be maintained or sourced from an external
provider for the internal audit activity to successfully complete
necessary engagements. Due professional care ensures that the
internal audit activity can rely on all internal auditors to apply the care
and skill of a reasonably prudent and competent auditor.

Topic 1: Knowledge, Skills, and Competencies
This topic discusses the knowledge, skills, and due professional care
that a successful internal audit activity needs to fulfill its
responsibilities and how individual internal auditors may develop those
skills. It also covers the responsibilities of the CAE pertaining to the
internal audit activity’s ability to perform engagements with necessary
proficiency.

According to The IIA


In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1200
IIA Global Internal Audit Competency Framework

Internal Audit Knowledge, Skills, and Competencies

According to The IIA


Attribute Standard 1200, “Proficiency and Due Professional
Care”
Engagements must be performed with proficiency and due
professional care.

Proficiency is a collective term that refers to the knowledge, skills,
and other competencies required of internal auditors to effectively
carry out their professional responsibilities. In order to enable
relevant advice and recommendations, proficiency encompasses:
Current activities.
Trends.
Emerging issues.

Changes that may affect the industry or the internal audit profession
may be learned about via continuing professional development. The
CAE may help ensure the internal audit activity’s overall proficiency in
this regard.

Internal auditors generally develop individual proficiency throughout
their careers:
By obtaining and maintaining appropriate certifications.
By gaining experience.
Through professional education, including continuing professional
development.

Internal auditors must be aware of continuing education requirements
for any certifications they maintain.

Due professional care requires the understanding of the IPPF’s
approach to internal auditing as well as organization-specific policies.
Implementation Standard 1220.A1 discusses what must be
considered by internal auditors when exercising due professional
care.

According to The IIA


Implementation Standard 1220.A1 (Assurance Engagements)
Internal auditors must exercise due professional care by
considering the:
Extent of work needed to achieve the engagement’s objectives.
Relative complexity, materiality, or significance of matters to
which assurance procedures are applied.
Adequacy and effectiveness of governance, risk management,
and control processes.
Probability of significant errors, fraud, or noncompliance.
Cost of assurance in relation to potential benefits.

For internal auditors, due professional care requires compliance with
the IIA’s Code of Ethics and may entail compliance with the
organization’s code of conduct and any additional codes of conduct
relevant to other professional designations attained.

The CAE is responsible for ensuring conformance with Standard 1200
by the internal audit activity as a whole. The CAE establishes policies
and procedures that enable internal auditors to perform engagements
with proficiency and due professional care as part of managing the
internal audit activity.
The CAE may use The IIA’s Global Internal Audit Competency
Framework or a similar benchmark to establish the criteria by which
to assess the proficiency of internal auditors. The criteria may be
used to:
Create job descriptions.
Create an inventory of the competencies needed with the internal
audit activity.
Develop a strategy for:
Recruiting.
Assigning.
Training.
Professional development.

The CAE generally thinks about the alignment between the
knowledge, skills, and other competencies needed to complete the
internal audit plan and the resources available among the internal
audit activity and other providers of assurance and consulting
services.

Conformance with Standard 1200 could be demonstrated using any
of the following items:
Competency assessments of the internal audit activity
Records of a recruitment and training strategy, job descriptions,
and resumes
Internal audit policies and procedures and workpaper templates
Evidence that internal audit policies and procedures were
communicated and signed acknowledgment that the internal audit
staff understands them
Evidence supporting annual declaration related to The IIA’s Code of
Ethics and the organization’s code of conduct
The internal audit plan and engagement plans, which demonstrate
the sufficient and appropriate allocation of internal audit staff

Topic 2: Knowledge and Competency


This topic discusses how internal auditors may show that they
possess the knowledge and competencies required by the internal
audit activity and how organizations and individuals may use
competency assessment tools to identify and develop missing
competencies.

According to The IIA


In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1210
IIA Global Internal Audit Competency Framework

Demonstrating Proficiency
According to The IIA
Attribute Standard 1210, “Proficiency”
Internal auditors must possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities.
The internal audit activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities.

Internal auditors are encouraged to demonstrate their proficiency by
obtaining appropriate professional certifications and qualifications.
The IIA’s Global Internal Audit Competency Framework defines the
core competencies needed to fulfill IPPF requirements for all
occupational levels of the internal audit profession. The Competency
Framework may be used by internal auditors as a basis of self-
assessment.

To build and maintain the proficiency of the internal audit activity, the
CAE may develop a competency assessment tool or skills
assessment based on the Competency Framework or another
benchmark. When using a competency tool to identify proficiency
gaps in the internal audit activity, the CAE should consider risks
related to fraud and IT as well as technology-based audit techniques,
as required by Standards 1210.A2 and 1210.A3.
According to The IIA
Implementation Standard 1210.A2 (Assurance Engagements)
Internal auditors must have sufficient knowledge to evaluate the
risk of fraud and the manner in which it is managed by the
organization, but are not expected to have the expertise of a
person whose primary responsibility is detecting and investigating
fraud.

According to The IIA


Implementation Standard 1210.A3 (Assurance Engagements)
Internal auditors must have sufficient knowledge of key
information technology risks and controls and available
technology-based audit techniques to perform their assigned
work. However, not all internal auditors are expected to have the
expertise of an internal auditor whose primary responsibility is
technology auditing.

Once the CAE has identified gaps in the internal audit activity’s
collective proficiency, he or she may also use the Competency
Framework to develop plans for filling coverage gaps through hiring,
training, outsourcing, and other methods, as described by Standard
1210.A1.
According to The IIA
Implementation Standard 1210.A1 (Assurance Engagements)
The chief audit executive must obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or
other competencies needed to perform all or part of the
engagement.

The CAE can encourage professional development of internal
auditors through:
On-the-job training.
Attendance at professional conferences and seminars.
Encouraging the pursuit of professional certifications.

The proficiency and experience of internal auditors help determine the
extent of supervision required for specific audit engagements, as
described by Standard 2340. When consulting engagements are
being considered and the available internal auditors do not have the
required proficiencies, the CAE must decline the engagement or
pursue other options, as described in Standard 1210.C1.

According to The IIA


Implementation Standard 1210.C1 (Consulting Engagements)
The chief audit executive must decline the consulting engagement
or obtain competent advice and assistance if the internal auditors
lack the knowledge, skills, or other competencies needed to
perform all or part of the engagement.
Conformance with Standard 1210 may be evidenced through different
means for individual internal auditors, the CAE, and the internal audit
activity as a whole.

Individual internal auditors may demonstrate conformance by:
Resume or curriculum vitae.
Records of certifications and continuing professional development.

The CAE may demonstrate conformance through:
The use of a competency assessment tool.
The development of:
Internal audit policies.
Internal audit procedures.
Training materials.

Conformance for the internal audit activity as a whole may be
demonstrated by:
An internal audit plan that includes an analysis of resource
requirements.
An inventory of available audit staff skills or individual profiles listing
qualifications.
An assurance map with a list of qualifications of service providers
on which the internal audit activity relies.
Documented results of internal assessments.
Technical and Soft Skills
Technical skills are the hard skills needed to perform the duties of an
internal auditor. Some examples of technical skills that may be useful
to the internal audit activity are:
Accounting.
Risk management assurance.
Information technology.
Data mining and analytics.
Negotiation.
Change facilitation capabilities.
Business/process knowledge.

Personal (soft) skills can affect how the recommendations that arise
from the applications of technical skills impact the recipients of
assurance and advisory services. Some examples of soft skills that
may be useful to the internal audit activity are:
Written communication.
Oral communication.
Analytical skills.
Critical thinking.
Persuasion and collaboration.

Topic 3: Due Professional Care


This topic discusses the required due professional care that internal
auditors must exercise, including how following the IPPF’s systematic
and disciplined approach can help auditors apply due professional
care.

According to The IIA


In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1220
Practice Guide, “Measuring Internal Audit Effectiveness and
Efficiency”
IIA Global Internal Audit Competency Framework

Demonstrating Due Professional Care

According to The IIA


Attribute Standard 1220, “Due Professional Care”
Internal auditors must apply the care and skill expected of a
reasonably prudent and competent internal auditor. Due
professional care does not imply infallibility.

Obtaining appropriate education, experience, certifications, and
training helps internal auditors develop the level of skill and expertise
required to perform their duties with due professional care.
Additionally, individual auditors should understand and apply the
Mandatory Guidance of the IPPF and may find it helpful to become
familiar with the core competencies described in the IIA’s Global
Internal Audit Competency Framework. Conformance with the IIA’s
Code of Ethics is required, and conformance with the organization’s
code of conduct and other codes of conduct may also apply.

At the engagement level, due professional care involves
comprehending:
The objectives of the engagement.
The scope of the engagement.
The competencies required to execute the audit work.
Knowledge of any policies and procedures specific to the internal
audit activity and the organization.

By following the systematic and disciplined approach of the IPPF and
the internal audit activity’s policies and procedures, internal auditors
essentially apply due professional care. However, what constitutes
due professional care partially depends on the complexities of the
engagement.

Key Point
Internal auditors are not expected to be infallible and are not
expected to give absolute assurance that noncompliance or
irregularities do not exist.
Implementation Standard 1220.A1, shown elsewhere, and
Implementation Standards 1220.A2, 1220.A3, and 1220.C1, shown
below, describe some of the elements that internal auditors must
consider in exercising due professional care.

According to The IIA


Implementation Standard 1220.A2 (Assurance Engagements)
In exercising due professional care internal auditors must
consider the use of technology-based audit and other data
analysis techniques.

According to The IIA


Implementation Standard 1220.A3 (Assurance Engagements)
Internal auditors must be alert to the significant risks that might
affect objectives, operations, or resources. However, assurance
procedures alone, even when performed with due professional
care, do not guarantee that all significant risks will be identified.
According to The IIA
Implementation Standard 1220.C1 (Consulting Engagements)
Internal auditors must exercise due professional care during a
consulting engagement by considering the:
Needs and expectations of clients, including the nature, timing,
and communication of engagement results.
Relative complexity and extent of work needed to achieve the
engagement’s objectives.
Cost of the consulting engagement in relation to potential
benefits.

The CAE assumes overall responsibility for ensuring that due
professional care is applied throughout the internal audit activity. The
CAE typically develops measurement tools, metrics, and a process to
assess the performance of individual internal auditors and the internal
audit activity as a whole.

Conformance with Standard 1220 may be reflected in engagement
plans, work programs, and workpapers as well as through
performance reviews, post-engagement staff meetings, and feedback
from audit clients.

Topic 4: Continuing Professional Development
This topic discusses the crucial task of continuing professional
development and how it helps individual auditors demonstrate
competency while enhancing the capabilities of the internal audit
activity as a whole.

According to The IIA


In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1230

Continuing Professional Development and Competency

According to The IIA


Attribute Standard 1230, “Continuing Professional Development”
Internal auditors must enhance their knowledge, skills, and other
competencies through continuing professional development.

The internal auditor is ultimately responsible for conforming with
Standard 1230. Internal auditors may want to reflect on:
Their job requirements.
Training policies.
Professional education requirements of their profession,
organization, or industry.
Any certifications or areas of specialization.
Feedback from recent performance reviews.
Assessment results regarding conformance with the Mandatory
Guidance of the IPPF.
Results of self-assessments.

Internal auditors may use a self-assessment tool as the basis for
creating a professional development plan. The plan is typically
discussed with the CAE and may be used as the basis for the
creation of key performance indicators to be used in supervisory
reviews, client surveys, and annual performance reviews. The plan
may encompass:
On-the-job training.
Coaching.
Mentoring.
Other internal and external training.
Volunteering.
Certification opportunities.

Continuing professional development may lead to additional
professional competencies that could enhance internal audit work in
specific areas. Opportunities to pursue professional development
include participating in:
Conferences.
Seminars.
Training programs.
Online courses and webinars.
Self-study programs.
Classroom courses.
Conducting research projects.
Volunteering with professional organizations.
Pursuing professional certifications, such as the CIA.

If internal audit client surveys reveal a concern regarding internal
auditors’ business acumen, the CAE may establish a training and
development policy to support continuing professional development.
The policy may specify a minimum number of hours of training for
each auditor.

To ensure that their internal audit knowledge stays current, internal
auditors may seek guidance from the IIA.

Internal auditors may demonstrate conformance with Standard 1230
by retaining documentation or evidence of any of the following:
Self-assessments against a competency framework or benchmark
Professional development and training plans
Memberships and participation in professional organizations
Subscriptions to sources of professional information
Completed training
Section D: Quality Assurance and
Improvement Program
This section is designed to help you:
Describe the required elements of a quality assurance and
improvement program (QAIP), including both internal and
external assessments.
Describe the requirement of reporting the results of the QAIP to
the board or other governing body.
Identify appropriate disclosure of conformance versus
nonconformance with The IIA’s International Standards for the
Professional Practice of Internal Auditing.

The topics in this section address the mandatory requirement for the
internal audit activity to develop and periodically perform the
processes in a quality assurance and improvement program. Details
covered include the required elements of these programs, including
internal and external assessments, the reporting requirements, and
how to disclose conformance versus nonconformance with the Code
of Ethics or Standards.

Topic 1: QAIP Required Elements


This topic discusses the importance of quality in the internal audit
activity and how quality can be delivered using a quality assurance
and improvement program (QAIP) as mandated by Standard 1300.
Internal assessments (including ongoing monitoring and periodic self-
assessments) and external assessments are described as well as
how to establish a QAIP and how such a program and other tools can
be used to help measure internal audit activity effectiveness and
efficiency.
According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for 1300 series
Practice Guide, “Quality Assurance and Improvement
Program”
Practice Guide, “Measuring Internal Audit Effectiveness and
Efficiency”

Quality and the QAIP

According to The IIA


Attribute Standard 1300, “Quality Assurance and Improvement
Program”
The chief audit executive must develop and maintain a quality
assurance and improvement program that covers all aspects of
the internal audit activity.

Organizations undergo refinement, and internal processes change
and evolve. As an organization changes, auditing services must keep
pace. To ensure its consistent relevance and quality, the internal audit
activity is required to have a quality assurance and improvement
program (QAIP) in place.
Key Point
The mandatory scope of a QAIP is limited to the mandatory
elements of the IPPF. This includes the Standards, the Code of
Ethics, the Core Principles for the Professional Practice of Internal
Auditing, and the Definition of Internal Auditing. Assessors can
evaluate against recommended guidance (implementation guidance
and supplemental guidance) or make additional improvement
recommendations, but these are not mandatory.

Let’s break down the interpretation (shown in italics) and
implementation guidance or other IIA guidance (the sub-bullets) for
Standard 1300:

A quality assurance and improvement program is designed to
enable an evaluation of the internal audit activity’s conformance
with the Definition of Internal Auditing and the Standards and an
evaluation of whether internal auditors apply the Code of Ethics.
(The term “conformance to the IPPF” is used in the rest of this
topic to refer to conformance to these and other mandatory
elements of the IPPF.)
A well-developed QAIP helps embed the concept of quality in the
internal audit activity and operations.
Following a general methodology helps ensure quality and
conformance to the IPPF.
It is crucial that the CAE regularly reviews the IPPF and is aware
of any changes that may need to be communicated throughout
the internal audit activity.

The program also assesses the efficiency and effectiveness of the
internal audit activity and identifies opportunities for improvement.
The QAIP needs to be periodically evaluated and updated to
ensure that it adds value.
A QAIP is a key way to measure the effectiveness and efficiency
of the internal audit activity.

The chief audit executive should encourage board oversight in the
quality assurance and improvement program.

Quality
What is quality?
Quality is the degree to which a product, service, or process meets
the customer’s expectations—the degree to which it is fit for
purpose.
Rather than being an absolute, quality is relative.
Quality does not just happen. It is the combination of the right
people, the right systems, and a commitment to excellence.
Quality is driven by the leaders of the organization, but it is
implemented by everyone at the organization.
A formal, structured approach is required to ensure quality.
Quality in internal audit is an obligation to meet customer
expectations and to meet professional responsibilities by
conforming to the IIA’s Standards and Code of Ethics.
Internal audit quality includes operating with proficiency and due
professional care, undertaking continuing professional
development, and conforming to a set of recognized standards.

Quality can be assured by implementing a quality assurance program
and adhering to its requirements on an ongoing basis. Anderson et al.
in Internal Auditing define quality assurance as “the process of
assuring that an internal audit function operates according to a set of
standards defining the specific elements that must be present to
ensure that the findings of the internal audit function are legitimate.”

A QAIP ensures that quality is built in to, rather than on to, internal
audit operations. After all, “demonstrates quality and continuous
improvement” is one of the Core Principles for the Professional
Practice of Internal Auditing.

Note that “conformance” in regard to the Standards is a technical
term from the quality management discipline that implies a principles-
based approach. It is not about complying with the letter of the
standard (i.e., it is not rules-based). Someone who is in conformance
is expected to achieve the spirit of the standard.
Continuous Improvement
Continuous improvement is an ongoing, cyclical process of
regularly evaluating and working to improve a product, service, or
process, either by a series of incremental improvements or by larger
initiatives that may result in breakthrough improvements. A common
way to establish continuous improvement in a QAIP is to use a
planned, methodological structure such as the Deming cycle, also
called the Plan, Do, Check, Act model, as shown in Exhibit 1-15.

Exhibit 1-15: Deming Cycle (Plan, Do, Check, Act)

As quality guru W. Edwards Deming said, “It is not enough to do your
best. You must know what to do, and then do your best.” Using a
sound measurement and feedback loop provides information on what
the internal audit activity or internal auditor needs to do to continually
improve.
Embedding continuous improvement into internal audit operations
requires:
Setting up a performance measurement framework.
Regularly reporting on quality metrics and deviations from targets
so that corrective actions can be planned and implemented as
needed.
Periodically reviewing quality criteria themselves for continued
validity.

Continuous improvement is necessary regardless of whether the
internal audit activity is new or established. It is a continuing journey
that can add value regardless of internal audit complexity level.

QAIP
A QAIP is an ongoing and periodic assessment of all assurance and
consulting work performed by the internal audit activity. These
ongoing and periodic assessments are composed of:
Rigorous, comprehensive processes.
Continuous supervision and testing of internal audit assurance and
consulting work.
Periodic evaluations of conformance to the IPPF.
Ongoing measurements and analyses, assessments, and
implementation of improvements.
QAIP evaluation areas can be at the internal audit activity level and
the internal audit engagement level. The following things need to be
evaluated (some of which are at the internal audit activity level only):
Conformance to the IPPF
Adequacy of the internal audit activity’s charter, goals, objectives,
policies, and procedures
Completeness of coverage of the entire audit universe
Internal audit activity’s contribution to the organization’s
governance, risk management, and control (GRC) processes
Internal audit activity compliance with applicable laws, regulations,
and government or industry standards
Internal audit operational risks
Effectiveness of continuous improvement activities and adoption of
best practices
Whether the internal audit activity adds value, improves the
organization’s operations, and contributes to the attainment of
objectives

To implement Standard 1300, the CAE must consider requirements
related to its five essential components:
Internal assessments
External assessments
Communication of QAIP results
Proper use of a conformance statement
Disclosure of nonconformance

Note that Standard 1310 requires both internal and external
assessments.

According to The IIA


Attribute Standard 1310, “Requirements of the Quality
Assurance and Improvement Program”
The quality assurance and improvement program must include
both internal and external assessments.

In preparing to do internal assessments or arranging for external
assessments, the CAE is responsible for:
Gaining awareness of prior results from both internal and external
assessments.
Implementing any action plans that come out of internal or external
assessments.

General considerations for the scope of internal and external
assessments include:
Ensuring that the scope falls within the responsibilities of the CAE
and the internal audit activity as documented in the internal audit
charter.
Considering the expectations of senior management, the internal
audit activity, and other stakeholders.
Assessing internal audit practices against the Standards and any
internal audit–related regulatory requirements.

Establishing a QAIP Program

Exhibit 1-16 shows the QAIP framework adapted from the IIA’s
“Quality Assurance and Improvement Program” Practice Guide.

Exhibit 1-16: QAIP Framework

While CAEs may develop whatever framework works for their internal
audit activity, this framework builds quality into the activity by explicitly
addressing internal audit governance, professional practice, and
communication programs. Exhibit 1-17 expands upon these
programs.

Exhibit 1-17: Program-Based QAIP Structure

Governance:
Internal audit charter
IPPF
Legislation
Independence and objectivity
Risk management
Resourcing

Professional Practice:
Rules and responsibilities
Risk-based audit planning
Other assurance providers
Audit engagement planning
Performing the engagement
Proficiency and due professional care
Quality assurance

Communication:
Communicating results
Follow-up
Stakeholder communications

For each of the program elements listed in Exhibit 1-17:
1. An objective is defined.
2. Criteria are identified for each objective. (Their number may vary
by objective.)
3. A quality assurance process (methodology) is developed for each
criterion.
4. An assessment is made per the quality assurance process.
5. Results are captured back into the continuous improvement cycle
and reported to stakeholders.
The right side of Exhibit 1-16 shows the components of the QAIP
program. These processes provide quality assurance over the entire
internal audit activity and result in findings, observations, and
recommendations as well as reporting and follow-up steps. The
arrows around the right and top of the diagram show how internal
audit processes and the QAIP program are reviewed to keep them
current and continually improved for efficiency and effectiveness.

QAIP Internal Assessments (Standard 1311)

According to The IIA
Attribute Standard 1311, “Internal Assessments”
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit
activity.
Periodic self-assessments or assessments by other persons
within the organization with sufficient knowledge of internal
audit practices.

Note that part of the interpretation of Standard 1311 indicates that
sufficient knowledge requires at least an understanding of all
elements of the International Professional Practices Framework.

Internal assessments in a QAIP program address both the internal
audit activity as a whole and the internal audit engagement level.
At the internal audit activity or organization-wide level, the CAE
provides assurance that:
Policies and procedures are formally documented and are in
conformance with the IPPF, and audit work conforms to these
policies and procedures.
Audit work achieves the general purposes and responsibilities
described in the internal audit charter.
Audit work is performed per quality standards and has adequate
supervision.
Audit work conforms to the IPPF or at least correctly reflects the
internal audit activity’s statement of conformance (e.g., partially
conforms).
Internal audit work meets stakeholder expectations.
The internal audit activity adds value and improves the
organization's operations.
Resources for the internal audit activity are used efficiently and
effectively.
Appropriate mechanisms are established and used to follow up on
management actions in response to audit recommendations.
Post-engagement client surveys, lessons learned, self-
assessments, and other continuous improvements are done.

At the internal audit engagement level, the engagement supervisor
provides assurance that:
Appropriate processes have been used to translate audit plans into
specific, appropriately resourced audit engagements.
Planning, fieldwork, conduct, and reporting/communicating results
demonstrate conformance to the IPPF.

For any internal assessment, where appropriate, the assessor(s)
provide recommendations for improvement, corrective action plans,
and progress against completion.

Ongoing Monitoring
According to Standard 1311’s interpretation, ongoing monitoring is
an integral part of the day-to-day supervision, review, and
measurement of the internal audit activity. Ongoing monitoring is part
of routine policies, practices, processes, tools, and information
necessary for evaluating conformance to the IPPF. The focus of
ongoing monitoring is at the engagement level. It is achieved through
continuous activities conducted on an engagement-by-engagement
basis, including engagement supervision, standardized work
practices, workpaper procedures and sign-offs, report reviews,
assessments of areas of weakness, and any related action plans
developed to address those weaknesses.

CAEs may review innovations and best practices to develop a
number of ongoing monitoring tools for team use, including:
Pre-fieldwork audit engagement readiness assessments, including
a pre-approved audit scope, clear staff assignments, and budgeted
staff hours.
Templates to ensure consistency between engagements.
Checklists or other automation tools for compliance areas.
Key performance indicators (KPIs) such as number of auditors,
years of experience, professional development hours, engagement
timeliness, and stakeholder satisfaction.
Tools to promote efficiency and effectiveness, including budgets,
timekeeping systems, audit plan completion status, and monitoring
and controlling using variance data.
Processes to collect and analyze feedback from internal audit
clients and stakeholders regarding the efficiency and effectiveness
of internal audit teams.

Ongoing monitoring requires adequate supervision in all phases of the
engagement, including during the planning, performance, and
communication phases. The audit supervisor sets clear expectations
during planning and promotes ongoing communications during
performance with the supervisor and among team members. The
responsible supervising individual follows best practices for
workpaper review procedures, including timely sign-off.
Exhibit 1-18 shows an example of how ongoing monitoring can use
the Deming cycle (the Plan, Do, Check, Act model), introduced earlier
in the topic, to continually improve ongoing monitoring processes.
(Note that the bullets are not a comprehensive list.)

Exhibit 1-18: Deming Cycle (PDCA) Applied to Ongoing Monitoring

Source: Quality Assessment Manual for the Internal Audit Activity. © 2017, IIA Foundation.
Consistent processes are needed for gathering, summarizing, and
analyzing measurement data. Responsibility for measuring and
validating data should be established as for any other audit
engagement. A continuous improvement framework for ongoing
monitoring like the one in Exhibit 1-18 helps the internal audit activity
get to this desired level of consistency and quality.

Periodic Self-Assessments
Periodic self-assessments as part of a QAIP are conducted to
evaluate conformance to the IPPF, according to the interpretation of
Standard 1311. These self-assessments are also the basis for self-
assessments with independent validation (SAIVs), as is discussed
later. The scope of a periodic self-assessment includes evaluating
the:
Quality and supervision of work performed.
Adequacy and appropriateness of internal audit policies and
procedures.
Ways in which the internal audit activity adds value.
Achievement of KPIs.
Degree to which stakeholder expectations are met.

The focus of a periodic self-assessment needs to be on a holistic,
comprehensive review of the Standards, the Code of Ethics, and the
internal audit activity. A holistic view also includes a focus on the
quality of audit work and adherence to internal audit methodology,
identifying and implementing improvements, and monitoring and
controlling the activity’s efficiency and effectiveness.
A periodic self-assessment is typically led by a senior member of the
internal audit activity who has extensive experience with the IPPF and
is a Certified Internal Auditor (CIA). Self-assessments can include
persons who are on the internal audit team or who are assigned
elsewhere. This type of assessment is a good IPPF training tool for
internal audit staff. The self-assessment can also be done by a
dedicated quality assurance team given sufficient knowledge of the
IPPF and internal audit practices.

Exhibit 1-19 shows elements that could be included in a periodic self-
assessment process, including some optional components.
Exhibit 1-19: Self-Assessment Process

Frequency of Internal Assessments

Key Point
Internal assessments need to be performed once every five years
at a minimum. However, a best practice (not mandatory) for
successful internal audit practice is for periodic self-assessments to
be performed at least annually, especially if the IPPF changes or
there are significant organizational changes.

Larger organizations may conduct periodic internal assessments
annually, while smaller or less mature internal audit activities may
perform them less frequently (e.g., every two years).

Periodic internal assessments can be over a multi-year period, with
each period’s results reported separately.

QAIP External Assessments (Standard 1312)

According to The IIA
Attribute Standard 1312, “External Assessments”
External assessments must be conducted at least once every five
years by a qualified, independent assessor or assessment team
from outside the organization. The chief audit executive must
discuss with the board:
The form and frequency of external assessment.
The qualifications and independence of the external assessor
or assessment team, including any potential conflict of interest.
The form of an external quality assessment (EQA), also called just an
external assessment, can be one of two types:
Full external assessment
Self-assessment with independent external validation (SAIV)

Both types require involvement of a qualified, independent assessor
or team from outside the organization. In the former type,
assessor(s) do the assessment and provide an opinion. In the latter
type, the assessor(s) validate the internal audit activity’s periodic self-
assessment.

Full External Assessment

Exhibit 1-20 reviews the scope of a full external assessment and
methods often used to evaluate each component. The only mandatory
element of a full external assessment is the first component listed.

Exhibit 1-20: Full External Assessment Scope and Methods of Assessment

Component: Level of conformance with mandatory elements of IPPF
Method of Assessment: Review internal audit activity’s charter, plans,
policies, procedures, and practices for conformance with the
Standards and Code of Ethics, and if applicable, legislative and
regulatory requirement compliance.

Component: Efficiency and effectiveness of internal audit activity
Method of Assessment: Assess internal audit activity’s processes and
infrastructure, including the QAIP. Evaluate internal audit staff’s
knowledge, experience, and expertise.

Component: Expectations and value
Method of Assessment: Interview the board, senior management, and
operations management.

Self-Assessment with Independent External Validation (SAIV)
The internal audit activity typically conducts a self-assessment and
then submits the work for validation by an independent external
assessor. The scope of an SAIV usually includes a comprehensive
and fully documented process that emulates the full external
assessment process. The process must include an evaluation of the
internal audit activity’s conformance to the IPPF. The qualified,
independent external assessor must conduct the validation on site.
The external assessor verifies that the evidence from the self-
assessment is adequate to support conformance with the Standards,
thus providing independent assurance without bias. Because the
external assessor is not mapping out the full assessment and finding
evidence for each element, this may free up some scope for a
limited amount of attention to be given to:
Benchmarking.
Review, consultation, and employment of leading practices.
Interviews with senior and operations management.

Comparison of Full External Assessment and SAIV

Key differences between full external assessments and SAIVs include
the following.
The direct cost will be lower for an SAIV than for a full external
assessment. SAIVs may be linked more closely to ongoing
monitoring, which can be leveraged to further reduce costs.
SAIVs enable full external assessments to be less frequent.
SAIVs provide an opportunity for staff development but require
more intensive internal resource commitments than full external
assessments.
Internal portions of the SAIV are not independent and objective.
SAIVs may give the external person(s) doing the independent
validation less opportunity to do a comprehensive overview of the
internal audit activity than full external assessments.

Occurrence, Frequency, and Type of External Assessments

Key Point
External assessments are an area of conformance to the IPPF that
is not under the direct control of the CAE and the internal audit
activity. The board and management need to approve a budget for
this type of assessment. This is significant because if the
organization decides not to invest in an external assessment, the
internal audit activity will not be able to indicate that it conforms to
the IPPF.

The CAE must discuss the frequency and type of external
assessments with senior management and the board. Difficulty
getting senior management and the board to approve external
assessments can arise in any organization. The CAE works to sell the
benefits of these programs to the board and management, such as
by highlighting the ability to improve the internal audit activity and add
organizational value. Agreeing to set the frequency and type of
external assessments so as to stay within budget constraints can
also help.

In addition to cost, the CAE considers the following.

Small internal audit activities that have recently undergone a full
external assessment may find an SAIV useful.

Frequency may need to account for the size and maturity of the
internal audit activity, with smaller or less mature activities leaning
toward the minimum frequency of once every five years. The CAE
may discuss increasing the frequency given:
Changes in CAE or management leadership.
Significant changes in internal audit policies or procedures.
Mergers of two or more internal audit activities into a single unit.
Significant staff turnover.
Industry-specific or environmental issues.

Independent Assessor/Team Qualifications and Competence
The CAE must discuss with the board the qualifications of external
assessor(s). Preferred qualifications for external assessors include
that they:
Are CIAs with knowledge of leading internal audit practices.
Have sufficient and recent management-level experience.
Have experience with external assessments.
Have completed The IIA’s quality assessment training course.
Have CAE experience.
Possess relevant technical and/or industry expertise.

While the team overall needs to have a full set of competencies, there
is no need to require each individual to have all required skills. For
example, only the team leader may need to be an experienced and
professional project team leader. Also, if team size permits,
specialists in risk management can provide assistance.

In addition to discussing with the board the necessary qualifications of
external assessor(s), the interpretation to Standard 1312 indicates
that the CAE uses professional judgment when assessing whether
an assessor or assessment team demonstrates sufficient
competence to be qualified. Competence is assessed in two areas:
Professional practice of internal auditing
External assessment process

This competence can be a mix of theory and experience, but the
relevance of that experience matters. Experience with organizations
of similar size, complexity, or industry carries more weight than with
dissimilar organizations, as does experience with similar technical
issues.

Independent Assessor/Team Independence and Objectivity
The CAE must discuss with the board the independence of the
external assessor(s), including any potential conflict of interest. The
CAE encourages board oversight in these areas. Prerequisites for
these assessments include that the CAE understands:
The organization’s procurement policies.
Independence requirements.
Situations that may impair independence or objectivity or create a
conflict of interest.

Independence, objectivity, and lack of a conflict of interest require not
being a part of or under the control of the organization to which the
internal audit activity belongs. Assessors should have neither an
actual nor a perceived conflict of interest. Potential impairments
include a past, present, or future relationship with the organization, its
personnel, or its internal audit activity. This could include external
audits of financial statements, assistance to the internal audit activity,
personal relationships, or consulting.

Assessor(s) who would not be considered independent include:
Individuals from another department at the organization or from a
parent, affiliate, or other related organization.
Public sector auditors who report to the same CAE even if they
work for different entities.
Assessor(s) operating reciprocal peer assessments between two
organizations.

A reciprocal peer assessment is a teaming arrangement in which
the internal audit activity for one organization agrees to perform the
full external assessment or validation for an SAIV for another
organization in exchange for that organization providing a similar
service. When such arrangements are bilateral, this is not considered
independent. However, a round robin of three or more organizations
can create independence, as shown in Exhibit 1-21.

Exhibit 1-21: Reciprocal Peer Assessment Teaming of Three or
More Organizations

Demonstrating QAIP Conformance to Standards 1300,
1310, 1311, and 1312
Demonstrating conformance to Standards 1300, 1310, 1311, and
1312 includes use of relevant board presentations and minutes or
documentation of improvement actions taken. In addition,
conformance to individual standards includes (but is not limited to) the
following types of documentation or evidence:
Standard 1300: QAIP documents and internal and external
assessment results
Standard 1310: Documentation related to Standards 1311 and
1312, benchmarking reports, and requests for services
Standard 1311: Evidence of ongoing monitoring activities (KPI and
workpaper reviews), documentation of completed self-
assessments, QAIP results (e.g., action plans), completed
checklists, survey results, and internal audit efficiency and
effectiveness KPIs (e.g., budget to actual engagement hours)
Standard 1312: External assessor’s report, including degree of
conformance, recommendations, benchmarking reports, and
requests for services (e.g., due diligence documentation from
vetting external assessors)

Internal Audit Effectiveness and Efficiency

Organizations that use internal auditing effectively are better able to
identify business risks and process and system inefficiencies, take
appropriate corrective action, and ultimately support continuous
improvement. To maintain and enhance the internal audit activity’s
credibility, however, its effectiveness and efficiency should be
monitored.

Measuring the effectiveness and efficiency of the internal audit activity
or of individual assurance and consulting engagements involves
measuring the quality of and the degree to which internal audit
objectives are achieved. Effectiveness involves aligning with
objectives, or doing the right things; efficiency involves avoiding
unnecessary work, or doing things right.
Exhibit 1-22 shows an internal audit activity effectiveness and
efficiency performance measurement process from The IIA’s Practice
Guide “Measuring Internal Audit Effectiveness and Efficiency.”

Exhibit 1-22: Internal Audit Efficiency and Effectiveness
Measurement Process

1. Define internal audit effectiveness.
Review relevant IPPF guidance, including the
Standards.
Review the strategic plans of the internal audit activity
and organization.
Review the board, audit committee, and internal audit
activity charters.
Assess basic, expected, and targeted/preferred internal
audit activity deliverables.
Formulate an initial definition of internal audit
effectiveness and efficiency.
Obtain agreement from key stakeholders on the
definition of effectiveness and efficiency.
2. Identify key internal and external stakeholders.
Determine key internal and external stakeholders for
the activity and organization.
Determine who directly or indirectly relies upon the
internal audit activity’s work.
Determine who benefits, directly or indirectly, from the
internal audit activity’s work.
Consider who supports the internal audit activity.
3. Develop measurements of internal audit
effectiveness.
Understand key stakeholders’ expectations of the
internal audit activity.
Understand what internal audit attributes, deliverables,
and capabilities key stakeholders value and related
shortcomings or advancements in these areas.
Develop measurement tools such as a balanced
scorecard to document relevant attributes of
effectiveness and efficiency and related performance
against these.
Agree upon effectiveness and efficiency metrics with
key stakeholders.
4. Monitor and report results.
Establish an agreed-upon format and frequency for
reporting that considers the organization’s size, nature,
and governance structure.
Establish a periodic review of such monitoring and
reporting to ensure relevance, efficiency, and
effectiveness.
Use the results of reporting to shape and guide internal
audit activities.
Align internal audit activities to the defined measures of
internal audit effectiveness and efficiency.

Here are some examples of KPIs for measuring internal audit activity
effectiveness and efficiency:
Level of contribution to the improvement of governance, risk
management, and control processes
Achievement of key goals and objectives
Evaluation of progress against audit activity plan
Improvement in staff productivity
Increase in efficiency of the audit process
Increase in number of action plans for process improvements
Adequacy of engagement planning and supervision
Effectiveness in meeting stakeholders’ needs
Results of quality assurance assessments and internal audit
activity’s quality improvement programs
Effectiveness in conducting the audit
Clarity of communications with the audit client (i.e., the “auditee”)
and the board

Balanced Scorecard Approach

A balanced scorecard approach can be used to develop specific
KPIs. A balanced scorecard examines performance from four
different perspectives: financial, customer satisfaction, business
processes required to accomplish the activity’s mission, and learning
and growth to ensure continuous improvement. Exhibit 1-23 lists
sample KPIs from these perspectives and Exhibit 1-24 shows how
the perspectives themselves can be customized. Both are just
illustrative examples. The center of each graphic lists examples of
sources for internal audit activity objectives and criteria. The KPIs
need to trace back to and align with these objectives.

Exhibit 1-23: Aligning KPIs to Stakeholder Expectations with
Balanced Scorecard

Exhibit 1-24: QAIP Performance Measurements in Custom Balanced
Scorecard

Source: Adapted from A Balanced Scorecard Framework for Internal Auditing Departments by
Mark L. Frigo.

Topic 2: Reporting QAIP Results

This topic discusses the mandate for the CAE to report QAIP results
to senior management and the board. The topic also discusses
assessment scales showing degree of conformance.
According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 1320
Practice Guide, “Quality Assurance and Improvement
Program”

Communicating QAIP Results

According to The IIA
Attribute Standard 1320, “Reporting on the Quality Assurance
and Improvement Program”
The chief audit executive must communicate the results of the
quality assurance and improvement program to senior
management and the board. Disclosure should include:
The scope and frequency of both the internal and external
assessments.
The qualifications and independence of the assessor(s) or
assessment team, including potential conflicts of interest.
Conclusions of assessors.
Corrective action plans.

Let’s break down this standard’s interpretation (shown in italics) and
implementation guidance or other IIA guidance (the sub-bullets):

The form, content, and frequency of communicating the results of
the quality assurance and improvement program is established
through discussions with senior management and the board.
Typically, the CAE meets regularly with senior management and
the board to understand and agree upon the expectations for
communications.
The CAE reviews the internal audit charter and policies and
procedures manual for QAIP responsibilities prior to these
discussions.
The CAE needs to be aware of all internal assessments and any
completed external assessments.

The results of external and periodic internal assessments are
communicated upon completion..., and the results of ongoing
monitoring are communicated at least annually.
To determine the frequency of reporting the results of ongoing
monitoring, survey key stakeholders to determine their needs
and expectations (which also helps define the criteria upon which
the internal audit activity should be measured).

Note that the CAE is responsible for communicating the results of the
entire QAIP program. Demonstrating conformance with Standard
1320 can take the form of relevant board meeting and senior
management meeting minutes.

As part of reporting to the board the results of periodic internal
assessments, the CAE typically confirms that internal assessor(s)
have “sufficient knowledge” of internal audit practices per Standard
1311. After the board and senior management have received the
results of an external assessment, the CAE typically confirms
qualifications and independence of the external assessor or external
assessment team per Standard 1312. Any actual, potential, or
perceived conflicts of interest should be reported to senior
management and the board.

Conclusions of Assessors
Internal and external QAIP assessment reports include an evaluation
of the internal audit activity’s overall degree of conformance with the
Standards and the Code of Ethics, but such reports can also include
an assessment for each standard or standard series.

For internal assessments, to reinforce the independence and
objectivity of the internal assessment team, the team and the CAE
should agree on the reporting medium and format at the start of the
assessment. The CAE may share the results of internal assessments,
necessary action plans, and their successful implementation with
senior management and the board.

Providers of QAIP external assessments express an opinion on the
entire spectrum of the assurance and consulting work the internal
audit activity has or should have performed. Any type of external
assessment must conclude as to conformance with the IPPF. The
degree of conformance, as addressed below, is part of the
assessment. Optionally, the assessor may also provide operational or
strategic comments, such as how management can be improved or
how the internal audit activity can add more value to the organization.

For external assessments, a draft report is prepared either before or
after the closing conference. External team members may provide
comments for potential inclusion by the full external assessment team
leader. After this, the draft is sent to the CAE, who is asked to
respond to the recommendations and provide an action plan to
address deficiencies or opportunities. The CAE may also make
comments on observations and recommendations. The final report,
plus CAE comments or action plans, is typically addressed to the
CAE with the expectation that copies will be distributed to:
The board (typically its audit committee). This is mandatory.
Senior management to whom the CAE reports.
Any parties who initiated the full external assessment.

In contrast, the conclusions of an SAIV are reported to the CAE, who
reports to the board.

Assessment Scales
As interpretation to Standard 1320 states, the results include the
assessor’s or assessment team’s evaluation with respect to the
degree of conformance. While a QAIP report should include a rating
scale to assess the degree of conformance to the Standards, there is
no requirement to use a particular scale or model. Exhibit 1-25
compares two assessment scales from The IIA, the left one from the
Quality Assessment Manual for the Internal Audit Activity and the
right one from “The Path to Quality—Maturity Model for Implementing
a QA&IP.”

Exhibit 1-25: Comparison of Two Conformance Assessment Scales

Since the exhibit provides some guidance regarding what each level
means in the “Path to Quality” scale, let’s do the same for the Quality
Assessment Manual scale:

Generally conforms. This is the top rating in the scale. The
internal audit activity has a charter and policies that align to it. The
activity’s processes, execution, and results are judged to be in
conformance with the Standards and elements of the Code of
Ethics in all material aspects. This includes general conformity with
the majority of individual standards within the sections (Attribute
and Performance) and categories (e.g., 1000s). Individual
standards tested also demonstrate conformity. Opportunities for
improvement may be identified, but none are in areas related to the
acceptable implementation or application of the Standards or the
Code of Ethics.

Partially conforms. There are deficiencies in internal audit activity
practice that are judged to deviate from the Standards or the Code
of Ethics, but the activity can still perform its responsibilities. The
internal audit activity is making good-faith efforts at conformance
but falls short of achieving some major objectives. There are
significant areas for improvement related to mandatory IPPF
conformance or achieving objectives. Some deficiencies may be
beyond the control of the internal audit activity, and these may
result in recommendations to senior management or the board that
they address these issues.

Does not conform. The internal audit activity is not aware of, or is
not making good-faith efforts to conform with, or is failing to
achieve the objectives of the Standards and/or the Code of Ethics.
Deficiencies in practice are judged to be so significant that they
seriously impair or preclude the activity from performing adequately
in all or in significant areas of its responsibilities.

Corrective Action Plans

It is the CAE’s responsibility to respond to recommendations from
internal and external assessments and provide action plans for
remediation. Corrective action plans address areas of
nonconformance with the Standards and other opportunities for
improvement. The CAE should document in writing a response/action
plan and implementation timetable for each recommendation from the
final written report. The CAE may consider adding recommendations
from external assessments and any related action plans to the
internal audit activity’s existing monitoring processes to ensure that
improvements become part of ongoing operations.

The CAE should communicate to senior management and the board
any corrective action plans, either generally as part of the internal
audit activity’s monitoring progress or as part of the next QAIP
report.

Topic 3: Conformance versus Nonconformance Disclosures
This topic discusses when it is appropriate to state that the internal
audit activity “conforms with” the Standards versus omitting such a
statement due to nonconformance.

According to The IIA

In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standards 1321 and 1322
Practice Guide, “Quality Assurance and Improvement
Program”

Use of IPPF Conformance Statement

According to The IIA
Attribute Standard 1321, “Use of ‘Conforms with the
International Standards for the Professional Practice of Internal
Auditing’ ”
Indicating that the internal audit activity conforms with the
International Standards for the Professional Practice of Internal
Auditing is appropriate only if supported by the results of the
quality assurance and improvement program.

Let’s break down this standard’s interpretation (shown in italics) and
implementation guidance or other IIA guidance (the sub-bullets):

The internal audit activity conforms with the Code of Ethics and
the Standards when it achieves the outcomes described therein.
Proper use applies to written or verbal communications.
The CAE uses the conformance statement only if he or she
understands the QAIP requirements and is familiar with the QAIP
results.
The CAE understands and periodically discusses the board's
expectations regarding use of the conformance statement.

All internal audit activities will have the results of internal
assessments.
If an external assessment has occurred in the past five years but
the internal audit activity has not satisfied its internal assessment
per the frequency as disclosed to the board, the CAE should
consider whether it is still operating in conformance and if it is
appropriate to indicate conformance until validated by an internal
assessment.

Internal audit activities in existence for at least five years will also
have the results of external assessments.
If the internal audit activity has been in existence for less than
five years, use the conformance statement only if a periodic self-
assessment supports this conclusion.
Do not use the conformance statement if the internal audit
activity has been in existence for at least five years but has not
completed an external assessment.
Do not use the conformance statement if more than five years
have passed since the last external assessment.

The CAE can continue to use the conformance statement until the
next external assessment occurs. However, proper use of a
conformance statement requires stopping use if the current internal
assessment or the most recent external assessment does not
indicate general conformance with the Standards and the Code of
Ethics. The internal audit activity cannot resume using the
conformance statement until it has remediated the areas of
nonconformance and has conducted an external assessment that
does show conformance.

Key Point
Note that the Standards are principles-based. Standards 1321 and
1322 address overall, systemic conformance or nonconformance. In
assessing conformance with the Standards, there may be situations
where the internal audit activity achieves only partial conformance
with one or more standards. In such cases, the activity should
consider the overall conformance conclusion when determining its
ability to use the conformance statement.

Disclosure of Nonconformance

According to The IIA
Attribute Standard 1322, “Disclosure of Nonconformance”
When nonconformance with the Code of Ethics or the Standards
impacts the overall scope or operation of the internal audit
activity, the chief audit executive must disclose the
nonconformance and the impact to senior management and the
board.

A disclosure of nonconformance is necessary whenever the CAE
reaches the conclusions stated in Standard 1322: nonconformance
not only exists but also impacts the overall scope or operation of the
internal audit activity. The CAE also discloses the impact of the
nonconformance to senior management and the board. Prerequisites
to reaching these conclusions include the CAE understanding:
The mandatory elements of the IPPF.
How conformance deviations might affect the overall scope of the
internal audit activity.
The expectations of the board and senior management regarding
reporting nonconformance issues.

Nonconformance could be related to impairments of independence
and objectivity, insufficient access that impairs audit scope, and so
on. The CAE would evaluate the nonconforming area to see if it
impacts the overall scope or operation of the internal audit activity.
Part of this assessment involves determining the degree to which a
nonconformance situation may affect the activity’s ability to fulfill its
professional responsibilities and/or the expectations of stakeholders.
For example, this could be whether the activity can provide reliable
assurance on internal controls over financial reporting (ICFR).

Demonstrating conformance with Standard 1322 requires maintaining
documentation of the occurrence, nature, and overall impact of any
nonconformance with the Standards or the Code of Ethics, including
any relevant board meeting minutes, memos, emails, or external
assessment results.

Section E: Governance, Risk Management, and Control
This section is designed to help you:
Describe the concept of organizational governance.
Recognize the impact of organizational culture on the overall
control environment and individual engagement risks and
controls.
Interpret fundamental concepts of risk and the risk management
process.
Describe globally accepted risk management frameworks
appropriate to the organization, including the COSO enterprise
risk management (ERM) framework and ISO 31000, “Risk
Management.”
Examine the effectiveness of risk management within processes
and functions.
Recognize the appropriateness of the internal audit activity’s role
in the organization’s risk management process.
According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study
Guide may be accessed using the links below. Access to specific
pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-
standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section addresses the closely interconnected areas of
governance, risk management, and control. (Internal control is
addressed at a high level only in this Challenge Exam Study Guide.)
In addition to discussing each of these areas and how they
interrelate, topics also cover how culture impacts the control
environment and how to address ethics- and compliance-related
issues.

Topic 1: Organizational Governance

This topic shows how governance fits within governance, risk
management, and control (GRC), including an overview of The IIA’s
Three Lines Model. Governance and assessing the organization’s
governance structure are covered from general governance and IT
governance perspectives.

According to The IIA

In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standards 2100 and 2110
Position Paper, “The IIA’s Three Lines Model: An Update of the
Three Lines of Defense”
Global Technology Audit Guide (GTAG) 17, “Auditing IT
Governance”
Practice Guide, “Auditing Culture”

Governance in GRC Context

According to The IIA
Performance Standard 2100, “Nature of Work”
The internal audit activity must evaluate and contribute to the
improvement of the organization's governance, risk management,
and control processes using a systematic, disciplined, and risk-
based approach. Internal audit credibility and value are enhanced
when auditors are proactive and their evaluations offer new
insights and consider future impact.

Conforming with Standard 2100 requires a thorough understanding of
the concepts of governance, risk management, and control (GRC).
This understanding starts by knowing the IPPF definitions of these
terms:

Governance. “The combination of processes and structures
implemented by the board to inform, direct, manage, and monitor
the activities of the organization toward the achievement of its
objectives.”

Risk management. “A process to identify, assess, manage, and
control potential events or situations to provide reasonable
assurance regarding the achievement of the organization’s
objectives.”

Control. “Any action taken by management, the board, or other
parties to manage risk and increase the likelihood that established
objectives and goals will be achieved. Management plans,
organizes, and directs the performance of sufficient actions to
provide reasonable assurance that objectives and goals will be
achieved.”

Key Point
Standard 2100 notes that internal auditors must use a “systematic,
disciplined, and risk-based approach.” This type of approach is a
differentiating attribute for internal auditing and is a key reason the
discipline commands respect. Consistency in approach is vital to
ensuring that the internal audit activity is delivering the quality
required by the Standards.

Internal auditors seeking an understanding of GRC concepts should
understand all of the GRC-related Standards: 2100, 2110, 2120, and
2130.

It is also important to learn about GRC frameworks and best
practices and consider how they might need to be tailored to the
organization. Developing an understanding of the organization’s
objectives, the business, and so on will help guide this evaluation.

Relationship between Governance, Risk Management, and Control
Governance, risk management, and control are so interconnected
that evaluating and improving one area typically improves the other
two areas at the same time. For example:
Effective governance activities consider risk when setting strategy.
Risk management relies on effective governance (e.g., “tone at the
top”).
Effective governance relies on internal controls and related
communication to the board.

Exhibit 1-26 shows how GRC can be thought of as existing in layers.
Note that the back-and-forth arrows are feedback loops (not one-way
information flows).
The governance structure surrounds all activities to ensure that the
organization’s values are promoted and key stakeholder needs are
considered.
Risk management highlights key risks to success or key
opportunities.
Internal control is where the risk management strategies are
executed.

Exhibit 1-26: Interrelationship of GRC Elements

Source: Anderson et al., Internal Auditing: Assurance and Advisory Services, 4th edition.

Stakeholder Responsibilities for GRC
While the ultimate responsibility for governance is with the board,
senior management and other stakeholders also play important roles.

Board Responsibilities for GRC

Exhibit 1-27 shows how the board of directors functions like an
overarching “umbrella” by providing two broad types of governance to
the organization:
Strategic direction
Governance oversight

Exhibit 1-27: Governance “Umbrella”

As shown at the top of the exhibit, board responsibilities for GRC
start with identifying and understanding the needs of the
organization’s stakeholders in part because the board has a fiduciary
responsibility to certain stakeholders. Stakeholder interests need to
be understood before they can be protected. This includes
discovering what would constitute an unacceptable outcome for each
stakeholder in the areas of strategy, finance, compliance, and
operations.

The board:
Takes the lead role in governance, including providing strategic
direction and guidance toward setting business objectives.
Provides governance oversight.
Establishes a governance committee.
Articulates requirements for reporting to the board.
Periodically reevaluates governance expectations.
Sets the risk appetite and risk tolerance levels.
Interacts directly with internal and external assurance providers.

Senior Management Responsibilities for GRC

The board provides direction to and empowers senior management to
execute the organization’s strategy and governance on a day-to-day
basis. Senior management (the chief executive officer and the finance,
ethics, risk, compliance, HR, and IT executives) also provides direct
leadership over risk management and control processes but
delegates the specifics to a risk committee and/or specific line
managers who become risk owners.

To be effective, senior management needs to understand the limits to
the scope of its authority and the board’s governance expectations.
This can take the form of determining:
Who should be the risk owner for key risks, where in the
organization to manage specific risks to enable the most efficient
and effective responses, and how to manage those risks.
When to direct risk owners to have a lower risk tolerance than the
general tolerance level (e.g., multiple significant control deficiencies
aggregate to an unacceptable level).
How to set reporting requirements (nature, format, timing) for risk
owners to ensure sufficient information for senior management’s
reporting requirements to the board.
How to refine GRC expectations given business changes, changes
in risk tolerance levels, and feedback on GRC effectiveness.

Responsibilities of Other Stakeholders for GRC

A number of other stakeholders are directly or indirectly involved in
GRC. Direct involvement starts with line management, especially
managers designated as risk owners. Risk owners have
responsibilities such as:
Evaluating risk management design against risk tolerance.
Assessing risk management capabilities, maturity, and operations.
Monitoring risks on a daily basis.
Providing accurate and timely information and recommendations to
senior management and the board.

Others directly involved in GRC include members of the supply chain:
suppliers, employees, and customers. These stakeholders take an
active role in the business and would be impacted by business
disruptions. Employees need a livelihood. Customer and supplier
obligations need to be fulfilled.

Owners, shareholders, and investors are not directly involved in the
organization’s business, but they have a strong interest in the
organization’s success. Shareholders can strongly influence the board
and help determine who is on the board.

Regulatory agencies, creditors, and other outside parties may have
an interest in the organization and may have influence. Regulatory
agencies are responsible for establishing the regulations. Creditors
protect their capital by setting stipulations (covenants).

Internal Audit’s Role in GRC

Internal auditors also play an indirect (assurance and consulting) role
in GRC. The CAE may document in the internal audit charter the
internal audit activity’s independence by affirming that senior
management and the board are responsible and accountable for
GRC. The CAE works to understand the business and key
organizational roles related to GRC. This can include using GRC
frameworks as a guide (especially if adopted by senior
management), reviewing board and committee charters and meeting
minutes, and reviewing the organization’s mission, vision, key
objectives, strategic plan, and key controls. The CAE:
Discusses with the board and senior management the best
strategies for the internal audit activity to evaluate and contribute to
GRC.
Considers the maturity level of governance, risk management, and
control processes.
Assesses risks to GRC (including the impact of culture and the
seniority of risk owners).
Highlights areas of weakness.
Makes recommendations (including adoption of a particular GRC
framework).

To demonstrate conformance to Standard 2100, the internal audit
activity can refer to the roles and responsibilities related to GRC as
documented in the internal audit charter, audit plans, or minutes of
relevant meetings. Audit plans in particular may provide evidence that
the internal audit activity follows a disciplined, systematic, and risk-
based approach. Engagement reports can also support that results
are relevant and add value to GRC processes.

The IIA’s Three Lines Model helps clarify the internal audit activity’s
role in GRC.

Three Lines Model

GRC requires a cohesive and coordinated approach to ensure that
limited risk and control resources are deployed effectively, significant
risks are identified and managed appropriately, and risk ownership is
clear to all. Disconnected risk management efforts can otherwise
lead to inefficiencies, coverage gaps, and risk ownership arguments.

The IIA’s position paper “The IIA’s Three Lines Model: An Update of
the Three Lines of Defense,” helps clarify GRC roles and
responsibilities. Exhibit 1-28 shows the model.

Exhibit 1-28: Three Lines Model

Source: IIA Position Paper, “The IIA's Three Lines Model: An Update of the Three Lines of
Defense,” © 2020, The IIA.

Key Point
Note that the word “defense” was dropped from the Three Lines
Model to highlight that organizations don’t exist to manage risk; they
exist to achieve their objectives. Risk management therefore needs
to both be proactive in helping achieve those objectives and serve
as a defense.

The Three Lines Model is a principles-based model intended to be
adapted to the needs of any organization. Its six principles are as
follows:
1. Governance. Governance of an organization requires appropriate
structures and processes that enable:
Accountability to stakeholders by the board through integrity,
leadership, and transparency.
Actions by management to achieve objectives, manage risk, and
use risk-based decision making and application of resources.
Assurance and advice by an independent internal audit activity.

2. Governing body roles. The board establishes appropriate
governance structures and ensures that organizational objectives
align with the prioritized interests of stakeholders. The governing
body role is critical to the Three Lines Model:
Accountable to stakeholders for oversight and engages with
them for two-way, transparent communications on objectives.
Nurtures an ethical and accountable control environment.
Delegates responsibility and provides resources to management
to achieve organizational objectives while conforming to legal,
regulatory, and ethical expectations.
Establishes appropriate committees, compliance oversight
functions, and an independent, objective, and competent internal
audit activity.
Determines risk appetite and oversees GRC.

3. Management first and second line roles. Management is defined
broadly to include both “front of house” and “back office”
activities (e.g., HR). Management has both first and second line
roles. Positions may have blended roles or specialize in one or the
other role.
First line roles. First line roles deliver products and services to
customers and are responsible for managing risk through
leadership, action, development of structures and processes,
and resource allocation. They require maintaining a continuous
dialogue with the board, including reporting on objective
achievement and risk. They involve ensuring compliance with
legal, regulatory, and ethical expectations.
Second line roles. Second line roles provide complementary
expertise, support, monitoring, and challenge to first line roles.
They develop, implement, continuously improve, and report on
the adequacy and effectiveness of risk management and internal
control at a process, systems, and entity level. Roles can be
broad enterprise risk management roles or they can be
specialized, including compliance, ethics, internal control, IT
security, sustainability, and quality assurance.

4. Third line roles. The internal audit activity is the third line role
because it is a systematic, disciplined, competent, independent,
and objective assurance and advice role for GRC. It remains
primarily accountable to the board and reports to it on GRC,
achievement of objectives, continuous improvement, and
disclosures of impairments.

5. Third line independence. Accountability to the board, unfettered
access, freedom from bias and interference, and independence
from management responsibilities enable the internal audit activity
to have objectivity, authority, and credibility.

6. Creating and protecting value. All roles collectively create and
protect value when they align with each other and with the
prioritized interests of stakeholders. Alignment requires
communication, cooperation, and collaboration. This ensures the
reliability, coherence, and transparency of information needed for
risk-based decision making.

The three lines need to be coordinated to ensure efficiency and
effectiveness, but there is no one right way to do this. However, there
is a natural division of labor created by the differing risk roles:
The first line role has the risk owner role.
The second line role has the risk control and compliance role.
The third line role has the risk assurance role.
While having all three roles is a best practice, if internal audit takes
on first or second line roles, the CAE should communicate to the
board and senior management the impact of this combination and
recommend their separation when appropriate, such as after the
organization grows in size or complexity.

Other GRC stakeholders, including external auditors, regulators, and
other external bodies, are not directly part of any of the three lines.
However, they play important roles in GRC. External assurance
providers provide additional assurance to:
Satisfy legal and regulatory expectations that serve to protect the
interests of stakeholders.
Satisfy requests by management and the governing body to
complement internal sources of assurance.

External assurance providers are more effective in GRC when:
Their activities are carefully coordinated to avoid duplication of
effort.
The internal audit activity addresses gaps in their coverage due to
their specialized focus areas.

Governance
According to The IIA
Performance Standard 2110, “Governance”
The internal audit activity must assess and make appropriate
recommendations to improve the organization’s governance
processes for:
Making strategic and operational decisions.
Overseeing risk management and control.
Promoting appropriate ethics and values within the
organization.
Ensuring effective organizational performance management
and accountability.
Communicating risk and control information to appropriate
areas of the organization.
Coordinating the activities of, and communicating information
among, the board, external and internal auditors, other
assurance providers, and management.

Governance is a board and senior management responsibility, not an
internal audit activity responsibility. However, the CAE and internal
auditors need a clear understanding of the concept of governance
and the characteristics of typical governance processes. This
includes:
Studying best practices and GRC framework principles.
Learning about how the organization applies GRC frameworks (if
used) given their size, complexity, life cycle, maturity, stakeholder
structure, and legal requirements.
Noting the direction that the board is providing to management in
terms of risk tolerance levels and reporting expectations.

The CAE may interview key governance roles and review board and
committee charters, meeting agendas, and minutes to:
Gain insight into the role the board plays in the organization’s
governance, especially regarding strategic and operational decision
making.
Understand organization-specific processes and assurance
activities currently in place.
Learn about the board’s and senior management’s understanding
and expectations of governance, the requirements of Standard
2110, the nature of governance processes, and the internal audit
activity’s role in governance.

Governance is a broad concept, and differences will exist (especially
when considering governance in a global context, which is also
influenced by national culture). However, Exhibit 1-29 lists some
commonly identified governance principles considered to be effective.

Exhibit 1-29: Commonly Identified Governance Principles

Board membership. Ensure that the board has correct/proper members,
committee structure, meeting protocols, sound and independent
judgment about organizational affairs, and periodically reaffirmed
membership.

Board qualifications. Ensure that board members have appropriate
qualifications and experience, clear understanding of governance
roles, sound knowledge of organizational operations, and
independent/objective mindset.

Board independence. Ensure that the board has sufficient authority,
funding, and resources to conduct independent inquiries.

Transparent structure. Maintain an understanding by executive
management and the board of the organization’s operating structure,
including structures that impede transparency.

Measurable strategy. Articulate an organizational strategy against
which the success of the overall enterprise and the contributions of
individuals are measured.

Strategic structure. Create an organizational structure that supports
the enterprise in achieving its strategy.

Governing policy. Establish a governing policy for the operation of key
activities of the organization.

Clear lines. Set and enforce clear lines of responsibility and
accountability in the organization.

Effective interaction. Ensure effective interaction among the board,
management, internal auditors, external auditors, and other
assurance providers.

Management oversight. Secure appropriate oversight by management,
including establishment and maintenance of a strong set of internal
controls.

Compensation policies. Ensure that compensation policies and
procedures for senior management and for others encourage
appropriate behavior and are consistent with the organization’s
ethical values, objectives, strategy, and control environment.

Control environment. Communicate and reinforce an ethical culture,
organizational values, appropriate “tone at the top,” a nonretaliatory
environment for employees to raise concerns, and a way to monitor
and investigate potential conflicts of interest.

Internal audit. Use internal auditors effectively, ensuring the
adequacy of their independence, resources, and scope of activities
and the effectiveness of operations.

Risk management. Clearly define and implement risk management
policies, processes, and accountabilities at the board level and
throughout the organization.

External audit. Effectively use independent outside auditors, ensuring
their independence, adequate resources, and scope of activities.

Key information disclosure. Provide appropriate disclosure of key
information, in a transparent manner, to stakeholders.

Governance disclosure. Disclose the organization’s governance
processes, comparing those processes with recognized national
codes or best practices.

Conflicts of interest. Ensure appropriate oversight of related-party
transactions and conflict-of-interest situations.

Source: Adapted from Anderson and Dahle, Applying the International Professional Practices
Framework (IPPF), 4th edition.

Given a clear understanding of how the organization approaches
governance, the CAE can contemplate whether the current internal
audit plan addresses governance processes and their associated
risks, including whether the integration requirements of the
governance, risk management, and compliance functions are
adequate. This may lead to opportunities for the internal audit activity
to improve its plans and approaches for conformance with Standard
2110.

Internal auditors can use the organization’s adopted governance
framework as the basis of evaluation. Organizations may take
advantage of governance frameworks to help set their governance
objectives. One example is the King Report.

King Report
The King Report on Corporate Governance is the output of South
Africa’s King Committee on Corporate Governance. The latest
version is King IV (2016). The report is principles- and outcomes-
based, focusing on transparency and disclosures that require entities
to explain how the principles are applied.

The report provides a model for good governance that requires an
integrated approach inclusive of stakeholder interests and a focus on
corporate social responsibility.

A Code of Corporate Practices and Conduct is included in the report:

Discipline. Organizations commit to disciplined behavior that is
universally accepted as proper and correct.

Transparency. Organizations commit to make it easy for outsiders
to analyze the organization’s activities.

Independence. Organizations are self-reliant and can manage or
avoid conflict.

Accountability. Organizations develop ways to accept and
acknowledge the positive and negative consequences of their
actions.

Responsibility. Organizations design corrective action into all
processes and consider the needs of all stakeholders in decision
making.

Fairness. Organizations balance competing interests.

Social responsibility. Organizations embed corporate social
responsibility programs into their core business model.

The King Report addresses the role and function of internal auditing
as well as specific reporting requirements, for example, the need for
audit committees to approve all appointments and dismissals of the
CAE.

The report emphasizes effective leadership based on an ethical
foundation and the need to fundamentally redesign the organization
around sustainability. Innovation, fairness, and collaboration are
described as key tools to achieve sustainability. Internal auditors are
also placed as central to maintaining proper governance and
developing organizational strategy. King III highlighted the imperative
to use risk-based auditing, stating:

A compliance-based approach to internal audit adds little
value to the governance of a company as it merely
assesses compliance with existing procedures and
processes without an evaluation of whether or not the
procedure or process is an adequate control. A risk-based
approach is more effective as it allows internal audit to
determine whether controls are effective in managing the
risks which arise from the strategic direction that a
company, through its board, has decided to adopt.

It went on to recommend that internal auditors assess the general
effectiveness of the system of internal controls, the control
environment, and risk management processes.

IT Governance
According to The IIA
Implementation Standard 2110.A2 (Assurance Engagements)
The internal audit activity must assess whether the information
technology governance of the organization supports the
organization’s strategies and objectives.

According to Anderson et al. in Internal Auditing, IT governance is
“the leadership, structure, and oversight processes that ensure the
organization’s IT supports the objectives and strategies of the
organization.” IT governance is the subset of organizational
governance directly related to oversight of IT assets and IT risks.

Beginning with the end in mind, the primary outcomes of effective IT
governance include the following:
IT strategies are aligned with organizational objectives.
The board and senior management understand the potential and
limitations of IT.
IT senior management understands organizational objectives and
needs.
An IT governance structure is used to apply and monitor this
understanding.
Risks are identified and managed properly.
IT investments are optimized to deliver value.
IT performance is defined, measured, and reported using
meaningful metrics.
IT resources are managed effectively.

Key Point
Because IT is now embedded everywhere throughout most
organizations, it is important to understand that it will be part of
most areas being audited. All three parts of the IIA CIA exam could
have questions that take an IT perspective. IT-related questions in
Parts 1 and 2 of the exam will likely be conceptual rather than
testing on specific IT details.

The alignment of organizational objectives and IT is more about governance and less about technology. Therefore, it is important to take a strategic approach to implementing IT governance. A strategic approach includes:
Evaluating alternatives.
Ensuring that execution is directed toward objectives.
Monitoring risk and performance against financial and nonfinancial goals:
    A key financial goal is to realize the organization’s strategy and provide competitive advantage. (A counterexample is senior management thinking that IT exists solely to deliver day-to-day services and limiting goals to operational cost savings.)
    A key nonfinancial goal is to ensure a strong system of internal controls. Strong IT governance promotes good control design; weak IT governance could be the root cause of ineffective and deficient controls.

IT governance is a shared responsibility of the board and senior management. That is, the board and senior management “own” IT governance. The board is responsible for overall strategic IT guidance. Senior management carries out the day-to-day direction of IT strategy execution. The board and senior management are responsible for establishing the organization’s IT objectives in alignment with the overall business strategy, for defining IT strategies to achieve business objectives, and for establishing:
IT governance policies.
Organizational structures that include IT roles and authorities.
IT processes.

Use of an IT governance framework can provide the organization with a foundation and mechanism for measuring IT’s effectiveness at achieving planned outcomes.

IT Governance Framework
The IIA’s Global Technology Audit Guide (GTAG) 17, “Auditing IT
Governance” provides a general IT governance framework that
focuses on the areas shown in Exhibit 1-30.

Exhibit 1-30: IT Governance Framework

Framework Area | Description
Strategic alignment | IT governance provides the strategic direction for IT and ensures that IT and business strategies are aligned for all IT projects and services.
Risk management | IT governance can ensure that IT risks are addressed and that enterprise risk management includes risk aspects of IT investments, defined responsibilities for risk management, and a holistic process for analyzing, addressing, and continuously monitoring risks.
Value delivery | IT governance can drive the maximum value from IT by ensuring that financial value is measured not only in terms of overall return on investment but also in terms of other strategic measures such as IT tactical plan execution, systems uptime, degree of automation in the systems development life cycle, productivity, and revenue generation.
Performance measurement | IT governance can help in measurement of the achievement of strategic IT objectives, IT performance, and the delivery of promised business functionality (and therefore contribution to profitability). Tools such as continuous monitoring or root cause analysis support these measurements.
Resource management | IT governance oversees the aggregate funding of IT at the enterprise level and ensures that there is (and will continue to be) adequate IT capability and infrastructure at the organization.

An IT governance framework addresses the following components:
IT process areas. Change management, information security management, software development, IT project management, etc.
IT mechanisms. Standards, policies, and frameworks for directing, monitoring, and measuring IT performance and managing IT risks.
IT governance organizational structures. IT roles and reporting lines (see Exhibit 1-31) to meet organizational objectives and formally evaluate and prioritize requirements.

Exhibit 1-31: Examples of IT Governance Organizational Structures

Governance Body | Members | Scope
IT governance board | Chief executive officer, chief financial officer, and chief information officer, plus CAE as nonvoting advisor on risk/control | Set business and IT strategy and investment plans.
IT steering committee | IT senior management and business unit owners | Ensure IT strategic alignment.
IT portfolio office | IT and business program/project managers | Develop IT project metrics, monitor, and report.
IT architecture office | Chief information officer, chief information security officer (CISO), chief operating officer, IT infrastructure managers | Determine IT architecture design.
Technology council | Chief information officer, chief technology officer (CTO), and business unit owners | Evaluate technology opportunities.
Cybersecurity and data protection council | Chief information officer, CTO, CISO, chief risk officer (CRO), chief financial officer, chief operating officer, business unit owners, and CAE as nonvoting advisor on risks/controls | Evaluate risk and strategies to protect organization’s information assets.

Role of Internal Audit in IT Governance
The internal audit activity must assess IT governance per Standard
2110.A2. The activity’s independence puts internal auditing in a
neutral position to influence IT governance and recommend change.
Providing advice should not impede independence if management
takes full responsibility and accountability for implementation and
operation of controls.

The internal audit activity may include IT governance in its risk universe. Risk-based audit planning can use a root cause analysis framework such as the one shown in Exhibit 1-32 to evaluate potential IT weaknesses.

Exhibit 1-32: IT Risk—Root Cause Analysis Framework

The model shows three layers of control:
Start at the technical configuration layer at the bottom (e.g., poor firewall configuration is identified).
Work backwards to potential root causes in IT processes (e.g., poor oversight).
Finish with potential root causes in IT governance (e.g., no firewall configuration training).

To ensure that there will be opportunities to provide advice, it is imperative that audits of IT governance include both assurance and consulting engagements. Either type of engagement can focus on the organization’s implementation of IT governance practices, which include clearly defined policies, roles, responsibilities, risk appetite alignment, effective communication, “tone at the top,” management of IT value, and clear accountability. Here are some specific areas for review:
IT strategic planning. There is a clear definition of IT’s mission and vision, and an IT strategic planning process with major initiatives is in place.
IT tactical planning. Project and change management methodologies are used with related controls, clear definitions of expected benefits, and clarity of scope definition.
IT delivery process. Operational controls, modification processes, and project management processes are functioning as intended. Actual versus planned benefits are analyzed.
Application development methodology. A process such as the systems development life cycle is in place and is used consistently.
Current portfolio administration. A process exists and is effective.
Overall IT efficiency and effectiveness. IT adds more value than it costs.

Management and Board Governance Audits
For internal auditors to contribute to the governance area, it is critical that they:
Define governance and the organization’s governance processes.
Determine what is in versus out of the internal audit scope due to the broad nature of governance.
Develop plans aligned with this understanding and start executing.

Usually, a single audit of governance overall is not attempted. Rather, the assessment of governance processes is likely to be based on information obtained from numerous audit assignments over time. However, if an overall governance assessment is appropriate, it should include review of:
Results of audits of specific governance processes.
Results of audits not specifically focused on governance, such as strategic planning, risk management processes, operational efficiency and effectiveness, internal controls over financial reporting (ICFR), IT risks, fraud risks, and law/regulation compliance.
Results of management assessments (e.g., compliance assessments, quality audits, or control self-assessments).
Governance issues such as adverse events.

The CAE’s final audit plan uses a risk-based approach to identify higher-risk governance processes to potentially include as assurance engagements. Consulting services may be preferred when known issues exist or the organization’s governance process is immature. In other cases, continuous monitoring methods can be used, such as assigning internal auditors to observe meetings of governance-related bodies and providing internal audit advice upon request on an ongoing basis.

Using Standard 2110 as a Checklist for Potential Audit Coverage Areas
Internal audit coverage of governance can consider each of the bullets in Standard 2110 to be part of the risk universe for potential audits of organizational governance:
Making strategic and operational decisions
Overseeing risk management and control
Promoting appropriate ethics and values within the organization
Ensuring effective organizational performance management and accountability
Communicating risk and control information to appropriate areas of the organization
Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management

Making Strategic and Operational Decisions
Anderson et al. in Internal Auditing indicate that strategy “refers to how management plans to achieve the organization’s objectives.” When assessing how strategic and operational decisions are made:
Start by understanding organizational objectives. This could include a review of strategy documents, mission and vision statements, and so on.
Assess how strategic and operational decisions are discussed and implemented.
Assess whether established, consistent decision-making processes are used.

Audit techniques can include:
Review of past audit reports, board meeting minutes, the board policy manual, and related governance documents.
Interviews with department heads to provide perspective.

Overseeing Risk Management and Control
Assessing oversight of risk management and control functions can include:
Reviewing the process for conducting the annual risk assessment.
Reviewing minutes from risk strategy meetings.
Reviewing previously conducted risk assessments.
Interviewing key risk management persons: compliance, risk, and finance officers.
Benchmarking risk management and control processes against relevant sources such as competitors or industry trends.
Assessing the level and type of support the internal audit activity provides to the organization’s risk management program, including:
    Robust and thorough analysis of risk management and internal control systems.
    Structure and discipline in the risk management program.
    Organizational and divisional risk assessments.
    Ongoing formal or informal oversight and input.

Promoting Appropriate Ethics and Values within the Organization
Audits can assess whether governance activities promote appropriate ethics and values within the organization. Document reviews in this area can include:
Mission and value statements, the organization’s code of conduct, and related ethics and values objectives, programs, and activities.
Hiring and training processes, anti-fraud and whistleblowing policies/hotlines, and the related investigation process.

In addition to document reviews, personnel can be interviewed or surveyed to determine their level of awareness of ethical standards and values.

Ensuring Effective Organizational Performance Management and Accountability
To assess the effectiveness of organizational performance management and accountability processes, review:
The organization’s policies and processes related to staff compensation, objective setting, and performance evaluation.
Associated KPIs and incentive plans for appropriate design and execution to prevent or detect unacceptable behavior or excessive risk taking and to promote strategic alignment.

Communicating Risk and Control Information to Appropriate Areas of the Organization
Assessments of how the area under review communicates risk and control information typically involve:
Determining the accuracy, completeness, and timeliness of risk and control information in internal reports, newsletters, relevant memos and emails, and staff meeting minutes.
Using surveys and interviews to gauge how well employees understand their risk and control responsibilities and the potential impact of failure to exercise those responsibilities.

A potential service the internal audit activity could offer in this area
would be to provide education on risk and control topics, especially if
targeting identified deficiencies.

Coordinating the Activities of, and Communicating Among, the Board, External and Internal Auditors, Other Assurance Providers, and Management
Assessments of activity coordination and communication among the board, external and internal auditors, other assurance providers, and management include:
Identifying the meetings that include these parties and determining their frequency of occurrence.
Reviewing meeting minutes, work plans, and reports.
Attending such meetings as participants or observers.

Improvement Recommendations for Governance Processes
The CAE considers the ramifications of potential governance process observations and may communicate with the board and senior management during all phases of the engagement (planning, evaluating, and reporting) as appropriate. Here are some examples of recommendations that might be made:
Finding ways to improve the flow of information to the board (e.g., more relevant, complete, timely, accurate, and forward-looking)
Avoiding subjectivity by objectively analyzing execution of past strategies
Assessing measurement processes and metrics for degree of alignment to strategy
Analyzing past ethics- or value-based code violations or trends
Assessing post-merger integration plans and progress toward their execution

Conformance to Standard 2110 can be demonstrated through multiple separate internal audit reports on individual governance processes. Alternatively, an overall report on governance can be prepared that summarizes observations and recommendations from relevant assurance and consulting engagements.

Topic 2: Culture, the Control Environment, and Engagements
This topic introduces the control environment and how to audit it. The impact of organizational culture on the control environment and on individual engagement risks and controls is also addressed.

According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 2100, 2110, and 2130
Practice Guide, “Auditing Culture”

Control Environment
The IPPF glossary defines the control environment as follows.

The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
Integrity and ethical values.
Management’s philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.

Much as the foundation of a house determines whether the structure will stand the test of time, the control environment is the foundation for the system of internal controls. It sets the tone for how controls are perceived. A good foundation can result in a control-conscious culture that applies rigor to control design and implementation; a poor foundation can have a pervasive impact on the system of internal controls.

It is important to see how the control environment fits in the context of the entire system of internal controls. One way to see this context is to study the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework cube, shown in Exhibit 1-33.

Exhibit 1-33: COSO Internal Control—Integrated Framework Cube

Source: Internal Control—Integrated Framework, COSO.

Key Point
The key point about this cube is that a system of internal controls
requires a number of interconnected elements to function
effectively.

Note that this is just one of several internal control frameworks, and
the internal audit activity needs to fully understand and support
whichever framework the organization has chosen to adopt.

The control environment forms a critical foundation for the other components of internal control that need to be integrated: risk assessment, control activities, information and communication, and monitoring activities. The top of the cube shows the three categories of objectives that an organization works to achieve using the system of internal controls: operations, reporting, and compliance objectives. The final side of the cube shows the organization’s structure to reinforce that the system of internal controls needs to be integrated into the organization at multiple layers that are more and more detailed.

Given this context, let’s explore each of the elements of the control
environment listed in the control environment definition.

Integrity and Ethical Values
COSO’s Internal Control—Integrated Framework has five principles related to the control environment. Each principle contains points of focus, which are optional characteristics that management may decide to evaluate in terms of whether or not they are present and functioning. The principle related to integrity and ethical values and its points of focus are as follows:
The organization demonstrates a commitment to integrity and ethical values.
    Sets the tone at the top.
    Establishes standards of conduct.
    Evaluates adherence to standards of conduct.
    Addresses deviations in a timely manner.

(This and later quotations from the framework are copyrighted by COSO [© 2013] and are used with permission. Note that the points of focus are helpful in organizing the content below; however, the guidance includes information from IIA materials and other sources.)

Sets the “Tone at the Top”
The tone at the top is one of the most important elements of culture. For example, an attitude of ignoring the rules on the part of those at the top tends to pervade to lower levels. People may either adopt the same attitude or leave the organization, which results in fewer people remaining who show integrity. The tone at the top encompasses the following concepts:
Top management and the board lead by example, considering stakeholder expectations.
The tone is shown through the actions and decisions of management, leadership and communication that is provided, and responses to deviations.
The tone at the top is fundamental to the proper functioning of the internal control system.
The tone at the top is further expressed in the form of mission statements, value statements, codes of conduct, principles, policies and practices, directives, and guidelines.
The operating style and the conduct of senior management and the board and the risk tolerances they set create an atmosphere that subordinates pick up on—for good or for ill.
A consistent tone helps pull the organization together, while a poor or inconsistent tone creates unintended consequences such as poor risk awareness, poor risk responses, poorly defined or ignored controls, or lack of improvement given feedback.

The history and culture of an organization directly influence the control environment. Culture supports the control environment when it creates behavioral expectations that reinforce commitment to ethics, integrity, oversight, and performance evaluation.

Establishes Standards of Conduct

According to The IIA
Implementation Standard 2110.A1 (Assurance Engagements)
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

Standards of conduct can include ethics programs, a written code of ethics, a written code of conduct, and related entity-level policies and procedures. An organization could have a combined code of ethics and conduct.

A strong ethical culture is the foundation of good governance. An ethical culture is created through a robust ethics program that sets expectations for acceptable behaviors in conducting business in the organization and with external parties. It includes:
Effective board oversight.
Strong tone at the top and senior management involvement.
Organization-wide commitment.
A customized code of conduct.
Timely follow-up and investigation of reported incidents and consistent disciplinary action for offenders.
Ethics training and communications.
Ongoing monitoring systems.
An anonymous incident reporting system.

Ethics is everyone’s responsibility:
The board oversees the ethical climate and ensures that management has sound ethics-related objectives and programs via assurance from internal auditing.
Senior management promotes and exemplifies an ethical tone at the top and creates explicit strategies to support and enhance the ethical culture, including ethics training.
Line managers’ attitudes and behaviors create an ethical subculture for their areas.
Outsourced service providers (e.g., customs clearance) can create reputation risks for unethical actions on behalf of the organization. Contracts should include things like anti-bribery and conflict-of-interest clauses.
There may be a chief ethics officer and/or designated person (ombudsman) for ethics advice.

A written code of ethics will likely include principles that the majority
of boards or organizational managers would agree are considered
desirable in conducting business. The board and senior management
will come to consensus on the set of principles that are considered
acceptable behavior at the organization. Note that due to the need for
consensus, corporate ethics will likely not match the personal ethics
of all persons. Components of a written code of ethics may include
principles related to honesty, integrity, transparency, fair dealing,
clear delegation, positive personnel practices, and so on.

A written code of conduct provides behavioral guidance and rules for staff (and outsourced service providers who have been delegated responsibility for organizational processes) when taking actions or making decisions. The code clarifies the expectations of the board and senior management as to what is considered right versus wrong. It provides guidance on common gray areas or difficult decisions and highlights associated risks.

A code of conduct may address the following subjects:
Conflicts of interest
Confidentiality
Fair dealing
Proper use of organizational assets
Gifts and gratuities
Compliance with laws, rules, and regulations
Compliance with voluntary standards such as for corporate social responsibility
Reporting of illegal or unethical behavior

For example, a written statement about conflicts of interest should:
Generally define conflicts of interest.
Address the expected behavior for employees, other corporate agents, and suppliers.
Include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation.

Policies and procedures for the control environment are determined by the board and are at the entity level. They form the basis for more detailed policies and procedures at the division, operating unit, and business function levels. In addition to stating requirements, a best practice is to provide the rationale for adherence, which could cite a related law or regulation or key risks, such as to customer safety or company reputation.

Control environment policies and procedures include defined accountabilities for business functions with control environment implications. This includes safeguarding of assets, product safety, and guidelines on developing compensation systems in ways that minimize unintended consequences.

Evaluates Adherence to Standards of Conduct
One way to evaluate adherence to standards of conduct is to require staff to recertify annually that they understand, accept, and adhere to the code. Best practices include teaching the standards of conduct to new employees using quarterly or biannual training sessions.

Policies and procedures also need processes for evaluating compliance and addressing shortcomings. This includes ensuring that:
There is a process for enforcing consequences.
Training or guidance occurs.
There is a process to seek and address root causes of the shortcomings.
There is a process for keeping policies and procedures up to date given new laws, regulations, values, etc.

Addresses Deviations in a Timely Manner
Standards of conduct should contain a process for monitoring and enforcing the code, including how potential deviations will be investigated and addressed and how disciplinary actions will be applied. Failure to enforce or being too slow in enforcing consequences creates a control environment risk, because persons may see a lack of enforcement as a tone from the top that these standards are not important and can be ignored.

Management’s Philosophy and Operating Style
COSO’s Internal Control—Integrated Framework does not have a principle related directly to management’s philosophy and operating style. However, the prior discussions of the tone at the top and of how management enforces standards of conduct are just two of the many examples in this topic of how the philosophy and operating style of management impact the control environment.

Organizational Structure
The principle in COSO’s Internal Control—Integrated Framework related to organizational structure and its point of focus are as follows:
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
    Considers all structures of the entity.

Considers All Structures of the Entity
Organizations develop structures to accomplish their objectives, including:
Legal entity structures (e.g., partnerships, subsidiaries).
Organizational structures (e.g., hierarchical, matrix).
Geographic market structures (e.g., regional divisions).
Supply chain structures (e.g., outsourced processes and services).

Many of these types of structures are addressed in Part 3 of these materials. The main point in regard to the control environment is that management needs to consider how such structures impact achievement of objectives, related risks, and controls. For example, a structure may help keep authorities and responsibilities separate or concentrate too much control in a given entity or individual. Structures can be reviewed for continued relevance, effectiveness, and efficiency.

Assignment of Authority and Responsibility
The Internal Control—Integrated Framework principles related to the assignment of authority and responsibility and their points of focus are as follows:
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
    Establishes oversight responsibilities.
    Applies relevant expertise.
    Operates independently.
    Provides oversight for the system of internal control.
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
    Establishes reporting lines.
    Defines, assigns, and limits authorities and responsibilities.

Establishes Oversight Responsibilities
The board of directors establishes oversight responsibilities by creating oversight committees and processes that align with the organization’s objectives.

Applies Relevant Expertise
Examples of the board applying relevant expertise include:
Exercising fiduciary responsibilities to shareholders/owners with due professional care (e.g., reviewing financial statements and disclosures).
Delving into management’s plans and performance by asking probing questions and following up on corrective actions.

Operates Independently
Examples of how the board operates independently include setting
expectations for and evaluating the conduct of the CEO in regard to
ethical values, integrity, and performance.

Provides Oversight for the System of Internal Control
Examples of how the board provides oversight for the system of internal control include:
Overseeing definition and application of the organization’s code of conduct.
Requiring assessments of board oversight effectiveness and continually improving.

Establishes Reporting Lines
Reporting lines are how managers in various organizational or other structures execute their assigned authorities and responsibilities, including reporting information to higher levels. These lines should be documented and understood by the relevant parties.

Defines, Assigns, and Limits Authorities and Responsibilities
The board retains some authority over significant decisions and delegates other areas of authority and responsibility to management, who in turn do so with their subordinates. Limitations to authority include segregation of duties.

Human Resource Policies and Practices
The principle in COSO’s Internal Control—Integrated Framework related to HR policies and practices and its points of focus are as follows:
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
    Establishes policies and practices.
    Evaluates competence and addresses shortcomings.
    Attracts, develops, and retains individuals.
    Plans and prepares for succession.

Establishes Policies and Practices
HR policies and practices:
Establish the necessary level of competence for a given role.
Indicate the basis for requirements (e.g., legal compliance).
Specify the skills and conduct that will be required for achieving objectives and supporting internal control.
Establish specific accountabilities.

Evaluates Competence and Addresses Shortcomings
HR policies and practices form the basis for evaluating competence and addressing shortcomings. Role descriptions provide guidance on the expected level of competence required to achieve the organization’s objectives. This starts with the skills and conduct that are needed to ensure that the system of internal control is effective. For example:
Skills could include proficiency with the enterprise resource planning system an organization uses for its business transactions and knowledge of the system’s transaction authorization requirements.
Conduct could include consistently adhering to those authorization requirements.

Management evaluations may address knowledge, skills, experience, degree of judgment the role requires, and limitations of authority. They may also assess whether the required level of competence is appropriate from a cost-benefit perspective.

Attracts, Develops, and Retains Individuals
Management determines the appropriate number of individuals for each role and whether this is adequate to achieve objectives and reduce internal control risks to an acceptable level. The processes for seeking out qualified candidates, training or mentoring them, evaluating competence, and retaining personnel are also reviewed for quality and compliance.

Plans and Prepares for Succession
For roles or business functions considered essential for accomplishing the organization’s key objectives, management has plans for replacing key persons or entities (e.g., a key supplier) or otherwise fulfilling those objectives in the absence of the individual or entity.

Competence of Personnel
The Internal Control—Integrated Framework principle related to competence of personnel and its points of focus are as follows:
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
    Enforces accountability through structures, authorities, and responsibilities.
    Establishes performance measures, incentives, and rewards.
    Evaluates performance measures, incentives, and rewards for ongoing relevance.
    Considers excessive pressures.
    Evaluates performance and rewards or disciplines individuals.

Enforces Accountabilities Through Structures, Authorities, and Responsibilities
The board and management hold persons accountable for
accomplishing objectives and fulfilling internal control responsibilities
by exercising their authority as authorized by the organizational
structure, reporting lines, and defined responsibilities. An escalation
process to higher levels of authority exists to ensure that enforcement
occurs and is consistently applied.

Establishes Performance Measures, Incentives, and Rewards
Management promotes achievement of objectives and fulfillment of
internal control responsibilities through use of cost-effective
performance measures, incentives, and rewards. Rewards and
incentives are discussed more in Part 3 of these materials.

Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
These programs are assessed for cost-benefit and alignment to
objectives.

Considers Excessive Pressures
Performance measures, incentives, and rewards may create
excessive pressures on individuals or entities, creating a risk of
subversion of internal controls to achieve organizational objectives.
Management makes necessary adjustments to mitigate this risk.

Evaluates Performance and Rewards or Disciplines Individuals
Management evaluates performance against performance measures
and adherence to standards of conduct and ensures that appropriate
rewards or discipline occur and are consistent.

Basis for Evaluating Ethics
Organizational standards of conduct are the basis for assessing
adherence to organizational ethics and values. There are stated
values as well as operating values.

An important aspect of the effectiveness of codes of ethics or
conduct is the degree to which these function as the basis for the
values of the organization and its people. Values are beliefs about
right versus wrong that guide people’s and organizations’ decisions
and actions, especially in situations that require making tradeoffs
between conflicting objectives. Inherent in values is a set of priorities
or criteria that help people determine which values are more
important than others. There are two types of values:
Stated values. These are ideal or written values, such as written
codes of ethics and/or conduct.
Operating values. These are cultural values that guide actual
organizational behavior.

If there is little difference between stated and operating values, then
the codes of ethics and/or conduct may be considered effective.
However, if there is a disconnect between the two types of values, it
will be difficult for staff to determine what is “acceptable.” The
operating values, even if dysfunctional, may become the status quo.
For example, a peer might say, “That’s the theory, but this is how it is
really done,” or, “This is what you have to do around here if you want
to get ahead.”

Auditing the Control Environment
When auditing the control environment, the internal audit activity
considers the risk of control environment failures as it develops the
annual audit plan and as it plans each individual engagement.

Key Point
If the effectiveness of the control environment is not considered in
an audit engagement, there is a risk that the assessment of the
adequacy of controls will be incomplete or misleading.

Audits of the control environment:
Start with a risk assessment to help set audit scope, frequency,
and rotation.
Take into account planning considerations as individual
engagements are planned.
Require assessment criteria.
Require selection of tools and techniques to use.

Each of these areas is discussed more next.

Control Environment Risk Assessment and Audit Scope
A control environment risk assessment can use the elements from the
IPPF definition of control environment as potential audit scope areas.
These elements are repeated below along with examples of
situations that may influence the risk assessment. (Note that these
examples may apply to more than one of the control environment
elements.)

Integrity and ethical values. Lack of code of conduct/ethics or
inability to evaluate adherence; high fraud rate.
Management’s philosophy and operating style. Frequent
management override of controls; lack of consideration of risk in
management decision making.
Organizational structure. Ineffective board oversight or control
environment monitoring; silos that promote department objectives
over organizational objectives.
Assignment of authority and responsibility. Unclear job
descriptions; insufficient separation of duties.
HR policies and practices. Compensation and incentive structures
that create a high risk of inappropriate behavior or risk taking; poor
or nonexistent background or reference checks; no whistleblower
policy or hotline.
Competence of personnel. Key function turnover resulting in
ineffective supervision; lack of key personnel competence (e.g.,
favoritism to unqualified family or associates).

In addition to assessing the risks of failure of each of these elements
individually, it is also important to consider the interaction of the
elements with one another.

Given risk assessments in each of these or other areas, the CAE
selects the scope of the audit or series of audits. The scope could
encompass all elements, either for the organization as a whole or
limited to a specific division or business unit. Alternately, control
environment elements could be assessed as part of the scope of
other audits such as an audit of a specific business process. For
example, an audit of accounts payable (A/P) might add an audit step
to determine how familiar A/P staff are with expectations for ethical
behavior.

The CAE also determines the frequency and rotation of control
environment audits and how to integrate the results of multiple audits
while avoiding duplication of effort.

Planning Considerations and Assessment Criteria
Because control environment audits involve discussion of sensitive
issues and often require interviews with board/audit committee
members and senior management, some special planning
considerations apply, including but not limited to:
Considering staffing the audit with experienced persons to enhance
credibility and recommendation acceptance.
Consulting legal counsel for some areas such as pending
investigations.
Ensuring that the internal audit activity’s reporting structure as
documented in the charter is sufficiently independent to enable
appropriate access and audit scope.
Considering how differences in national culture or national
laws/regulations would impact how the engagement or its
recommendations would be received.
Another sensitive task for the CAE is to determine the criteria against
which the control environment will be assessed. The CAE should
clearly articulate and communicate the audit scope and criteria to be
used, which may help with getting buy-in from the board and senior
management. These criteria could be based on:
An organization’s rating system.
A defined internal control framework’s principles.
A maturity model.
An industry standard or other benchmarking subject.
Specific objectives provided by legal counsel.

In general, a best practice is to use an internal control framework the
first time the control environment is audited at an organization. This
can help ensure that the criteria are well rounded and complete.

Tools and Techniques for Auditing the Control Environment
Auditing the control environment is an example of auditing “soft
controls,” which means there will be subjectivity in the assessments
and direct evidence may be difficult to gather. Selecting tools and
techniques may require thinking outside the box. Examples include:

Using surveys to test the effectiveness of control environment
elements such as ethics.
Using networking and discussions to evaluate if the actions of
management align with their talk.
Leveraging internal auditors’ knowledge of the organization’s inner
workings to provide corroboration on the effectiveness of controls.
“Auditing by walking around” and being visible and observant, which
can help:
Uncover intangible clues that prompt deeper assessments.
Reveal persons who are willing to provide opinions anonymously.
Assessing how management has reacted to past audits and
recommendations.
Reviewing materials and experiences from internal auditor
participation in committees, task forces, work groups, or ethics and
compliance program implementations.

Using data analytics to uncover anomalies.

Culture’s Impact on Control Environment
The IIA’s Practice Guide “Auditing Culture” cites the definitions of
culture and conduct from St-Onge et al. in Measuring Conduct and
Culture:
Culture represents the invisible belief systems, values, norms, and
preferences of the individuals that form an organization.
Conduct represents the tangible manifestation of culture through
the actions, behaviors, and decisions of these individuals.

Culture exists whether intentionally created or not at multiple levels:
National culture affects the desired objectives of an organizational
culture. Researching the cultures of the various countries where the
organization’s business units are located and where they primarily
do business is a best practice.
Organizational culture drives how the organization conducts
business and executes its strategies.
Subcultures likely exist at different campuses, in different
departments, etc.

Since internal auditors are part of the organization’s culture, it is
difficult to be objective when evaluating culture. However, due to the
internal audit activity’s deliberate steps taken to be independent and
objective, the activity is in the best position of any of the three lines of
defense to evaluate culture. The internal audit activity is also in a
position to lead by example. Internal auditors should be living and
promoting organizational values (per Standard 2110).

Poor organizational culture may be the root cause of many control
environment issues. A toxic culture can erode the effectiveness of
other control layers. Risk factors include:
Unreasonable deadlines or performance targets.
Incentives not aligned with values.
Employees with little or no risk training.
Organizational silos or other information impediments.
Mistrust toward auditors.
Dislike of controls or disregard of “inconvenient” laws or
regulations.
Poor senior management accountability.
Inability to accept evidence that disproves beliefs.
A belief that “this could never happen here.”
Failure to enforce standards of conduct.

Conversely, healthy organizational cultures have common
characteristics:
Positive tone at the top. The board and senior management
define, proactively model, and enforce accountability for desired
organizational values, including in their strategies.
Clear communication. Management sets explicit expectations in
all communications, daily interactions, and meetings with
employees, customers, and third parties.
Open dialogue. Management listens to feedback or constructive
criticism and has tools like ethics hotlines or open-door policies to
encourage dialogue.
Employee engagement. Objective-setting and strategy
discussions are inclusive, such as by listening to personal
objectives and evaluating how they align to strategy.
Incentives aligned with core values. Compensation and
incentives align with the organization’s core values and risk
appetite.

Assessments of Culture
An organization’s management and board are responsible for risk
management related to culture and conduct. The internal audit activity
can aid management and the board with this task by providing
targeted assessments of culture. Assessments can review:
Root causes for both those areas with culture deficiencies and
those deemed to be operating with best practices (to benchmark
culture impact).
Roles and responsibilities of the governance structure.
Programs for communicating values, strategies, and objectives.
Code of conduct, ethics, and sexual harassment training program
effectiveness.
Incentives, hiring programs, disciplinary actions, escalation
protocols, or treatment of whistleblowers.
Existing information sources for culture insights, such as employee
survey data.

Audits of culture can take place in formal engagements, but ongoing
monitoring can often be very effective. Ongoing monitoring includes
auditors being observers or participants in risk management meetings
or quarterly financial results meetings. If internal auditors are skilled
at reading body language or “reading the room,” the reaction of
people to things like bad news or risk occurrences can be telling in
regard to the culture.

Assessments of Ethical Climate
The internal audit activity can conduct an entity-wide review of
ethics-related policies and processes. Such an evaluation might consider
using a maturity model. For each attribute to be tested, the board
and/or senior management can choose the desired level of maturity
to use as a benchmark. Then the internal audit activity can determine
the actual level through testing.

When getting started, it is important to determine to whom the
organization’s ethical principles and code-of-conduct rules apply.
Directors and employees are required to adhere to these principles
and rules; suppliers, business partners, contractors, and third-party
service providers may also be required to abide by them.

Key areas for an ethical climate assessment to address include:
Whether ethical values are consistent among policy statements.
Whether any policies lack ethics statements and, if so, whether
they should be added.
Whether ethics statements are consistently expressed to enable
staff to have a cohesive, easily understood picture of expected
behavior.
Whether statements are specific and concrete enough to be
meaningful.

An entity-wide employee survey is a common tool for ethical climate
assessments.

Culture and Engagements
When conducting an individual assurance or consulting engagement,
the internal audit activity considers organizational culture as a risk
factor when setting audit scope. The risk is of a disconnect between
stated and operating values for the persons in the engagement area
because these values, positive or negative, are inherent to how that
work is getting done.
Self-assessment exercises, surveys, and questionnaires can be used
to measure how well the key parties in the area being audited (e.g.,
parties in joint ventures) understand organizational values, how well
their own goals and objectives align with those values, and the
degree to which they see others in the organization living by those
stated values. Depending on the audience, questionnaires could:
Ask the board to trace their policies back to core values and
identify any gaps.
Ask whether annual staff training programs on board policies and
procedures occur in the audit area and ask for descriptions of such
programs.
Ask whether audit area staff are required to confirm their
compliance with board policies and procedures at least annually.

Internal auditors need to be aware that self-assessments, surveys,
and questionnaires measure perceptions but that such perceptions
may or may not be accurate. Another consideration is that one way
to get buy-in from the manager of the area being audited and add
value is to allow that person to add survey items related to culture
issues they are interested in, such as a sales manager asking sales
staff about whether they feel undue pressure related to sales goals.

Audit programs can also be developed to test for each specific value
in the written code of conduct. For example, an audit program to
assess “We value and respect all individuals” may focus primarily on
HR policies and procedures and observations of related behavior. If
there is a second-line-of-defense compliance function for a particular
value (e.g., health and safety), the internal audit activity will still need
to evaluate the effectiveness of those programs.

Topic 3: Risk and Risk Management
This topic introduces the subject of risk and the GRC process of risk
management from the perspective of the organization’s efforts in this
area. It also addresses risk-based audit planning.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Implementation Guidance for Standard 2120
Practice Guide, “Assessing the Risk Management Process”

Risk Concepts
The IPPF glossary defines risk as follows:

The possibility of an event occurring that will have an impact
on the achievement of objectives. Risk is measured in terms
of impact and likelihood.
A key element of risk is the notion that it always involves
uncertainty. Both positive and negative events can be uncertain.
Negative risks are sometimes called threats; positive risks are
sometimes called opportunities. Anderson et al. in Internal Auditing
define an opportunity as “an action or potential action that creates
or alters goals or approaches for creating, preserving, or realizing
value.”

Here are some fundamental concepts of risk:
Achieving strategic and operational objectives and succeeding in
business requires putting the organization’s assets and resources
at some degree of risk.
Risks taken should be commensurate with the potential reward.
Risks are not single-point estimates. Rather, there will be a range
of possible outcomes associated with a risk, such as from worst
case to most likely to best case.
Risk management should reduce the likelihood of negative events
and increase the likelihood of positive events.

An event, also called an issue, is the occurrence or realization of a
risk (threat or opportunity).

Note that an organization may adopt its own risk terminology, and it is
the internal auditor’s responsibility to learn such organization-specific
terms and their definitions.
Risk Appetite
The IPPF glossary defines risk appetite as “the level of risk that the
organization is willing to accept.” Some related terms defined by
Anderson et al. in Internal Auditing follow:

Tolerance. “The boundaries of acceptable outcomes related to
achieving business objectives.”
Inherent risk. “The combination of internal and external risk factors
in their pure, uncontrolled state, or the gross risk that exists
assuming there are no internal controls in place.”
Controllable risk. “The portion of inherent risk that management
can reduce through day-to-day operations and management
activities.”
Residual risk. “The portion of inherent risk that remains after
management executes its risk responses (sometimes referred to
as net risk).” Note that responses include application of internal
controls or other risk management measures.

Exhibit 1-34 presents a conceptual-level view of how the risk
assessment process works to address inherent risk to objectives but
still results in some level of residual risk.
Exhibit 1-34: Conceptual View of Risk Assessment Process

Source: Adapted from “Enterprise Risk Management: What’s New? What’s Next” seminar,
The Institute of Internal Auditors.

Here are additional considerations related to risk appetite:
The purpose of setting a risk appetite is to limit risks to
organizational objectives to an acceptable level. This is done by
comparing the cost to the benefits of control.
Because the future is uncertain, there is no way to completely
eliminate risk. (Some amount of residual risk will remain.)
Risk appetite helps the board and management prioritize potential
strategies and resource allocations.
Risk appetite can be defined at a high level and at increasing levels
of detail.
Risk appetite can differ between business units or products (with
higher risk being acceptable for areas with higher potential for
reward).
Risk appetite can change based on changes in the external
environment.

Internal auditors can learn about the organization’s risk appetite by
reviewing the organization’s risk management policies and discussing
the organization’s risk management philosophy with the board, senior
management, or risk management officers. The chief financial officer
and external auditors can also help define financial reporting risk
appetite. (Typically this is highly risk-averse.)

Enterprise Risk Management (ERM)
The IPPF glossary defines risk management as “a process to
identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the
organization’s objectives.” COSO’s Enterprise Risk Management:
Integrating with Strategy and Performance defines enterprise risk
management (ERM) as:

The culture, capabilities, and practices, integrated with
strategy-setting and performance, that organizations rely on
to manage risk in creating, preserving, and realizing value. It
does not refer to a function, group, or department within an
entity.

Every organization exists to deliver value to its stakeholders.
Value is created when the benefits from resource investments
exceed the cost of those resources. (The opposite would mean
that value is being eroded.)
Value is preserved when resources deployed in daily operations
sustain the things creating the benefits, such as maintaining
customer loyalty.

ERM exists to help organizations understand the nature of the risks
they are facing, determine the amount of risk they are willing and able
to accept, and proactively respond to risks to:
Create and preserve value (and realize it by delivering actual
benefits to stakeholders).
Achieve organizational objectives.
Improve deployment of resources using a risk-based approach.
Reduce volatility and improve stability (a key objective of
shareholders and lenders).

Key Point
ERM is likely to be effective in creating value when the
organization’s ERM capabilities are aligned with each other and are
fully integrated into operations. Managers should not just manage
their own risks within their own organizational “silos.” Integration is a
sign of ERM maturity that helps prioritize tradeoffs and improves
timeliness.
The organization’s mission, vision, and values need to drive the
strategy, business objectives, and performance objectives to result in
value. Enterprise risk management:
Validates that the strategy and objectives align with the mission,
vision, and values.
Projects the results and implications of the chosen strategy.
Enumerates and evaluates the risks to the strategy and
performance.

Risk Governance and Other ERM Roles
The organization’s governance functions (the board and senior
management) are responsible for supporting and championing the use
of ERM. This function also creates demand for relevant, reliable, and
timely risk analysis and reporting. The board is responsible for
ensuring that risks are managed and that there is an adequate ERM
system in use. The board may establish a risk committee, or the audit
committee may have this responsibility.

In practice, the board will delegate the operation of the ERM
framework to management. Senior management may, in turn, create
specialized risk management roles and add ERM to the scope of
duties of other roles, such as:
Chief risk officer.
Financial executives.
Line managers and employees. (Risk management is everyone’s
responsibility.)
Internal auditors.
Independent outside auditors.
External stakeholders, including customers, creditors, financial
analysts, suppliers, and outsourced service providers.

Key Point
Management owns ERM, not internal auditing, but the internal audit
activity is important in monitoring and recommending improvements
in the organization’s ERM practices.

A key need and opportunity for adding value for the internal audit
activity is to assess ERM practices and recommend improvements.
Internal auditors also may provide other services such as:
Educating the board and senior management on the importance or
methods of ERM.
Facilitating risk management training sessions.
Promoting risk language and use of the organization’s framework in
internal audit activity work.

Risk Culture
Effective risk management depends on the organization having a
culture that is open to the discussion of positive and negative risks.
For ERM to function properly, persons at all organizational levels
need to be able to raise or escalate risk issues without fear of
retaliation. This enables:
The ERM process to be transparent.
A high level of organizational risk awareness.

A culture that is not ready for ERM can undermine the hard work of
persons performing risk analysis and reporting even when policies
and procedures are in place to ensure that ERM occurs. For
example, if the results of a risk analysis are not discussed or
incorporated into decisions, then the process will be ineffective.

While culture shifts are difficult and time-consuming, some steps to
start transforming a culture to better leverage ERM might include
periodic forums for discussing risk or creating clear risk management
roles and responsibilities in the organization. Consulting engagements
may be the best way to work to improve risk culture.

ERM Process Overview
A generic ERM process consists of identifying and categorizing risks,
evaluating their impact and likelihood and doing other forms of
analysis and prioritization, selecting and implementing risk responses
in a timely fashion (possibly including planning for specific scenarios),
and communicating and reporting on risks and responses.
ERM needs to be an ongoing process. New risks continually arise
and their risk ratings change, so a best practice is to match risk
assessment frequency to the velocity of risk profile changes.
Methods to continually acquire new risk information include:
Management call programs.
Quarterly risk committee involvement.
Specific risk topic discussions at each audit committee or board
meeting.
Automated tools to capture and understand risk indicators.

Steps in the ERM process are discussed more next.

Risk Identification and Categorization
An organization identifies and categorizes the risks it encounters to
ensure that important risks are captured. Risks in the same category
could also potentially be addressed by creating a response that
addresses several related risks. A common approach for risk
identification and categorization is to have a brainstorming session
to identify as many risks as possible and then place the identified
risks into categories. A good place to start is to use a generic risk
model, such as the one from Internal Auditing by Anderson et al., as
shown in Exhibit 1-35.

Exhibit 1-35: Generic Risk Model

Strategic Risks
External: Changes in laws and regulations; Competition; Change in markets; Industry; Technology
Internal: Reputation; Strategic; Satisfied customers; Governance

Compliance Risks
External: Contractual; Regulatory; Litigation; Permits
Internal: Ethics; Policies; Fraud and illegal acts

Reporting Risks
External: Accounting and financial reporting; Taxation
Internal: Budgeting; Performance measures; Internal control and regulatory reporting; Information (Resources, Access, Availability, Data integrity, Infrastructure, Privacy)

Operation Risks
Process: Supply chain capacity; Process execution; Health and safety; Business continuity; Cycle time; Catastrophic events; Lack of product innovation
People: Labor supply; Leadership, key employees; Incentives; Empowerment; Change readiness; Communications
Financial: Interest rates; Foreign exchange rates; Capacity; Default; Concentration; Capital availability; Cash management; Commodity pricing; Duration

Source: Adapted from Anderson et al., © 2017. Internal Auditing: Assurance and Advisory
Services, 4th Edition.

Exhibit 1-36 summarizes some common risk identification
approaches.

Exhibit 1-36: Common Risk Identification Approaches

Event inventories
Description: Detailed listings of potential events common to companies within a particular industry, process, etc.
Example: Lists of typically encountered events in a custom software development project

Internal analysis
Description: Detailed analysis of information; data from ongoing operations or other business units, customers, suppliers, or external sources
Example: New product launch analysis that examines internal data and events affecting the success of competitors’ products

Escalation or threshold triggers
Description: Comparison of transactions/events against predefined criteria alerting management to areas of concern that may require assessment or fast response
Example: Review of the organization’s pricing structure when competitors’ prices reach a specific threshold

Facilitated workshops and interviews
Description: Facilitator-led events to draw on the knowledge and experience of management, staff, and stakeholders regarding achievement of objectives
Example: Focus group with accounting team led by a financial controller to identify events that have an impact on the organization’s external financial reporting

Process flow analysis
Description: Combination of inputs, tasks, and responsibilities in a process; internal and external factors or events that could impact process objectives
Example: Medical lab making process maps for the receipt and testing of samples and then evaluating the process maps for risks

Leading key indicators
Description: Qualitative or quantitative measures that help identify upcoming changes to risks
Example: Monitoring loan payment patterns to mitigate potential for default

Loss event data methodologies
Description: Examination of past individual loss events to identify trends and root causes; assessment of whether to treat the root cause or address individual events
Example: Insurance company examining a historical database of accident claims to identify the root cause of the accidents

Source: Adapted from Enterprise Risk Management—Integrated Framework and Enterprise
Risk Management—Integrating with Strategy and Performance, © 2004 and 2017, Committee
of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used
with permission.

Analysis: Impact, Likelihood, and Heat Maps
Management analyzes every identified risk by determining two risk
factors (definitions are from Anderson et al., Internal Auditing):
Impact. “The adverse effect of a risk outcome.”
Likelihood. “The odds or probability of the risk occurring.”

Examples of some common likelihood and impact factors are shown
in Exhibit 1-37.

Exhibit 1-37: Common Likelihood and Impact Factors

Likelihood Factors:
Probability based on history or cycles
Complexity of activities
Change or stability (e.g., employee turnover or new laws)
Control environment
Control process effectiveness

Impact Factors:
Materiality (e.g., dollar loss)
Potential reputation or brand damage
Importance of the related objective to the organization’s mission
Velocity of occurrence, duration, and/or pervasiveness of the event
Recovery costs

Both impact and likelihood can be defined using subjective or
objective methods. Organizations determine the scales they want to
use and assign meanings to each category.
A subjective scale is not quantifiable or measurable but is instead a
set of general categories such as negligible, low, medium, high,
and extreme.
An objective scale may add a monetary value range to each level
(for impact) or a percentage range (for likelihood).

Key Point
An important audit consideration is that risk analysis scales be used
consistently across the enterprise and that people using the scales
have a shared understanding of the meanings of each element.

Next, a heat map is used to determine each risk’s overall rating or
severity. A heat map, also called a risk assessment model, is a
two-axis risk assessment chart or grid that places impact on one axis
and likelihood on the other to create a combination assessment of a
risk’s overall rating.

A risk rating, also called severity, is a combination assessment of a risk’s impact and likelihood. Organizations define the categories and what risk ratings to put in each category.

Exhibit 1-38 shows an example of a heat map from Anderson et al. in Internal Auditing. It includes examples of the monetary impact and percentage ranges that might be used. (Such ranges will vary based on the size of the organization or other factors.)
Exhibit 1-38: Heat Map

Source: Anderson et al., Internal Auditing: Assurance and Consulting Services, 4th edition.

Each risk identified in the earlier parts of the process can be mapped to a specific location on the heat map. (Note how each cell created in the grid is assigned a number.) For example, if data privacy risks are considered high in impact and probable in likelihood, privacy risks would be placed in box 21 and be considered a critical risk. Risks in higher-numbered boxes get more analysis in general, but all get some form of response.

The process of placing risks on the heat map is best performed in a team session to capture the consensus of the persons with the best understanding of the risks being discussed. For risk management at the enterprise-wide level, it is important to involve senior management (if available), operations management, and more experienced internal auditors.

The next step in the analysis phase is to link each risk back to one or more specific business objectives. This shows what areas of the organization would be impacted. Risk categories, such as those shown in Exhibit 1-35, will help with this exercise. For example, risks in the strategic risks category will likely trace back to strategic objectives. Performing this process could result in modifying a risk’s impact. It also helps ensure completeness, because it could reveal more risks that need to be mapped.

Many organizations further refine the risk analysis process to account for other risk factors, such as urgency of response needed and so on. These additional considerations may result in modifying a risk’s overall rating or be a consideration when choosing a risk response.
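As an added worked example, not taken from the study guide or from Anderson et al., the following Python code implements an objective-scale heat map of the kind just described: a dollar-loss range for each impact level and a probability range for each likelihood level, a check that each scale is unambiguous so it can be applied consistently across the enterprise, placement of each risk in a numbered cell with an overall rating, and a ranking of the resulting register so the higher-rated risks receive more analysis. The scale thresholds, the cell numbering, the severity bands and the sample risks are all constructed assumptions; the bands are chosen so that a high-impact, probable risk rates as critical, as in the data privacy illustration above.

```python
"""Heat-map risk rating with objective impact and likelihood scales.

Constructed example: the scales, grid numbering and severity bands below are
assumptions for illustration, not the ranges of the study guide's Exhibit 1-38.
"""
from dataclasses import dataclass

# Objective scales: (label, lower bound). Impact is measured in dollars of
# loss, likelihood as an annual probability. All thresholds are assumed.
IMPACT_SCALE = [
    ("negligible", 0),
    ("low", 10_000),
    ("medium", 100_000),
    ("high", 1_000_000),
    ("extreme", 10_000_000),
]
LIKELIHOOD_SCALE = [
    ("remote", 0.0),
    ("unlikely", 0.05),
    ("possible", 0.20),
    ("probable", 0.50),
    ("almost certain", 0.80),
]

# Severity bands on the combined score (impact index + likelihood index, 0..8).
# Assumed bands, chosen so that high impact + probable likelihood is "critical".
SEVERITY_BANDS = [(6, "critical"), (4, "high"), (2, "moderate"), (0, "low")]


def validate_scale(scale):
    """Enforce a shared, unambiguous scale: lower bounds must strictly increase
    and labels must be unique, so every measurement maps to exactly one level
    wherever in the enterprise the scale is applied."""
    bounds = [lower for _, lower in scale]
    if any(b <= a for a, b in zip(bounds, bounds[1:])):
        raise ValueError(f"scale bounds must strictly increase: {bounds}")
    labels = [label for label, _ in scale]
    if len(set(labels)) != len(labels):
        raise ValueError(f"scale labels must be unique: {labels}")
    return True


def level_index(scale, value):
    """Index of the highest level whose lower bound the value reaches."""
    if value < scale[0][1]:
        raise ValueError(f"{value} is below the lowest level of the scale")
    idx = 0
    for i, (_, lower) in enumerate(scale):
        if value >= lower:
            idx = i
    return idx


def severity_label(score):
    """Map a combined score to a severity band (bands are listed high to low)."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return SEVERITY_BANDS[-1][1]


@dataclass(frozen=True)
class RiskRating:
    name: str
    impact: str
    likelihood: str
    score: int         # impact index + likelihood index
    cell: int          # heat map cell 1..25 (assumed numbering, see rate_risk)
    severity: str
    objectives: tuple  # business objectives this risk is linked back to


def rate_risk(name, dollar_loss, annual_probability, objectives=()):
    """Place one risk on the heat map and derive its overall rating."""
    validate_scale(IMPACT_SCALE)
    validate_scale(LIKELIHOOD_SCALE)
    i = level_index(IMPACT_SCALE, dollar_loss)
    k = level_index(LIKELIHOOD_SCALE, annual_probability)
    cell = i * len(LIKELIHOOD_SCALE) + k + 1  # assumed numbering: one row per impact level
    return RiskRating(name, IMPACT_SCALE[i][0], LIKELIHOOD_SCALE[k][0],
                      i + k, cell, severity_label(i + k), tuple(objectives))


def rank_risks(ratings):
    """Order risks for analysis: highest combined score first, then by name so
    two runs over the same register produce the same report."""
    return sorted(ratings, key=lambda r: (-r.score, r.name))


if __name__ == "__main__":
    # Constructed risk register: loss estimates and probabilities are made up.
    register = [
        rate_risk("data privacy breach", 2_000_000, 0.60, ("protect customer data",)),
        rate_risk("office supplies overspend", 5_000, 0.90, ("manage operating costs",)),
        rate_risk("key supplier failure", 300_000, 0.25, ("maintain production",)),
    ]
    for r in rank_risks(register):
        print(f"{r.severity:9} cell {r.cell:2}  {r.name} ({r.impact}/{r.likelihood})")
```

Because severity is derived from the level indices rather than from the raw dollar and probability figures, two business units that estimate a risk differently in detail still land in the same band as long as they apply the same scale, which is the consistency the Key Point above asks internal auditors to look for.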

Risk Responses
For each risk analyzed, the organization determines a response that
will be cost-effective, meaning that the cost of the response is not
greater than the cost of the impact if the event were to occur.
Categories of risk responses include:

Acceptance. No action is taken to decrease risk impact or likelihood. The organization is willing to accept the risk at the current level rather than spend resources on it (or no viable plan can be devised).

Avoidance. A decision is made to exit or divest of the activities giving rise to the risk (e.g., exiting a product line or country of operations).

Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or is necessary to achieve a particular business objective (e.g., entering a new product line or region).

Reduction. Action is taken to reduce or mitigate the risk impact, likelihood, or both. Implementing controls is an example.

Sharing. The risk impact or likelihood is reduced by transferring or sharing a portion of the risk with a third party. Insurance, outsourcing, and partnering are examples.

Risk Scenario Planning

Certain extreme events, such as disruptive competitive innovations, cybersecurity threats, or commodity cost volatility, may require developing more detailed risk response plans, perhaps as part of an overall business continuity plan. Making plans for such events helps keep ERM processes proactive and helps avoid a potential ERM deficiency in which the process primarily just maps past business events into the future.

Risk Communication and Reporting

Risk communication and reporting need to leverage the organization’s IT so that risk data can be efficiently collected and risk analysis information can be presented in a timely fashion in an easily digestible format. To avoid information overload, present the right level of information at the right level of detail for the audience’s decision-making needs.

Communications regarding risk management include providing the rationale for using ERM along with the guidelines for applying it appropriately. This includes communicating risk appetite levels and other management expectations. Specific communications and reports about risk also need to occur with the board and at every level of management.
Risk Management Standards 2120 and 2120.A1

According to The IIA

Performance Standard 2120, “Risk Management”
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

According to The IIA

Implementation Standard 2120.A1 (Assurance Engagements)
The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:
Achievement of the organization’s strategic objectives.
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.

Let’s break down the first part of Standard 2120’s interpretation (shown in italics) and implementation guidance or other IIA guidance (the sub-bullets). The interpretation starts with the following preamble: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

Organizational objectives support and align with the organization’s mission.
Review strategic and business plans, discuss with the board and senior management, and interview mid-level management to gain insight on alignment and risk appetite at the business unit level.

Significant risks are identified and assessed.
Important risk categories include strategic, compliance, reporting (including financial reporting), IT resources (including cybersecurity), and operational (including processes, people, and financial) risks.
The internal audit activity should alert management to new or inadequately addressed risks.
The internal audit activity may consider using an established ERM framework.

Appropriate risk responses are selected that align risks with the
organization’s risk appetite.
The CAE discusses risk appetite, risk tolerance, and risk culture
with senior management and the board and reviews related
policies and meeting minutes.
The internal audit activity provides recommendations and action
plans for improving risk responses.
The internal audit activity may independently perform gap
analyses to look for significant risks not being identified or
addressed.

Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The internal audit activity should have a process in place to plan, audit, and report on ERM.
Interview staff at various levels to determine if the organization’s objectives, significant risks, and risk appetite are sufficiently articulated and understood.
The internal audit activity may review board minutes to determine whether the most significant risks are communicated in a timely fashion and the board is acting to ensure that management is responding appropriately.
If the CAE concludes that management is taking on unacceptable levels of risk, the CAE must discuss the matter with senior management and may discuss it with the board, per Standard 2600, “Communicating the Acceptance of Risks.”
Key Point
It is important for internal auditors to identify whether risk
information is used in decision making and whether risk responses
are appropriate to the organization’s risk appetite and ERM
strategy.

Let’s break down the remainder of Standard 2120’s interpretation and implementation guidance or other IIA guidance.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.
Internal auditors should attain an understanding of the organization’s current ERM environment and responses to prior risks.
Internal auditors consider the organization’s size, complexity, life cycle, maturity, stakeholder structure, and changes in laws, competitors, etc.
Internal auditors review ERM maturity to determine how much to rely on the organization’s ERM assessments.
An organization may believe it has higher maturity than it has in actual practice.
Highly regulated industries tend to have higher levels of ERM maturity.

The internal audit activity typically also does its own risk
assessments.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
It is important to know how the organization does ERM and oversees it before starting to implement Standard 2120.
Demonstrating conformance to this standard can use the internal audit charter, internal audit plans, and related ERM meeting minutes.
The internal audit activity will evaluate the responsibilities of the board and those in key ERM roles by reviewing completed risk assessments and reports.
The internal audit activity may evaluate the adequacy and timeliness of remedial actions by reviewing control designs and testing the controls and monitoring procedures.

In addition to assessing the organization’s ERM, the internal audit activity should also take the necessary steps to ensure that it is managing and correcting deficiencies related to its own risks, such as audit failure, false assurance, and reputation risks.
Risk-Based Audit Planning

According to The IIA

Performance Standard 2010, “Planning”
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Internal auditors cannot evaluate every possible risk facing an organization. The multiple sources of potential engagements coupled with the related scope of work require the efficient use of limited internal audit resources. A risk assessment framework for audit planning provides a systematic way for the CAE and the internal audit activity to assess internal and external risk factors and develop an annual audit plan.

Interpretation helps us understand how to develop the risk-based audit planning framework:
The CAE is responsible for developing a risk-based plan.
The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization.
If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board.
The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

Frameworks for assessing and developing risk-based audit plans will vary between organizations. An organization’s size, formality, management team dynamics, industry, regulatory requirements, and other demographics are some of the potential influencing factors. Most risk-based frameworks for internal audit planning include the steps listed in Exhibit 1-39.

Exhibit 1-39: Risk-Based Assessment Framework for Internal Auditing

Step 1: Determine the audit universe.
Identifies all organizational sources of potential audit engagements and all potential auditable units. Also identifies specific activities (auditable activities) in a functional area at risk.
Auditable units may vary depending on the industry or nature of the organization; for example, locations, processes, products, or divisions may be considered.
Example: A list of all organizational units/processes (can be hundreds of items).

Step 2: Examine organizational risk factors.
Develops and applies standard risk assessment methodology for qualitative and quantitative measurement(s) of risk within and across all auditable units.
Assesses internal and external organizational risks based on their impact on organizational objectives more than on the extent of change in specific functions.
Considers potential engagement sources.
Involves discussing the audit universe with organizational senior managers to identify levels of risk, planned new activities, and/or process changes.
Incorporates ERM results (if the organization has an ERM process).
Considers other internal and external assurance activities.
Example: Consideration of size of revenue or assets, visibility of areas, liquidity or cash flow, results of other reviews, and reported problems.

Step 3: Prioritize audits.
Evaluates proposed engagements.
Establishes criteria and ranks the risks based on their significance to organizational objectives and risk appetite.
Considers if the internal audit staff is sufficient to cover all the primary risks and whether some can be delayed and/or handled by other assurance providers.
Leads to the annual audit plan.
Example: Identification of the most important areas to audit during the upcoming year based on high-level risk evaluations, planned process changes, and requests from management coupled with the internal audit resources available.

According to The IIA

Implementation Standard 2010.A1 (Assurance Engagements)
The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

Internal audit activities can leverage their organization’s ERM framework—if one exists—and apply it to the selection of audit engagements, engagement criteria, and audit tools. Once a risk-based annual audit plan exists, the next step is to perform individual engagement planning, which also includes a risk assessment component.

Topic 4: Risk Management Frameworks

Organizations may choose to implement enterprise risk management
in different ways. Best practice has shown that using a framework
can improve the efficiency and effectiveness of ERM. By formally
organizing risk management responsibilities and activities in a
framework, an organization is better positioned to achieve its
strategic objectives. Use of a framework helps to ensure that risk
management activities are focused on ERM (rather than on risk
management at the functional level) and that risk is being proactively
managed (not just reduced).

There are numerous ERM models. They generally vary in their focus
and complexity. Some are highly specialized frameworks applicable
to specific situations (e.g., IT security, insurance). Here we will look
at two major frameworks: COSO’s ERM framework and ISO 31000.

A discussion of internal audit activity assurance over ERM follows discussion of these frameworks.

According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Assessing the Risk Management Process”
Practice Guide, “Assessing the Adequacy of Risk Management using ISO 31000”

COSO’s ERM Framework

The COSO (The Committee of Sponsoring Organizations of the Treadway Commission) ERM framework is called Enterprise Risk Management—Integrating with Strategy and Performance. The purpose of this framework is to help organizations accelerate growth and enhance performance by integrating ERM at every organizational level and applying the principles of the framework to everything from strategic decision making to performance management.

The COSO ERM framework addresses the evolution of ERM as integral to development and achievement of strategy through effective organizational performance and value creation. Supporting an organization’s mission, vision, and core values is a key differentiator. The model describes the connection between strategy, business objectives, performance (what the organization strives to achieve), and ERM components (what is needed to achieve the objectives). This framework introduces key ERM concepts and a common ERM language and provides principles-based guidance. It addresses the need for organizations to improve their approach to managing risk to meet the growing demands in business.

The COSO ERM framework is applicable to all industries and all types of risk. It has gained broad acceptance by many organizations globally.

Components of COSO ERM Framework

The COSO ERM framework consists of five interrelated components, shown in Exhibit 1-40.

Exhibit 1-40: Components of COSO ERM Framework

Governance and culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

Strategy and objective setting: ERM, strategy, and objective setting work together in strategic planning. A risk appetite is established and aligned with strategy; business objectives implement strategy while forming a basis for identifying, assessing, and responding to risk.

Performance: Risks to achievement of strategy and objectives are identified and assessed. Risks are prioritized by severity (impact and likelihood) in the context of risk appetite. The organization selects risk responses and takes a portfolio view of the amount of risk it has assumed and reports key risks to stakeholders.

Review and revision: By reviewing entity performance, an organization can consider ERM component effectiveness as the organization changes and what revisions are needed.

Information, communication, and reporting: ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

Strategy and objective setting, performance, and review and revision represent common processes that flow through an organization. The other components—governance and culture and information, communication, and reporting—are supporting aspects of ERM.

Principles of COSO ERM Framework

These five components are supported by a set of 20 principles—the things the organization would do as part of the ERM process. The principles, listed in Exhibit 1-41, provide senior management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives.

Exhibit 1-41: Principles of COSO ERM Framework

Governance and culture
1. Exercises board risk oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes operating structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines desired culture—The organization defines the desired behaviors that characterize its desired culture.
4. Demonstrates commitment to core values—The organization demonstrates a commitment to its core values.
5. Attracts, develops, and retains capable individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.

Strategy and objective setting
6. Analyzes business context—The organization considers potential effects of business context on risk profile.
7. Defines risk appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates alternative strategies—The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates business objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.

Performance
10. Identifies risk—The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses severity of risk—The organization assesses the severity of risk.
12. Prioritizes risks—The organization prioritizes risks as a basis for selecting risk responses.
13. Implements risk responses—The organization identifies and selects risk responses.
14. Develops portfolio view—The organization develops and evaluates a portfolio view of risk.

Review and revision
15. Assesses substantial change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews risk and performance—The organization reviews entity performance and considers risk.
17. Pursues improvement in enterprise risk management—The organization pursues improvement of enterprise risk management.

Information, communication, and reporting
18. Leverages information and technology—The organization leverages the entity’s information and technology systems to support enterprise risk management.
19. Communicates risk information—The organization uses communication channels to support enterprise risk management.
20. Reports on risk, culture, and performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.

Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

The components and principles of the framework do not represent isolated, stand-alone concepts. COSO states that enterprise risk management is not static. It is integrated into the development of strategy, the formulation of business objectives, and the implementation of those objectives through day-to-day decision making.

More information on COSO’s Enterprise Risk Management—Integrating with Strategy and Performance can be found on the COSO website, at www.coso.org.

ISO 31000 Framework

ISO 31000:2018, “Risk management—Guidelines,” is a simple and concise international standard and framework for the systematic development of enterprise risk management. It can be used successfully by any size or type of organization because the organization can adapt the framework to the proper scope and environmental context. The purpose of ISO 31000 is to help organizations manage uncertainty. It provides a guide for managing risk based on key principles, a framework, and a process.

ISO 31000 Principles

ISO 31000 is a principles-based standard intended to generate transparency and credibility within the risk management function. The principles describe characteristics of effective and efficient risk management and should be used as a foundation for establishing an organization’s ERM processes.

Assessments of the organization’s overall risk management process can use these key principles as an audit approach to ensure that the process is complete and effective. This is just one of several audit approaches that will be addressed in this topic. An audit based on ERM principles would assess the extent to which each principle is true for the risk management process. Exhibit 1-42 provides an overview of the ISO 31000 principles (these are paraphrased) along with examples of how they can be used as audit tests.

Exhibit 1-42: ISO 31000 Principles and Related Audit Tests

(Audit tests assess the extent to which the stated condition is true.)

Integrated
Principle: Risk management is an integral part of all activities in an organization.
Audit test: Risk management is not an add-on task.

Structured and comprehensive
Principle: Risk management should follow a structured and comprehensive approach to provide consistent results.
Audit test: The organization has its own framework or uses a standard framework.

Customized
Principle: Risk management is customized to the organization’s operating environment, culture, and objectives.
Audit test: Rather than being an out-of-the-box process, the process matches the organization’s operations.

Inclusive
Principle: Risk management is inclusive of all stakeholders, providing improved communications and risk management awareness.
Audit test: There should be appropriate and timely involvement of stakeholders.

Dynamic
Principle: Risk management uses an iterative cycle to generate continual improvement, organizational learning, and quick response to changing environments and emerging risks.
Audit test: The process is regularly reviewed for organizational and environmental relevance. Risk management matures along with other organizational processes.

Best information available
Principle: Risk management makes use of the best historical, current, and future-oriented information available. Relevant stakeholders need timely and clear information.
Audit test: Obtaining information can be expensive, and so the process has guidance on what constitutes sufficient information. The process documents areas of uncertainty and how best to address uncertainty. Information is timely if it is available when decisions need to be made.

Behavioral and cultural factors
Principle: Risk management is influenced by organizational culture and behavior.
Audit test: The process is appropriate to the competence and culture of those staff who use it.

Continuous improvement
Principle: Learning and experience are used to continually improve risk management.
Audit test: ERM has a deliberate process for gathering, considering, and incorporating feedback related to the efficiency and effectiveness of the program.

ISO 31000 Framework Components

The ISO 31000 framework components assist in integrating risk management into all organizational activities and functions. These components, which should work together and be customized as needed to achieve the organization’s own objectives, include:

Leadership and commitment. Oversight by top management ensures that a risk management approach is integrated into all activities, promoting the value to the organization and stakeholders.

Integration. Risk management should be a key aspect of governance. It should be aligned to the organizational purpose, strategy, objectives, and operations.

Design. The framework should be designed to fit the context of the organization and demonstrate the commitment to risk management.

Implementation. Success requires stakeholder engagement and awareness. The framework ensures that a risk management process is included in all activities.

Evaluation. To evaluate the effectiveness of the framework, auditors should measure performance against indicators and expected behaviors.

Improvement. Organizations should continually monitor and adapt the framework to address identified gaps and incorporate enhancements.

ISO 31000 Cycles

At a high level, the ISO 31000 framework is a cyclical process that begins with top executives expressing a strong commitment to risk management and mandating its adoption based upon the principles described above. The framework is then designed and customized. Once implemented, it is monitored and reviewed to enable continual improvement.

The implementation phase has its own cycle, as shown in Exhibit 1-43.

Exhibit 1-43: ISO 31000 Implementation Phase Process Framework

Assurance Based on ISO 31000 Process Elements

Assurance of management’s overall risk management process can use the process elements of ISO 31000 as an audit approach. For each of the following elements, it is essential to substantiate with sufficient audit evidence that management’s expressions of intent are being satisfied in practice.

Communication and consultation. Structured and ongoing communication and consultation occur with parties affected by operations.

Establish context. The external environment (political, social, etc.) and internal environment (strategies, structures, ethics, etc.) are understood as a prerequisite of identifying the full range of risks.

Risk identification. Identifying risks uses a formal, structured process that considers risk sources, impact areas, potential events, causes, and consequences.

Risk analysis. A formal technique is used to consider each risk’s impact and likelihood.

Risk evaluation. A method is used to rank the relative importance of each risk so that a treatment priority can be established.

Determine risk treatment. Rational decisions are made about risk treatment (acceptance, avoidance, pursuit, reduction, and sharing).

Monitoring and review. Progress of treatment plans, existence and effectiveness of controls, avoidance of proscribed activities, and environment changes are monitored and reviewed.

Record and report. Reports are made in the appropriate frequency and level of detail to the appropriate parties.

How the ISO 31000 and COSO ERM Frameworks Compare

The ISO 31000 and COSO ERM frameworks are very similar. Both approaches:
Help organizations achieve their business objectives through the effective management of internal and external risks.
Recognize the importance of embedding a risk management mentality in the culture of the organization.
Recognize the importance of the “tone at the top” in risk management.
Are deliberately broad in focus yet allow for more detail-level integration.
Recognize that risk management is a complex iterative process requiring multidisciplinary skills to implement and manage properly.

While the risk management processes are parallel in nature, there are some differences. One difference is in terminology. ISO 31000 uses “risk treatment,” whereas COSO employs “risk response.” Another difference is that the components of COSO ERM and ISO 31000 do not align precisely, as is shown in Exhibit 1-44.
Exhibit 1-44: Differences Between COSO ERM and ISO 31000 Components

COSO ERM: Governance and culture
ISO 31000: Leadership and commitment (Process: communication and consultation)

COSO ERM: Strategy and objective setting
ISO 31000: Integration; Design (Process: scope, context, criteria)

COSO ERM: Performance (Identifies risk; Assesses severity of risk; Prioritizes risks; Implements risk responses; Develops portfolio view)
ISO 31000: Implementation (Process: risk identification; risk assessment; risk analysis; risk treatment)

COSO ERM: Review and revision
ISO 31000: Evaluation; Improvement (Process: monitoring and review)

COSO ERM: Information, communication, and reporting
ISO 31000: (Process: communication and consultation; recording and reporting)

Assessments of ERM
Internal audit activity assessments of the organization’s ERM typically
occur either when the organization has no real ERM process or if the
CAE determines that management’s assessment of its ERM
effectiveness is not reliable. Otherwise, the internal audit activity can
typically rely on the organization’s own ERM assessment. ERM
assessments can provide:
Assurance on the risk management process itself (addressed
here).
Assurance on significant risks and management assertions of
control as part of a risk-based audit (addressed elsewhere).
Follow-up on risk treatment plan status or planned control
remediations (addressed here).

Assessments of the risk management process itself are a good way for the internal audit activity to help the organization adopt or improve its risk management systems. Note that if there is resistance to the idea of performing risk assessments at all (e.g., it is considered a non-beneficial or time-consuming bureaucratic exercise), the internal audit activity is likely facing a risk culture issue.

ERM assessments start with a gap analysis that evaluates current capabilities, processes, and systems. If any essential elements are missing, the organization’s efforts to manage significant risks will be ineffective. Here are some considerations:
In addition to the nature and significance of risks, consider the competence and experience of persons performing ERM.
Avoid duplication of effort with compliance functions and risk management specialists. An assurance map (see Practice Advisory 2050-2) can help ensure coordination.

Key objectives of internal audit activity assessments of the
organization’s ERM may include the following:
Management has a vision for the risk management process.
Business strategy risks are identified and prioritized.
Management and the board have determined the general level of
risks and the risks required for the chosen strategy to be tolerable.
Management’s ongoing monitoring includes periodic reassessments
of risks and the effectiveness of controls.
Risk management roles periodically report on ERM results to the
board (or risk committee/audit committee) and senior management.
Management assesses the risk profile of strategies or
opportunities that use innovation.

Assessment approaches can include:
Assessments based on ongoing monitoring.
Assessments based on a maturity model.
Resource-based assessment approaches (top-down, bottom-up,
or combination).
Assessments that rely on ISO 31000 principles and/or process
elements.

Adoption of more than one approach can yield the most informative
and useful results. The approach(es) selected should be tailored to
the organization’s needs.

Key Point
Regardless of the assessment approach(es) selected, always
include normal control-based assurance that determines whether:
Risks are being effectively identified and appropriately analyzed.
There is adequate and appropriate risk treatment and control.
There is effective monitoring and review by management to
detect changes in risks and controls.

Assessments and follow-up also include process and documentation
reviews, analytical techniques, recommendations, and follow-up on
risk treatment plan status. Assessments based on ongoing monitoring,
on a maturity model, and on resource-based assessment
approaches are discussed more next.

Assessments Based on Ongoing Monitoring
A good example of assessing ERM using ongoing monitoring is for
internal auditors to be present in risk management meetings at the
levels being assessed. Observations such as these can help
determine if there are gaps between the design and implementation
of ERM.

A combination of ongoing monitoring and separate evaluations is a
best practice. Note that the more effective the ongoing monitoring,
the less need there may be for separate evaluations. Because
ongoing evaluations are done in real time, they can be adapted to
dynamically changing conditions.

Assessments Based on a Maturity Model
Risk culture and risk management maturity level play a role in the
organization’s risk attitude, which the ISO defines as an
“organization’s approach to assess and eventually pursue, retain, or
turn away from risk.” Exhibit 1-45 shows an example of a risk
management maturity model. Internal auditors can assess the
organization’s actual position as part of assessing the organization’s
ERM process, but note that it may not be necessary or practical for
an organization to aspire to the highest level. A level of 2 or 3 may be
acceptable. Conversely, an organization may need a push to a higher
level if the culture is ready.

Exhibit 1-45: Risk Management Maturity Model

Stage          Culture                          Governance               Process
1: Initial     Risk belongs to the internal     CAE/audit committee      Risk-based auditing
               audit activity.                  chair
2: Repeatable  Risk is considered on an         Business managers        As-needed risk and control
               as-needed basis.                                          self-assessment process
3: Defined     Internal audit and control       All levels of            Common risk language and risk
               functions share risk             management and board     assessment process used by
               information.                                              internal audit and control functions
4: Managed     Risk is integrated into          Executives and board     Common risk language and
               strategic planning; risk                                  consistent risk assessment
               appetite is communicated.                                 processes in all of organization
5: Optimized   Risk is integrated into all      Total participation      Common risk language and
               decision making,                                          aggregated risk reporting
               compensation, and goals.                                  through the organization

Source: The IIA’s “Assessing the Risk Management Process” Practice Guide.
The organization’s desired level of ERM maturity can help set the
scope of ERM assessments and serve as evaluation criteria.
Depending on maturity, scope/criteria may include:
The organization has a process to manage the risk of
noncompliance with external laws and regulations (this is the
minimum scope) and with internal policies and procedures.
The internal audit activity does not have management responsibility
for ERM.
There is a common risk language, and consistent risk assessment
processes are used.
An ERM framework is used and adapted to the organization and
business environment.
Leading risk management practices (e.g., industry and professional
guidance) are used.

Resource-Based Assessment Approaches
Because assessing an entire risk management process is a labor-
and time-intensive exercise, the CAE should develop an approach
that considers the available resources while fulfilling audit objectives.
Three examples include a top-down, bottom-up, or combination
approach. Exhibit 1-46 compares these approaches.

Exhibit 1-46: Types of ERM Audit Assessment Approaches

Top-Down Approach
Effective methods:  Interviews; document reviews
Participants:       Board members (e.g., audit and/or risk committee chairs);
                    senior management; group/division management
Limitations:        Low level of detail. Assessment may take a governance
                    focus due to the participants involved. Board and senior
                    management views may not represent the remainder of the
                    organization, especially regarding culture.

Bottom-Up Approach
Effective methods:  Interviews; surveys; document reviews; walkthroughs
Participants:       Line managers; supervisors
Limitations:        Surveys may be confusing without a risk process/language
                    background. Feedback may be inconsistently distributed
                    across participants. Participants may not make time
                    (indicative of low priority given to ERM).

Combination Approach
Effective methods:  Interviews with higher-level personnel; surveys with
                    lower-level personnel; document reviews
Participants:       Board members (e.g., audit and/or risk committee chairs);
                    senior management; group/division management; line managers
Limitations:        While this approach can be more comprehensive, it could be
                    more expensive/time-consuming, and any of the prior
                    limitations may still apply.

A top-down assessment is good for strategic-level identification and
evaluation of exposures. These assessments can serve as a catalyst
to get the organization moving toward its desired ERM maturity level.
Internal auditors performing such assessments should understand the
business and its strategy as well as external environment and
stakeholder risk priority changes. Interviews (or brainstorming
sessions) can get board members or senior management engaged by
leading off with targeted questions, such as:
What risks can impact strategy realization and could risk
management enhance performance relative to these risks?
What would we hate to see reported in the media?
What unique risks exist in our industry?
Bottom-up assessments are more likely to be limited-scope
engagements because it can be difficult to assess ERM at the detail
level. The scope can instead be defined based on specific objectives
such as for specific locations or strategic objectives. Here are some
examples of questions internal auditors could ask of line managers or
other participants:
Do you seek information from field personnel to get early warning
of emerging risks?
Are risk management resources sufficient?
Are risk management roles for you and your subordinates defined
clearly enough?

Combination approaches can be used when the benefits of both
methods are desired and there is budget available for the greater
administrative cost. Here are a few examples of questions that one
could ask of participants to determine how the top and bottom
interact:
How are differences of opinion on a risk or its priority shared
between senior and line management and how are they settled?
Do you feel pressured to go along with the group opinion
(groupthink)?
Are there discussions of how a risk could impact other business
units, how one risk may naturally offset another risk, or how
addressing one risk may create new risks?
ERM Process and Documentation Reviews
In addition to gathering information from persons involved in ERM,
internal auditors can review ERM processes and related
documentation. Internal auditors seek evidence that there is
structured analysis and documentation of risks, including the
following:
An overall strategy for managing risk information from multiple
sources is in place.
Guidelines for the creation, modification, deletion, and sharing of
risk information exist.
A risk register exists and is used. A risk register is a spreadsheet
or document that links risks to organizational objectives, provides
an assessment of each risk, including its impact and probability,
identifies the risk owner, and identifies the response or key control
to address the risk.
A risk communications process exists that has the necessary
infrastructure for communicating risk information throughout the
organization.
A risk reporting process provides quarterly communications with
management and the audit committee, has reports that clearly link
the risk universe back to shareholder value, and is focused on
transparency and education.
Decision making and performance measurement processes
integrate risk information.
To gather evidence, the internal audit activity may review these and
other sources:
Prior risk assessments, control-self assessments, or external
assurance reports
Risk management process flows
Risk appetite and strategy documents
Board minutes
Business cases for capital projects
Management discussion and analysis (MD&A) in financial
statements
Results of risk monitoring activities

Once the various documents are gathered, internal auditors assess
the quality of the documentation against the criteria they have
determined for the engagement. This can include assessing:
The extent and formality of the documentation. (Note that less
formality does not necessarily mean less effectiveness.)
Whether the documents such as risk registers make monitoring
risks more efficient.
Whether technology is leveraged where appropriate to make the
process cost-effective.

Note that if the purpose of the assessment is to make a formal
statement to external parties, be sure to retain the documentation.
Analytical Techniques
Risk management analytical techniques can include performing root
cause analysis of detected faults or statistical analysis of incident
trends.
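The statistical analysis of incident trends mentioned above, as an added illustration that is not part of the Practice Guide or of this study guide's own material: a least-squares trend line over a series of periodic incident counts, plus a baseline-and-threshold check that flags periods whose count is unusually high. The monthly counts, the 12-period baseline window and the 2-sigma threshold are constructed assumptions for the example.

```python
"""Added example: simple statistical analysis of an incident trend.

Illustrative code written for this section, not an IIA tool. The monthly
counts below are constructed sample data; the 12-period baseline window and
the 2-sigma threshold are assumed parameters an auditor would tune.
"""
from statistics import mean, pstdev


def linear_trend(counts):
    """Least-squares slope (incidents per period) and intercept over the series."""
    n = len(counts)
    xs = range(n)
    x_bar = mean(xs)
    y_bar = mean(counts)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, counts))
    slope = sxy / sxx
    return slope, y_bar - slope * x_bar


def flag_outliers(counts, baseline_periods=12, sigmas=2.0):
    """Indices of periods after the baseline whose count exceeds
    baseline mean + sigmas * baseline standard deviation.

    The baseline is the first baseline_periods observations. If the baseline
    has zero variance the threshold degenerates to the mean, so fall back to
    mean + 1 rather than flagging every period that is not identical to it.
    """
    base = counts[:baseline_periods]
    mu = mean(base)
    sd = pstdev(base)
    threshold = mu + sigmas * sd if sd > 0 else mu + 1
    return [i for i, c in enumerate(counts)
            if i >= baseline_periods and c > threshold]


def summarize(counts, baseline_periods=12):
    """Trend slope plus the flagged periods, the two numbers a reviewer asks for."""
    slope, _ = linear_trend(counts)
    return {
        "slope_per_period": round(slope, 3),
        "outlier_periods": flag_outliers(counts, baseline_periods),
    }


# Constructed monthly counts of control incidents over 24 months (not real data):
# a stable first year, then a second year with one spike and a mild upward drift.
SAMPLE_COUNTS = [4, 5, 3, 6, 4, 5, 5, 4, 6, 5, 4, 5,
                 5, 6, 5, 6, 5, 12, 6, 5, 6, 6, 6, 6]

if __name__ == "__main__":
    print(summarize(SAMPLE_COUNTS))
```

A positive slope with no flagged periods points to gradual deterioration that root cause analysis should chase; a flagged period with a flat slope points to a one-off event. Both patterns matter to follow-up, but they call for different questions of management.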

Recommendations
Recommendations resulting from ERM assessments should be
appropriate to management’s current and desired ERM maturity
levels.

Follow-up of Risk Treatment Plan Status
The internal audit activity also needs to follow up on the status of risk
treatment plans and related control remediation plans. Follow-up
activities include ensuring that monitoring provides management with
an assessment of progress against milestones and validating that
plan status reports to the board are accurate and timely.

Topic 5: Process and Function Risk Management Effectiveness
This topic follows the recommended engagement planning steps as
presented in Standard 2200 and in the “Assessing the Risk
Management Process” Practice Guide to provide a systematic
process for examining the effectiveness of risk management within
processes and functions as part of a risk-based audit plan during an
engagement.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Practice Guide, “Assessing the Risk Management Process”

Assessing ERM on an Engagement
A best practice when conducting an individual engagement that
includes a risk assessment component is to follow the engagement
planning steps as presented in Standard 2200 and further detailed in
The IIA’s Practice Guide “Engagement Planning: Establishing
Objectives and Scope.” Each of these steps is adapted for use in a
risk management assessment context in The IIA’s Practice Guide
“Assessing the Risk Management Process.” Here we provide a brief
overview of the process in that Practice Guide.

Understand the Context and Purpose of the Engagement
Internal auditors develop an understanding of the organization’s
overall risk management maturity level in the context of the
organization’s size, industry, and regulatory environment. In particular,
there must be an assessment as to whether management has
articulated objectives for risk management. Given this understanding,
the internal audit engagement requires:
Identifying the principles at work in the organization’s risk
management process.
Evaluating whether those principles are appropriate and effective.

In planning the assessment, internal auditors should review
Implementation Guidance for Standard 2120, “Risk Management,”
and consider elements including:
Mission, vision, strategy, and objectives.
Risk management frameworks used and methods of risk
management and oversight.
Robustness of risk management roles, responsibilities, and
activities.
Historically experienced risks, current risks, and changes that may
introduce new risks.
Stakeholder expectations for the internal audit activity to provide
assurance in the area being audited that the risk management
process is effective.

Preparations can include reviewing prior assessments, understanding
and mapping risk management process flows (flowcharts), and
interviewing relevant stakeholders.
Gather Information to Understand the Risk
Management Process
Given an understanding of the areas relevant to the engagement,
internal auditors should gather information to support a preliminary
risk assessment. The manager of every business area should have at
least some risk information, because every area should be managing
risk. Internal auditors may need to look in less obvious areas for this
information. For example, business cases for projects or initiatives
contain risk assessments that could be reviewed.

Conduct a Preliminary Risk Assessment

According to The IIA
Implementation Standard 2210.A1 (Assurance Engagements)
Internal auditors must conduct a preliminary assessment of the
risks relevant to the activity under review.

An effective way to perform and document an engagement-level risk
assessment is to create a heat map (risk assessment model) of
significant risk exposures including errors, fraud, and noncompliance.
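The risk register described under ERM Process and Documentation Reviews and the engagement-level heat map described here work off the same data, so one added example serves both. It is illustrative code written for this section, not an IIA tool: a register row links a risk to an objective, rates likelihood and impact, names an owner and a response; the documentation-review checks an auditor would run over the register (owner, objective, response present; ratings on scale; no duplicate identifiers) are implemented; the heat map is derived by counting risks per likelihood/impact cell; and a prioritized list is cut at an appetite boundary. The 1-5 scales, the score threshold of 12, the field names and the sample purchasing risks are constructed assumptions for the example.

```python
"""Added example: a minimal risk register and engagement-level heat map.

Illustrative code written for this study guide section, not an IIA tool.
The field names, the 1-5 rating scales, the score threshold and the sample
risks are assumptions constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk register row: links a risk to an objective, rates it,
    names an owner and records the response or key control."""
    risk_id: str
    objective: str
    description: str
    owner: str
    likelihood: int      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int          # 1 (negligible) .. 5 (severe), assumed scale
    response: str        # key control or treatment; empty string = undecided

    def score(self) -> int:
        return self.likelihood * self.impact


def validate_register(register):
    """Documentation-review checks over a register.

    Returns (risk_id, problem) tuples; an empty list means the register is
    complete on these criteria.
    """
    problems = []
    seen = set()
    for r in register:
        if r.risk_id in seen:
            problems.append((r.risk_id, "duplicate risk_id"))
        seen.add(r.risk_id)
        if not r.objective:
            problems.append((r.risk_id, "not linked to an objective"))
        if not r.owner:
            problems.append((r.risk_id, "no risk owner"))
        if not r.response:
            problems.append((r.risk_id, "no response or key control"))
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            problems.append((r.risk_id, "rating outside 1-5 scale"))
    return problems


def heat_map(register):
    """Count risks per (likelihood, impact) cell; grid[l][i] uses the scale
    values directly, so index 0 is unused."""
    grid = [[0] * 6 for _ in range(6)]
    for r in register:
        grid[r.likelihood][r.impact] += 1
    return grid


def prioritize(register, threshold=12):
    """Risks at or above the threshold score, highest first. The threshold
    stands in for the appetite boundary agreed with management (assumed)."""
    return sorted((r for r in register if r.score() >= threshold),
                  key=lambda r: (-r.score(), r.risk_id))


def render_heat_map(grid):
    """Plain-text heat map: rows are likelihood 5..1 top to bottom,
    columns are impact 1..5 left to right."""
    lines = ["L\\I  1  2  3  4  5"]
    for l in range(5, 0, -1):
        lines.append(f"{l}    " + "  ".join(str(grid[l][i]) for i in range(1, 6)))
    return "\n".join(lines)


# Constructed sample register for a purchasing engagement (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Reliable supplier payments", "Fictitious vendor invoices paid",
         "AP manager", 3, 4, "Vendor master change approval"),
    Risk("R2", "Reliable supplier payments", "Duplicate invoice payment",
         "AP manager", 4, 2, "Invoice number matching"),
    Risk("R3", "Regulatory compliance", "Sanctions screening gap for new vendors",
         "Compliance lead", 3, 5, "Screening before onboarding"),
    Risk("R4", "Cost control", "Purchasing agent accepts kickbacks",
         "Procurement director", 2, 4, ""),
    Risk("R5", "", "Register not updated after reorganisation",
         "", 3, 3, "Quarterly register review"),
]

if __name__ == "__main__":
    for rid, problem in validate_register(SAMPLE_REGISTER):
        print(f"{rid}: {problem}")
    print(render_heat_map(heat_map(SAMPLE_REGISTER)))
    for r in prioritize(SAMPLE_REGISTER):
        print(r.risk_id, r.score(), r.description)
```

The validation findings are the documentation-review evidence (a risk with no owner or no response is exactly the gap the auditor reports), while the heat map and the prioritized list are the preliminary assessment that Standard 2210.A1 asks for. Keeping both on the same data is what makes a register useful for monitoring rather than a static document.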

Establish Engagement Objectives
According to The IIA
Performance Standard 2210, “Engagement Objectives”
Objectives must be established for each engagement.

An example of an overall objective could be to provide management
with insight into their ERM maturity. Standard 2210.A2 adds that
assurance engagement objectives must consider the probability (i.e.,
likelihood) of significant exposures, including errors, fraud, and
noncompliance.

For an assurance engagement, according to Standard 2210.A3,
adequate criteria are needed to evaluate risk management, and if
internal auditors find that senior management and the board have
already established adequate criteria (i.e., a risk management
framework is in place), then those criteria must be used for the
evaluation. If none exist, internal auditors should work with
management and/or the board to develop internal and external criteria
and leading practices. Note that for less mature organizations,
consulting engagements may be more appropriate.

Establish Engagement Scope
According to The IIA
Performance Standard 2220, “Engagement Scope”
The established scope must be sufficient to achieve the
objectives of the engagement.

At a minimum, the scope of any assessment regarding risk
management should confirm whether any identified risk-related
processes are followed and comply with external criteria. The
engagement scope may include evaluating:
The effectiveness of governance structures supporting the audit
area’s risk management policies, procedures, and activities.
The sufficiency and operating effectiveness of the audit area’s risk
management policies, procedures, and activities, including
alignment with the organization’s risk appetite, stakeholder
expectations, and industry standards.
The adequacy of dedicated risk management resources in the audit
area.
Clearly defined risk management and assurance roles.
Explicit consideration of risk in strategy setting, clear expectations
related to risk treatment, and processes for classification,
escalation, tracking, and reporting.
Existence of risk registers, rating criteria, and other tools.

Allocate Resources
According to The IIA
Performance Standard 2230, “Engagement Resource
Allocation”
Internal auditors must determine appropriate and sufficient
resources to achieve engagement objectives based on an
evaluation of the nature and complexity of each engagement, time
constraints, and available resources.

The CAE or internal auditors assigned to the engagement determine
whether the quantity of resources and mix of competencies available
are sufficient to perform the engagement with due professional care.
Another consideration when allocating resources is the impact that
the culture and control environment will have on the engagement’s
requirements. A top-down, bottom-up, or combined approach may be
considered, but a bottom-up approach may be most appropriate for
auditing processes and functions.

Document the Work Program
Documents gathered may include process maps for the process or
function, the area’s risk register, and summaries of interviews and
surveys. It is important to document the rationale used for decisions
regarding the assessment of the organization’s risk management
maturity level and any criteria used to assess the risk management
process.
Topic 6: Internal Audit Role in the
Organization’s ERM
This topic addresses what internal audit activities are and are not
acceptable in regard to the organization’s ERM process. The topic
focuses on potential consulting roles.

According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Practice Guide, “Interaction with the Board”
Position Paper, “The Role of Internal Auditing in Enterprise-
Wide Risk Management”
Practice Guide, “Internal Audit and the Second Line of
Defense”

Internal Audit’s Role in the Organization’s ERM
Exhibit 1-47 presents a range of ERM activities, differentiating
between roles the internal audit activity should and, equally important,
should not undertake. Roles in the far left area are core internal audit
roles the activity should undertake. These are all assurance activities.
The area in the center includes consulting and other non-assurance
activities that are still legitimate internal audit activity roles but require
some safeguards, and activities in the far right are roles the activity
should not undertake.

Exhibit 1-47: Internal Audit’s Role in ERM

The key factors to take into account regarding the role of internal
audit are whether the particular activity raises any threats to internal
audit’s independence and objectivity and whether it is likely to improve
the organization’s governance, risk management, and control
processes.
Key Point
Carefully review the “roles internal audit should not undertake” in the
graphic above. These are all things for which the board, senior
management, or other management levels should be responsible
and accountable.

Because assurance activities are addressed elsewhere, this topic
focuses primarily on the center of the graphic, as this represents an
area that requires judgment. These consulting or non-project, value-
added internal audit activities are discussed more next.

Consulting or Non-Project Internal Audit Activities for ERM

According to The IIA
Implementation Standard 2120.C1 (Consulting Engagements)
During consulting engagements, internal auditors must address
risk consistent with the engagement’s objectives and be alert to
the existence of other significant risks.

According to The IIA
Implementation Standard 2120.C2 (Consulting Engagements)
Internal auditors must incorporate knowledge of risks gained from
consulting engagements into their evaluation of the organization’s
risk management processes.

According to The IIA
Implementation Standard 2120.C3 (Consulting Engagements)
When assisting management in establishing or improving risk
management processes, internal auditors must refrain from
assuming any management responsibility by actually managing
risks.

The internal audit activity’s knowledge of and reputation in risk
management frequently results in organizations seeking out the
activity’s involvement as the organization embeds risk management
into its culture and practices. In some cases, internal audit may be
asked to take the lead on enterprise risk management or some
portion of it, even though this type of activity will be in violation of
Standard 2120.C3 if internal auditors assume any management
responsibility. Also, internal audit cannot give objective assurance on
any part of the risk management framework for which it is
responsible.

Key Point
Whenever the internal audit activity consults with management to
set up or improve risk management processes, its plan of work
should include a clear strategy and time line for migrating the
responsibility for these activities to members of management.
If there is no ERM function, the internal audit activity advises on how
to set one up and consults on the best ERM methodology for the
organization. The activity’s ERM role should be discussed with senior
management and the board and codified in the internal audit charter.
Here are some potential ERM consulting areas. (Note how all of them
are carefully worded to avoid taking on any actual management
responsibility.)
Assess articulation of strategies and business objectives.
Champion ERM and introduce its concepts, frameworks, and risk
language by providing workshops or coaching that highlights ways
ERM could add value. Use specific examples that leverage the
internal audit activity’s overall knowledge of the organization.
Provide insight on the nature and effectiveness of the control
environment.
Facilitate risk appetite setting.
Brainstorm risk events.
Provide management with internal audit tools and techniques for
analyzing risks and controls.
Facilitate assessment and risk priority setting.
Advise on additional risk criteria.
Advise on choice of risk response/treatment.
Assist management with monitoring external and internal
environments, such as by providing a central point for coordinating,
monitoring, and reporting on risks.
Provide audit results that highlight risk management methodologies
to show their effectiveness.

Some internal audit activities may consider some ongoing or informal
activities to be non-project work and therefore not consulting work.
Others will consider this a form of consulting. Regardless of how such
activities are categorized, they need to comply with the Standards,
including refraining from taking on management responsibility. An
example of non-project, value-added work could include providing the
board (especially new board members) with white papers on industry
risks or accounting rule changes.

As an organization’s ERM processes mature, consulting tends to
become less of a focus and assurance takes on priority. More mature
organizations not only are already doing many of the right things in
regard to ERM but may have specialist roles such as a risk manager.
An assurance focus then provides the independent and objective view
that the first line (management) and second line (compliance) cannot
provide.

Consulting Safeguards
Safeguards for consulting on ERM include:
Making it clear to management that they are responsible for risk
management, including by documenting the nature of internal audit
responsibilities in the internal audit charter and related policies and
procedures.
Abstaining from actually managing any of the risks on behalf of
management. Instead, the internal audit activity may challenge or
support management’s decision-making process or provide other
advice.
Recognizing any work beyond assurance activities as consulting
engagements. Implementation Standards related to consulting
engagements should be followed.

Consulting versus Second-Line Roles
While there will be some areas of overlap in the knowledge, skills,
and values between internal auditors and second-line-of-defense
functions related to ERM (such as a risk manager or a financial
controller), it is important for internal auditors to know their limitations.
Most second-line-of-defense roles will have areas of expertise and
knowledge that are outside the body of knowledge for most internal
auditors. This can include:
How to use and interpret complex risk quantification and modeling
techniques.
Knowledge of the details of implementing risk responses (e.g.,
financial risk transfer).
If specialized skills are needed, the internal audit activity needs to
recognize its limitations and acquire the expertise or not undertake
the work.

Interaction with the Board in Relation to ERM
Performance Standard 2060, “Reporting to Senior Management and
the Board,” indicates that the CAE’s periodic reporting to senior
management and the board must include significant risk exposures
and control issues. An effective internal audit activity provides the
board with assurance in these areas and suggests governance, risk
management, and control improvement opportunities.

Developing both formal and informal communication channels and
strong relationships is important to enable discussion of sensitive
matters, such as management’s failure to manage strategic and/or
operational risk or an executive’s ethically questionable behaviors and
actions (including fraud). Here are some considerations for
communications:
Clear, relevant, and frequent communication between the CAE and
members of the board is essential.
Formal board meetings are best served if all presentation materials
are relevant, complete, and risk-based.
A quarterly or similar meeting should include risk themes, for
example, a review of emerging risks. The CAE also helps the
board to understand changes in the regulatory and business
environment related to governance, risk management, and control.
The CAE may also need to have frequent informal discussions with
the chair or other board members, in part to establish trust and
rapport.

One of the most important aspects of interacting with the board is
gaining their confidence that the internal audit activity is fully engaged
with senior management to monitor and treat risks, stay alert to
emerging risks, and align with stakeholders on risk attitudes.

Use of a risk-based audit plan is itself a confidence-building tool.
Such a plan helps build stakeholder confidence when it is grounded
on:
A thorough understanding of the risk appetite of the board and
senior management.
CAE discussions with the board and management on how to best
prioritize projects and resources so as to provide the most value in
helping them assess risks.

Regular review of the audit plan with the board and senior
management will give them opportunities to set new priorities and
adapt to internal and external environment changes.
Section F: Fraud Risks
This section is designed to help you:
Define fraud and the conditions that must exist for fraud to occur.
Discriminate among the major types of fraud.
Identify common types of fraud associated with the engagement
area during the engagement planning process.
Determine if fraud risks require special consideration when
conducting an engagement.
Complete a process review to improve controls to prevent fraud
and recommend changes.
Provide examples of fraud risk management controls.
Use computer data analysis, including continuous online
monitoring, to detect fraud.
Support a culture of fraud awareness, and encourage the
reporting of improprieties.
Describe the features of an effective whistleblower hotline.
Demonstrate an understanding of forensic auditing techniques.
Demonstrate an understanding of fraud interrogation/investigative
techniques.
According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study
Guide may be accessed using the links below. Access to specific
pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-
standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section discusses the basics of fraud and internal audit’s
responsibilities regarding fraud. Understanding the various types of
fraud, the threats fraud poses, and fraud controls is a crucial task for
internal audit, even though internal audit is often not tasked with the
actual detection and investigation of fraudulent activities.

Topic 1: Fraud Risks and Types
This topic covers fraud risk and the types of fraud. The topic also
discusses fraud risks that are present when conducting an
engagement.
According to The IIA
In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Practice Guide, “Engagement Planning: Assessing Fraud
Risks”
Practice Guide, “Internal Auditing and Fraud”

Fraud Risks and Types

According to The IIA
Implementation Standard 2120.A2 (Assurance Engagements)
The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud
risk.

In order to evaluate the potential for the occurrence of fraud, internal
auditors must first understand what fraud is and the different types of
fraud that may occur. The IPPF glossary defines fraud as:

Any illegal act characterized by deceit, concealment, or
violation of trust. These acts are not dependent upon the
threat of violence or of physical force. Frauds are
perpetrated by parties and organizations to obtain
money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.
Fraud risk is the probability that fraud will occur and the potential
consequences to the organization when it occurs.

Note that the specific legal definition of fraud may vary by jurisdiction.

Fraud is an area where the services of outside experts are often
retained. The internal auditor’s responsibilities for detecting fraud
during engagements include:
Considering fraud risks in the assessment of control design and
determination of audit steps to perform.
Having sufficient knowledge of fraud to identify red flags indicating
that fraud may have been committed.
Being alert to opportunities that could be considered conducive for
fraud, such as control weaknesses.
Evaluating the indicators of fraud and deciding whether any further
action is necessary or whether an investigation should be
recommended.
Notifying the appropriate authorities within the organization if a
determination is made that fraud has occurred to recommend an
investigation.

Examples of Fraud
Fraud is perpetrated by a person knowing that it could result in some
unauthorized benefit to him or her, to the organization, or to another
person, and it can be perpetrated by persons outside or inside the
organization. Some common fraud schemes include the following:

Asset misappropriation involves stealing cash or assets


(supplies, inventory, equipment, information) from the organization.
In many cases, the perpetrator tries to conceal the theft, usually by
adjusting the records.

Skimming occurs when cash is stolen from an organization before
it is recorded on the organization’s books and records.

Disbursement fraud occurs when a person causes the
organization to issue a payment for fictitious goods or services,
inflated invoices, or invoices for personal purchases.

Expense reimbursement fraud occurs when an employee is paid
for fictitious or inflated expenses.

Payroll fraud occurs when a person causes the organization to
issue a payment by making false claims for compensation.

Financial statement fraud involves misrepresenting the
organization’s financial statements, often by overstating assets or
revenue or understating liabilities or expenses.

Information misrepresentation involves providing false
information, usually to those outside the organization.

Corruption is the misuse of entrusted power for private gain.
Corruption includes bribery and other improper uses of power.

Bribery is the offering, giving, receiving, or soliciting of anything of
value to influence an outcome. Bribes may be offered to key
employees or managers such as purchasing agents who have
discretion in awarding business to vendors.

A diversion is an act to divert a potentially profitable transaction to
an employee or outsider.

Related-party activity is a situation where one party receives
some benefit not obtainable in a normal arm’s-length transaction.

Tax evasion is intentional reporting of false information on a tax
return to reduce taxes owed. By purposely structuring pricing
techniques improperly, management can improve their operating
results to the detriment of other organizations and one or more
countries’ taxation systems.

Internal controls must pass a cost-benefit test, and so not all controls
can be designed with a literal zero tolerance for fraud.

Developing Fraud Knowledge

According to The IIA
Implementation Standard 1210.A2 (Assurance Engagements)
Internal auditors must have sufficient knowledge to evaluate the
risk of fraud and the manner in which it is managed by the
organization, but are not expected to have the expertise of a
person whose primary responsibility is detecting and investigating
fraud.

Developing sufficient knowledge to evaluate the risk of fraud requires
learning about the fraud triangle and common red flags of fraud in
various types. Standard 1210.A2 also requires evaluating the manner
in which fraud is managed by the organization. This process may be
called an organization-wide fraud prevention, detection, and
investigation program. Organizations may develop sub-programs for
specific areas of fraud.

Fraud Triangle
The fraud triangle is a set of three conditions that, if present in the
right proportions, suggest the possibility of fraud: opportunity, motive,
and rationalization. The fraud triangle is shown in Exhibit 1-48.
Exhibit 1-48: The Fraud Triangle

These three conditions can be described as follows:

Opportunity. A process may be designed properly for
typical conditions. However, a window of opportunity may
arise for something to go wrong or that creates
circumstances for the control to fail.
An opportunity for fraud may exist due to poor control
design or lack of controls. For example, a system can be
developed that appears to protect assets but is missing an
important control. Anyone aware of the gap may be able
to take advantage of it without much effort.
Persons in positions of authority can create opportunities
to override existing controls (i.e., management override)
because subordinates or weak controls allow them to
circumvent the rules.

Motive (also called incentive or pressure). While people
can rationalize their acts, there needs to be an incentive
that entices them to behave that way.
A key motivator is the gratification of a desire, such as
greed, or an addiction.
Power is a great motivator. Power can be career-related
or simply gaining esteem in the eyes of family or
coworkers. For instance, some computer frauds are done
just to show that the hacker has the power to do it.
A third motivator is pressure, from either unrealistic job
requirements, physical stresses, or outside parties.

Rationalization. Fraud perpetrators must be able to justify
their actions to themselves as a psychological coping
mechanism, allowing them to believe that they have done
nothing wrong and are “normal people.” For example, these
individuals might consider that they were entitled to the
stolen item or that if executives break the rules, it must be
right for others to do so as well.
Some people will do things that are defined as
unacceptable behavior by the organization yet are
commonplace in their culture (e.g., bribery) or were
accepted by previous employers. As a result, these
individuals will not comply with rules that don’t make sense
to them.
Some people may have periods of financial difficulty in
their lives, have succumbed to a costly addiction, or are
facing other pressures. Consequently, they will rationalize
that they are just borrowing the money and, when their
lives improve, they will pay it back.
Others may feel that stealing from a company is not bad,
thereby depersonalizing the act.

Key Point
It is important to remember that it isn’t failures in systems, policies,
procedures, or controls that cause fraud—it’s people. People may
take advantage of these failures, but it is still a human activity, so
much of the discussion regarding detecting fraud relates to
understanding the motivations and rationalizations of people.

Although internal auditors may not be able to know the exact motive
or rationalization leading to fraud, they are expected to understand
enough about internal controls to identify opportunities for fraud.
Auditors also should understand fraud schemes and scenarios and be
aware of the signs that point to fraud and how to prevent such
schemes or scenarios. Information available from The IIA and other
professional associations or organizations should be reviewed to
ensure that the auditor’s knowledge is current.

Red Flags of Fraud

The internal auditor is a potential “early warning system” for the
organization by detecting the indicators of fraud, often called red
flags. Red flags are signs that indicate both the inadequacy of
controls in place to deter fraud and the possibility that some
perpetrator has overcome weak or absent controls to commit fraud.
Fraud red flags may surface at any stage of the internal audit. Red
flags are only warning signs; they are not proof that fraud has been
committed.

Red flags may relate to time, frequency, place, amount, or
personality. They include items such as:
Overrides of controls by management or officers.
Lack of separation of duties.
Irregular or poorly explained management activities.
Constantly exceeding goals/objectives regardless of business
conditions or competition.
Too many nonroutine transactions or journal entries.
Problems or delays in providing requested information.
Significant or unusual changes in customers or suppliers.
Transactions that lack documentation or normal approval.
Employees or management hand-delivering checks.
Customer complaints about delivery.
Employees exhibiting significant behavioral changes.
Poor IT access controls.

Environmental Red Flags

Environment may be viewed on a macro or micro level. The macro
level refers to conditions that affect an entire industry, a country, or a
global region, while the micro level refers to specific organizations.
Examples of macro-level red flags include:
Stiff competition, unfair trade practices, or economic downturns
that create pressure to perform or lead to layoffs that place
economic pressures on individuals. These conditions may generate
the motive to commit fraud.
Recently deregulated or poorly regulated industries in which
absence or laxity of controls creates opportunity for fraud, for
example, the ease of accessing cash in the business or the
complexity and opacity of transactions.
An industry or cultural trend toward dishonesty and disregard of
law and regulation (e.g., a history of corrupt practices by certain
types of government contractors, a pattern of bribe taking by
government officials). Perpetrators may point to a history or
climate of acceptance as rationalization for fraud.

The same types of red flags may be seen on the micro or
organizational level:
Financial motive from the loss of a lucrative contract, the pressure
to improve financial performance to obtain a loan or before issuing
stock, or a research and development failure that threatens the
organization’s product pipeline.
Reorganizations that disrupt control policies and create fraud
opportunity. Failure to screen may lead to hiring with the motive to
commit fraud (e.g., hiring supervisors who fail to implement,
enforce, and monitor control policies).
Failure to train all personnel in the organization’s ethical code. This
can contribute to a culture that easily rationalizes small and large
acts of fraud, including theft, bid rigging, kickbacks, and conflicts of
interest.

Two particular types of micro environments offer special opportunities
for fraud and challenges for internal auditing: international
organizations and organizations that rely heavily on technology.

International organizations. Internal audits of multinational
corporations may uncover many types of red flags that result from
the difficulty of maintaining controls in a decentralized and
multicultural organization. Bribery may be occurring in both
directions: Employees may be receiving kickbacks, and large,
poorly described expenditures may mask bribes to foreign officials.
Managers may carry ghost employees on the payroll. Differences
in exchange rates can be exploited.

Organizations dependent on computer technology. Computer
systems can be used to steal assets or intellectual property,
facilitate identity theft, tamper with controls and records, and then
hide the fraud. Internal auditors look for red flags of ineffective
security controls: poor network administration that fails to define
and enforce appropriate levels of access, lack of reports showing
unauthorized access to the system, use of passwords by
unauthorized users, users’ failure to use password protocols, lack
of firewalls to detect intruders, or users inviting intruders into a
system through careless internet use.

Industry-Specific Red Flags

It has been estimated that four industries alone account for more than
70% of white-collar fraud: financial services, insurance,
manufacturing, and energy. Organizations in such industries therefore
may see a significant return on investment from assurance that
controls are adequate and operating correctly related to fraud
prevention and detection.

The financial services sector—which includes banks, savings and loan
institutions, credit card companies, investment firms, and finance
companies—may often already satisfy at least two of the
components of fraud: motive and opportunity. The industry is highly
competitive, with high sales incentives, so both organizations and
individuals may be motivated to take unacceptable risks or misstate
sales and earnings.

Similarly, the insurance sector offers ready access to cash through
fraudulent claims or payouts to nonexistent clients or mis-evaluation
of underwritten properties.

Opportunity in the manufacturing sector includes complicated
procurement processes and lax oversight that allows cost overruns
and discrepancies. Closely held technology companies offer
opportunity for fraud to the handful of decision makers who know the
product.

In the energy sector, a decentralized structure, often international,
allows greater opportunity for fraud and for bribery to cover it up. It
may be difficult to evaluate assets or track profits. Customers may
not be able to verify what and how much they are actually receiving.

Perpetrator Red Flags

People committing fraud often display certain behaviors or
characteristics that may serve as warning signs or red flags.
Personal red flags include:
Living beyond one’s means.
Conveying dissatisfaction with the job to fellow employees.
Unusually close association with suppliers.
Severe personal financial losses.
Addiction to drugs, alcohol, or gambling.
Change in personal circumstances.
Developing outside business interests.

In addition, there are those who consistently rationalize poor
performance, perceive beating the system to be an intellectual
challenge, provide unreliable communications and reports, and rarely
take vacations or sick time (and when they are absent, no one
performs their work).

Perpetrators may be employees or managers.

Perpetrator Red Flags—Employees

An organization’s management and internal auditors need to be
trained to understand and identify the potential warning signs of
employee fraudulent conduct, which fall into the three main categories
of the fraud triangle.

Auditors look for behavioral signals, like a pattern of complaints
against an employee, a decline in employee morale or attendance,
abrupt resignations or evasiveness in answering questions, and a lack
of cooperation or an adversarial attitude during an audit.

Other red flags may signal the techniques used to commit the fraud.
These include:
Unexplained variances (e.g., abnormally high expenses versus
previous periods).
Unusual shortages in cash or inventories.
Missing or altered documents.
Invoice items inconsistent with the charge code or business
function.
Approval circumventions (e.g., splitting orders to stay below
approval thresholds).
Vendors with generic names or post office box addresses.
Manual transactions in an area characterized by automated
transactions.
Even amounts in an environment characterized by irregular
amounts.
Duplicate payments.
Using a fictitious “middle man” to divert company cash or assets.

Perpetrator Red Flags—Managers

Managers who are committing fraud against (instead of on behalf of)
their companies exhibit many of the same red flags as their
employees. They may have additional needs that stem from company
expectations. They may be late with reports, play favorites, and
demand loyalty from employees. Managers may have significantly
more opportunities for fraud.

Financial Statement Red Flags

Although external auditors are responsible for reviewing financial
statements and identifying financial statement fraud, internal auditors
may be asked to consult on the preparation of the financial statement
in order to avoid problems during the external audit. The CAE may
also need to form an overall opinion on the internal controls over
financial reporting (ICFR) based on all assurance and consulting
activity performed during the period. Internal auditors may be in a
position to detect irregularities before they become a public, costly
embarrassment to the organization.

Some red flags that may be associated with financial statements
follow.

Fictitious revenues. Unusual growth in income or profitability,
earnings growth despite recurring negative cash flows in some
parts of the organization, highly complex transactions (like those
used by the Enron Corporation, which board members and many
financial experts said they could not follow), end-of-reporting-period
transactions (e.g., channel loading, or building sales through
special incentives at the cost of sales in later periods), sales or
income attributed to unknown companies or areas, absence of
documentation for posted sales.

Improper asset valuation. Changes made to inventory counts,
fictitious sales accounts, unacknowledged and uncollected
liabilities, fictitious assets supported by fictitious documents.

Concealed liabilities. Unposted invoices from vendors, calling an
expense an asset (which can be depreciated or amortized), debts
assumed by shell companies (off-balance-sheet accounting),
reliance on subjective valuations, unusually low expenses or
purchases, unusually low level of loss (e.g., returns or warranty),
irregular accounting entries that reduce tax liabilities.

Improper disclosures. Poor communication of standards about
disclosure, ineffective boards of directors.

In general, a heavy concentration of authority in one individual or area
(usually combined with poor controls), evasiveness, a history of
dishonesty or disrespect for laws and regulations, the potential for
significant financial reward for certain individuals—these can all be
general red flags for financial statement fraud.

What to Do About Red Flags

An internal audit is not a fraud investigation. Identification of red flags
directs the scope of current and subsequent audit steps until sufficient
evidence is gathered to form an objective conclusion regarding the
existence of fraud.

When fraud is suspected, a best practice is for the internal auditor to
refer the case to the CAE, who will secure appropriate resources for
further investigation, such as a certified fraud examiner or an IT
security specialist.

Internal auditors assist fraud investigators by furnishing them with
analyses, appraisals, recommendations, counsel, and information
concerning the activities reviewed. The succeeding
auditor/investigator should be briefed on fraud risks in the
engagement, red flags noticed, fraud tests implemented to date, and
preliminary findings. To be better prepared to support fraud
investigations, internal auditors should be aware of how investigations
are conducted.

Topic 2: Fraud Controls

This topic discusses internal audit’s role in recommending and
assessing controls to prevent and detect fraud and how education
can improve an organization’s fraud prevention efforts.

According to The IIA

In addition to reviewing the contents of this topic, students can
review the following IIA materials:
Practice Guide, “Internal Auditing and Fraud”
Practice Guide, “Engagement Planning: Assessing Fraud
Risks”

Preventing and Detecting Fraud
After internal auditors have considered fraud scenarios and identified
and prioritized fraud risks, they should determine which controls, if
any, are in place to mitigate those risks. This can be done by
expanding the fraud risk matrix to include existing controls.

The fraud risk assessment team identifies preventive and detective
controls in place to address each fraud risk and assesses the
likelihood and significance of each potential fraud. Entity-level
anti-fraud controls are key elements to this exercise and may include:
Whistleblower hotline and whistleblower protection policy.
Board oversight.
Results of continuous monitoring.
Code of conduct.
Tone of management’s communications regarding fraud risk
tolerance.
Hiring and promotion guidelines and practices.
Continuous auditing.

The presence of these elements may indicate a strong control
environment that can help prevent fraud. Control activities should also
include the appropriate authority limits and segregation of
incompatible duties. Internal auditors consider not only the existence
of the internal controls; they also assess the effectiveness of the
controls through periodic testing.

The resulting fraud risk and control matrix should be included in
engagement workpapers.

Detective controls are designed to provide warnings or evidence that
fraud is occurring or has occurred. Simultaneous use of preventive
and detective controls enhances any fraud risk management
program’s effectiveness.

Fraud detection methods need to be flexible, adaptable, and
continuously changing to meet the changes in the risk environment. An
effective way for an organization to learn about existing fraud is to
provide employees, suppliers, and other stakeholders with a variety
of methods for reporting their concerns. Ways to collect this
information include:
Code-of-conduct confirmation.
Whistleblower hotline.
Exit interviews.
Proactive employee survey.

Other methods for fraud detection include surprise audits in high fraud
risk areas, continuous monitoring of critical data, and routine and/or
ad hoc matching of data against relevant transactions, vendor lists,
employee rosters, and other data.
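The transaction-level red flags listed for employees in the "Perpetrator Red Flags" section (split orders below the approval threshold, duplicate payments, even amounts in an irregular-amount population, post office box vendors, manual postings in an automated area) and the data matching described just above (vendor lists against employee rosters) can be scripted as routine tests. The following is an added illustration, not code from the study guide or The IIA; the disbursement register, the HR extract, the 5,000 approval limit and the 80% "automated area" cut-off are constructed assumptions.

```python
"""Red-flag tests over a constructed disbursement register (sample data, not real transactions)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000.00")  # assumed single-approver limit for this illustration

@dataclass(frozen=True)
class Payment:
    pay_id: str
    date: str            # YYYY-MM-DD
    vendor: str
    vendor_address: str  # as held in the vendor master file
    invoice: str
    amount: Decimal
    entry: str           # "auto" (system-generated posting) or "manual"

def _pay(pid, date, vendor, addr, inv, amount, entry="auto"):
    return Payment(pid, date, vendor, addr, inv, Decimal(amount), entry)

# Constructed one-week disbursement register.
PAYMENTS = [
    _pay("P1", "2024-03-04", "Acme Supplies", "12 Mill Rd, Dayton", "INV-1001", "1237.45"),
    _pay("P2", "2024-03-04", "Acme Supplies", "12 Mill Rd, Dayton", "INV-1002", "2650.10"),
    _pay("P3", "2024-03-05", "Northwind Parts", "88 Harbor St, Dayton", "INV-5530", "4900.00"),
    _pay("P4", "2024-03-05", "Northwind Parts", "88 Harbor St, Dayton", "INV-5531", "4850.00"),
    _pay("P5", "2024-03-06", "Acme Supplies", "12 Mill Rd, Dayton", "INV-1001", "1237.45", "manual"),
    _pay("P6", "2024-03-07", "Blue Ridge Consulting", "PO Box 4471, Springfield", "INV-77", "5000.00", "manual"),
    _pay("P7", "2024-03-08", "Northwind Parts", "88 Harbor St, Dayton", "INV-5540", "612.30"),
    _pay("P8", "2024-03-08", "Delta Freight", "401 Dock Ave, Toledo", "INV-9911", "2416.88"),
    _pay("P9", "2024-03-09", "Delta Freight", "401 Dock Ave, Toledo", "INV-9912", "3101.07"),
    _pay("P10", "2024-03-10", "Acme Supplies", "12 Mill Rd, Dayton", "INV-1010", "845.60"),
]

# Constructed HR roster extract: employee id -> home address.
EMPLOYEE_ADDRESSES = {"E-0017": "9 Elm Court, Dayton", "E-0102": "P.O. Box 4471, Springfield"}

def normalise_address(addr):
    """Lower-case, drop dots ('P.O.' -> 'po') and collapse punctuation and spacing."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower().replace(".", "")).strip()

def flag_split_orders(payments, threshold=APPROVAL_THRESHOLD):
    """Same vendor, same day, every payment below the limit, total at or above it."""
    groups = defaultdict(list)
    for p in payments:
        if p.amount < threshold:
            groups[(p.vendor, p.date)].append(p)
    return {k: [p.pay_id for p in v] for k, v in groups.items()
            if len(v) > 1 and sum(p.amount for p in v) >= threshold}

def flag_duplicate_payments(payments):
    """Same vendor and invoice number paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor, p.invoice)].append(p.pay_id)
    return [ids for ids in seen.values() if len(ids) > 1]

def flag_even_amounts(payments):
    """Whole-dollar amounts, reported only when most amounts in the population are not."""
    even = [p.pay_id for p in payments if p.amount == p.amount.to_integral_value()]
    if Decimal(len(even)) / Decimal(len(payments)) >= Decimal("0.5"):
        return []  # round amounts are normal in this population; nothing unusual
    return even

def flag_po_box_vendors(payments):
    """Vendors whose master-file address is a post office box."""
    pat = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
    return sorted({p.vendor for p in payments if pat.search(p.vendor_address)})

def flag_manual_entries(payments, automated_share=Decimal("0.8")):
    """Manual postings in an area that is otherwise automated (assumed cut-off: 80% system postings)."""
    auto = sum(1 for p in payments if p.entry == "auto")
    if Decimal(auto) / Decimal(len(payments)) < automated_share:
        return []
    return [p.pay_id for p in payments if p.entry != "auto"]

def match_vendors_to_employees(payments, employee_addresses):
    """Vendor addresses that coincide with an employee's home address (fictitious-vendor test)."""
    by_norm = {normalise_address(a): eid for eid, a in employee_addresses.items()}
    hits = {}
    for p in payments:
        eid = by_norm.get(normalise_address(p.vendor_address))
        if eid:
            hits[p.vendor] = eid
    return hits

def run_red_flag_tests(payments=PAYMENTS, employees=EMPLOYEE_ADDRESSES):
    return {
        "split_orders": flag_split_orders(payments),
        "duplicate_payments": flag_duplicate_payments(payments),
        "even_amounts": flag_even_amounts(payments),
        "po_box_vendors": flag_po_box_vendors(payments),
        "manual_entries": flag_manual_entries(payments),
        "vendor_employee_matches": match_vendors_to_employees(payments, employees),
    }
```

Each test returns identifiers rather than a verdict; a flagged item is a red flag to follow up in the fraud risk and control matrix, not proof that fraud occurred.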

Fraud Awareness Education

Fraud training is usually a key factor in the deterrence of fraud.
Training can cover the organization’s expectations for employees’
conduct, the procedures and standards necessary to implement
internal controls, and employee roles and responsibilities to report
misconduct.

Employee fraud training needs to be tailored to the organization and
the employees’ positions within the organization. Tailored training is
more effective than generic training, allowing employees to better
understand their role in the organization’s fraud detection system.

Periodic training throughout an employee’s career reinforces
awareness of fraud and its cost to the organization. Regardless of
the training method selected, a key goal of the training is to test the
employee’s comprehension of the fraud training.

Topic 3: Forensic Auditing

This topic discusses the role internal audit plays when using forensic
auditing and some of the different forensic auditing techniques
available to internal auditors.

Fraud Investigations
The internal audit activity plays an important role in contributing to the
overall governance of a fraud risk management program. This is
primarily evident from the independent assurance the activity provides
to the board and management that the controls in place to manage
fraud risks are designed adequately and operate effectively.

Key Point
The role of the internal audit activity in investigations needs to be
defined in the internal audit charter as well as in the fraud policies
and procedures.

For example, internal audit may have the primary responsibility for
fraud investigations, may act as a resource for investigations, or may
refrain from involvement in investigations entirely. This may vary from
organization to organization, based on organizational policy or
relevant local laws.

There are several reasons internal audit may not participate in
investigations, including that the activity may:
Have the responsibility for assessing the effectiveness of
investigations.
Lack the appropriate resources.
Lack internal auditors holding specialized training or certifications
necessary to gather evidence.

Investigators versus Internal Auditors

Investigators interview individuals, such as witnesses, to gather
evidence to support a suspicion of fraud and to establish the scope of
the fraud and the degree of complicity. While some internal auditors
are also qualified investigators, when this is not the case, it is
important that the internal auditors not conduct themselves as
investigators. The two roles should be separate and distinct.

However, internal audit involvement in fraud investigation can be
acceptable as long as the impact on internal auditing’s independence
is recognized and handled appropriately.

In some cases, in addition to using contractors, the internal audit
activity may use non-audit employees of the organization to assist. It
is often important to assemble the investigation team without delay.

In organizations where primary responsibility for the investigation
function is not assigned to internal audit, the activity may still be
asked to assist, for example, by:
Monitoring the investigation process to help the organization follow
relevant policies and procedures and applicable laws and statutes.
Locating and/or securing misappropriated or related assets.
Evaluating and monitoring the organization’s internal and external
post-investigation reporting and communication plans and
practices.
Monitoring the implementation of recommended control
enhancements.

Investigation Policies and Procedures

Management is responsible for developing controls for the
investigation process, including policies and procedures for effective
investigations, preserving evidence, handling the results of
investigations, reporting, and communications. Such standards are
often documented in a fraud policy; internal auditors may assist in the
evaluation of the policy. Such policies and procedures need to
consider the rights of individuals, the qualifications of those authorized
to conduct investigations, and the relevant laws where the fraud
occurred. The policies should also consider the extent to which
management will discipline employees, suppliers, or customers,
including taking legal measures to recover losses or civil or criminal
prosecution.

It is important for management to clearly define the authority and
responsibilities of those involved in the investigation, especially the
relationship between the investigator and legal counsel. It is also
important for management to design and comply with procedures that
minimize internal communications about an ongoing investigation,
especially in the initial phases.

The policy needs to specify the investigator’s role in determining
whether a fraud has been committed. Either the investigator or
management will decide if fraud has occurred, and management will
decide whether the organization will notify outside authorities. A
judgment that fraud has occurred may in some jurisdictions be made
only by law enforcement or judicial authorities. The investigation may
simply result in a conclusion that organization policy was violated or
that fraud is likely to have occurred.

Fraud Investigation Process

A fraud investigation consists of gathering sufficient information about
specific details and performing the procedures necessary to
determine whether fraud has occurred, the loss or exposures
associated with the fraud, who was involved, and how it happened.

An investigation plan is developed for each investigation, following the
organization’s investigation procedures. The lead investigator
determines the knowledge, skills, and other competencies needed to
carry out the investigation effectively and assigns competent,
appropriate people to the team who have no potential conflict of
interest with those being investigated or with any of the employees in
the organization.

The plan should consider the following investigative activities:
Gathering evidence through surveillance, interviews, or written
statements
Documenting and preserving evidence, considering legal rules of
evidence and the business uses of the evidence
Determining the extent of the fraud
Determining the techniques used to perpetrate the fraud
Evaluating the cause of the fraud
Identifying the perpetrators

The investigator may conclude at any point that the complaint or
suspicion is unfounded. The investigator then follows the
organization’s process to close the case.

Investigation Evidence
The collection and preparation of evidence is critical to understanding
the fraud or misconduct, and it is needed to support the conclusions
reached by the investigation team. The investigation team may use
computer forensic procedures or data analysis. All reports,
documents, and evidence obtained should be recorded
chronologically in an inventory or log. Some examples of evidence
include:
Memos and correspondence, both in hard copy and electronic form
(such as emails or information on personal computers).
Computer files, general ledger postings, etc.
IT or system access records.
Security timekeeping logs, videos, or access badge records.
Internal phone records.
Public or internal customer or vendor information, such as
contracts, invoices, and payment information.
Public records, such as business registrations or property records.
Social networking sites.

The level and extent of complicity in the fraud throughout the
organization needs to be assessed. This assessment can be critical
to not destroy or taint crucial evidence and to avoid obtaining
misleading information from persons who may be involved.

Interrogations
Generally, the accused is interrogated by two people: 1) an
experienced investigator and 2) another individual who takes notes
and functions as a witness if needed. It is essential that all
information obtained from the interrogation is rendered correctly.
Investigative activities need to be coordinated with management,
legal counsel, and other specialists such as HR and insurance risk
management as appropriate.

Investigators need to be knowledgeable and cognizant of the rights of
persons within the scope of the investigation. The investigator has the
responsibility to ensure that the investigation process is handled in a
consistent and prudent manner.

Fraud Reporting and Communicating

Reporting and communicating consists of the various oral, written,
interim, or final communications to senior management and/or the
board regarding the status and results of fraud investigations.

Communications may include the reason for beginning the
investigation, time frames, observations, conclusions, resolution, and
recommendations to improve controls.

Some additional considerations concerning fraud reporting are:
Submitting a draft of the proposed final communications to legal
counsel for review.
Notifying senior management and the board in a timely manner
when significant fraud or erosion of trust occurs or a fraud may
have a material effect on financial statements (e.g., a previously
undiscovered adverse effect on the organization’s financial position
and its operational results for one or more years).

The investigation needs to adequately secure evidence collected,
maintaining chain-of-custody procedures appropriate for the situation.
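The chronological evidence inventory described under Investigation Evidence and the chain-of-custody requirement just stated can be kept in a small append-only log: each item is hashed when collected, every hand-off is recorded against the current holder, and later integrity checks are logged whether they pass or fail. This is an added illustration, not code or guidance from the study guide or The IIA; the people, timestamps and the mailbox export in `demo_case` are constructed.

```python
"""Evidence inventory with integrity hashes and an append-only chain-of-custody log."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CustodyEvent:
    when: str        # ISO 8601 UTC timestamp, recorded by whoever logs the event
    action: str      # "collected", "transferred", "verified" or "integrity-failure"
    custodian: str   # who holds the item after this event
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source: str                     # where and how the item was obtained
    sha256: str                     # hash taken at collection; later checks compare against it
    events: list = field(default_factory=list)

    @property
    def custodian(self):
        return self.events[-1].custodian


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Inventory of items; every hand-off and integrity check is appended, never edited."""

    def __init__(self):
        self.items = {}

    def collect(self, item_id, description, source, content, custodian, when):
        if item_id in self.items:
            raise ValueError(f"{item_id} is already in the inventory")
        item = EvidenceItem(item_id, description, source, sha256_hex(content))
        item.events.append(CustodyEvent(when, "collected", custodian, f"sha256={item.sha256}"))
        self.items[item_id] = item
        return item

    def transfer(self, item_id, from_custodian, to_custodian, when, note=""):
        item = self.items[item_id]
        if item.custodian != from_custodian:
            # A hand-off by someone other than the recorded holder is a break in the chain.
            raise ValueError(f"{item_id} is held by {item.custodian!r}, not {from_custodian!r}")
        item.events.append(CustodyEvent(when, "transferred", to_custodian, note))

    def verify(self, item_id, content, when):
        """Re-hash the item as currently held and record whether it still matches collection."""
        item = self.items[item_id]
        digest = sha256_hex(content)
        ok = digest == item.sha256
        item.events.append(CustodyEvent(when, "verified" if ok else "integrity-failure",
                                        item.custodian, f"sha256={digest}"))
        return ok

    def chronology(self, item_id):
        """Events in time order, which is how the inventory or log should read."""
        return sorted(self.items[item_id].events, key=lambda e: e.when)


def demo_case():
    """Constructed walk-through: a mailbox export is collected, handed over, then checked twice."""
    export = b"From: buyer@example.invalid\nSubject: Re: invoice INV-1001\n(constructed export)\n"
    log = EvidenceLog()
    log.collect("EV-001", "Mailbox export, purchasing agent", "export requested from IT (constructed)",
                export, "J. Lee (internal audit)", "2024-03-11T09:02:00Z")
    log.transfer("EV-001", "J. Lee (internal audit)", "R. Ortiz (fraud examiner)",
                 "2024-03-11T14:30:00Z", "sealed envelope, receipt signed")
    intact = log.verify("EV-001", export, "2024-03-12T08:15:00Z")  # unchanged copy
    altered = log.verify("EV-001", export.replace(b"1001", b"1010"), "2024-03-12T08:16:00Z")
    try:  # the auditor no longer holds the item, so this hand-off must be refused
        log.transfer("EV-001", "J. Lee (internal audit)", "Legal counsel", "2024-03-12T09:00:00Z")
        broken_chain_rejected = False
    except ValueError:
        broken_chain_rejected = True
    return {
        "intact": intact,
        "altered": altered,
        "broken_chain_rejected": broken_chain_rejected,
        "custodian": log.items["EV-001"].custodian,
        "actions": [e.action for e in log.chronology("EV-001")],
    }
```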

According to The IIA

Performance Standard 2400, “Communicating Results”
Internal auditors must communicate the results of engagements.

According to The IIA

Performance Standard 2410, “Criteria for Communicating”
Communications must include the engagement’s objectives,
scope, and results.

As specified in these standards, distribution of investigation results
should be appropriately limited and information should be treated in a
confidential manner. Implementation Guide 2600 notes that
information regarding fraud comes under the category of “highly
significant risks that the CAE judges to be beyond the organization’s
tolerance level.”

In addition, communication of results should take care to protect
internal whistleblowers.

In the case of fraud, local laws may accelerate communication of
investigation reports to the board and may require reporting to local
authorities as well.

Resolution
Management and the board (not the internal audit activity or the
investigator) are responsible for resolving fraud incidents once a fraud
scheme and perpetrators have been fully investigated and evidence
has been reviewed.

When disclosures are voluntary rather than mandatory, management


or the board determines whether to inform entities outside the
organization after consultation with legal counsel, HR personnel, and
the CAE. The organization may be required to notify law
enforcement, regulators, insurers, bankers, and external auditors of
instances of fraud. Any comments made by management to the
press, law enforcement, or other external parties may be coordinated
through legal counsel in accordance with organizational policies.

Internal communications are used by management to reinforce its
position relating to integrity, to demonstrate that it takes appropriate
action when organizational policy is violated, and to show why internal
controls are important.

Lessons Learned
After the fraud has been investigated and communicated,
management and the internal audit activity consider lessons learned.
For example:
How did the fraud occur?
What controls failed?
What controls were overridden?
Why wasn’t the fraud detected earlier?
What red flags were missed by management?
What red flags did internal audit miss?
How can future fraud be prevented or more easily detected?
What controls need strengthening?
What internal audit plans and audit steps need to be enhanced?
What additional training is needed?

These sessions need to stress the importance of acquiring up-to-date
information on perpetrators and fraud schemes.

Internal auditors typically assess the facts of investigations and advise management on remediation of the control weaknesses that led to the fraud. Internal auditors may design steps in audit programs or develop “auditing for fraud” programs to help disclose the existence of similar frauds in the future.

Engagement Fraud Risks
According to The IIA
Implementation Standard 2210.A2 (Assurance Engagements)
Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

To ensure adequate review of the risks relevant to each engagement, internal auditors may conduct a fraud risk assessment as part of engagement planning. A full fraud risk assessment consists of five key steps:
Identify relevant fraud risk factors.
Identify potential fraud schemes and prioritize them based on risk.
Map existing controls to potential fraud schemes and identify gaps.
Test operating effectiveness of fraud prevention and detection controls.
Document and report the fraud risk assessment.

Note that a full fraud risk assessment is not always performed during engagement planning. Instead of conducting their own assessment, internal auditors may consider and discuss fraud risk with senior management or review the organization’s fraud risk assessment, if one is available.

Opportunity is the only factor in the fraud triangle that organizations can control directly. Internal auditors should note that those who engage in fraudulent activities may rationalize fraud not only for their own benefit but also for the benefit of the organization or an external individual or organization.

Based on the information gathered, internal auditors can begin contemplating potential fraud scenarios and fraud risks relevant to the area or process under review. Brainstorming fraud scenarios is an effective way to determine the characteristics and circumstances unique to the specific area or process that may produce opportunities and incentives for fraud. Internal auditors should brainstorm with individuals diverse in their knowledge, perspective, and relationship to the area or process under review.

Forensic Auditing Techniques
Forensic investigations and fraud examinations will depend heavily on computer forensics, computer data imaging, electronic evidence discovery, and the analysis of structured and unstructured data. Some examples of forensic auditing techniques include the following:
Rules-based descriptive tests and reporting use historical data with
simple and complex analytical weighted tests to identify areas of
risk. Alerts will be produced when a specific condition is met.
Keyword search scans free text fields and unstructured data
sources to identify suspicious or high-risk language.
Topic modeling uses text analytics to identify suspicious phrases,
high-risk topics, or unusual patterns of behavior in the free text
components of data. Beyond keyword searching, topic modeling
seeks to cluster, quantify, and group the key noun or noun phrases
in the data, enabling the investigative team to quickly gain an
understanding of what information may have been compromised.
Linguistic analysis also uses text analytics, identifying the emotive
tone of the communication. It identifies angry, frustrated, secretive,
harassing, or confused communications.
Pattern and link analysis is a data visualization technique that finds
hidden patterns and relationships in vast, seemingly unrelated data
sources.
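
The techniques above are easiest to see on data. The following Python is an added example, not code from the study guide or from The IIA; it runs three of the listed techniques over a handful of constructed accounts-payable records: rules-based descriptive tests that raise an alert when a condition is met, a keyword search over the free-text memo field, and a simple link analysis that joins two unrelated data sources (invoices and the employee master) to find a hidden relationship. The vendor names, amounts, dates, the 5,000 approval threshold, the "just under" band, and the keyword list are all assumptions made for the illustration.

```python
"""Added example, not from the study guide: a small forensic-analytics pass
over constructed accounts-payable records. It runs three of the techniques
described in the text: rules-based descriptive tests that raise an alert
when a condition is met, keyword search over free-text memo fields, and a
simple link analysis that surfaces a hidden relationship (an employee and a
vendor paid into the same bank account). Every record, threshold and keyword
below is an assumption made for the illustration."""
from collections import Counter, defaultdict
from datetime import date

APPROVAL_LIMIT = 5000.00   # assumed single-signature approval threshold
JUST_UNDER_BAND = 0.02     # flag amounts within 2% below the threshold
SUSPICIOUS_TERMS = ("keep this between us", "do not copy", "under limit",
                    "split", "cash only")   # assumed high-risk language

# Constructed sample invoices (floats are fine for a demo; use Decimal in
# real work). The vendor bank account is included for the link analysis.
INVOICES = [
    {"id": "INV-1001", "vendor": "Acme Supplies", "amount": 4990.00,
     "posted": date(2023, 3, 3), "memo": "Office chairs", "vendor_acct": "11-2233"},
    {"id": "INV-1002", "vendor": "Acme Supplies", "amount": 4990.00,
     "posted": date(2023, 3, 4), "memo": "Office chairs", "vendor_acct": "11-2233"},
    {"id": "INV-1003", "vendor": "Northwind Consulting", "amount": 12000.00,
     "posted": date(2023, 3, 6),
     "memo": "Consulting - split into two invoices to stay under limit",
     "vendor_acct": "55-0001"},
    {"id": "INV-1004", "vendor": "Blue Sky Catering", "amount": 812.37,
     "posted": date(2023, 3, 7), "memo": "Staff lunch", "vendor_acct": "77-9876"},
    {"id": "INV-1005", "vendor": "Northwind Consulting", "amount": 4999.99,
     "posted": date(2023, 3, 12),
     "memo": "Keep this between us, do not copy the controller",
     "vendor_acct": "55-0001"},
]

# Constructed employee master data; the AP clerk's bank account matches a vendor's.
EMPLOYEES = [
    {"name": "J. Doe", "role": "AP clerk", "bank_acct": "55-0001"},
    {"name": "R. Roe", "role": "Controller", "bank_acct": "88-4321"},
]


def rules_based_tests(invoices, limit=APPROVAL_LIMIT, band=JUST_UNDER_BAND):
    """Rules-based descriptive tests over historical data: each rule is a
    condition, and an (invoice id, rule) alert is produced whenever it is met."""
    alerts = []
    pair_counts = Counter((inv["vendor"], inv["amount"]) for inv in invoices)
    for inv in invoices:
        amount = inv["amount"]
        if limit * (1 - band) <= amount < limit:
            alerts.append((inv["id"], "amount just under approval limit"))
        if amount % 100 == 0:
            alerts.append((inv["id"], "round amount"))
        if inv["posted"].weekday() >= 5:       # 5 = Saturday, 6 = Sunday
            alerts.append((inv["id"], "posted on a weekend"))
        if pair_counts[(inv["vendor"], amount)] > 1:
            alerts.append((inv["id"], "duplicate vendor/amount"))
    return alerts


def keyword_search(invoices, terms=SUSPICIOUS_TERMS):
    """Keyword search over the free-text memo field (case-insensitive substring
    match). Returns (invoice id, matched terms) for every invoice with a hit."""
    hits = []
    for inv in invoices:
        memo = inv["memo"].lower()
        matched = [t for t in terms if t in memo]
        if matched:
            hits.append((inv["id"], matched))
    return hits


def link_analysis(invoices, employees):
    """Simple link analysis: build an account -> parties graph from two
    unrelated sources and report accounts shared by a vendor and an employee."""
    parties = defaultdict(set)
    for inv in invoices:
        parties[inv["vendor_acct"]].add(("vendor", inv["vendor"]))
    for emp in employees:
        parties[emp["bank_acct"]].add(("employee", emp["name"]))
    shared = []
    for acct, nodes in sorted(parties.items()):
        if {"vendor", "employee"} <= {kind for kind, _ in nodes}:
            shared.append((acct, sorted(nodes)))
    return shared


if __name__ == "__main__":
    for alert in rules_based_tests(INVOICES):
        print("RULE   ", *alert)
    for hit in keyword_search(INVOICES):
        print("KEYWORD", *hit)
    for link in link_analysis(INVOICES, EMPLOYEES):
        print("LINK   ", *link)
```

Running the script prints one line per alert. The point for a practitioner is that each rule is cheap and noisy on its own (round amounts and weekend postings are often innocent) and becomes evidence when the hits are read together: the same invoice is just under the approval limit, posted on a Sunday, carries secretive language in its memo, and is paid to an account that also belongs to the clerk who processes payables. That layering is what the investigative team then follows up with imaging and e-discovery.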

Bibliography
The following references were used in the development of Part 1 of The IIA’s CIA Challenge Exam Study Guide. Please note that all website references were valid as of April 2020.

“About the Profession.” The Institute of Internal Auditors, na.theiia.org/about-us/about-ia/Pages/About-the-Profession.aspx.

Adams, Pat, Sally Cutler, Bruce McCuaig, Sajay Rai, and James Roth. Sawyer’s Internal Auditing, sixth edition. Lake Mary, Florida: The Institute of Internal Auditors Research Foundation, 2012.

“All in a Day’s Work: A Look at the Varied Responsibilities of Internal Auditors.” The Institute of Internal Auditors, na.theiia.org/about-ia/PublicDocuments/06262_All_In_A_Days_Work-Rev.pdf.

American Institute of Certified Public Accountants. “Management Antifraud Programs and Controls.” New York: American Institute of Certified Public Accountants, Inc., 2002.

Anderson, Urton, and Andrew J. Dahle. Applying the International Professional Practices Framework, fourth edition. Lake Mary, Florida: The Institute of Internal Auditors, 2018.

Anderson, Urton, and Andrew J. Dahle. Implementing the Professional Practices Framework, second edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.

Anderson, Urton, and Andrew J. Dahle. Implementing the International Professional Practices Framework, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.

Anderson, Urton, et al. Internal Auditing: Assurance and Advisory Services, fourth edition. Lake Mary, Florida: The Institute of Internal Auditors, 2017.

AS/NZS ISO 31000:2009, “Risk Management—Principles and Guidelines.” Standards Australia/Standards New Zealand, www.standards.govt.nz.

“Assessing the Adequacy of Risk Management Using ISO 31000” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

“Assessing the Risk Management Process” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2019.

Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.

“The Audit Committee: Purpose, Process, Professionalism.” The Institute of Internal Auditors, www.yumpu.com/en/document/view/36619613/the-audit-committee-purpose-process-professionalism.

“Auditing External Business Relationships” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.

“Auditing Privacy Risks” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“Auditing Techniques” course. Altamonte Springs, Florida: The Institute of Internal Auditors.

“Basel III: International Regulatory Framework for Banks.” Bank for International Settlements, www.bis.org/bcbs/basel3.htm?m=3%7C14%7C572.

Baxter, Ralph. “The Role of Spreadsheets in Today’s Corporate Climate.” ITAudit, Vol. 9, December 2006.

Biegelman, Martin T., and Joel T. Bartow. Executive Roadmap to Fraud Prevention and Internal Control—Creating a Culture of Compliance. Hoboken, New Jersey: John Wiley and Sons, 2006.

“Business Continuity Management” (Global Technology Audit Guide [GTAG] 10). The Institute of Internal Auditors, 2009.

Chartered Professional Accountants Canada (CPA Canada), www.cpacanada.ca.

“Chief Audit Executives—Appointment, Performance Evaluation, and Termination” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

“COBIT 5: Enabling Processes.” ISACA, www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx.

“COBIT 2019 Framework: Introduction and Methodology.” Schaumburg, Illinois: ISACA (www.isaca.org), 2018.

Coenen, Tracy L. “The Fraud Files: The True Cost of Fraud.” Wisconsin Law Journal, May 24, 2006.

Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org.

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrated Framework. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2004.

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrating with Strategy and Performance. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2017.

Committee of Sponsoring Organizations of the Treadway Commission. Fraud Risk Management Guide. 2016.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework. Jersey City, New Jersey: American Institute of Certified Public Accountants, 1994.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework (2013). Jersey City, New Jersey: American Institute of Certified Public Accountants, 2013.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Over Financial Reporting—Guidance for Smaller Public Companies. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2006.

“Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition” (Global Technology Audit Guide [GTAG] 3). The Institute of Internal Auditors, 2015.

“Coordinating Risk Management and Assurance” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“Corporate Governance: A Practical Guide.” London Stock Exchange, www.ecgi.org/codes/documents/rsmi_lse_guide2004.pdf, 2004.

Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

“Corporate Governance Principles and Recommendations with 2010 Amendments.” ASX Corporate Governance Council, www.asx.com.au/documents/asx-compliance/cg_principles_recommendations_with_2010_amendments.pdf.

“Corporate Social Responsibility: Opportunities for Internal Audit” course. Altamonte Springs, Florida: The Institute of Internal Auditors.

Daft, Richard L., and Dorothy Marcic. Understanding Management, tenth edition. Boston, Massachusetts: Cengage Learning, 2015.

“Demonstrating the Core Principles for the Professional Practice of Internal Auditing” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2019.

Directory of Software Products for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

Elkington, John. Cannibals with Forks: Triple Bottom Line of 21st Century Business. Stony Creek, Connecticut: New Society Publishers, 1998.

“Engagement Planning: Assessing Fraud Risks” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2017.

“Enterprise Risk Management: What’s New? What’s Next” seminar. Altamonte Springs, Florida: The Institute of Internal Auditors.

“Environmental, Health, and Safety Guidelines.” International Finance Corporation, www.ifc.org/wps/wcm/connect/topics_ext_content/ifc_external_corporate_site/sustainability-at-ifc/policies-standards/ehs-guidelines.

“Evaluating Corporate Social Responsibility/Sustainable Development” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

Financial Reporting Council (FRC), www.frc.org.uk/Home.aspx.

“Formulating and Expressing Internal Audit Opinions” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.

Fraser, John, and Hugh Lindsay. 20 Questions Directors Should Ask About Internal Audit. Toronto, Ontario: The Canadian Institute of Chartered Accountants, 2004.

Fraud Examiners Manual, 2003 edition. Austin, Texas: Association of Certified Fraud Examiners, 2003.

“Frequently Asked Questions.” The Institute of Internal Auditors, na.theiia.org/about-us/about-ia/Pages/Frequently-Asked-Questions.aspx.

Frigo, Mark L. A Balanced Scorecard Framework for Internal Auditing Departments. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2002.

Galloway, David. Internal Auditing: A Guide for the New Auditor, second edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2002.

Global Reporting Initiative, www.globalreporting.org.

Glover, Hubert D., and James C. Flag. Effective Fraud Detection and Prevention Techniques Practice Set. Altamonte Springs, Florida: The Institute of Internal Auditors, 1993.

Gray, Glen L. Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2004.

“Guidance on Risk Management, Internal Control and Related Financial Business Reporting.” Financial Reporting Council, 2014.

Hubbard, Larry. Control Self-Assessment: A Practical Guide. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

Hutton, David W. The Change Agents’ Handbook. Milwaukee, Wisconsin: ASQ Quality Press, 1994.

“The IIA’s Global Internal Audit Competency Framework.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2013.

“The IIA’s Three Lines Model: An Update of the Three Lines of Defense.” Lake Mary, Florida: The Institute of Internal Auditors, 2020.

“IIA Position Paper on Resourcing Alternatives for the Internal Audit Function.” Altamonte Springs, Florida: The Institute of Internal Auditors.

“Independence and Objectivity” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.

“Information Technology Risks and Controls, 2nd Edition” (Global Technology Audit Guide [GTAG] 1). The Institute of Internal Auditors, 2012.

Institute of Chartered Accountants in England and Wales (ICAEW), www.icaew.com.

The Institute of Directors in Southern Africa (IoDSA), www.iodsa.co.za.

The Institute of Internal Auditors, www.theiia.org.

“Integrated Auditing” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“Interaction with the Board” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.

Internal Audit Foundation. Sawyer’s Internal Auditing, seventh edition. Lake Mary, Florida: Internal Audit Foundation, 2019.

Internal Audit Reporting Relationships: Serving Two Masters. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003.

“Internal Auditing and Fraud” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.

International Professional Practices Framework (IPPF), 2017 Edition. Lake Mary, Florida: The Institute of Internal Auditors, 2017.

“International Standards for the Professional Practice of Internal Auditing (Standards).” The Institute of Internal Auditors, na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx.

“Interpersonal Skills—Abilities Needed to Interact With Others Effectively.” The Institute of Internal Auditors. (As of April 2018, this publication is suppressed.)

ISO 14001:2015, “Environmental Management Systems.” ISO, www.iso.org/standard/60857.html.

ISO 26000:2010, “Guidance on Social Responsibility.” ISO, www.iso.org/standard/42546.html.

ISO 31000:2018, “Risk Management—Guidelines.” ISO, www.iso.org/standard/65694.html.

ISO 31010:2009, “Risk Management—Risk Assessment Techniques.” ISO, www.iso.org/standard/51073.html.

ISO Guide 73:2009, “Risk Management—Vocabulary.” ISO, www.iso.org/standard/44651.html.

Jerskey, Pamela. “Automated Workpapers Made Easy.”

Keith, Jonnie T. “Killing the Spider.” Internal Auditor, April 2005.

“King IV Report.” Institute of Directors of Southern Africa, www.iodsa.co.za/page/KingIVReport, 2016.

“The Laws That Govern the Securities Industry—Sarbanes-Oxley Act of 2002.” Securities and Exchange Commission, www.sec.gov/about/laws.shtml.

Mainardi, Robert L. Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology. Hoboken, New Jersey: John Wiley, 2011.

“Managing and Auditing IT Vulnerabilities” (Global Technology Audit Guide [GTAG] 6). The Institute of Internal Auditors.

“Managing the Business Risk of Fraud: A Practical Guide.” The Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners, 2008, global.theiia.org/standards-guidance/Public%20Documents/fraud%20paper.pdf.

Marcella, Albert J., Jr., and Carol Stucki. Privacy Handbook. Hoboken, New Jersey: John Wiley and Sons, 2003.

Marks, Norman. “Auditing Governance Processes.” Internal Auditor (Ia), February 2012.

Mautz, Robert K. Internal Control in U.S. Corporations: The State of the Art. New York: Financial Executives Research Foundation, 1980.

McNamee, David. Business Risk Assessment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.

McNamee, David. “Risk Management and Risk Assessment.” Pleier Corporation, www.pleier.com/rmra.htm.

“Measuring Internal Audit Effectiveness and Efficiency” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

Miccolis, Jerry A., Kevin Hively, and Brian W. Merkley. Enterprise Risk Management: Trends and Emerging Practices. Altamonte Springs, Florida: The Institute of Internal Auditors, 2001.

“Model Internal Audit Activity Charter.” The Institute of Internal Auditors, global.theiia.org/standards-guidance/recommended-guidance/Pages/Model-Internal-Audit-Activity-Charter.aspx.

“OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” Organisation for Economic Co-operation and Development, www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.

Operational Auditing. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.

“The Path to Quality.” The Institute of Internal Auditors, na.theiia.org/services/quality/Public_Documents/Path to Quality.pdf.

Pickett, K. H. Spencer, and Jennifer M. Pickett. The Internal Auditing Handbook, second edition. West Sussex, England: John Wiley and Sons, 2003.

“Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control.” The Institute of Internal Auditors, 2005.

PricewaterhouseCoopers. Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.

PricewaterhouseCoopers. Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

Privacy Rights Clearinghouse, www.privacyrights.org.

Quality Assessment Manual for the Internal Audit Activity, 2017 IPPF Aligned. Lake Mary, Florida: Internal Audit Foundation, 2017.

Quality Assessment Manual, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.

“Quality Assurance and Improvement Program” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

Reding, Kurt F., Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sri Ramamoorti, Mark Salamasick, and Cris Riddle. Internal Auditing: Assurance and Consulting Services. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation, 2007.

“Reliance by Internal Audit on Other Assurance Providers” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.

“Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.” Association of Certified Fraud Examiners, www.acfe.com/report-to-the-nations/2018/.

“Revised Guidance for Directors on the Combined Code.” Financial Reporting Council, www.ecgi.org/codes/documents/frc_ic.pdf.

Rife, Randal. “Planning for Success.” Internal Auditor (Ia), October 2006.

“Risk Assessment in Practice.” COSO, www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskassessmentinpractice.pdf, 2012.

“The Role of Internal Auditing in Enterprise-Wide Risk Management.” The Institute of Internal Auditors, global.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf, 2009.

Roth, James. Control Model Implementation: Best Practices. Altamonte Springs, Florida: The Institute of Internal Auditors, 1997.

Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.

Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing—Instructor’s Guide. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003.

Sobel, Paul. “Internal Auditing’s Role in Risk Management.” bookstore.theiia.org/internal-auditings-role-in-risk-management, March 2011.

Steinberg, Richard M., and Deborah Pojunis. “Corporate Governance: The New Frontier.” Internal Auditor (Ia), December 2000.

“The Three Lines of Defense in Effective Risk Management and Control.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2013.

Verschoor, Curtis C. Audit Committee Briefing: Understanding the 21st Century Audit Committee and Its Governance Roles. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

Verschoor, Curtis C. Governance Update 2003: Impact of New Initiatives on Audit Committees and Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003.

“What Is COBIT 5?” ISACA, www.isaca.org/COBIT/Pages/default.aspx.