
OVERVIEW OF INTERNAL AUDITING
BY GROUP 1

INTERNATIONAL PROFESSIONAL PRACTICE FRAMEWORK
- A conceptual framework that organizes authoritative guidance promulgated by the Institute of Internal Auditors

Institute of Internal Auditors
- trustworthy, global & guidance-setting body that provides internal audit professionals worldwide with authoritative guidance organized in the IPPF

International Professional Practice Framework

Authoritative Guidance

Mandatory Guidance
• Required and essential for the professional practice of internal auditing
• Developed following an established due diligence process, which includes a periodic public exposure for stakeholder input

Recommended Guidance
• Endorsed by the IIA through formal approval process
• Describes practices for effective implementation of the elements of Mandatory Guidance

Mandatory Guidance
ELEMENTS

• Core Principles for the Professional Practice of Internal Auditing
• Definition of Internal Auditing
• Code of Ethics
• International Standards for the Professional Practice of Internal Auditing (Standards)

Recommended Guidance
ELEMENTS

• Implementation Guidance
• Supplemental Guidance


Implementation Guidance
DEFINITION

• Assists internal auditors in applying the Standards & Code of Ethics
• Collectively address IA’s approach, methodologies, and considerations, but do not detail the process or procedures

Supplemental Guidance
DEFINITION

• Provide detailed guidance for conducting internal audit activities
• Include the procedures, steps, techniques, etc. for implementation guidance

WHAT IS INTERNAL AUDITING?
• Internal Audit (IA) is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
• IA is responsible for assessing the effectiveness of risk management, control and governance processes and for providing insight and recommendations that can enhance these processes, particularly relating to:
  • Effectiveness of operations;
  • Reliability of financial management and reporting; and
  • Compliance with laws and regulations.

INTERNAL VS. EXTERNAL AUDITORS

SIMILARITIES BETWEEN INTERNAL AND EXTERNAL AUDITORS

The mission of Internal Audit?
• To enhance and protect organizational value by providing risk-
based and objective assurance, advice and insight, whilst
consistently building trust and strengthening the relationship
with our clients, through the delivery of high quality and
distinctive internal audit services.

Professional Standards for Internal Auditors
• According to the IIA Code of Ethics, IAs are expected to uphold the
following principles:

The importance of having an Audit Committee (AC)
The primary purpose of an AC is to provide oversight of the financial
reporting process, the audit process, the system of internal controls
and compliance with laws and regulations.

What are Internal Controls?

• Internal Controls (IC) are a set of policies (guidelines, manuals) and procedures (processes) which Management has the responsibility of implementing and maintaining
• The objective of IC is to provide reasonable assurance that business’ goals are achieved
• IC aim to detect and prevent misstatements which may arise from fraud and error
• A good IC structure is also established in order to:
  1. Maximize the efficiency and effectiveness of operations;
  2. Safeguard the business’ assets from loss or damage due to inefficiency, error or fraud;
  3. Provide accurate, timely, reliable and relevant accounting information through proper maintenance of accounting records; and
  4. Ensure compliance with all applicable laws and regulations.

Example of IC in Financial Reporting

TOP LEVEL
Overall objective is to prepare and issue reliable financial information

DETAILED LEVEL (Accounts Receivable)


1. All goods shipped are accurately billed in the proper period.
2. Invoices are accurately recorded for all authorized shipments and only for such
shipments.
3. Authorized and only authorized sales returns and allowances are accurately
recorded.
4. The continued completeness and accuracy of accounts receivable is ensured.
5. Accounts receivable records are safeguarded.

Types of controls

Other Controls
• Complementary: Function together to achieve same control objective
• Redundant: Addresses the same control objective
• Compensating Control: Reduces the risk that a potential control weakness will result in a misstatement

The International Standards for the Professional Practice of Internal Auditing
The purpose of the Standards is to:
1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards are a set of principles-based, mandatory requirements consisting of:
• Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.

Attribute Standards (S-1000)
Address the characteristics that the internal audit function
and individual internal auditors must possess to perform
effective assurance and consulting services

1000 Purpose, Authority, and Responsibility
1100 Independence and Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program

1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Definition of Internal
Auditing, the Code of Ethics, and the Standards. The chief audit executive must
periodically review the internal audit charter and present it to senior management
and the board for approval.

• 1000.A1 – The nature of assurance services provided to the organization must be defined in the
internal audit charter. If assurances are to be provided to parties outside the organization, the
nature of these assurances must also be defined in the internal audit charter.
• 1000.C1 – The nature of consulting services must be defined in the internal audit charter.

1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

1100 Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be
objective in performing their work.

1110 Organizational Independence
The chief audit executive must report to a level within the organization that allows the
internal audit activity to fulfill its responsibilities. The chief audit executive must confirm
to the board, at least annually, the organizational independence of the internal audit
activity.
1110.A1 – The internal audit activity must be free from interference in determining
the scope of internal auditing, performing work, and communicating results.
1111 Direct Interaction with the Board

1120 Individual Objectivity

1130 Impairment to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the
impairment must be disclosed to appropriate parties. The nature of the disclosure will
depend upon the impairment.
• 1130.A1 – Internal auditors must refrain from assessing specific operations for which they were
previously responsible. Objectivity is presumed to be impaired if an internal auditor provides
assurance services for an activity for which the internal auditor had responsibility within the
previous year.
• 1130.A2 – Assurance engagements for functions over which the chief audit executive has
responsibility must be overseen by a party outside the internal audit activity.
• 1130.C1 – Internal auditors may provide consulting services relating to operations for which they
had previous responsibilities.
• 1130.C2 – If internal auditors have potential impairments to independence or objectivity relating
to proposed consulting services, disclosure must be made to the engagement client prior to
accepting the engagement.
1200 Proficiency and Due Professional Care
• Engagements must be performed with proficiency and due professional care.
1210 Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively must possess
or obtain the knowledge, skills, and other competencies needed to perform its
responsibilities.
1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors
lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner
in which it is managed by the organization, but are not expected to have the expertise of a person whose
primary responsibility is detecting and investigating fraud.
1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and
controls and available technology-based audit techniques to perform their assigned work. However, not
all internal auditors are expected to have the expertise of an internal auditor whose primary
responsibility is information technology auditing.
1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice
and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to
1220 Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – Internal auditors must exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives;
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control processes;
• Probability of significant errors, fraud, or noncompliance; and
• Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care internal auditors must consider the use of
technology-based audit and other data analysis techniques.
1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with
due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – Internal auditors must exercise due professional care during a consulting
engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of engagement results;
• Relative complexity and extent of work needed to achieve the engagement’s objectives; and
• Cost of the consulting engagement in relation to potential benefits.

1220 Continuing Professional Development


Internal auditors must enhance their knowledge, skills, and other
competencies through continuing professional development.
1300 Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity.

1310 Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.
1311 Internal Assessments
Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit activity; and
• Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
1312 External Assessments
External assessments must be conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the organization. The chief audit
executive must discuss with the board:
• The form and frequency of external assessment; and
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

1320 Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and
improvement program to senior management and the board.

1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
The chief audit executive may state that the internal audit activity conforms with the
International Standards for the Professional Practice of Internal Auditing only if the results of
the quality assurance and improvement program support this statement.
1322 Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the
Standards impacts the overall scope or operation of the internal audit activity, the chief audit
executive must disclose the nonconformance and the impact to senior management and the
board.
Performance Standards (S-2000)
Describe the nature of internal audit services and the criteria
against which the performance of these services can be
assessed

2000 Managing the Internal Audit Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2400 Resolution of Senior Management’s Acceptance of Risks

PS 2000- Managing the Internal Audit Activity
The CAE must effectively manage the internal
audit activity to ensure that it adds value to the
organization.

PS 2100- Nature of Work


The internal audit activity must evaluate and
contribute to the improvement of governance, risk
management and control processes using a
systematic and disciplined approach.

PS 2100- Nature of Work for the Internal Audit Activity
RISK
Help organization manage risk by-
• Identifying and evaluating significant exposures of
risk
• Contributing to the improvement of risk
management and control systems
• Monitoring and evaluating risk management system
CONTROL
Help organization maintain effective controls by-
• Evaluating the effectiveness and efficiency of
controls
• Promoting the continuous improvement of the
control environment
GOVERNANCE
Help an organization assess and make
recommendations for improving governance in its
accomplishment of the following objectives:
• Promoting appropriate ethics and values within
the organization
• Ensuring effective organizational performance
management and accountability
• Effectively communicating risk and control info
to appropriate areas of the organization
• Effectively coordinating the activities of and
communicating info among the board, external
and internal auditors and management
IMPLEMENTATION STANDARDS
The Implementation Standards expand upon Attribute and
Performance Standards and provide separate mandatory
instructions for implementing the Attribute Standards and
Performance Standards depending on whether the engagement
is to be for assurance (A) or consulting (C)

The Standards Glossary defines an engagement as “specific internal audit assignment, task, or
review activity such as an internal audit, control self-assessment review, fraud examination or consultancy

PRACTICE ADVISORIES
Practice Advisories help Internal Auditors put the
mandatory Standards into practice. PAs are IIA-endorsed and
provide concise and timely guidance to assist internal
auditors in interpreting and applying the Code of Ethics and
Standards and promoting best practices.

• PAs are intended for the use of IIA members and are therefore password protected on the IIA's website

PRACTICE GUIDES
Practice Guides provide detailed guidance for
conducting internal audit activities and include
detailed processes and procedures such as tools and
techniques, programs, step-by-step approaches
including examples of deliverables.

POSITION PAPERS
Position Papers are IIA statements to assist a wide range of
interested parties, including those not in the practice of the
internal audit profession, in understanding significant
governance, risk or control issues and delineating the related
roles and responsibilities of the internal audit profession.

Thank You.
