Unit 1 – Foundations of Internal Auditing Notes
IPPF
• Mission – Enhance and protect org value. IPPF helps facilitate this mission.
• Mandatory Guidance:
o Core principles – Are basis for internal audit effectiveness. There are 10 core
principles, namely integrity, dpc, independent, alignment to strategies,
positioned and adequately resourced, QAIP, effective communication,
promotes improvement, risk based and future focused.
o Definition
o Standards (Purposes)
▪ Guidance adherence with mandatory elements of IPPF.
▪ Framework to help add value.
▪ Use standards to determine performance.
▪ Foster improved org processes and operations (add value).
▪ Attribute stds (1000) – Govern responsibility, attitudes and actions of
IAA.
▪ Performance stds (2000) - Govern nature of IA and provide quality
criteria.
▪ Implementation stds – Expand upon attributes and performance stds
by providing requirements applicable to assurance and consulting
activities.
o Code of ethics (Refer below)
o The core principles and definition are reflected in the standards and code of
ethics. Thus conforming to standards and code of ethics demonstrates
conformance with all mandatory elements of the IPPF.
o If the standards and other requirements are inconsistent, IA must conform to
standards.
• Recommended Guidance: (help in implementing mandatory guidance)
o Implementation guidance
o Supplemental guidance
Purpose, Authority and Responsibility of IAA (This is in the charter)
• Purpose (This would be the definition of IA)
o Assurance services:
▪ Nature and scope determined by IA.
▪ Three parties – process owner, IA and user.
▪ Examples – Financial, performance, compliance, system security and
due diligence.
o Consulting services
▪ Nature and scope agreed with engagement client.
▪ Two parties – IA and engagement client.
▪ Examples – Counsel, advice, facilitation and training.
• Authority – Auditees grant access of all records relevant to performance of
engagement.
• Final approval of the charter resides with the board.
• Responsibility – IAA to provide org with assurance and consulting activities.
, Code of ethics (The purpose of the COE is to promote ethical culture)
• The COE extends beyond the definition of IA to include two components:
- Principles
- Rules of conduct – Aid to interpreting the principles and guide ethical conduct of IA.
• COE is applicable to everyone.
• Breaches to the COE will be evaluated according to (i) IIA bylaws (ii) Disposition of
COE violation process and (iii) Disposition of certification violation process.
• Refer to the rules of conduct below:
• Integrity (Foundation of the other three principles)
o IA shall (definition):
▪ Perform work with honesty, diligence and responsibility.
▪ Observe law.
▪ Not knowingly be part of any illegal activity.
▪ Respect and contribute to objectives of org.
o CAE responsibility with integrity is (i) culture of integrity, (ii) establish policies
and procedures and (iii) integrity training.
o Ways IA can identify and measure integrity (i) awareness and understanding
of integrity and (ii) Mandatory guidance and supporting practice.
o Conformance with integrity:
▪ Maintaining and reporting on QAIP.
▪ Participation in CPE.
o Demonstration of Integrity for IAA:
▪ Supervision of engagements.
▪ Performance of self-assessments.
• Objectivity
o IA shall (definition):
▪ Not participate in activity that may impair or presume to impair their
unbiased assessment.
▪ Not accept anything that may impair or presume to impair their
judgement.
▪ Disclose all material facts known to them.
o A material ownership interest in a competitor is allowable (Can have shares in
outsurance) and IA can take action to enhance the value of the
shares/interest.
o IA cannot assure anonymity when information is communicated to them. IA
can promise merely to attempt to keep the source of information confidential.
o Conflict of interest examples:
▪ Certain dealings in commercial properties (excluding rental activity)
▪ Sales of services by IA to organization
▪ Participating in non-public service organisations e.g. being a
consultant to third parties which conduct business to organization.
▪ Performing an audit in a department managed by family member.
▪ Accepting bonus on work accomplished during an audit.
▪ Auditing an area in which IA had management responsibility within
one year.
▪ Accepting gifts that exceeds policy limits.
▪ IA working in non-audit and accepts gifts. etc.
o Conformance with objectivity:
▪ Policies and procedures.
▪ Trainings about objectivity.
, ▪ Documenting rationale for allocation of resources and potential
conflict of interest.
▪ Documenting potential conflict of interest for outsourced and
cosourced.
▪ Review of WP.
▪ Feedback from post engagement surveys.
▪ Assessment of QAIP.
• Confidentiality
o Org issue information security policies to protect data.
o IA precautions when handling data:
▪ Collect only info required for the engagement
▪ Have controls over data
▪ Delete data when done with engagement
o IA shall (definition):
▪ Prudent use and protection of info.
▪ Not use info for personal gain.
o Conformance with confidentiality:
▪ Policies, procedures and training.
▪ Documenting and retaining records of disclosures.
▪ Documenting and retaining distribution restrictions.
▪ No violation or investigations regarding confidentiality means IAA is in
conformance this principle.
• Competence
o IA shall (definition):
▪ Engage in services which they have the necessary skills and
knowledge.
▪ Perform IA services in accordance with ISPPIA.
▪ Continually improve their proficiency.
o Conformance with competence:
▪ QAIP program, training, performance reviews, feedback from
stakeholders and engagements properly resources and supervised.
▪ IPPF Mandatory guidance.
o Evidence of skills, knowledge and experience of IA can be evidenced
through qualifications and relevant work history.
Internal Audit Charter
• Documents purpose, authority and responsibility (PAR) of IAA.
• CAE must periodically review charter.
• Board approves charter.
• Auditee not allowed to place scope limitation.
• Engagement clients informed of PAR.
• CAE retains approved charter.
• To create charter CAE must understand the mission of IA and mandatory elements.
• CAE may need to refer to the legal counsel or board secretary with regards to
preferred format of charter.
• Meeting minutes are evidence of the discussion of the charter.
IPPF
• Mission – Enhance and protect org value. IPPF helps facilitate this mission.
• Mandatory Guidance:
o Core principles – Are basis for internal audit effectiveness. There are 10 core
principles, namely integrity, dpc, independent, alignment to strategies,
positioned and adequately resourced, QAIP, effective communication,
promotes improvement, risk based and future focused.
o Definition
o Standards (Purposes)
▪ Guidance adherence with mandatory elements of IPPF.
▪ Framework to help add value.
▪ Use standards to determine performance.
▪ Foster improved org processes and operations (add value).
▪ Attribute stds (1000) – Govern responsibility, attitudes and actions of
IAA.
▪ Performance stds (2000) - Govern nature of IA and provide quality
criteria.
▪ Implementation stds – Expand upon attributes and performance stds
by providing requirements applicable to assurance and consulting
activities.
o Code of ethics (Refer below)
o The core principles and definition are reflected in the standards and code of
ethics. Thus conforming to standards and code of ethics demonstrates
conformance with all mandatory elements of the IPPF.
o If the standards and other requirements are inconsistent, IA must conform to
standards.
• Recommended Guidance: (help in implementing mandatory guidance)
o Implementation guidance
o Supplemental guidance
Purpose, Authority and Responsibility of IAA (This is in the charter)
• Purpose (This would be the definition of IA)
o Assurance services:
▪ Nature and scope determined by IA.
▪ Three parties – process owner, IA and user.
▪ Examples – Financial, performance, compliance, system security and
due diligence.
o Consulting services
▪ Nature and scope agreed with engagement client.
▪ Two parties – IA and engagement client.
▪ Examples – Counsel, advice, facilitation and training.
• Authority – Auditees grant access of all records relevant to performance of
engagement.
• Final approval of the charter resides with the board.
• Responsibility – IAA to provide org with assurance and consulting activities.
, Code of ethics (The purpose of the COE is to promote ethical culture)
• The COE extends beyond the definition of IA to include two components:
- Principles
- Rules of conduct – Aid to interpreting the principles and guide ethical conduct of IA.
• COE is applicable to everyone.
• Breaches to the COE will be evaluated according to (i) IIA bylaws (ii) Disposition of
COE violation process and (iii) Disposition of certification violation process.
• Refer to the rules of conduct below:
• Integrity (Foundation of the other three principles)
o IA shall (definition):
▪ Perform work with honesty, diligence and responsibility.
▪ Observe law.
▪ Not knowingly be part of any illegal activity.
▪ Respect and contribute to objectives of org.
o CAE responsibility with integrity is (i) culture of integrity, (ii) establish policies
and procedures and (iii) integrity training.
o Ways IA can identify and measure integrity (i) awareness and understanding
of integrity and (ii) Mandatory guidance and supporting practice.
o Conformance with integrity:
▪ Maintaining and reporting on QAIP.
▪ Participation in CPE.
o Demonstration of Integrity for IAA:
▪ Supervision of engagements.
▪ Performance of self-assessments.
• Objectivity
o IA shall (definition):
▪ Not participate in activity that may impair or presume to impair their
unbiased assessment.
▪ Not accept anything that may impair or presume to impair their
judgement.
▪ Disclose all material facts known to them.
o A material ownership interest in a competitor is allowable (Can have shares in
outsurance) and IA can take action to enhance the value of the
shares/interest.
o IA cannot assure anonymity when information is communicated to them. IA
can promise merely to attempt to keep the source of information confidential.
o Conflict of interest examples:
▪ Certain dealings in commercial properties (excluding rental activity)
▪ Sales of services by IA to organization
▪ Participating in non-public service organisations e.g. being a
consultant to third parties which conduct business to organization.
▪ Performing an audit in a department managed by family member.
▪ Accepting bonus on work accomplished during an audit.
▪ Auditing an area in which IA had management responsibility within
one year.
▪ Accepting gifts that exceeds policy limits.
▪ IA working in non-audit and accepts gifts. etc.
o Conformance with objectivity:
▪ Policies and procedures.
▪ Trainings about objectivity.
, ▪ Documenting rationale for allocation of resources and potential
conflict of interest.
▪ Documenting potential conflict of interest for outsourced and
cosourced.
▪ Review of WP.
▪ Feedback from post engagement surveys.
▪ Assessment of QAIP.
• Confidentiality
o Org issue information security policies to protect data.
o IA precautions when handling data:
▪ Collect only info required for the engagement
▪ Have controls over data
▪ Delete data when done with engagement
o IA shall (definition):
▪ Prudent use and protection of info.
▪ Not use info for personal gain.
o Conformance with confidentiality:
▪ Policies, procedures and training.
▪ Documenting and retaining records of disclosures.
▪ Documenting and retaining distribution restrictions.
▪ No violation or investigations regarding confidentiality means IAA is in
conformance this principle.
• Competence
o IA shall (definition):
▪ Engage in services which they have the necessary skills and
knowledge.
▪ Perform IA services in accordance with ISPPIA.
▪ Continually improve their proficiency.
o Conformance with competence:
▪ QAIP program, training, performance reviews, feedback from
stakeholders and engagements properly resources and supervised.
▪ IPPF Mandatory guidance.
o Evidence of skills, knowledge and experience of IA can be evidenced
through qualifications and relevant work history.
Internal Audit Charter
• Documents purpose, authority and responsibility (PAR) of IAA.
• CAE must periodically review charter.
• Board approves charter.
• Auditee not allowed to place scope limitation.
• Engagement clients informed of PAR.
• CAE retains approved charter.
• To create charter CAE must understand the mission of IA and mandatory elements.
• CAE may need to refer to the legal counsel or board secretary with regards to
preferred format of charter.
• Meeting minutes are evidence of the discussion of the charter.
