The Standards

FEU | 2020

Page 1
Page 2
Page 3
IPPF

Page 4
 IPPF

International Standards for the Professional Practice of Internal Auditing

(The Standards) - ISPPIA
The purpose of the Standards is to:
1. Guide adherence with the mandatory elements of the International
Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range
of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

Page 5
 IPPF

International Standards for the Professional Practice of Internal Auditing

(The Standards)
The Standards comprise two main categories:
- Attribute Standards address the attributes of organizations and
individuals performing internal auditing
- Performance Standards describe the nature of internal auditing and
provide quality criteria against which the performance of these
services can be measured

Page 6
 IPPF

International Standards for the Professional Practice of Internal Auditing

(The Standards)
The Standards are a set of principles-based, mandatory requirements
consisting of:
- Statements of core requirements for the professional practice of
internal auditing and for evaluating the effectiveness of
performance that are internationally applicable at organizational
and individual levels.
- Interpretations clarifying terms or concepts within the Standards.

Page 7
 IPPF

International Standards for the Professional Practice of Internal Auditing

(The Standards)
- Applies to individual internal auditors and the internal audit activity.

- Chief audit executives are additionally accountable for the internal

audit activity’s overall conformance with the Standards.

- If prohibited by law or regulation from conformance with certain

parts of the Standards, conformance with all other parts of the
Standards and appropriate disclosures are needed.

Page 8
 ISPPIA

IA Governance
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1300 – Quality Assurance and Improvement Program
IA Staff
1200 – Proficiency and Due Professional Care
IA Management
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2600 – Communicating the Acceptance of Risks
IA Process
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress

Page 9
 ISPPIA

Attribute Standards
1000 Purpose, Authority, and Responsibility
1010 Recognizing Mandatory Guidance in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organizational Independence
1111 Direct Interaction with the Board
1112 Chief Audit Executive Roles Beyond Internal Auditing
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
Use of “Conforms with the International Standards for the Professional Practice of Internal
1321
Auditing”
1322 Disclosure of Nonconformance

Page 10
 ISPPIA

Performance Standards
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination and Reliance
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program

Page 11
 ISPPIA

Performance Standards
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
Use of “Conducted in Conformance with the International Standards for the Professional
2430
Practice of Internal Auditing”
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks

Page 12
Attribute Standards

Page 13
 Attribute Standards

1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Mission of Internal
Audit and the mandatory elements of the International Professional Practices
Framework (the Core Principles for the Professional Practice of Internal Auditing, the
Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit
executive must periodically review the internal audit charter and present it to senior
management and the board for approval.
scope, position
(assurance, consulting access, allocation of
and non-audit) resources, assistance board’s expectation,
competence,
deliverables

Page 14
 Attribute Standards

1000 – Purpose, Authority, and Responsibility

1000.A1 – The nature of assurance services provided to the organization must be
defined in the internal audit charter. If assurances are to be provided to parties
outside the organization, the nature of these assurances must also be defined in the
internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit
charter.

Charter should be amended if there are changes on

the scope

Page 15
 Attribute Standards

1000 – Purpose, Authority, and Responsibility

1010 – Recognizing Mandatory Guidance in the Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing
must be recognized in the internal audit charter. The chief audit executive should
discuss the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework with senior management and the
board.

Page 16
 Attribute Standards

1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be
objective in performing their work.

Page 17
 Attribute Standards

Independence
“The freedom from conditions that threaten the ability of the internal audit activity
to carry out internal audit responsibilities in an unbiased manner. ”

- IPPF Glossary

Restrictions

Objectivity

As a group

Page 18
 Attribute Standards

Objectivity
“An unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and
that no quality compromises are made. Objectivity requires that internal
auditors do not subordinate their judgment on audit matters to others. ”

- IPPF Glossary

To protect individual objectivity, IAA

must be independent

Page 19
 Attribute Standards

1100 – Independence and Objectivity

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows
the internal audit activity to fulfill its responsibilities. The chief audit executive must
confirm to the board, at least annually, the organizational independence of the
internal audit activity.

Board ensures independence of

the IAA

Page 20
Organizational Structure

Audit
Board
Committee

President/CEO

Internal Audit External Audit

COO CFO CIO

Page 21
 Attribute Standards

1100 – Independence and Objectivity

Organizational independence is effectively achieved when the chief audit executive
reports functionally to the board. Examples of functional reporting to the board
involve the board:
- Approving the internal audit charter.
- Approving the risk-based internal audit plan.
- Approving the internal audit budget and resource plan.
- Receiving communications from the chief audit executive on the internal audit
activity’s performance relative to its plan and other matters.
- Approving decisions regarding the appointment and removal of the chief audit
executive.
- Approving the remuneration of the chief audit executive.
- Making appropriate inquiries of management and the chief audit executive to
determine whether there are inappropriate scope or resource limitations.

Page 22
 Attribute Standards

1100 – Independence and Objectivity

Administrative Reporting:
- Budgeting / management accounting
- HR administrations: evaluations and compensations
- Internal communications
- Policies and procedures

Page 23
 Attribute Standards

1100 – Independence and Objectivity

1110.A1 – The internal audit activity must be free from interference in determining
the scope of internal auditing, performing work, and communicating results. The
chief audit executive must disclose such interference to the board and discuss the
implications.

Cooperation with Senior Management and the Board

Page 24
 Attribute Standards

1100 – Independence and Objectivity

1111 – Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

- Regularly attends and participates in board meetings

- Meets privately with the Board, at least annually

Page 25
 Attribute Standards

1100 – Independence and Objectivity

1112 – Chief Audit Executive Roles Beyond Internal Auditing

Where the chief audit executive has or is expected to have roles and/or
responsibilities that fall outside of internal auditing, safeguards must be in place to
limit impairments to independence or objectivity.

Oversight activities, often undertaken by the board, such

activities as:
- Periodically evaluating reporting lines and responsibilities
- Developing alternative processes to obtain assurance related to
the areas of additional responsibility.

Page 26
 Attribute Standards

1100 – Independence and Objectivity

1120 – Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of
interest.

CAE has the responsibility to

maintain objectivity of IAA

Page 27
 Attribute Standards

1100 – Independence and Objectivity

Conflict of interest is a situation in which an internal auditor, who is in a position of
trust, has a competing professional or personal interest. A conflict of interest could
impair an individual's ability to perform his or her duties and responsibilities
objectively.

Not adversely affected when:

- Recommends standards of control for system
- Reviews procedures before implementation
- Occasional performance of non-audit work with full disclosure

Objectivity is impaired when:

- Designs
- Installs
- Drafts procedures
- Operates
Page 28
 Attribute Standards

1100 – Independence and Objectivity

1130 – Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the

impairment must be disclosed to appropriate parties. The nature of the disclosure
will depend upon the impairment.

Page 29
 Attribute Standards

1100 – Independence and Objectivity

Impairment to organizational independence and individual objectivity may include,
but is not limited to, personal conflict of interest, scope limitations, restrictions on
access to records, personnel, and properties, and resource limitations, such as
funding.

The determination of appropriate parties to which the details of an impairment to

independence or objectivity must be disclosed is dependent upon the expectations
of the internal audit activity’s and the chief audit executive’s responsibilities to senior
management and the board as described in the internal audit charter, as well as the
nature of the impairment.

Page 30
 Attribute Standards

1100 – Independence and Objectivity

Scope limitation may restrict:
- Scope defined in IA charter
- Access to records
- Work schedule
- Engagement procedures
- Staffing plan and financial budget

Needs to be communicated preferably in

writing to the board

Page 31
 Attribute Standards

1100 – Independence and Objectivity

1130.A1 – Internal auditors must refrain from assessing specific operations for which
they were previously responsible. Objectivity is presumed to be impaired if an
internal auditor provides assurance services for an activity for which the internal
auditor had responsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executive
has responsibility must be overseen by a party outside the internal audit activity.

1130.A3 – The internal audit activity may provide assurance services where it had
previously performed consulting services, provided the nature of the consulting did
not impair objectivity and provided individual objectivity is managed when assigning
resources to the engagement.

At least one year has elapsed

Page 32
 Attribute Standards

1100 – Independence and Objectivity

Acceptance of operational responsibilities with remedies:
- Using contracted third-party entity or auditors
- Confirmation from each staff
- Supervised by, and report the results of the assessment to senior management
and the Board
- Disclosure

Need to be disclosed in the

related audit report

Page 33
 Attribute Standards

1100 – Independence and Objectivity

1130.C1 – Internal auditors may provide consulting services relating to operations for
which they had previous responsibilities.

1130.C2 – If internal auditors have potential impairments to independence or

objectivity relating to proposed consulting services, disclosure must be made to the
engagement client prior to accepting the engagement.

Page 34
Recap

• ISPPIA
• Standard 1000
• Standard 1100

Page 35
 Attribute Standards

1200 – Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

Overall responsibility of the CAE

Page 36
 Attribute Standards

1200 – Proficiency and Due Professional Care

1210 – Proficiency

Internal auditors must possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity
collectively must possess or obtain the knowledge, skills, and other competencies
needed to perform its responsibilities.

Page 37
 Attribute Standards

1200 – Proficiency and Due Professional Care

Proficiency – apply knowledge to situations likely to be encountered without
extensive recourse to technical research and assistance

Knowledge – familiarity, awareness or understanding of which is acquired through

experience and education

Understanding – apply broad knowledge to recognize significant deviations, and to

research reasonable solutions

Appreciation – recognize the existence of problems, identify the additional research,

and the assistance to be obtained

Skills – expected to all internal auditors

Page 38
 Attribute Standards

1200 – Proficiency and Due Professional Care

Proficiency
• Internal audit standards, procedures and techniques
• Accounting principles (If financial audit)

Knowledge
• Indicators of fraud – intentional illegal act characterized by deceit, concealment,
or violation of trust
• Key IT risks and controls
• Technology audit techniques

Understanding
• Management principles

Page 39
 Attribute Standards

1200 – Proficiency and Due Professional Care

Appreciation
• Accounting
• Economics
• Law
• Taxation
• Finance
• Quantitative Methods
• Fraud
• Risk Management
• IT

Skills
• People skills
• Oral and written communications
Page 40
 Attribute Standards

1200 – Proficiency and Due Professional Care

CAE ensures IAA is able to fulfill its responsibilities:
• Hiring to consider education, experience and specialization
• Periodic staff performance appraisals
• Continuing professional development

Page 41
 Attribute Standards

1200 – Proficiency and Due Professional Care

1210.A1 – The chief audit executive must obtain competent advice and assistance if
the internal auditors lack the knowledge, skills, or other competencies needed to
perform all or part of the engagement.

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organization, but are not
expected to have the expertise of a person whose primary responsibility is
detecting and investigating fraud.

1210.A3 – Internal auditors must have sufficient knowledge of key information

technology risks and controls and available technology-based audit techniques to
perform their assigned work. However, not all internal auditors are expected to have
the expertise of an internal auditor whose primary responsibility is information
technology auditing.
Page 42
 Attribute Standards

1200 – Proficiency and Due Professional Care

CAE determines external service providers considering:
• Professional certification
• Appropriate professional membership
• Reputation
• Experience
• Education and training
• Knowledge, skills and experience in the industry

Page 43
 Attribute Standards

1200 – Proficiency and Due Professional Care

1210.C1 – The chief audit executive must decline the consulting engagement or
obtain competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement.

Page 44
 Attribute Standards

1200 – Proficiency and Due Professional Care

1220 – Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.

Appropriate to the complexities of

the engagement
Reasonable care and
competence

Extraordinary performance

Page 45
 Attribute Standards

1200 – Proficiency and Due Professional Care

Alert to possibility of:
• Fraud
• Intentional wrongdoing
• Errors and omissions
Opportunity to identify inadequate
• Inefficiency
• Waste controls and recommend
• Ineffectiveness improvements
• Conflicts of interest
• Irregularities

Page 46
 Attribute Standards

1200 – Proficiency and Due Professional Care

1220.A1 – Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement’s objectives.

• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control
processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

Page 47
 Attribute Standards

1200 – Proficiency and Due Professional Care

1220.A2 – In exercising due professional care internal auditors must consider the use
of technology-based audit and other data analysis techniques.

1220.A3 – Internal auditors must be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even
when performed with due professional care, do not guarantee that all significant
risks will be identified.

Reasonable assurance

Page 48
 Attribute Standards

1200 – Proficiency and Due Professional Care

1220.C1 – Internal auditors must exercise due professional care during a consulting
engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and

communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s
objectives.
• Cost of the consulting engagement in relation to potential benefits.

Page 49
 Attribute Standards

1200 – Proficiency and Due Professional Care

1230 – Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies
through continuing professional development.

Page 50
 Attribute Standards

1200 – Proficiency and Due Professional Care

Continuing Professional Development (CPD) may be obtained:
• Membership, participation and volunteering
• Attendance at conferences, seminars and in-house training programs
• Completion of college and self-study courses
• Involvement in research projects

Page 51
 Attribute Standards

1300 – Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity.

All aspects of operations and

management of IAA
Entire spectrum of audit and
consulting
Evaluate and conclude on
the quality of IAA
Recommendations for
improvements

Page 52
 Attribute Standards

1300 – Quality Assurance and Improvement Program

Objectives of QAIP:
• Perform in accordance to mandatory guidance of IPPF
• Operates effectively and efficiently
• Adding value

Page 53
 Attribute Standards

1300 – Quality Assurance and Improvement Program

1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and
external assessments.

Page 54
 Attribute Standards

1300 – Quality Assurance and Improvement Program

1311 – Internal Assessments

Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.
• Periodic self-assessments or assessments by other persons within the
organization with sufficient knowledge of internal audit practices.

Page 55
 Attribute Standards

1300 – Quality Assurance and Improvement Program

Ongoing Monitoring
• Supervision
• Checklist and procedures
• Feedback
• Peer reviews
• Performance metrics

Periodic Self-Assessments
• In-depth interviews and surveys
• Self-assessment
• By CIA within the company (full or verification)
• Benchmarking / performance metrics

Page 56
 Attribute Standards

1300 – Quality Assurance and Improvement Program

1312 – External Assessments

External assessments must be conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the organization. The chief
audit executive must discuss with the board:

• The form and frequency of external assessment.

• The qualifications and independence of the external assessor or assessment
team, including any potential conflict of interest.

Full External Assessment

Self-Assessment with Independent Validation

Page 57
 Attribute Standards

1300 – Quality Assurance and Improvement Program

External reviewer should:
• Competent, CIA professional, in-depth knowledge of the Standards
• Well versed in the best practices (technical expertise and industry experience)
• At least 3 years experience in practice of IA at a management level
• Successful completion of The IIA’s quality assessment training course

Conflict of interest due to current or past relationship:

• Former employees: financial audit, consulting services and assistance
• Parent or affiliate
• Peer review between two

Page 58
 Attribute Standards

1300 – Quality Assurance and Improvement Program

Page 59
 Attribute Standards

1300 – Quality Assurance and Improvement Program

1320 – Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and
improvement program to senior management and the board. Disclosure should
include:
• The scope and frequency of both the internal and external assessments.
• The qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest.
• Conclusions of assessors.
• Corrective action plans.

Page 60
 Attribute Standards

1300 – Quality Assurance and Improvement Program

1321 – Use of “Conforms with the International Standards for the Professional
Practice of Internal Auditing”

Indicating that the internal audit activity conforms with the International Standards
for the Professional Practice of Internal Auditing is appropriate only if supported by
the results of the quality assurance and improvement program.

Page 61
 Attribute Standards

1300 – Quality Assurance and Improvement Program

1322 – Disclosure of Nonconformance

When nonconformance with the Code of Ethics or the Standards impacts the overall
scope or operation of the internal audit activity, the chief audit executive must
disclose the nonconformance and the impact to senior management and the board.

Page 62
 Attribute Standards

1300 – Quality Assurance and Improvement Program

QAIP External Assessment Sample

Page 63
 Attribute Standards

1300 – Quality Assurance and Improvement Program

QAIP External Assessment Sample

Page 64
Questions

► [email protected]

Page 65