
Chapter 6 (GOVRISK)

The IIA describes the original objectives when established in 1941 as cultivating and disseminating knowledge about internal auditing, establishing high standards of integrity, and furnishing information about internal auditing practices. Since then, the IIA has developed the Professional Practices Framework (PPF) which provides consistent principles and procedures for internal auditing. The PPF consists of standards, practice advisories, and development/practice aids. Attribute standards describe defining characteristics of internal audit organizations and individuals, while performance standards provide quality criteria to measure performance. Adherence to standards contributes to internal auditing being recognized as a true profession.

134 THE ESSENTIAL HANDBOOK OF INTERNAL AUDITING

Chapter 6

PROFESSIONALISM

Introduction

Internal audit is now a complete profession and features in most larger organizations in all sectors. This entails the use of competent staff, a respected role in the organization and robust quality assurance arrangements that underpin the defined services that are provided. This chapter covers the following areas:

6.1 Audit Professionalism
6.2 Internal Auditing Standards
6.3 Due Professional Care
6.4 Professional Consulting Services
6.5 The Quality Concept
6.6 Defining the Client
6.7 Internal Review and External Review
6.8 Marketing the Audit Role
6.9 Audit Feedback Questionnaire
6.10 Continuous Improvement
Summary and Conclusions
Chapter 6: Multi-Choice Questions

6.1 Audit Professionalism

Internal auditing needs defined standards and this contributes to the development of professional audit services. Notwithstanding the problem of securing a truly international dimension to internal auditing, the Global Institute of Internal Auditors seeks to represent a worldwide position. This exciting development may have a profound impact on the profession and is mentioned again in the final chapter of The Essential Handbook. Before studying the various standards attached to internal auditing we list the main features of a professional discipline:

1. Training programme
2. Common body of knowledge
3. Code of ethics
4. Sanctions
5. Control over services
6. Qualified practitioners
7. Morality
8. Technical difficulty
9. Examinations
10. Journals
11. Professional body
12. Compliance with rules
13. Service to society

Internal auditing is able to meet all of the above measures and is now firmly established as a professional discipline. This has been a huge achievement as, ten to twenty years ago, it certainly was not the case. Having a firm professional base allows the internal audit community to plan for the future and track the way it needs to progress as its newly acquired high profile places it firmly on the boardroom agenda.

6.2 Internal Auditing Standards

The IIA have described their original objectives in 1941 when they were first established (www.theiiaorg.com):

To cultivate, promote, and disseminate knowledge and information concerning internal auditing and subjects related thereto; to establish and maintain high standards of integrity, honor, and character among internal auditors; to furnish information regarding internal auditing and the practice and methods thereof to its members etc.

Since then the IIA has moved on to develop their Professional Practices Framework (PPF) which contains the basic elements of the profession. It provides a consistent, organized method of looking at the fundamental principles and procedures that make internal auditing a unique, disciplined and systematic activity. The purpose of the standards is to:

1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing a broad range of value-added internal audit activities.
3. Establish the basis for the measurement of internal audit performance.
4. Foster improved organizational processes and operations.

The PPF consists of:

• Standards for the Professional Practice of Internal Auditing and the Code of Ethics which have to be followed by all practising (IIA) internal auditors.
• Practice Advisories are pronouncements that are strongly recommended and endorsed by the IIA.
• Development and Practice Aids—research, books, seminars, conferences, etc.—developed or endorsed by the IIA.

A main part of the PPF is attribute and performance standards. Attribute standards describe the defining character of organizations and individuals performing internal audit services, while performance standards describe the nature of internal audit services and provide quality criteria against which to measure performance, and the individual implementation standards are used to augment the attribute and performance standards by helping employ them in particular types of engagements. The standards cover both assurance services and client-based consulting. Over 2004 the IIA clarified the status of their standards and made it clear that the use of the word ‘should’ means that the related standard is a mandatory obligation. This tightening up of the standards adds to the professionalism of internal auditing.

ATTRIBUTE STANDARDS

1000—Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

1000.A1—The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.

1000.C1—The nature of consulting services should be defined in the audit charter.

1100—Independence and Objectivity

The internal audit activity should be independent, and internal auditors should be objective in performing their work.

1110—Organizational Independence

The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfil its responsibilities.

1110.A1—The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1120—Individual Objectivity

Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

1130—Impairments to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

1130.A1—Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2—Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

1130.C1—Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2—If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

1200—Proficiency and Due Professional Care

Engagements should be performed with proficiency and due professional care.

1210—Proficiency

Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1—The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2—The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3—Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1—The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220—Due Professional Care

Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1—The internal auditor should exercise due professional care by considering the:

• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of risk management, control, and governance processes.
• Probability of significant errors, irregularities, or noncompliance.
• Cost of assurance in relation to potential benefits.

1220.A2—In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques.

1220.A3—The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1—The internal auditor should exercise due professional care during a consulting engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s objectives.
• Cost of the consulting engagement in relation to potential benefits.

1230—Continuing Professional Development

Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

1300—Quality Assurance and Improvement Program

The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

1310—Quality Program Assessments

The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

1311—Internal Assessments

Internal assessments should include:

• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

1312—External Assessments

External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

1320—Reporting on the Quality Program

The chief audit executive should communicate the results of external assessments to the board.

1330—Use of “Conducted in Accordance with the Standards”

Internal auditors are encouraged to report that their activities are “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.” However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

1340—Disclosure of Noncompliance

Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

PERFORMANCE STANDARDS

2000—Managing the Internal Audit Activity

The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

2010—Planning

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.

2010.A1—The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

2010.C1—The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.

2020—Communication and Approval

The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

2030—Resource Management

The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

2040—Policies and Procedures

The chief audit executive should establish policies and procedures to guide the internal audit activity.

2050—Coordination

The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

2060—Reporting to the Board and Senior Management

The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

2100—Nature of Work

The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

2110—Risk Management

The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1—The internal audit activity should monitor and evaluate the effectiveness of the organization’s risk management system.

2110.A2—The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the

• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2110.C1—During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

2110.C2—Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2120—Control

The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1—Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include:

• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2120.A2—Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3—Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4—Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

2120.C1—During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses.

2120.C2—Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2130—Governance

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

2130.A1—The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities.

2130.C1—Consulting engagement objectives should be consistent with the overall values and goals of the organization.

2200—Engagement Planning

Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

2201—Planning Considerations

In planning the engagement, internal auditors should consider:

• The objectives of the activity being reviewed and the means by which the activity controls its performance.
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity’s risk management and control systems.

2201.A1—When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1—Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

2210—Engagement Objectives

Objectives should be established for each engagement.

2210.A1—Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.

2210.A2—The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

2210.C1—Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

2220—Engagement Scope

The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1—The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2—If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1—In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

2230—Engagement Resource Allocation

Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240—Engagement Work Program

Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1—Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

2240.C1—Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300—Performing the Engagement

Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives.

2310—Identifying Information

Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

2320—Analysis and Evaluation

Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330—Recording Information

Internal auditors should record relevant information to support the conclusions and engagement results.

2330.A1—The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2—The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1—The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2340—Engagement Supervision

Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

2400—Communicating Results

Internal auditors should communicate the engagement results.

2410—Criteria for Communicating

Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1—Final communication of engagement results should, where appropriate, contain the internal auditor’s overall opinion and or conclusions.

2410.A2—Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3—When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.

2410.C1—Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420—Quality of Communications

Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

2421—Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

2430—Engagement Disclosure of Noncompliance with the Standards

When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:

• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.

2440—Disseminating Results

The chief audit executive should communicate results to the appropriate parties.

2440.A1—The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2—If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:

• Assess the potential risk to the organization.
• Consult with senior management and/or legal counsel as appropriate.
• Control dissemination by restricting the use of the results.

2440.C1—The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2—During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

2500—Monitoring Progress

The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1—The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1—The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600—Resolution of Management’s Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

The IIA Code of Ethics

The purpose of the Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control and governance. The Institute’s Code of Ethics extends beyond the definition of internal auditing and has been described in Chapter 5.

6.3 Due Professional Care

Taking care during the audit process is becoming an increasingly onerous requirement for the internal auditor. The dismissal of two internal auditors by Allied Irish Bank’s US subsidiary (Allfirst) in the wake of the activities of rogue trader John Rusnak provides a powerful illustration of the concept of due professional care. The need to take care is reinforced by Attribute Standard 1220 (Due Professional Care) which states that internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. As a short-cut to isolating the principles upon which the elements of an audit are based, we may seek to devise a model in Figure 6.1.

ASSIGNMENT PLANNING (terms of reference)
ANALYSIS OF INFORMATION (evidence for terms of reference)
FORMULATION OF FINDINGS (interpretation)
COMMUNICATION OF FINDINGS (reporting)
FOLLOW-UP (assignment of risk)

FIGURE 6.1 Model of baseline standards.

Each individual audit has to meet a set of baseline standards if it is to be of acceptable quality, and as such the components outlined above will have to be firmly in place. If this is not the case then there is a strong argument to conclude that the audit has not been performed properly.

6.4 Professional Consulting Services

The definition of internal auditing makes it clear that it is an assurance and consulting activity. The IIA has defined an assurance service as: ‘An objective examination of evidence for the

due diligence engagements.’ While consulting services are defined as: ‘Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organisation’s operations. Examples include counsel, advice, facilitation, process design, and training.’ The primary players in assurance work are the auditor, the client and the third party to whom assurance is being provided, while for consulting work it is simply the auditor and the client. Assurance work is well understood by the internal audit community and over the years there has been ‘creeping consulting’ normally in the form of advice and information on request from the line managers. What has not happened before is the offer of a formal consulting service based around the corporate governance, risk management and control dimensions. Many auditors simply suggest that they will do more consulting work, but may not appreciate that this is an entire industry, with set standards and methods, many of which are similar to internal audit techniques.

What is Management Consulting?

IIA Implementation Standard 1000.C1 states that the nature of consulting services should be defined in the charter. But just what is the nature of this work? After considering several different definitions Milan Kubr came up with the following: ‘Management consulting is an independent professional advisory service assisting managers and organisations to achieve organisational purposes and objectives by solving management and business problems, identifying and seizing new opportunities, enhancing learning and implementing changes.’1

The Institute of Management Consultants (IMC) has prepared a code of conduct that is binding on its members and which is based on three key principles of:

1. Meeting the client’s requirements.
2. Integrity, independence, objectivity.
3. Responsibility to the profession and to the IMC.

Moreover members have to ensure that in publicizing work or making representations to a client, the information given:

• Is factual and relevant.
• Is neither misleading nor unfair to others.
• Is not otherwise discreditable to the profession.

In terms of adding value, we can return to Milan Kubr for a consideration of the two main aspects of consulting work being:

• The technical dimension, which concerns the nature of the management or business processes and problems faced by the client and the way in which these problems can be analysed and resolved.
• The human dimension, i.e. interpersonal relationships in the client organisation, people’s feelings about the problem at hand and their interest in improving the current situation, and the interpersonal relationship between the consultant and the client.2

The IIA see a crossover between consulting work and the assurance role, which is unique to the audit position where strict confidentiality may not be an absolute. Implementation Standard 2110.C2 makes it clear that: ‘Internal auditors should incorporate knowledge of risks gained from
purpose of providing an independent assessment of risk management, control, or governance consulting engagements into the process of identifying and evaluating significant risk exposures of
processes for the organisation. Examples may include financial, compliance, systems security, and the organisation.’
PROFESSIONALISM 145 146 THE ESSENTIAL HANDBOOK OF INTERNAL AUDITING

6.5 The Quality Concept

The IIA’s Attribute Standard 1300 (Quality Assurance and Improvement Program) states that:

The CAE should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program included periodic internal and external quality assessments and ongoing monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

There is a lot being said about quality assurance, as this appears to be one of the standard management buzzwords. Quality is about:

• Knowing your business.
• Knowing your customers and understanding how they see your business.
• Looking for and dealing with problems.
• Having a way of finding out what stakeholders think of the service.
• Relating all problems to systems that need to be improved. In other words risks to success should be identified, assessed and managed.
• Being very concerned about the section’s reputation and overall standing in the organization.
• A clear focus on value for money.
• Resourcing the drive for quality.
• Having efficient and effective procedures.
• Having the quality role built into all staff and ensuring audit managers review and supervise work with this in mind.
• Developing assessment models that can be used to judge whether quality standards are being met.
• Adopting a culture of getting things right and continually improving.

Several Attribute Standards address the quality concept:

1310—The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

1311—Internal assessments should include:
• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organisation, with knowledge of internal auditing practices and the Standards.

1312—External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organisation.

1320—The CAE should communicate the results of external assessments to the board.

6.6 Defining the Client

Professionalism and quality is about giving the client what they both want and need. This simple concept becomes more involved for internal auditors because we have several different stakeholders and because we deliver both assurance and consulting services. In the past, people who received audit services were simply known as auditees. However, we have moved on from here and there are various views on exactly how we deliver the audit service. The first point is that internal audit has moved away from a ‘them and us’ battleground as made crystal clear by many commentators:

Abbey National’s new chief internal auditor tells Neil Hodge what he thinks makes an invaluable audit function. . . ‘Internal audit needs to make sure that it works as a kind of “controls consultant”. It is definitely not tenable for internal audit just to sit back and pull management plans apart, however justified their criticism might be. Auditors need to work with management—not against it—and this needs to be made explicit in internal audit’s dealings with the board. . .’

Once we understood and accepted the fact that internal auditing’s customers included virtually everyone in the organization, we were prepared to initiate a survey process that would help us learn how well we were serving these customers. We determined that our audit process could be reduced to five basic categories that would be relevant to our customers:
• audit planning
• performance of audits
• the reporting of results
• our response to ad hoc requests for assistance
• auditor professionalism3

6.7 Internal Review and External Review

Quality can be promoted by clear standards and effective supervision to ensure these standards are understood and employed throughout the audit shop. The CAE should also install a system of internal assessment to review whether everything is as it should be. The IIA’s Attribute Standard 1311 requires the CAE to provide an internal assessment which should include:

• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal auditing practices and the Standards.

The internal review will consider various aspects of an audit that has been recently completed including the way it was performed and the standards that were applied.

External Review

The IIA’s Attribute Standard 1312 requires that: ‘external assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organisation’. There are various options for commissioning this wide ranging review:

External audit—Here an overemphasis on financial systems and support for the external audit role may bias the work.

Internal audit departments in groups of companies—An informal policy of not criticizing each other may invalidate the work. Or fierce competition may make the review less than objective.

Reciprocal arrangements—Here companies may review each other, although confidentiality may be a real problem.

Other external auditors—Using other companies’ external auditors helps reduce bias but they would still tend to have a financial orientation.

Consultant—A consultant who specializes in internal audit reviews will probably be the best choice in terms of skills, independence and final result.

The CAE should use the results of the external review to help form a strategy for improving the audit function and producing an effective quality programme. The review will look at whatever is set in the agreed terms of reference, which as suggested could come from a risk workshop. However, it may well include some of the following areas:

1. Audit charter—mission and vision and buy-in from staff and stakeholders.
2. Organizational status.
3. Independence.
4. Codes of conduct and internal disciplinary mechanisms.
5. Mix between assurance and consulting activity.
6. Audit strategy and whether it fits with corporate strategy of organization.
7. Relations with the board, senior manager and general reputation.
8. Interface with audit committee and whether best practice measures used to keep the audit committee informed.
9. Links with external audit and internal review teams.
10. Performance measurement system and whether this makes sense—also links with performance reporting systems.
11. Communications and participation between auditors and also with external parties—whether use is made of web-based material.
12. Mix of specialist such as fraud, IT, projects, contract and other areas.
13. Complaints procedure and whether this picks up all significant problems.
14. Structure and flexibility—in response to changes and strategies.
15. Staff competence, qualification and CPD.
16. Morale levels among auditors, and remuneration and retention rates—why do people leave internal audit?, policies on secondment, career auditors and short-term placements.
17. Formal training programmes.
18. Research into developing best practice and links with professional bodies, local universities, conferences, and international developments. Do the audit staff keep themselves up to date?
19. Planning systems and the annual audit plan.
20. Budgets and budgetary control also cost per audit day.
21. Extent to which audit is accomplishing its objectives.
22. Planning and control of audit assignments and supervision arrangements.
23. Working papers, standards and compliance (also extent of automation, protection, security, retention, back-up and confidentiality).
24. Level of equipment such as laptops, communication links, etc.
25. Balance work–life issues and use of flexible approaches such as working from home.
26. Measures to encourage diversity among staff.
27. Quality assurance systems and whether internal reviews are adequate—the review will start with considering outcomes of recent internal reviews.
28. Due professional care and measures taken to ensure professionalism and consistency—including the use of the audit manual.
29. Compliance mechanisms to ensure laws and regulations are adhered to.
30. The adopted value add proposition and whether this is being achieved.

The list is, in one sense, open ended—it really depends on the risks that form the basis of the terms of reference for the review. Where the three-pronged approach of supervision, internal and/or external review uncovers a problem to do with non-compliance, this problem needs to be addressed. Senior management and the board need to be informed where this impacts the overall scope or operation of internal audit, including a lack of external assessment (Practice Advisory 1330-1: Use of ‘Conducted in Accordance with the Standards’). The results of any review of quality and compliance within internal audit should be reported back to the party who requested the assessment in the first place (Practice Advisory 1320-1: Reporting on the Quality Program) and an appropriate action prepared from the findings and recommendations. The CAE is responsible for following up this action plan.

6.8 Marketing the Audit Role

The IIA distance learning manuals have made clear the need for internal audit to prove its position in an organization:

In this day and age no function has the right to exist. Each must be able to demonstrate how it adds value to the organisation, and can expect to be continually questioned about its role and contribution. Although internal audit is primarily a review function it is increasingly coming under the same scrutiny as every other part of an organisation and must be able to justify its existence.4

There are those who argue that the unique feature of the internal audit function, that relates to its independence, in some way means that there is no need to adopt a market-based orientation in the way services are delivered. They may go on to suggest that if we let managers define the way internal audit works then we become little more than consultants. This view is misconceived as it fails to recognize that internal audit is a service to the organization and not to itself, although there are some considerations that impact on a purist view of marketing. One useful way of assessing whether our marketing efforts have interfered with the levels of independence that we should have achieved is to apply the basic acid test:

If internal audit were instantly removed from the organization, would certain operations collapse?

A purist’s view would insist that this question receives a negative answer to reinforce the concept of the audit services being free from operational involvement. The dilemma, from a marketing angle, is that this exposes the audit role and makes it akin to a dispensable commodity. This problem warrants further exploration since there is an inherent conflict between the marketing concept and the independence test that must be recognized and managed by the CAE when the marketing mix is being considered:

• The product: Here we consider whether the audit work that is being provided fits with the requirements of the organization.

• The price: The costs of the audit work should be subject to ongoing review so as to work to an optimum profile.
• Promotion: This may be seen more as being built into the public relations function as a way of selling the audit image and underlying services.

The Audit Budget

Clients pay for audit services through for example, a quarterly fee charging system, and it is essential that the charges are linked into the audit budget. We need to recover whatever it costs to provide the audit service and the main annual cost components are shown in Table 6.1.

TABLE 6.1 Audit cost profile.

Item                        £
Salaries
Staff expenses
Office accommodation
General admin. overheads
Equipment
Other expenses
Total cost

By dividing the total annual costs over the projected number of chargeable audit hours for the year (normally 214), we can arrive at a recovery hourly rate. By increasing this hourly rate we may achieve a trading surplus as a contribution to non-recoverable time and purchases such as expenditure on computer equipment. The hourly charge-out rate will vary by grade of auditor and this factor will be entered into the time monitoring system. Alternatively, a rough indicator of the hourly rate may be calculated by using the following formula:

Hourly rate = Annual salary (×1.5) / Chargeable hours for the year

The time charging system will allow audit management to monitor the extent to which the budgeted income is being achieved and this will be reported quarterly to audit management. The audit committee, as well as having a general overseeing role, may also request certain reviews and will be charged accordingly. The CAE will probably advise the audit committee on any necessary corporate reviews. Note that management should not generally be able to refuse a planned audit review, but may negotiate the timing or ask to negotiate additional work where there are sufficient audit resources available. Managers may in addition request details of audit’s planning, risk analysis and time charging mechanisms.

Creating the Audit Image

Audit needs to formulate and maintain an appropriate image and one auditor who breaches professional behaviour may tarnish the reputation of the whole department. The audit image is based around the standards set out in the audit manual and the auditor code of conduct. In addition it requires the following features of the internal auditor:

• Politeness, having regard to the need to respect fellow officers at whatever grade.
• Being positive by building constructive working relations with management.
• Sensitivity to management’s needs.
• Respect for confidentiality with an understanding of the damage that idle gossip can do.
• A team-based audit approach working with and alongside management.
• A hard-working attitude with a constant mission to encourage management to promote good controls.
• A desire to explain the role of audit and promote the audit service wherever possible.

It may be an idea to organize a series of seminars (or a slot at the corporate annual conference) and deliver the new-look internal audit approach.

6.9 Audit Feedback Questionnaire

One way of achieving a degree of feedback from the client is to obtain a response to a formal questionnaire that makes enquiries about the audit service. The purpose of the survey should be explained in a covering memo from the CAE, the main objectives being:

• To obtain the client’s view on the benefits secured from the audit.
• To isolate any communication problems that may have been experienced by the client.
• To assess whether the client’s perceived needs have been met.
• To identify any adjustments to marketing strategy and audit methodologies that may be required.

The client survey operates at two levels: one as an assignment follow-up while the other looks for more general comments that are not linked to any particular audit. An Audit Effectiveness Questionnaire, along with a covering memorandum from the CAE, may be given to the client by the lead field auditor and once the audit has been completed it will be returned direct to the CAE. It is felt that allowing the field auditors to distribute and explain the survey dispels the view that the CAE does not trust them. The arrangement whereby the form is filled in by the client and returned direct to the CAE ensures that the client may be quite open in their views. Audit working papers will note any disagreement that the auditors may have had with the client and this point should be taken on board when reviewing the survey results. A wider survey may also be carried out from time to time, which can be used to provide feedback on audit’s overall impact on management, for use in formulating audit marketing plans.

6.10 Continuous Improvement

To make a start on noting a few comments on the quality drive we can mention the points made by the founding father of the quality movement, Dr Edwards Deming:

1. An organization must have a consistent message about quality.
2. There must be a commitment to change and continual improvement.
3. Defect prevention rather than detection.
4. Build partnerships with suppliers.
5. Constantly improve.
6. Train in a way which makes everyone responsible for their own quality.
7. Supervision must encourage and support, not chase.
8. Drive out ‘fear’ of improvement.
9. Break down department barriers to foresee problems and improve quality.
10. Don’t set unrealistic targets.

11. Enable employees to have pride in their work.
12. Train and educate.
13. Create an organizational structure which supports all of the above.

Meanwhile the three key drivers for the marketing campaign have been noted as just as crucial to the survival of an in-house audit team:

Many internal auditors have failed to appreciate what marketing can offer them and even worse, have become complacent about themselves and the role that they play within their organisation. Marketing can achieve many benefits not least:
• the opportunity to truly demonstrate to the organisation the value added by internal audit.
• the ability to raise internal audit’s profile so that it is invited to the ‘top table’ and involved in key projects within the organisation.
• the opportunity to ensure that the organisation does not consider outsourcing internal audit as a serious option.5

Having the following three mechanisms in place promotes continuous learning and success:

1. A clear role definition and service base that responds to changing needs of stakeholders.
2. Procedures that are efficient, flexible and focused on achieving service delivery standards.
3. A staff development system that ensures continuous revitalization of skills, attitudes and approaches.

Summary and Conclusions

The quality movement has been established for many years and there are various standards, guidelines and tools that can be used to incorporate quality into the internal audit shop. Moreover, there are benchmarks, measures and full-blown accreditation schemes that can be used so as to avoid reinventing the wheel. In one sense, we could argue that an independent review activity must have its own house in order before it can embark on this review activity with any real credibility. The IIA standards make it clear that there must be a system of quality assurance in place and that any non-compliance should be formally reported. There is really no excuse for failing to reach the exacting levels of performance and profiles that many internal audit shops are achieving. Professional standards abound, and the IIA with their professional practices framework have been knocking on the boardroom door for many years now. Professional standards create the targets that need to be aimed at, even where the audit shop is small. It is essential that each internal audit team tracks developments in the professional standards and incorporates new aspects into their own policies and interpretations of the audit role.

Chapter 6: Multi-Choice Questions

Having worked through the chapter the following multi-choice questions may be attempted. (See Appendix A for suggested answer guide and Appendix B where you may record your score.)

1. Which is the least appropriate sentence?
The purpose of the IIA standards is to:
a. Delineate demanding principles that represent the practice of internal auditing as it should be.
b. Provide a framework for performing a broad range of value-added internal audit activities.
c. Establish the basis for the measurement of internal audit performance.
d. Foster improved organizational processes and operations.

2. Which item is wrong?
The IIA’s Professional Practices Framework consists of:
a. Standards for the Professional Practice of Internal Auditing and the Code of Ethics which have to be followed by all practising (IIA) internal auditors.
b. Practice Advisories are pronouncements that are strongly recommended and endorsed by the IIA.
c. Development and Practice Aids—research, books, seminars, conferences, etc.—developed or endorsed by the IIA.
d. Best practice guides prepared by leading audit functions.

3. Insert the missing words:
IIA Attribute Standard 1000:
The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by . . . . . . . . . . .
a. the management.
b. chief audit executive.
c. external auditor.
d. the board.

4. Which is the most appropriate sentence?
IIA Attribute Standard 1210:
a. Internal auditors should possess the personality, skills and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.
b. Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.
c. Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. Each auditor should possess the knowledge, skills and other competencies needed to perform internal audit’s responsibilities.
d. Internal auditors should possess the knowledge and skills needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge and skills needed to perform its responsibilities.

5. Insert the missing words
IIA Attribute Standard 1300:
The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and . . . . . . . . . . .
a. continuously monitors its effectiveness.
b. monitors its effectiveness.
c. continuously monitors its staff.
d. continuously report its effectiveness.

6. Insert the missing word
IIA Attribute Standard 1312:
External assessments, such as quality assurance reviews, should be conducted at least once every . . . . . . . . . . years by a qualified, independent reviewer or review team from outside the organization.
a. two.
b. four.
c. five.
d. seven.

7. Which is the most appropriate sentence?
IIA Performance Standard 2010:
a. The chief audit executive should establish plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
b. The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
c. The chief audit executive should establish risk-free plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
d. The chief audit executive should establish risk-based plans to determine the risks of the internal audit activity, consistent with the organization’s goals.

8. Insert the missing words:
IIA Performance Standard 2060:
The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include . . . . . . . . . . and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.
a. significant risk exposures.
b. all risk exposures.
c. significant risk opportunities.
d. significant risk probabilities.

9. Which is the most appropriate sentence?
IIA Implementation Standard 2110.C1:
a. During assurance engagements, internal auditors should address risk consistent with the engagement’s objectives and be aware of the existence of other significant risks.
b. During consulting engagements, internal auditors should address risk consistent with the audit committee’s objectives and be alert to the existence of other significant risks.
c. During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other assurance risks.
d. During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

10. Insert the missing words:
IIA Performance Standard 2600:
When the chief audit executive believes that senior management has accepted a level of residual risk that . . . . . . . . . . unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.
a. is certainly.
b. may be.
c. is not.
d. should be.

References

1 Kubr, Milan (ed.) (2002) Management Consulting, A Guide to the Profession, 4th edition, International Labour Organisation, p. 10.
2 Kubr, Milan (ed.) (2002) Management Consulting, A Guide to the Profession, 4th edition, International Labour Organisation, p. 5.
3 ‘Abbey Road’. Internal Auditing and Business Risk, Aug. 2002, p. 29.
4 Internal Auditing, Distance Learning Module (2002) Institute of Internal Auditors, UK&Ireland.
5 ‘Lex service: marketing internal audit effectively’. Internal Auditing and Business Risk, Nov. 2000, p. 30.
