AUI3702
NOTES
Topic 1: IPPF requirements and guidance for performing tests of controls
Code of ethics & The rules of conduct
The purpose of the IIA Code of Ethics is to promote an ethical culture in the internal audit profession.
Internal auditors should strive to comply with these principles to earn the trust of those who rely on
their services.
Integrity
o Perform work with honesty, diligence and responsibility
o Observe the law and make disclosures expected by law or the profession
o Not be part of illegal activity or acts discreditable to the profession or the organisation
o Respect and contribute to legitimate and ethical objectives of the organisation
Objectivity
o Not participate in any activity or relationship which may impair unbiased assessment or which
is in conflict with the interests of the organisation
o Not accept anything which may impair professional judgement
o Disclose all known material facts that, if not disclosed, may distort the reporting of activities
under review
Confidentiality
o Be prudent in the use and protection of information acquired
o Not use any information for personal gain and/or that is contrary to the law or detrimental to
the organisation
Competency
o Engage only in those services for which they have the necessary knowledge, skills and
experience
o Perform internal audit services in accordance with the Standards
o Continually improve proficiency and the effectiveness and quality of services
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
The Standards are mandatory requirements consisting of:
• statements of basic requirements for the professional practice of internal auditing and for
evaluating the effectiveness of its performance which are internationally applicable at
organisational and individual levels
• interpretations, which clarify terms or concepts within the statements
The purpose of the Standards is to
• delineate basic principles that represent the practice of internal auditing
• provide a framework for performing and promoting a broad range of value-added internal auditing
services
• establish the basis for the evaluation of internal audit performance
• foster improved organisational process and operations
The difference between attribute and performance standards is that attribute standards cover the
attributes of organisations and individuals performing internal auditing while performance standards
describe the nature of internal auditing and provide quality criteria against which the performance of
these services can be measured.
ATTRIBUTE STANDARDS
1000 – Purpose, Authority and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
The key concepts to focus on when studying the Attribute Standards are
• the internal audit charter
• assurance and consulting services
• organisational independence
• individual objectivity
• proficiency
• due professional care
• ongoing monitoring
• using the statement “Conforms with the International Standards for the Professional Practice
of Internal Auditing”
PERFORMANCE STANDARDS
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Senior Management’s Acceptance of Risks
The key concepts to focus on when studying the Performance Standards are
• adding value
• effectively managing the internal audit activity
• risk-based planning
• resource management
• coordination of activities with other assurance providers
• using a systematic and disciplined approach
• assessing and improving governance processes
• evaluating and improving risk management processes
• assisting in maintaining effective controls
• engagement planning
• establishing engagement objectives
• engagement scope
• resource allocation
• work programmes
• identifying sufficient, reliable, relevant and useful information
• analysing and evaluating engagement results
• documenting information
• supervision
• communicating results
• disseminating results
• monitoring progress
• resolution of senior management’s acceptance of risks
Attribute standards:
Concept Standard Interpretation/Implementation
The internal audit charter 1000
• The internal audit charter should clearly state the internal
auditor’s responsibility and authority to conduct tests of
controls within the organisation.
• The charter should authorise access to records, personnel
and physical properties relevant to performing tests of
controls.
• If tests of controls result in assurances to be provided to
parties outside the organisation, the charter must define the
nature of these assurances.
Assurance & consulting services 1000
• The nature of assurance and consulting services involving
tests of controls should be defined in the charter. (For a
better understanding of the difference between assurance
and consulting services, read the section “Assurance and
Consulting Services” in Reding et al, chapter 2.)
Organisational independence 1110
• When testing controls, the internal audit activity must be
free from interference when determining the scope of such
testing, the procedures applied to do the testing and
communicating the results of such testing.
• To accomplish this, the chief internal auditor should report
to a level within the organisation that allows the internal
audit function to accomplish its responsibilities and have
direct interaction with the board and audit committee.
Individual objectivity 1120
• An internal auditor should have no conflicting interests that
may influence or may appear to be influencing his or her
ability to perform tests of controls objectively.
Impairment to independence and/or objectivity 1130
• If independence or objectivity is impaired in fact or
appearance, the details of the impairment (i.e. conflict of
interest, scope limitation, restriction on access to records,
personnel and properties and resource limitations) must be
disclosed to appropriate parties.
• Internal auditors must refrain from performing tests of
controls as part of assurance engagements in areas they
were previously responsible for – at least for one year.
Proficiency 1210
• Internal audit activities and individual internal auditors
involved in the testing of controls should possess the
knowledge, skills and other competencies needed to
conduct tests of controls.
• Practice Advisory 1210-1 elaborates on the proficiency
requirements for internal auditors.
• Where an internal audit activity lacks competencies to
conduct a specific assurance engagement, the
competencies should be obtained elsewhere.
• Internal auditors must have sufficient knowledge to
evaluate the risk of fraud when performing tests of controls.
• Internal auditors should have sufficient knowledge of key
information technology risks and controls and available
technology-based audit techniques to perform their
assigned work.
Due professional care 1220
• When performing tests of controls, the internal auditor
should exercise due professional care by considering the
- extent of work needed to achieve the engagement’s
objectives
- relative complexity, materiality or significance of matters to
which testing procedures are applied
- adequacy and effectiveness of governance, risk
management and control processes
- probability of significant errors, fraud or non-compliance
- cost of controls/assurance provided in relation to the
potential benefit
• When performing tests of controls the internal auditor
must consider the use of technology-based audit and other
data analysis techniques.
• Internal auditors must be alert to potential risks that might
affect objectives, operations or resources when testing
controls.
• When performing tests of controls as part of a consulting
engagement, internal auditors should consider
- the needs and expectations of clients, including the
nature, timing, and communication of engagement results
- relative complexity and extent of work needed to achieve
the engagement’s objectives
- cost of the consulting engagement in relation to potential
benefits
1311
• Tests of controls should be subjected to ongoing
monitoring which should form an integral part of the day-to-
day supervision, review, and measurement of the internal
audit activity.