Please enable JavaScript.
Coggle requires JavaScript to display documents.
Introduction to Internal Auditing (Core Principles for the Professional…
Introduction to Internal Auditing
Internal Auditing by definition
IA
Is an:
--> Independent
--> Objective assurance
--> Consulting activity
Designed to:
--> add value
--> improve organisation's operation
Helps organisation accomplish objectives by:
--> bringing a systematic, declined approach to evaluate and:
• improving the effectiveness of
• risk management
• control
• governance processes
Definitions of IA
Previous IA definition
Independent appraisal function
Established within an organisation
Examines and evaluates its activities as a service to the organisation
Assists members of the organisation in performing their responsibilities
Does analyses, appraisals; makes recommendations; provides counsel and info regarding the reviewed activities
Promotes effective control at a reasonable cost
Current IA definition
Objective assurance and consulting activity
Independently managed within an organisation
Adds value to improve the operations of the organisation
Assists an organisation in accomplishing its objectives
Uses a systematic and disciplined approach
Evaluates and improves the effectiveness of an organisation's risk management, control and governance processes
IPPF (International Professional Practices Framework)
Purpose:
--> To establish a set of guidelines that defined the proper role and responsibilities of the internal audit activity
Mandatory Guidance
(must consist of)
Core principles of IA
Definition of IA
Code of ethics
Established to promote an ethical culture throughout the organisation
The Standards
Recommended Guidance
(must consist of)
Implementation guidance
Help IA's in applying:
The definition
The code of ethics
The standards
Supplement guidance
Help parties understand the significant governance, risk and control issues and portraying related roles and responsibilities in IA
Core Principles for the Professional Practice of Internal Auditing
Demonstrates integrity
Demonstrates competence and due care
Objective and free from undue influence
Aligns with strategies, objectives and risks of the organisation
Appropriately positions and adequately resourced
Demonstrates quality and continuous improvement
Communicates effectively
Provides risk-based assurance
Insightful, proactive and future-focused
Promotes organisational improvement
International Standards for the Professional Practice of Internal Auditing (ISPPIA)
Definition
Minimum requirements
Internationally acceptable
@ organisational and individual levels
provide framework for performing and promoting IA
Purpose of the Standards
Portray basic principles that represent the practice of IA as it should be
Provide a framework for performing and promoting a broad range of value-added IA activities
Establish the basis for the evaluation of IA performance
Foster improved organisational processes and operations
The Standards
Attribute Standards (1000 Series)
Focus on the characteristics and qualities of the internal audit activity as well as the individuals performing the services of such activities
Series
Purpose, authority and responsibility (1000)
1000.A1
--> Assurance nature provided disclosed to the IA Charter
1000.C1
--> Nature of consulting services provided need be disclosed in the IA charter
1010
--> Recognizing the mandatory elements of the IPPF in the IA Charter
--> Mission and mandatory elements must be discussed with the board
1000
--> Purpose, authority and responsibilities of IAs must be disclosed in the IA Charter
--> Must be consistent with the mission of IA and the mandatory requirements of the IPPF
--> CAE must periodically review IA Charter and present to board for approval
Proficiency and due professional care (1200)
1200
--> Engagements must be performed with proficiency and due care
1210 (Proficiency)
--> IAs must possess skills, knowledge, competencies needed to perform their individual responsibilities
--> IAA must collectively possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities
1210.A1
--> CAE must obtain competent assistance or advice if the IAs lack skills, knowledge and other competencies needed to form all or part of the engagement
1210.A2
--> IA must have sufficient knowledge to evaluate risk or fraud and the manner by which it is managed by the organisation, but need not possess the skillset of someone who specifically deals with fraud
1210.A3
--> IAs must have sufficient knowledge of key IT risks and controls and tech based audit techniques to perform their assigned work
--> Do not have to have expertise of someone solely responsible for IT auditing
1210.C1
--> CAE must decline engagement or obtain competent advice and assistance if IAs lack knowledge, skills and other competencies needed to perform all or part of the engagement
1220 (Due Professional Care)
--> IAs must apply the care and skill expected of a reasonably prudent and competent IA
1220.A1
--> Exercising due professional care by considering the:
extent of work needed to achieve the engagement's objectives
relative complexity, materialty
adequacy and effectiveness of gov, ctrl and risk
probability of errors, fraud or non-compliance
Cost related to potential benefit
1220.A2
--> Consider use of tech based audit and other data analysis techniques
1220.A3
--> IAs must be aware of risks that could affect objectives, resources and operations
1220.C1
--> Exercising due professional care in the consulting activity by considering the:
needs and expectations of the client
relative complexity and extent of work needed to achieve the engagement's objectives
cost of consulting engagement relative to potential benefits
1230 (Continuing Professional Development)
Auditors must enhance knowledge, skills and other competencies through continuing prof dev
Quality assurance and improvement programme (1300)
Independence and objectivity (1100)
1110 (Organizational Independence)
--> Chief audit executive need report to a level within the org that allows the IA Acvivity to perform its responsibilities
--> CAE confirm the independence of the IA Activity annually
1110.A1
--> IA activity must function (determine IA scope, perform work, communicate results) free of interference, any such must be disclosed to the board
1111 (Direct Interaction with the Board)
--> CAE must directly interact and report to the board
1112 (CAE Roles beyond IA)
1120 (Individual Objectivity)
--> IAs must have an impartial, unbiased attitude and avoid conflict of interest
1130 (Impairment to Independence or Objectivity)
--> If I/O is impaired in fact/appearance, the details of such impairment must be disclosed to the appropriate parties
--> Nature of disclosure depends on the impairment
1130.A1
--> IAs must refrain from assessing operations for which they were previously responsible
--> Should an IA provide assessment for an operation he/she was previously responsible, objectivity is presumed to be impaired
1130.A2
--> Assurance engagements for functions CAE has responsibility over must be overseen by a party outside the IAA
1130.A3
--> IAA may provide assurance services where they previously provided consulting services, provided that the nature of the consulting services did not impair objectivity and that individual objectivity is managed when assigning resources to the engagement
1130.C1
--> IAs may provide consulting services relating to operations for which they had previous responsibilities
1130.C2
--> If IAs have impaired objectivity and independence relating to the proposed consulting services, this must be disclosed to the engagement client prior to accepting the engagement
Performance Standards (2000 Series)
Focus on IA services and the IA process as well as the measurement of the quality thereof
Series
Managing the IA activity (2000)
Nature of the work (2100)
Engagement planning (2200)
Performing the engagement (2300)
Communication results (2400)
Monitoring progress (2500)
Resolution of management's acceptance of risks (2600)
Implementation Standards
Apply the attribute and performance standards to various types of services rendered
Assurance Implementation Standards (A Series)
Deal with the objective evaluation of evidence
To provide an independent assessment of:
--> Governance
--> Risk Management
--> Control Processes
Risk management = processes put into place to mitigate and addressing risks to an acceptable level
Control = refers to actions take by management, board etc. to manage risk and enhance the achievement of organisational objectives and goals
Parties involved in assurance services
Person involved with the process (Process Owner)
Person making the assessment (Auditor)
Person using the assessment to make decisions (Management)
IA determines scope and nature of the engagement
Consulting Implementation Standards (C Series)
Definition
Focus on consulting services
CS are activities beyond assurance work
These consulting services assist management to achieve the organisations objectives
Parties involved
Client
Auditor
Auditors
External Auditors
Appointed as an independent service for shareholders
Provide assurance regarding financial and non-financial affairs of the company
Subsequently, shareholders are more likely to invest based on the satisfaction with the governance practices
Audit committee
Oversee the external audit function and report back to the board of directors about the activities of the external audit function
Internal audit function
Appointed as an independent service for management
Provide reassurance regarding the risk management, governance and control within the organisation to the board of directors
this leads to increased value addition to the board
Report on the effectiveness of risk management, governance and control processes within the organisation
The assurance of the IA
Assure policies, plans and processes are adhered to
improve internal processes and systems
add value by assessing whether the activities performed by the organisation are done economically, efficiently and effectively
Legislation and Codes
King Report on Corporate Governance (King I)
--> dealt with governance issues for SA companies
King II
--> Simply an amendment and improvement of King I
King III
--> highlights the critical role IA's play within the business environment
King IV
--> Has similar emphasis on the role of IA's as in King III
--> builds on the King III recommendations and highlights the pivotal role of IA in the combined assurance model as one of the key internal assurance providers
-->simply put, the importance of IA's in providing assurance is emphasised
Global Internal Auditor Competency Framework
Purpose:
Provides insights into the future practice of IA
Provides guidelines, competencies, knowledge and skills needed by IA to stay in touch with the changing business environment such that they are able to perform their responsibilities with due care
10 Competency areas for IA's
Professional ethics
: promoting and applying them
IA management
: developing and managing IA function
IPPF
: applying it
Governance, risk and control
: applying an understanding of it throughout the organisation
Business acumen
: maintaining the expertise of the business environment, industry practices
Communication
: doing so with impact
Persuasion and collaboratio
n: persuading and motivating through collab
Critical thinking
: applying process analysis, business intelligence and problem solving technique
IA Delivery
: delivering IA engagements
Improvement and innovation
: embracing change and driving these
IPPF: Code of ethics
Purpose:
Used as a way to guide the behaviour of the members and to promote an ethical culture in the profession
Includes ethical principles or values and specific rules or standards and behaviours
Components
Principles relevant to IA
rules of conduct that describe the behaviour norms expected of IAs
IPPF principles
Integrity
establishes trust and provides the basis for reliance on their judgement
Rules and standards
shall perform work with honesty, diligence and responsibility
shall observe the law and make disclosures expected by the law and IA profession
shall not knowingly be part of illegal activity or engage in acts that discredit the IA profession or organisation
Objectivity
make balanced assessment of all relevant circumstances and are not unduly influences by their own interests or by others informing judgements
Rules and standards
shall not participate in any relationship or activity that may impair or presume to impair their unbiased assessment. Such participation is inclusive of activities that may conflict with the interests of the organisation
shall not accept anything that may impair or presume to impair their professional judgement
shall disclose all material facts known to them
Confidentiality
IAs respect the value and ownership of the info they receive and do not disclose such info without the appropriate authority unless there is a legal or professional obligation to do so
Rules and standards
shall be prudent in the use and protection of info acquired in the course of their duties
shall not use info for personal gain or in any manner that would be contrary to the law or detrimental to the ethical objectives of the organisation
Competency
IAs apply knowledge, skills and experience required in the performance of IA services
Rules and standards
shall engage only in those services for which they have the necessary knowledge, skills and experience
shall perform IA services in accordance with ISPPIA
shall continually improve their proficiency and the effectiveness and quality of their work
Institute of Internal Auditors (IIA)
Purpose:
--> To lead the global profession and advance its value
Vision:
--> To be universally recognised as indispensable to effective governance, risk and control