Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 2: Internal auditing standards

Overview
This module introduces the International Standards for the Professional Practice of Internal Auditing. These are the attribute standards and performance standards. You should be able to apply the attribute standards and the first of the performance standards after studying this module. The standards on independence, objectivity, proficiency, and due professional care are covered in this module. The module concludes with a look at the use of outsourced resources for some or all of the internal audit functions. You will recognize when and how to refer to other professionals and experts.

Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

Learning objectives
2.1 Overview of internal auditing standards Describe the attribute standards and the performance standards governing internal auditing and the key provisions of the Sarbanes-Oxley Act . (Level1) 2.2 Purpose, authority, and responsibility Determine the purposes and content of an internal audit charter. (Level1) 2.3 Independence and objectivity Explain the importance of independence and objectivity in internal auditing and how they are achieved. (Level1) 2.4 Proficiency and due professional care Identifythe main standards for proficiency and due professional care in internal auditing. (Level1) 2.5 Using outside service providers for internal audit work Outline the main requirements of using outsourced or co-sourced resources in internal auditing. (Level2) 2.6 Managing the internal audit department State the standards for the proper management of the internal audit department, including quality assurance. (Level1) Module summary Print this module

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

MU1 Module 2: Test your knowledge

1. Which of the following is a specific IIA Standard for the attainment of proficiency in internal auditing? a. b. c. d. Review of effectiveness and efficiency Adequate knowledge, skills, and other competencies Quality assurance Independence and objectivity

2. Who is responsible for coordinating the efforts of internal and external auditors? a. b. c. d. The The The The corporate controller chief audit executive partner responsible for the external audit chair of the audit committee of the board of directors

3. In applying the standard on proficiency, which of the following would be an incorrect application of the standard? a. b. c. d. Requiring that all applicants have a professional accounting designation Obtaining university or college transcripts from all applicants Verifying the applicants prior employment history Checking the applicants references

4. An internal auditor may accept fees, gifts, or other items of value (other than promotional items of nominal value) from which of the following without violating the IIA Code of Ethics or Standards? a. b. c. d. A A A A manager of a department to be audited supplier of the internal auditors employer business associate of the internal auditor's employer professional association to which the internal auditor belongs

5. Which of the following would be a violation of an internal auditors independence and/or objectivity? a. Continuing an assurance audit engagement in a division for which the auditor will soon be promoted to supervisor or manager b. Reducing the number of audits carried out during the year due to budgetary constraints c. Participating on a committee that recommends standards for the implementation of a new computerized inventory system d. Reviewing contracts prior to their execution 6. After what period of time may an internal auditor who previously had been supervisor of an operational unit participate in an assurance audit of that unit? a. As soon as the new supervisor has assumed his or her responsibilities b. When sufficient time (perhaps a year) has passed so that the new supervisor has had the opportunity to make changes to the controls over the activities of the unit c. Never, because there is no way to measure a reasonable period of time in which to establish objectivity d. At any time after the completion of the annual external audit following the appointment of the new supervisor

7. What is the appropriate action to be taken by the chief audit executive when faced with an instruction from an operational vice-president to discontinue an audit following an internal auditors questioning of the accounting treatment of certain deferred charges? a. b. c. d. Solutions Bring the matter to the attention of the external auditors Continue with the audit and issue the audit report on the findings Seek advice from The Institute of Internal Auditors Bring the matter to the attention of the CEO and the chair of the audit committee

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

MU1 Module 2: Test your knowledge solutions

1. a. Incorrect. This is part of the work of the internal auditor, but has nothing to do with the standard on proficiency. b. Correct. This is part of the standard on proficiency (Attribute Standard 1210). c. Incorrect. This is a separate standard on its own (Attribute Standard 1300). d. Incorrect. This is a separate standard on its own (Attribute Standard1100). 2. a. b. c. d. Incorrect. The Standards assign this responsibility Correct. This is implied in Performance Standard Incorrect. The Standards assign this responsibility Incorrect. The Standards assign this responsibility to the chief audit executive. 2050 on Coordination. to the chief audit executive. to the chief audit executive.

3.

a. Correct. There is no reason why all internal auditors need to be accountants; they can come from any one of a number of disciplines including, for example, engineering or general management. b. Incorrect. This should be done to establish that the applicant has a suitable academic background. c. Incorrect. This should be done to verify the background of the applicant. d. Incorrect. This should be done to verify the integrity and suitability of the applicant.

4.

a. Incorrect. Accepting a gift from the manager of a department to be audited could impair or be presumed to impair the auditors objectivity and violates Attribute Standard 1120 as interpreted in Practice Advisory 1120-1. b. Incorrect. Accepting such a gift might impair the auditors objectivity and violates Attribute Standard 1120. c. Incorrect. Accepting such a gift might impair the auditors objectivity and violates Attribute Standard 1120. d. Correct. It is difficult to see how accepting such a gift (for example, a token as thanks for presenting an address on internal auditing to a group of CGAs or members of the IIA) could impair or be presumed to impair an internal auditors objectivity. a. Correct. This would violate Attribute Standard 1120 by posing at least a perceived conflict of interest. b. Incorrect. Management has the right to set the budget for the year and the internal audit department will determine how many assignments can be carried out depending on the resources available. c. Incorrect. This is a consulting activity and does not contravene the Standards. d. Incorrect. This would not impair independence or objectivity. a. Incorrect. The internal auditor may do so only When sufficient time (perhaps a year) has passed so that the supervisor has had the opportunity to make changes to the controls over the activities of that unit. b. Correct. At this point, the auditor would not be considered to lack objectivity (Implementation Standard 1130.A1 Assurance Engagements). c. Incorrect. The Standards permit such audits after one year has passed. d. Incorrect. The timing of the external audit is irrelevant to the objectivity of the internal auditor. a. Incorrect. This would be a violation of confidentially, although the internal auditor should answer any questions from the external auditors truthfully. b. Incorrect. The audit should not continue; management may be aware of the

5.

6.

7.

problem and feel that further work in this area would not be justified on a cost basis. c. Incorrect. This would violate confidentiality; this is not a matter for reference to the IIA. d. Correct. The chief audit executive should bring the matter to the attention of both the CEO and the chair of the audit committee and take instructions from them as to further action, if any.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

2.1 Overview of internal auditing standards

Learning objective

Describe the attribute standards and the performance standards governing internal auditing and the key provisions of the SarbanesOxley Act .(Level1)
Required reading

Online reading 2.1-1: Internal Auditings Role in Sections 302 and 404 of the U.S. Sarbanes-Oxley Act of 2002 (Level 1) Reading 2-1, International Standards for the Professional Practice of Internal Auditing, 2012 (Level 1)
LEVEL 1

One of the identifying characteristics of a profession is the existence of a professional framework and set of established standards that govern expectations of performance for both the members of the profession and those who use its services. Standards are typically established by the professional association to which the members of the profession belong. Many professions (such as medicine and law) are able to enforce their standards because membership in the related professional association is a requirement to practice that profession. This same requirement does not exist in internal auditing, as there is no requirement for internal auditors to belong to any professional association. However, the long-established authoritative reference and the largest professional association for internal auditing is the Institute of Internal Auditors (IIA), based in Florida. The International Professional Practices Framework (IPPF) of the IIA consists of both mandatory and strongly recommended guidance. According to the IIA, conformance with the standards is required and essential for the professional practice of internal auditing and is intended to be applicable to both entities and individuals that perform internal auditing. Mandatory guidance consists of the definition of internal auditing, which you will find in the IIA Code of Ethics (Online reading 1.8-2) and the International Standards for the Professional Practice of Internal Auditing , which was revised and effective as of January 1, 2013 (Reading 2-1). Position papers, practice advisories, and practice guides document best practices, help internal auditors implement the standards, and are the strongly recommended guidance components of the IPPF. (Note : Some of this guidance material is included as required reading throughout the course.) The International Standards for the Professional Practice of Internal Auditing (Standards) are principle-focused and provide a framework and guidance for internal auditing. The Standards are principles that apply globally, and serve as a basis for evaluating internal audit and for encouraging improvement. The Standards include an introduction, interpretations, and a glossary of terms. The Standards are considered the most generally accepted internal auditing standards in Canada, the United States, Great Britain, France, and many other countries. They may not be applicable in all situations, however, and internal auditors must be aware of the need to use their judgment in applying the standards to specific situations.

Updating the Standards

The Standards were first established in 1947, and are revised at least every three years after a comprehensive international review and public exposure. The latest revision of the Standards was effective January 1, 2013. The Attribute Standards address the attributes or characteristics of organizations and individuals performing internal audit services. The Performance Standards describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured.

The Attribute and Performance Standards apply to individual internal auditors and all internal audit activities. Chief audit executives are accountable for overall conformance with the Standards . The current version of the Standards includes interpretations, which clarify terms or concepts within the statements. Some of these interpretations were previously issued as Implementation Standards, but are now included with the Attribute and Performance Standards. It is necessary to consider both the standards and the interpretations to understand and apply the standards correctly. The glossary of terms is part of the Standards; it is included as a required reading in this module, and it should be referred to throughout the course. Here is a summary of the Attribute and Performance Standards :
Attribute Standards There are four Attribute Standards. There are also Practice Advisories provided for many of the standards. Practice Advisories contain additional material to assist the internal auditor in interpreting and applying the standards to specific situations. The Attribute Standards address the following areas: 1. purpose, authority, and responsibility 2. independence and objectivity Covered in Performance Standards There are seven Performance Standards. The Performance Standards address the following areas: Covered in

Standards 1. managing the internal audit activity Standards 1000 to 1010 2000 to 2070 Standards 1100 to 1130.C2 2. nature of work Standards 2100 to 2130.C1 Standards 2200 to 2240.C1 Standards 2300 to 2340 Standards 2400 to 2450 Standards 2500 to 2500.C1 Standard 2600

3. proficiency and due professional care

Standards 3. engagement planning 1200 to 1230 Standards 4. performing the engagement 1300 to 1322 5. communicating results 6. monitoring progress

4. quality assurance and improvement program

7. communicating the acceptance of risks

Reading 2-1 sets out the Standards of the IIA. Although the Standards will not always be referred to specifically in the topics of the following modules, parts of Reading 2-1 will be required reading throughout the rest of this course. Strongly recommended guidance includes position papers, practice advisories, and practice guides, many of which are required reading in this course. Finally, Online reading 2.1-1 outlines the legislative requirements of internal controls in the United States under Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 . (Except for Sections 302 and 404, the requirements of the Sarbanes-Oxley Act of 2002 are not examinable.) For MU1 examinations , you need to be proficient in the Attribute and Performance Standards. You do not need to memorize the standard numbers, but you should be able to understand and apply the Attribute Standards and Performance Standards by the end of this course.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

2.2 Purpose, authority, and responsibility

Learning objective

Determine the purposes and content of an internal audit charter. (Level 1)

Required reading

Reading 2-1, Attribute Standards 1000 to 1010 (Level 1) Reading 2-2, Practice Advisory 1000-1: Internal Audit Charter (Level 1)
LEVEL 1

Internal audit charter

Standard 1000 states that the purpose, authority, and responsibility of the internal audit activity must be formally defined in a charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. The Implementation Standards state that the nature of assurance services and consulting services to be provided to the organization should be set out in the audit charter. You will notice that, in Reading 2-1, following each of the major standards there is a short interpretation of the standard provided by the IIA. In this instance, it is similar to the definition of charter contained in the glossary at the end of the Standards . The interpretation for Standard 1000 states that the internal audit charter is a formal document that defines the internal audit activitys purpose, authority, and responsibility. The internal audit charter establishes the internal audit activitys position within the organization; including the nature of the chief internal audit executives functional reporting to the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal auditing activities. Final approval of the internal audit charter resides with the Board. Practice Advisory 1000-1 (Reading 2-2), supports the main standard and states that the charter must be in writing and approved by senior management and the board. The charter should establish the position of the internal audit activity within the organization, set out the scope of work to be performed, and guarantee access to personnel and records. The charter should be reviewed periodically to ensure that it remains relevant. Exhibit 2.2-1 is an example of an internal audit department charter showing how the mission, accountabilities, independence, responsibilities, authority, and standards of audit practice may be presented.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

2.3 Independence and objectivity

Learning objective

Explain the importance of independence and objectivity in internal auditing and how they are achieved. (Level 1)
Required reading

Reading 2-1, Attribute Standards 1100 to 1130.C2 (Level 1) Reading 2-3, Practice Advisory 1110-1: Organizational Independence (Level 1) Reading 2-4, Practice Advisory 1111-1: Board Interaction (Level 1) Reading 2-5, Practice Advisory 1120-1: Individual Objectivity (Level 1) Reading 2-6, Practice Advisory 1130-1: Impairment to Independence or Objectivity (Level 1) Reading 2-7, Practice Advisory 1130.A2-1: Internal Audits Responsibility for Other (Non-audit) Functions (Level 1) Online reading 2.3-1, IPPF Practice Guide: Independence and Objectivity (Level 1)
LEVEL 1

The issues of independence and objectivity are covered in this topics readings. Standard 1100 states that the internal audit activity must be independent, and internal auditors must be objective in performing their work. Both independence and objectivity are defined in the interpretation of this standard and in the glossary accompanying the Standards . Independence is extremely important because having independence from the activities audited permits auditors to render the impartial judgments essential to providing assurance. Auditors must be able to carry out their work freely and objectively. Auditors are independent when they are free from conditions that threaten objectivity or the appearance of objectivity. Independence and objectivity are achieved through the following means: The organizational status of the internal audit function (Readings 2-3 and 2-4) The degree of objectivity maintained by internal auditors (Readings 2-5 and 2-6) The authority and responsibility given to internal auditors (Reading 2-7).

Organizational status of the internal audit function

To ensure independent internal auditing, the chief audit executive (CAE) must report to someone in the organization who has enough authority to promote independence and to ensure unrestricted audit coverage, and also to ensure that appropriate action is taken on audit recommendations. The CAE must also communicate and interact directly with the board of directors. This helps to ensure independence and keeps board members informed of control issues, which are part of their responsibility as directors. In establishing the organizational status of the internal audit department, the CAE should report functionally to the board or the audit committee of the board of directors, in order to ensure independence. The CAE reports to senior management on administrative matters. In addition, the CAE usually meets with the board or audit committee, at least annually, to obtain approval of the audit plan and to communicate a summary of audit findings. As explained in the interpretation to Standard 1110, functional reporting is the reporting line which is responsible for the following activities: Approving the overall charter of the internal audit function Approving the long-term and annual risk-based audit plans Approving the internal audit budget and resource plan Receiving communications from the chief audit executive on the internal audit activitys performance relative to its plan and other matters Approving all decisions regarding the appointment or removal of the chief audit executive

Approving the remuneration of the chief audit executive Making appropriate inquiries of management and the chief audit executive to determine whether there are scope or budgetary limitations that impede the ability of the internal audit function to carry out its responsibilities Administrative reporting is the reporting relationship within the management structure that facilitates the dayto-day operations of the internal audit function and includes budgeting and management accounting, human resource administration, internal communications and information flows, and administration of the organizations internal policies and procedures. In some organizations, to reflect the importance of internal auditing, the chief audit executive function is a vice-president or senior vice-president.

Degree of objectivity maintained by internal auditors

The Standards require internal auditors to be objective in performing audits. Internal auditors should not place themselves, or be placed, in situations where they will be (or will appear to be) unable to make objective professional judgments. They must avoid and report any situation of actual or potential conflict of interest. For example, internal auditors would not be assigned to audit a department where their spouse or partner was employed. Objectivity is primarily a state of mind, a perspective that is neutral and free from undue influence (that is, an independent mental attitude). It is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. The effectiveness of internal auditors is directly affected by their credibility and the extent to which management can trust the objectivity of the auditors reports. This trust is developed, in part, by ethical practices, including an objective state of mind. In the definition of internal auditing adopted in 1999, the term independent was supplemented with the term objective. Independence was retained as a concept reflecting the freedom to determine the scope of work and perform the appropriate work without interference. For more on the importance of objectivity, read Example 2.3-1.

Example 2.3-1: The importance of objectivity

Jodi Chang, CGA, provides a variety of consulting services to Big Co., a large organization. Big Co. recently relocated a number of its administrative activities from scattered office locations throughout Vancouver into its new office complex. Jodi was hired by one of the smaller administrative groups to provide strategic support during the move. Her work included cost-benefit analyses, budgeting for the move, and accounting for variances between actual and budgeted costs. During the course of her work, she formed some firm opinions about the efficiency and economy of the overall relocation projects planning and coordination carried out at the corporate level, and some specific criticisms of some of the activities of the group for which she was working. The internal audit department of Big Co. was asked to undertake a review of the effectiveness, efficiency, and economy of the relocation project. Jodi was approached by the audit manager responsible for the audit and asked if she would join the audit team as an outside consultant, partly because of her past audit experience, but mostly because of her specific experience, information, and comments on this relocation project and the small group that she had been advising.

Question: Should Jodi accept the engagement? Why or why not?

Solution

Online reading 2.3-1 provides more in-depth guidance for internal auditors on the increasing importance of managing independence and objectivity in a changing business environment. As internal auditors have

expanded the scope of their activities, and have become more valuable to senior management and the audit committee, this practice guide provides helpful guidance for some of the challenges to auditor independence and objectivity.

Authority and responsibility given to internal auditors

The internal audit function is a staff function and must not have any direct authority over the activities subject to audit. In rare situations where internal audit personnel are asked to perform management functions, they should not subsequently be asked to audit these activities. Similarly, when individuals with management responsibilities are transferred to the internal audit department, they should not audit the activities they were previously performing until a reasonable period has elapsed. Standard 1130.A1 states that objectivity is assumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. In recent years, internal auditors have more frequently been asked to take on roles and responsibilities that include responsibility for operations that are (or should be) subject to periodic internal audit assessments. Reading 2-7 sets out factors to be considered in determining an appropriate course of action in such circumstances.

Independence and considerations in internal audit consulting engagements

The Standards define consulting services as the following: advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organizations governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training. While internal auditors must be objective in performing consulting services, the independence requirements are not as stringent as they are for assurance engagements. A significant contribution to the organization can come from consulting activities performed by the internal audit group. At the same time, the consultant needs to remain objective by avoiding involvement in the decision-making processes of the organizational units to which consulting or other services are provided. Standard 1130.C1 permits an internal auditor to provide consulting services to operations where they had previous responsibilities. If an internal auditor is engaged to audit the activities they had previously provided consulting work on, steps must be taken to minimize the effects of such impairment to independence and objectivity. This might be accomplished, for example, by assigning different staff members than those involved in the consulting assignment to perform the assurance engagement.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Example 2.3-1 solution

No, Jodi should not accept this assignment. Her objectivity has been affected by the strong opinions she formed during her previous work experience, and she has a personal conflict of interest (Standard 1120). If she took part in the audit, she could neither practically nor ethically ignore the information available to her from her previous assignment. Her strong opinions from the previous work experience would prevent her from performing her internal audit engagement in an unbiased and impartial way. She would not have the appearance of objectivity, and, if she used the information from her previous assignment in the audit, she would lose personal credibility with the department for which she had performed the work. In addition, since Jodi continues to provide a variety of consulting services to this company, she has a personal conflict of interest, which could impair her ability to perform the internal audit engagement objectively.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

2.4 Proficiency and due professional care

Learning objective

Identify the main standards for proficiency and due professional care in internal auditing. (Level 1)
Required reading

Reading 2-1, Attribute Standards 1200 to 1230 (Level 1) Reading 2-8, Practice Advisory 1210-1: Proficiency (Level 1) Reading 2-9, Practice Advisory 1220-1: Due Professional Care (Level 1) Online reading 1.8-2 , The IIA Code of Ethics (Level 1)
LEVEL 1

Standards for professional proficiency

Standard 1200 requires that engagements must be performed with proficiency and due professional care. To achieve this requirement, specific supporting standards were developed for both internal audit departments and internal auditors. These are set out in Standards 1200 to 1230 of Reading 2-1. These standards and the related Practice Advisory, PA 1210-1 (Reading 2-8), address various areas including staffing requirements, collective knowledge and skills, and supervision of internal audit assignments. The Standards require that the internal audit department provide assurance that the technical proficiency and educational background are appropriate and that the department possesses or obtains the knowledge, skills, and discipline needed to carry out its audit functions. The department must have the appropriate skills in the discipline of internal auditing and recognize the extent to which it possesses other skills necessary for specific assignments. Example 2.4-1 illustrates this point.

Example 2.4-1: The importance of proficiency

If the internal audit department of a hydro-electric utility conducted an effectiveness audit of the utilitys management of the risk of breach or failure of any of its major hydro-electric dams, it is unlikely that anyone within the department would have the competence to evaluate the performance of the utilitys dam safety efforts. The department would need to obtain outside services from acknowledged experts in the subject matter of the audit (in this instance, in dam safety). Actual audits of this type use resources from organizations such as the U.S. Army Corps of Engineers, who are internationally renowned as experts in this subject. The audit department staff supplies the auditing methodology; the subject matter experts supply the specific knowledge needed to assess technical performance. The Standards also require that the personnel conducting the audit be appropriately supervised.

To comply with the standard on proficiency, individual internal auditors must meet the following requirements: Comply with the Code of Ethics and the Standards of the IIA. Have the knowledge and skills to perform internal audits in an efficient and effective manner, including sufficient oral and written communication skills. Understand human relations and maintain satisfactory relationships with auditees. Maintain their technical competence through continuing education. Exercise due professional care in performing their audits. The responsibility of the individual internal auditor with respect to knowledge is similar to that of the department: to have expertise in audit methodology and to recognize the limitations of his or her specific

subject knowledge. See Example 2.4-2 for an illustration of this concept.

Example 2.4-2: Knowledge of the internal auditor

Many natural resource companies in Canada have aboriginal relations departments, which provide advice and manage the companies interactions with the countrys various aboriginal groups. If an internal auditor were to undertake an audit of the effectiveness and efficiency of such a program without prior experience in that area, the auditor would almost certainly be violating the standards regarding knowledge, skills, and disciplines. The rapid growth of knowledge provides an obligation for professionals in all fields to maintain their technical competence through continuing education.

Due professional care

The Standards require that internal auditors exercise due professional care in carrying out audit work. Due professional care sets as a standard the care and skill that would be expected of a reasonably prudent and competent internal auditor in similar circumstances. Standard 1220 and PA 1220-1 (Reading 2-9) state that due professional care does not imply infallibility. However, it requires more than simply following rules. As well as a good understanding of the specific context, due professional care requires the auditor to exercise good judgment and have appropriate knowledge and skills. In exercising due care in specific situations, the auditor should consider the extent of work required to achieve the audit objectives, the relative significance of the matters reviewed, the adequacy and effectiveness of internal controls, and the cost of the audit work in relation to the potential benefits.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

2.5 Using outside service providers for internal audit work

Learning objective

Outline the main requirements of using outsourced or co-sourced resources in internal auditing. (Level 2)
Required reading

Reading 2-10, Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity (Level 2) Reading 2-11, The Role of Internal Auditing in Resourcing the Internal Audit Activity (Level 2) Reading 2-12, The Outsourcing Relationship (Level 2)
LEVEL 2

Outsourcing and co-sourcing internal audit services

One phenomenon of the past two decades was the increased use of outsourced and co-sourced resources by businesses. It arose from a belief that management would be better able to focus on core competencies and strategic plans if it was able to turn over (or outsource) ancillary activities to organizations whose core competence is to provide those services. In theory, this should result in economies of scale and greater flexibility. One of the areas that organizations considered outsourcing was internal audit, which is never considered to be a core competency of the business. Most internal audit departments do not always have the full range of resources necessary to undertake every audit within their audit plan. This is particularly true for operational audits, where the audit staff are often supplemented by subject matter experts who have operational experience in the department or with the activity being audited. Audit departments can draw such experts from a number of outside sources, known as co-sourcing. These include retired executives from the industry, retired staff from regulatory agencies, specialist audit consultants, and public accounting and consulting firms. It may be possible to obtain the services of staff from other companies in the same industry, as long as the companies are not competing (for example, highly localized industries). As shown in Example 2.4-1, a hydro-electric utility undertaking an operational audit of its dam safety program would not normally have auditors with expertise in this highly technical area within its internal audit department. The audit staff would provide the methodology and rely on outside consultants to provide the engineering expertise. In recent years, as businesses have come under increasing budgetary pressure, some companies have outsourced their complete internal audit function. However, other organizations have recently placed increased emphasis on corporate governance and have increased their internal audit staffing, supplemented with cosourcing for specialized audit services. The major public accounting firms have all established internal audit support practices. These firms will contract with clients to provide a complete internal audit service or specialized resources for specific audit engagements. The IIAs Guidance Task Force, which developed the current definition of internal auditing, recognized the reality of the use of outsourced resources and no longer includes the words within the organization in its definition. Practice Advisory 1210.A1-1 (Reading 2-10) sets out some guidelines to follow when outsourcing internal audit work. Reading 2-11 presents a useful summary of the types of outsourcing arrangements that are possible and important considerations in determining the extent of use of outsourced resources. Reading 2-12 identifies some risks of outsourcing in general, and provides guidance on how to manage relationships with outside service providers. Below are some advantages and disadvantages of using outside service providers for internal audit work.

Advantages of using outsourced resources

Outsourcing provides access to expertise that would not normally be available in-house, access to leading-edge practices, increased subject matter and geographical coverage, and increased flexibility. External expertise is often necessary in auditing areas such as the companys investments in derivatives because the area is relatively complex and few internal auditors are sufficiently knowledgeable about the risks, opportunities, and appropriate controls over such investments. It would not be cost-effective to train a staff auditor in this area or to recruit an auditor with the necessary expertise because the opportunity to use such training would be limited. Using external subject matter experts in this case makes sense. Outsourcing internal audit work to public accounting firms need not be excessively costly. It is often possible to schedule internal audit work to be done during the least busy times in the public accounting firms schedule. This may allow pricing well below the rates charged for external audits during the busiest times of year. Some public accounting firms have developed enterprise risk frameworks that can be used to identify business risk. An increasing number of clients are using these frameworks to help focus their audit activities. Staff from the firms who have developed the risk frameworks can provide training in the use of the frameworks to internal audit staff.

Disadvantages of using outsourced resources

The consultants will not be familiar with the company and its corporate culture and may not be familiar with the specific industry, so there will be a learning curve each time a new consultant begins an assignment. If outsourcing is used for routine, non-specialized assignments, the costs will usually be greater than the cost of employing a senior staff auditor. Even if costs are lower at the outset, costs may increase over time. Where a company relies extensively on external resources for internal auditing, they may have difficulty responding to urgent management requests. Departments that are largely internally staffed would be more able to redirect resources more easily in such situations.

Question: Should external auditors do internal audit work for the same company?
A specific concern arises when a company outsources its internal audit work to the same public accounting firm that carries out its external audit. For many years, the public accounting profession has maintained that the performance of consulting services to audit clients does not impair the independence of the auditor. In the United States, the American Institute of Certified Public Accountants drew up ethical guidelines that address the issue of the independence of auditors providing both internal and external audit services to the same client. Despite the guidelines, the reality of the conflict that could exist when the same public accounting firm provides both internal and external audit services arose as a major factor in the controversy surrounding the business failure of Enron (and ultimately the accounting firm of Arthur Andersen). Following these (and other) incidents of the late 1990s and early 2000s, the United States government passed the Sarbanes-Oxley Act of 2002 (SOX), which severely restricts the range of non-audit services that may be provided to public companies by their auditors, and limits outsourcing of internal audit services. In Canada, Bill 198, which became law in 2005, deals with virtually all of the same issues as Sarbanes-Oxley, including auditor independence. This has resulted in a reduction of full outsourcing of internal audit services and it has become more common for audit projects to be cosourced. Cosourcing occurs when a project team includes members of the organizations internal audit department and outside personnel; the latter usually act as subject matter experts with respect to the subject areas of the specific internal audit engagement.

The Institute of Internal Auditors has responded to the increased use of outsourced resources in two ways. In December 1997, it issued Statement 18 on the use of outside service providers. This statement recognizes the use of outside providers (including public accounting firms) and provides guidelines for their use. The main responsibilities of the chief audit executive are to assess the competence and objectivity of the outside service provider and to assess the scope and adequacy of the work performed.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

2.6 Managing the internal audit department

Learning objective

State the standards for the proper management of the internal audit department, including quality assurance. (Level 1)
Required reading

Reading 2-1, Attribute Standards 1300 to 1322 (Level 1) Reading 2-1, Performance Standards 2000 to 2070 (Level 1)
LEVEL 1

Quality assurance
The Attribute Standards require that the chief audit executive (CAE) develop and continually maintain quality assurance and improvement programs. These programs include the results of both internal and external assessments of the internal audit activities. If internal audit activities are carried out in full compliance with the Standards , the audit reports may contain the statement that the audit conforms with the International Standards for the Professional Practice of Internal Auditing. If full compliance is not achieved and the noncompliance affects the overall scope or operation of the internal audit activity, this fact must be disclosed to the CEO and the board. The Standards require the internal audit department to develop and implement a quality assurance program that includes both periodic internal and external quality assessments as well as ongoing internal monitoring. External assessments must be performed at least once every five years by a qualified, independent reviewer or review team from outside the organization. Failure to obtain such an external assessment within five years of the enactment of the requirement would be an example of noncompliance with the Standards , which would prevent the internal audit department from stating that their audits were conducted in accordance with the IIA Standards .

Management standards
The chief audit executive (CAE) is responsible for properly managing the internal audit activity so that it adds value to the organization. The CAE should ensure that the audit work meets the expectations of the internal audit department charter and those of the board and senior management. In addition, processes should be in place to employ the resources of the department effectively and efficiently and to ensure that work performed complies with the International Standards for the Professional Practice of Internal Auditing. There are seven supporting standards in the area of management of the internal audit department, as stated in Standards 2010-2070: The first three, Standards 2010-2030, deal with the need to plan the work of the department. Note the emphasis on risk-based assessment as a crucial process in effectively planning audit work schedules in Standard 2010. Standard 2040 requires that there be written policies and procedures to guide the audit staff. These are needed to ensure consistency of evaluation across the organization. Standard 2050 notes that the internal auditors cannot always determine the approach and methods used by the external auditors, but they can be aware of them and aim to carry out their audits so that the external auditors can rely on the work of the internal auditors, thus reducing

the amount of substantive work they would otherwise carry out themselves. It may be appropriate for the internal audit department to carry out some work to assist the external auditors in their annual audit. Standard 2060 requires the chief audit executive to report to senior management and the board on the internal audit's purpose, authority, responsibility, and performance relative to its plan. Such reporting must also discuss significant risk exposures and control issues, including fraud risks, governance issues, and other matters as requested. Standard 2070 requires an external service provider, who is providing internal audit services, to inform the client organization that the responsibility for maintaining effective internal auditing resides with the organization, not with the external service provider. The interpretation of this standard suggests that this responsibility can be demonstrated through a quality assurance and assessment program.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 2 summary
Internal auditing standards
This module introduces the Attribute Standards and Performance Standards for the practice of internal auditing. You should be able to apply the Attribute Standards and the first of the Performance Standards after studying this module. The standards on independence, objectivity, proficiency, and due professional care are covered. The module concludes with a look at using external service providers for some or all of the internal audit function. You will recognize when and how to refer to other professionals and experts.

Describe the attribute standards and the performance standards governing internal auditing and the key provisions of the Sarbanes-Oxley Act .
According to Attribute Standard 1000, [t]he purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards and approved by senior management and the board. The internal audit activity must be independent and internal auditors must be objective in performing their work. (Standard 1100) Engagements must be performed with proficiency and due professional care. (Standard 1200) There must be a quality assurance program in place to monitor the effectiveness of the internal audit activity. Such a quality assurance program must include internal and external quality assessments and internal monitoring. The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. (Standard 2100) Internal auditors must develop and document a plan for each engagement, including the engagements objectives, scope, timing, and resource allocations. (Standard 2200) Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagements objectives. (Standard 2300) Internal auditors must communicate the engagement results. The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. (Standard 2500) When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board. (Standard 2600)

Determine the purposes and content of an internal audit charter.

Organizations must have a formal internal audit charter to define and communicate the purpose, authority, and responsibility of the internal audit department.

This charter must be approved by senior management and the board. The charter must establish the position of the internal audit activity within the organization, set out the scope of its activities, and guarantee access to personnel and records.

Explain the importance of independence and objectivity in internal auditing and how they are achieved.
The standards for the practice of internal auditing require that the auditor be independent of the activities audited and be objective in issuing an opinion on those activities. The independence and objectivity of the internal auditor are enhanced by the following: The organizational status of the internal audit department (The chief audit executive must report functionally to the board.) The authority and responsibility given to internal auditors The degree of objectivity maintained by internal auditors Internal auditors must be objective when performing consulting engagements. Consulting engagements may enhance the auditors understanding of business processes or issues, which may be helpful in performing assurance engagements. Impairments to independence or objectivity should be brought to the attention of the management of the engagement client. Management must be responsible for accepting and implementing recommendations. Internal auditors must take care to ensure that they do not inappropriately assume management responsibilities.

Identify the main standards for proficiency and due professional care in internal auditing.
There are three main standards related to proficiency and due professional care: Internal auditors and internal audit departments must possess the knowledge, skills, and competencies needed to perform their individual responsibilities. Internal auditors must apply the care and skills expected of a reasonably prudent and competent internal auditor. Internal auditors must enhance their knowledge, skills, and competencies through continuing professional development.

Outline the main requirements of using outsourced or co-sourced resources in internal auditing.
Outsourcing arose from a belief that management would be better able to focus on core competencies and strategic plans and turn over (or outsource) ancillary activities to organizations with internal audit expertise. Outsourcing provides specialized techniques and expertise, as well as greater flexibility, compared to in-house staff. Major public accounting firms have all established internal audit support practices. These firms will contract to provide a complete internal audit service to their clients or provide specialized cosourced resources for specific audit engagements.

Advantages include the following: Access to expertise not available in-house Access to leading-edge practices Increased subject matter and geographical coverage Potential cost reductions Greater flexibility Disadvantages include the following: Consultants may be unfamiliar with the company, corporate culture, or specific industry. For routine, non-specialized assignments, costs will usually be greater than using internal staff. It may be difficult to respond to urgent management requests if the company relies too heavily on external contractors. Responsibilities of the chief audit executive when outside service providers are used include the following: The chief audit executive must assess their competency, independence, and objectivity in relationship to the specific engagement to be performed. The chief audit executive must agree on the scope of work with the outside service provider before work commences. The chief audit executive must ensure that the work done by the outside service provider complies with the appropriate professional standards. In addition, an external service provider of internal audit services must inform the client organization of its responsibility for maintaining an effective internal audit activity. This can be demonstrated with a quality assessment program.

State the standards for the proper management of the internal audit department, including quality assurance.
The chief audit executive must perform the following: Establish risk-based plans to determine priorities for the internal audit activity that are consistent with the organizations goals. Communicate the departments plans and resource requirements to senior management and the board for review and approval. Ensure that the resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. Establish policies and procedures to guide the internal audit activity. Share information and coordinate activities with other providers of assurance and consulting activities to ensure proper coverage and minimize duplication of efforts. Report periodically to the board relative to the approved plan. Establish a quality assurance and improvement program including both internal and external assessments. Communicate the results of external assessments to the board.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 2: Self-test
1. Multiple choice a. In which of the following areas would an internal auditor be required by IIA Practice Advisory 1210 to have proficiency when carrying out an audit of corporate governance processes? 1. 2. 3. 4. Computerized management information systems Management and financial accounting Internal auditing standards, procedures, and techniques Fundamentals of commercial law

b. Under which of the following situations would the type of annual bonus offered to the internal auditor be acceptable under the IIA standards concerning his or her objectivity? 1. The bonus is based on dollar recoveries from financial audits. 2. The bonus is based on expected future savings from audit recommendations. 3. The bonus is determined by the chief executive officer and approved by the audit committee of the board. 4. The bonus is based on the number of complaints received by the CEO about the work of the audit department. c. An internal auditor suspects that a cashier is lapping receipts (that is, covering up temporary or permanent misappropriation by delaying recording transactions). What is the first action that the internal auditor should take? 1. Immediately suspend the cashier, pending a fraud investigation. 2. Implement better controls over receipts and bank deposits so that such an activity is no longer possible. 3. Confront the cashier with his or her suspicions. 4. Report the matter to senior management. d. In drawing up a charter for a newly created internal auditing department, what is the most appropriate organizational status for the department? 1. The CAE should be a member of the audit committee of the board of directors. 2. The CAE should report to the controller. 3. The CAE should report to the president with guaranteed access to the audit committee of the board of directors. 4. The CAE should report to the partner responsible for the companys external audit with access to the companys administrative vicepresident, who would act as a liaison to senior management and the board of directors. e. The chief audit executive (CAE) provides a report at each quarterly meeting of the audit committee of the board. Senior management has requested that a copy of this report be provided to senior managers prior to the audit committee meeting so that issues can be resolved before the actual meeting where possible. How should the CAE react to this request? 1. The CAE should provide the report as requested.

2. The CAE should provide the report to management only after the audit committee meeting. 3. The CAE should not provide the report to management because this is an unacceptable limitation on the independence of the internal auditor. 4. The CAE should provide the report for information only, and consider any attempts by management to resolve issues prior to the committee meeting as unwarranted interference with the independence of the audit function. f. The definition of internal auditing and the IIA Standards set out which of the following as included in the nature of work of internal auditing? 1. Assessing effectiveness, efficiency, and economy of operations 2. Evaluating financial and operational controls 3. Evaluating and improving risk management, control, and governance processes 4. Performing financial, compliance, and operational audits Solution 2. CASE STUDY T2-1: Kenny Incorporated You have just been promoted to chief audit executive at Kenny Incorporated on the retirement of the previous incumbent. You are acutely aware of the importance of auditor independence and objectivity to the internal audit function. In your previous role as senior internal auditor, you were aware of several activities carried out by internal auditors that you believed could impair the actual or perceived objectivity and independence of your department. You have decided to write a memo to the controller on the matter. Your specific concerns relate to the following activities:

1. The bank statements of the corporation are reconciled each month as a regular assignment by one of the internal auditors. The corporate controller believes this strengthens internal controls because the internal auditor is not involved in the receipt and disbursement of cash. 2. An internal auditor evaluates all budget-to-actual variances each month, along with the associated explanations provided by the corporate controllers staff after consultation with the individuals involved. After completing the review, the auditor sends a memo to the appropriate staff indicating the action needed to address the variances. 3. The internal auditors are frequently asked to make accounting entries for nonroutine complex transactions before the transactions are recorded. The employees in the accounting department are not adequately trained to handle such transactions. In addition, this serves as a means of maintaining internal control over such transactions. 4. One of the auditors has recently been involved in the design, testing, and training of a new accounts receivable system. The auditor was asked to design the system because of her strong accounting and systems background and her knowledge of internal controls.
Required

Prepare the memo to the controller, covering each activity separately.

Solution

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 2 Solution 1
a. 1. Incorrect. This would be useful for some audits, but would not likely be required in an 2. Incorrect. This is required only when working extensively with financial records and 3. Correct . This is required for all internal audit engagements as set out in the first 4. Incorrect. The internal auditor should have an appreciation of the fundamentals of
commercial law, but need not be proficient in it. paragraph of Practice Advisory 1210-1. reports, which would not apply to this engagement. audit of governance processes.

b. 1. Incorrect. This might cause the auditor to bias the work plan towards financial audits based on the potential for cost recovery rather than other organizational priorities. 2. Incorrect. This might also bias the internal auditors selection of audit work. 3. Correct. This would not compromise the auditors objectivity. 4. Incorrect. Auditors should not be provided with incentives that might cause them to avoid conflict, even when such conflict is necessary for them to carry out their work in a professional manner. c. 1. 2. 3. 4. d. 1. Incorrect. The audit committee should be made up of non-executive members of the board of directors. 2. Incorrect. Usually reporting at the level of the controller would be inadequate to provide full independence, both when auditing financial controls and other operational areas. 3. Correct. This would provide the organizational status to enhance the independence and objectivity of the internal auditor. 4. Incorrect. The internal auditor should not report to the external auditor; in addition, the auditor should have direct access to the audit committee or to the board of directors. e. 1. Correct. The internal auditor should report both to senior management and to the audit committee. 2. Incorrect. The reports of the internal auditor should be discussed with management before they are issued. 3. Incorrect. This does not in any way compromise the auditors independence. 4. Incorrect. The Standards state that the auditor should discuss the reports with management before they are issued. f. 1. Incorrect. These are assessed in operational auditing, but are not part of the definition or the Standards . 2. Incorrect. These are part of the work of internal auditors, but are not part of the definition. 3. Correct. These are set out in the definition and in Performance Standard 2100. Incorrect. The internal auditor has no line responsibility. Incorrect. The auditor cannot implement controls only recommend them. Incorrect. This would be unwise without confirming the suspicions. Correct. This is the first thing that the auditor should do.

4. Incorrect. Although internal auditors do these types of audits, they are not part of the definition.

Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Self-test 2 Solution 2
CASE STUDY T2-1: Kenny Incorporated MEMORANDUM
DATE: TO: FROM: RE: October 10, 20X1 Controller Chief Audit Executive Independence and objectivity

In order to preserve our independence and objectivity, which are essential to our value to the organization, it is important that the internal audit staff maintain an impartial, unbiased, and objective attitude in the performance of our work. The IIA International Standards for the Professional Practice of Internal Auditing define objectivity as an unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Objectivity does not exist whenever internal audit staff audit the work that they or other members of the internal audit department have performed. I would be grateful, therefore, if you could reassign the following activities to members of your department, effective as soon as possible: 1. The preparation of bank reconciliations is an internal control over cash. In order to maintain objectivity, the internal auditor should not perform duties that would be evaluated as part of an independent verification of the effectiveness and efficiency of internal controls as this would violate Implementation Standard 1130.A1. This duty should be reassigned by the corporate controller while maintaining effective segregation of incompatible responsibilities. 2. Objectivity is impaired when an internal auditor makes managerial decisions such as directing actions in response to adverse variances. The audit department could be called upon to audit this process and there would be at least an apparent conflict of interest. 3. Internal auditors should not be involved in the record-keeping process. Auditors, therefore, should not make accounting entries as part of regular processing of transactions, even if these transactions are non-routine and complex, as this could put them in a position of auditing their own work in violation of Implementation Standard 1130.A1. Auditors should only recommend accounting entries arising from observations during an audit. 4. Objectivity is impaired if an internal auditor is called upon to evaluate a system for which the auditor played a significant role in developing the design and implementation. (This would violate Implementation Standard 1130.A1.) Testing of the internal controls of the system does not impair objectivity as this is part of assessing the effectiveness and efficiency of the controls.