AUI3702_summary_notes.

Topic 1: IPPF requirements and guidance for performing tests of controls Code of ethics & The rules of conduct The purpose of the IIA Code of Ethics is to promote an ethical culture in the internal audit profession. Internal auditors should strive to comply with these principles to earn the trust of those who rely on their services.  Integrity o Perform work with honesty, diligence and responsibility o Observe the law and make disclosures expected by law or the profession o Not be part of illegal activity or acts discreditable to the profession or the organisation o Respect and contribute to legitimate and ethical objectives of the organisation  Objectivity o Not participate in any activity or relationship which may impair unbiased assessment or which is in conflict with the interests of the organisation o Not accept anything which may impair professional judgement o Disclose all known material facts that, if not disclosed, may distort the reporting of activities under review  Confidentiality o Be prudent in the use and protection of information acquired o Not use any information for personal gain and/or that is contrary to the law or detrimental to the organisation  Competency o Engage only in those services for which they have the necessary knowledge, skills and experience o Perform internal audit services in accordance with the Standards o Continually improve proficiency and the effectiveness and quality of services INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING The Standards are mandatory requirements consisting of:  statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance which are internationally applicable at organisational and individual levels  interpretations, which clarify terms or concepts within the statements The purpose of the Standards is to  delineate basic principles that represent the practice of internal auditing  provide a framework for performing and promoting a broad range of value-added internal auditing services  establish the basis for the evaluation of internal audit performance  foster improved organisational process and operations The difference between attribute and performance standards is that attribute standards cover the attributes of organisations and individuals performing internal auditing while performance standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. ATTRIBUTE STANDARDS 1000 – Purpose, Authority and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program The key concepts to focus on when studying the Attribute Standards are  the internal audit charter  assurance and consulting services  organisational independence  individual objectivity  proficiency  due professional care  ongoing monitoring 1 AUI3702_summary_notes.  using the statement “Conforms with the International standards for the Professional Practice of Internal Auditing” PERFORMANCE STANDARDS 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Senior Management’s Acceptance of Risks The key concepts to focus on when studying the Performance Standards are  adding value  effectively managing the internal audit activity  risk-based planning  resource management  coordination of activities with other assurance providers  using a systematic and disciplined approach  assessing and improving governance processes  evaluating and improving risk management processes  assist in maintaining effective controls  engagement planning  establishing engagement objectives  engagement scope  resources allocation  work programmes  identifying sufficient, reliable, relevant and useful information  analysing and evaluating engagement results  documenting information  supervision  communicating results  disseminating results  monitoring progress  resolution of senior management’s acceptance of risks Attribute standards: Concept Standard Interpretation/Implementation The internalaudit 1000 •The internalaudit charter should clearly state the internal charter auditor’s responsibility and authority to conduct tests ofcontrols within the organisation.•The charter should authorise access to records,personneland physical properties relevant to performing tests of controls.•Iftests of controls resultinassurances to be provided to partiesoutside the organisation, thecharter must define the nature of these assurances. Assurance& 1000 •The nature of assurance and consulting services consultingservices involving tests of controls should be defined in thecharter. (For a betterunderstanding of the difference between assurance and consulting services, read the section “Assurance and Consulting Services”in Reding et al, chapter 2.) Organisational 1110 •When testing controls, the internal audit activity must be 2 independence free from interference when determining the scope ofsuch testing, the procedures applied to do the testing and communicating the results of such testing.•To accomplish this,the chief internal auditor should report to a levelwithin the organisation that allows the internalaudit function to accomplish its responsibilitiesand have direct interaction with the board and auditcommittee. Individualobjectivity 1120 •An internal auditor should have no conflicting intereststhat may influence or mayappear to be influencing hisor her ability to performtests of controls objectively. Impairment to independence and/orobjectivity 1130 •If independence or objectivity isimpaired in fact orappearance, the details of the impairment (i.e. conflictofinterest, scope limitation, restriction on access to records, personneland propertiesand resource limitations) must be disclosed to appropriate parties.•Internal auditors must refrain from performing tests ofcontrols as part of assurance engagements in areastheywere previously responsible for–atleast forone year. Proficiency 1210 • Internal audit activities and individual internal auditors involved in the testing of controls should possess the knowledge, skills and other competencies needed to conduct tests of controls. • Practice Advisory 1210-1 elaborates on the proficiency requirements for internal auditors. • Where an internal audit activity lacks competencies to conduct a specific assurance engagement, the competencies should be obtained elsewhere. • Internal auditors must have sufficient knowledge to evaluate the risk of fraud when performing tests of controls. • Internal auditors should have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. Due professional care 1220 • When performing tests of controls, the internal auditor should exercise due professional care by considering the - extent of work needed to achieve the engagement’s objectives - relative complexity, materiality or significance of matters to which testing procedures are applied - adequacy and effectiveness of governance, risk management and control processes - probability of significant errors, fraud or non-compliance - cost of controls/assurance provided in relation to the potential benefit • When performing tests of controls the internal auditor must consider the use of technology-based audit and other data analysis techniques. • Internal auditors must be alert to potential risks that might affect objectives, operations or resources when testing controls. • When performing tests of controls as part of a consulting engagement, internal auditors should consider - the needs and expectations of clients, including the nature, timing, and communication of engagement results - relative complexity and extent of work needed to achieve the engagement’s objectives - cost of the consulting engagement in relation to potential benefits