IA 2018 - 02 1

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK

Internal auditors provide professional services to a diverse set of MISSION OF INTERNAL AUDIT
organization ranging from publicly traded and private companies to “To enhance and protect organizational value by providing risk-based
government and not-for-profit entities. and objective assurance, advice, and insight.”
❖ Board of directors
❖ Senior Management MANDATORY GUIDANCE
❖ Financial and operating managers ❖ Conformance with the mandatory guidance is considered
❖ Investors essential.
❖ Creditors ❖ The guidance is developed following a rigorous due process,
❖ Regulators including a period of public exposure.
❖ Suppliers
❖ Customers CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF
INTERNAL AUDITING
THE HISTORY OF GUIDANCE SETTING FOR THE INTERNAL AUDIT ❖ Demonstrates integrity.
PROFESSION ❖ Demonstrates competence and due professional care.
❖ 1947 – first formal guidance, the Statement of the ❖ Is objective and free from undue influence (independent).
Responsibilities of the Internal Auditor (Statement of ❖ Aligns with the strategies, objectives, and risks of the organization.
Responsibilities) was issued. ❖ Is appropriately positioned and adequately resourced.
❖ 1957 – scope of the Statement of Responsibilities had been ❖ Demonstrates quality and continuous improvement.
broadened. ❖ Communicates effectively.
❖ The scope of internal audit activities continued to expand as the ❖ Provides risk-based assurance.
profession evolved over the years and the Statement of ❖ Is insightful, proactive, and future-focused.
Responsibilities was revised accordingly in 1971, 1976, 1981, and ❖ Promotes organizational improvement.
1990.
❖ 1968 – Issuance of Code of Ethics. THE DEFINITION OF INTERNAL AUDITING
❖ 1973 – implementation of Certified Internal Auditor certification ❖ Internal auditing is an independent, objective assurance and
program consulting activity designed to add value and improve an
❖ 1978 – The IIA issued the Standards for the Professional Practice organization's operations. It helps an organization accomplish its
of Internal Auditing (the 1978 Standards). objectives by bringing a systematic, disciplined approach to
❖ 1997 – the IIA established the Guidance Task Force evaluate and improve the effectiveness of risk management,
❖ 2006 – the Standards had become recognized globally, with control, and governance processes.
authorized translations in 32 languages
THE CODE OF ETHICS
THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK ❖ Purpose: Promote an ethical culture in the internal audit
❖ The only globally recognized guidance for the internal audit profession
profession. ❖ The Code of Ethics consists of two components: The
Principles and the Rules of Conduct
▪ Integrity – establishes trust and thus provides the basis for
reliance on their judgment
o Shall perform their work with honesty, diligence, and
responsibility.
o Shall observe the law and make disclosures expected by
the law and profession.
o Shall not knowingly be a party to any illegal activity, or
engage in acts that are discreditable to the profession of
internal auditing or to the organization.
o Shall respect and contribute to the legitimate and ethical
objectives of the organization.

Page 1 of 4

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
▪ Objectivity – not unduly influenced by their own interests or
by others in forming judgments
o Shall not participate in any activity or relationship that
may impair or be presumed to impair their unbiased
assessment.
o Shall not accept anything that may impair or be
presumed to impair their professional judgment.
o Shall disclose all material facts known to them that, if
not disclosed, may distort the reporting of activities
under review.
▪ Confidentiality – internal auditors respect the value and
ownership of information they receive and do not disclose
without appropriate authority unless there is a legal or
professional obligation to do so.
o Shall be prudent in the use and protection of
information acquired in the course of their duties.
o Shall not use information for any personal gain or in
any manner that would be contrary to law or
detrimental to the legitimate and ethical objectives of
the organization.
▪ Competency – internal auditors apply the knowledge, skills,
and experience in the performance of internal audit
services.
o Shall engage only in those services for which they have
the necessary knowledge, skills, and experience.
o Shall perform internal audit services in accordance with
the International Standards for the Professional
Practice of Internal Auditing.
o Shall continually improve their proficiency and the
effectiveness and quality of their services.
❖ The Code of Ethics applies to all individuals and entities that
provide internal audit services, not just those who are IIA
members or hold IIA certifications.
THE INTERNATIONAL STANDARDS FOR THE PROFESSIONAL
PRACTICE OF INTERNAL AUDITING
❖ Conformance with the Standards is essential in meeting the
responsibilities of internal auditors and the internal audit activity.
❖ The Standards applies to individual internal auditors and internal
audit activities.
❖ The chief audit executive is accountable for overall conformance
with the Standards.
❖ The purpose of the Standards is to:
▪ Guide adherence with the mandatory elements of the
International Professional Practices Framework.
▪ Provide a framework for performing and promoting a broad
range of value-added internal auditing.
▪ Establish the basis for the evaluation of internal audit
performance.
▪ Foster improved organizational processes and operations.
IA 2018 - 02 2
❖ Three types of Standards:
▪ Attribute Standards – attributes of organizations and
individuals performing internal auditing (1000 series)
▪ Performance Standards – nature of internal auditing and
provide quality criteria against which the performance of
these services can be measured (2000 series)
▪ Implementation Standards – expand upon the Attribute
and Performance standards
ASSURANCE SERVICES
User
Internal Auditor Auditee
CONSULTING SERVICES
Internal Auditor Customer
THE ATTRIBUTE STANDARDS
❖ PURPOSE, AUTHORITY AND RESPONSIBILITY (1000)
▪ The internal audit function must have a charter that clearly
states the function’s purpose, authority, and responsibilities
and specifies the nature of the assurance and consulting
services the function provides.
▪ The CAE must periodically review the internal audit charter
and present it to senior management and the board for
approval.
▪ Final approval of the charter is the responsibility of the
board.
❖ INDEPENDENCE AND OBJECTIVITY (1100)
▪ The internal audit must be independent, and internal
auditors must be objective in performing their work.
▪ Positioning the internal audit function at a high level within
the organization facilitates broad audit coverage and
promotes due consideration of engagement outcomes.
▪ Objectivity is a state of mind and is defined as freedom
from bias.
▪ Conflict of interest impairs independence and objectivity. It
is a situation in which an internal auditor, who is in a
position of trust, has a competing professional or personal
interest.
▪ Impairment to independence or objectivity indicates that, in
such instances, the CAE must disclose the details of the
impairment to appropriate parties.
Page 2 of 4
 IA 2018 - 02 3
THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
❖ PROFICIENCY AND DUE PROFESSIONAL CARE (1200) THE PERFORMANCE STANDARDS
▪ Proficiency – the knowledge, skills, and other competencies ❖ MANAGING THE INTERNAL AUDIT ACTIVITY (2000)
needed to fulfill internal audit responsibilities. ▪ The CAE is responsible for managing the internal audit
▪ Due Professional Care – the care and skill expected of a function and ensuring that the function adds value to the
reasonably prudent and competent internal auditor. organization.
▪ The Standards does not mandate a specific set of ▪ The internal audit activity is effectively managed when:
knowledge, skills and other competencies. o It achieves the purpose and responsibility included in
▪ The internal auditors must consider the following for the internal audit charter.
assurance engagements: o It conforms with the Standards.
o Its individual members conform with the Code of
o Extent of work needed to achieve the engagement’s
Ethics and the Standards.
objectives;
oIt considers trends and emerging issues that could
o Relative complexity, materiality, or significance of
impact the organization.
matters to which assurance procedures are applied; ❖ NATURE OF WORK (2100)
o Adequacy and effectiveness of governance, risk ▪ The internal audit activity must evaluate and contribute
management, and control processes; to the improvement of governance, risk management,
o Probability of significant errors, fraud, or and control processes using a systematic and disciplined
noncompliance; and approach.
o Cost of assurance in relation to potential benefits. ❖ THE ENGAGEMENT PROCESS
▪ The internal auditors must consider the following for ▪ Engagement Planning (2200)
consulting engagements: Performing the Engagement (2300)
o Needs and expectations of customers, including the Communicating Results (2400)
nature, timing and communication of engagement Monitoring Progress (2500)
results; ▪ The following standards apply when planning the internal
o Relative complexity and extent of work needed to audit engagement:
achieve the engagement’s objectives; and o Objectives must be established for each
o Cost of the consulting engagement in relation to engagement.
potential benefits. o The established scope must be sufficient to achieve
❖ QUALITY ASSURANCE AND IMPROVEMENT PROGRAMS (1300) the objectives of the engagement.
▪ Quality assurance and improvement program is designed to o Internal auditors must determine appropriate and
enable an evaluation of the internal audit activity’s sufficient resources to achieve engagement
conformance with the Standards and an evaluation of objectives based on evaluation of the nature and
whether internal auditors apply the Code of Ethics. complexity of each engagement, time constraints,
▪ The program assesses the efficiency and effectiveness of and available resources.
the internal audit and identifies opportunities for o Internal auditors must develop and document work
improvement. programs that achieve the engagement objectives.
▪ The CAE must develop and maintain a QAIP that covers all ▪ While performing the engagement, the internal audit
aspects of the internal audit function. function must:
▪ The CAE must communicate the results of the QAIP to o Identify sufficient, reliable, relevant, and useful
senior management and the board. information to achieve the engagement’s objectives.
▪ The QAIP must include both internal and external o Base conclusions and engagement results on
assessments. appropriate analyses and evaluations.
▪ Internal assessments must include: o Document relevant information to support the
o Ongoing monitoring of the performance of the internal conclusions and engagement results.
audit; and o Make sure the engagement is properly supervised.
o Periodic self-assessment or assessments of other ▪ Communications must include the engagement’s objectives
persons within the organization with sufficient and scope as well as applicable conclusions,
knowledge of internal audit practices. recommendations, and action plans.
▪ External assessments must be conducted at least once ▪ For assurance engagements, the CAE must ascertain that
every five years by a qualified, independent assessor or management actions have been effectively implemented or
assessment team from outside the organization.

Page 3 of 4
 IA 2018 - 02 4
THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
that the senior management has accepted the risk of not
taking action.
▪ For consulting engagements, the CAE must monitor the
disposition of results to the extent agreed upon with the
customer.

RECOMMENDED GUIDANCE
❖ Recommended guidance is endorsed by The IIA through a
formal approval process. It describes practices for effective
implementation of The IIA's Core Principles, Definition of
Internal Auditing, Code of Ethics, and Standards.
❖ Implementation Guides assist internal auditors in applying
the Standards. They collectively address internal auditing's
approach, methodologies, and consideration, but do not detail
processes or procedures.
❖ Supplemental Guidance provides detailed guidance for
conducting internal audit activities. These include topical areas,
sector-specific issues, as well as processes and procedures, tools
and techniques, programs, step-by-step approaches, and
examples of deliverables.

HOW THE INTERNATIONAL PROFESSIONAL PRACTICES

FRAMEWORK IS KEPT CURRENT
❖ The Professional Guidance Advisory Council is responsible for
coordinating the initiation, development, issuance, and
maintenance of the authoritative guidance that makes up the
IPPF.
❖ The Council comprises The IIA’s vice president of professional
practices and the chairs of The IIA’s four international technical
committees (Global Ethics Committee, International Internal
Audit Standards Board, the Professional Issues Committee, and
the Public Sector Committee).

References:
Internal Auditing Assurance & Advisory Services, Reding, Sobel, Anderson,
Head, Ramamoorti, Salamasick, Riddle
IPPF, The Institute of Internal Auditors

Page 4 of 4