IIA's CIA Challenge Exam Study Guide

Questions and Answers

What is the primary goal of the IIA's CIA Challenge Exam Study Guide student materials license agreement?

• To protect The IIA's copyright ownership of the Materials and define the user's rights for educational use. (correct)
• To grant the user rights to sell or sublicense the Materials for profit.
• To ensure the user passes the CIA exam.
• To allow unrestricted copying and distribution of the Materials.

According to the study guide, what assurance does reading the text provide regarding the CIA exam?

• It is legally binding professional advice.
• It is a good tool for study, but does not guarantee a passing score. (correct)
• It ensures the reader has access to actual exam questions.
• It guarantees a passing score on the CIA exam.

The IIA's CIA Challenge Exam Study Guide is consistent with which version of the Standards of the International Professional Practices Framework (IPPF)?

• The revised Standards of the IPPF introduced in July 2015, effective in 2017. (correct)
• The forthcoming Standards of the IPPF expected to be released in 2025.
• The original Standards of the IPPF introduced in 2010.
• The draft Standards of the IPPF released for public comment in 2016.

What does the IIA expect of its members regarding the copyright of its study materials?

Members must not violate the copyright by copying or sharing the materials. (C)

What overall aim does internal auditing have for an organization's governance, risk management, and control procedures?

To improve and add value to these procedures. (B)

Which of the following topics are covered in Part 1 of The IIA’s CIA Challenge Exam Study Guide?

Foundations of internal auditing, independence, objectivity, quality assurance, governance, risk, and fraud risks. (A)

What is the primary purpose of Section A in Part 1 of The IIA's CIA Challenge Exam Study Guide?

Cover the foundations of internal auditing, including the IPPF, audit charter, and the difference between assurance and consulting services. (B)

What does the 'Mission of Internal Audit' within the IPPF articulate?

What internal audit aspires to accomplish in an organization. (A)

How does the Mission of Internal Audit in the IPPF align with the expectations of stakeholders?

By requiring that the services be risk-based and objective. (B)

What are the three general types of activities through which internal audit increases and protects organizational value?

Assurance, advice, and insight. (C)

What is the primary purpose of assurance work performed by internal audit activities?

To communicate to stakeholders that management has deployed appropriate activities to achieve objectives and is managing risks effectively. (C)

How are advisory engagements (consulting engagements) designed?

To provide advice and insight to the organization in a proactive, customer-driven approach. (B)

What role do the Core Principles for the Professional Practice of Internal Auditing play within the IPPF?

They serve as fundamental propositions that form the basis for the Code of Ethics and the Standards. (B)

Which of the following is an example of a potential negative consequence of an internal audit activity failing to demonstrate integrity?

The internal audit activity may lose the trust placed in it and consequently its credibility to provide independent and objective assurance and advice. (B)

What is the focus of the Definition of Internal Auditing according to the text?

To clarify the role and depth of internal auditing by highlighting its independence, objectivity, consulting role, value addition, organizational focus, systematic approach, and role in governance and risk management. (A)

According to the definition, what distinguishes internal auditing from external auditing?

Internal auditing serves management and the board, while external auditing serves third parties requiring reliable financial information. (B)

Why is it important to comply with laws, regulations, standards, policies, or procedures?

To determine whether or not an organization is adhering to a specified law, regulation, standard, policy, or procedure, and the results are reported as such. (B)

What are the two main categories that the Standards comprise?

Attribute Standards and Performance Standards. (B)

What is the role of the internal audit charter as described in the text?

It records the agreed-upon purpose, authority, independence and objectivity, reporting structure, and responsibility of an organization’s internal audit activity. (D)

What key responsibilities does the chief audit executive (CAE) have as described in the text?

The creation of the internal audit charter and with the task of reviewing and presenting the audit charter for board approval periodically. (B)

What role does the board play in relation to the internal audit activity?

The board is responsible for directing and/or overseeing the organization’s activities and hold senior management accountable. (A)

What should the CAE do before writing or revising the internal audit charter?

Review the IPPF to refresh understanding of the Mission of Internal Audit and the elements that must be included in the charter, which are governed by Standard 1010. (B)

What does the “Authority” section of an internal audit charter typically specify?

The internal audit activity’s full access to the records, physical property, and personnel required to perform engagements. (B)

What is the purpose of an ‘Independence and Objectivity’ section within the internal audit charter?

To describe the importance of internal audit independence and objectivity and how these will be maintained. (A)

What do assurance services involve?

An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. (B)

How are consulting services generally initiated?

They are generally performed at the specific request of an engagement client. (B)

How does the text define training consulting engagements?

These engagements are educational in nature and might include: Training on governance, risk management, and internal control; benchmarking internal areas with comparable areas of similar organizations to identify best practices; post-mortem analysis. (A)

How does the text define facilitative consulting engagements?

These engagements might include: Facilitating an organization’s risk assessment process; facilitating management’s control self-assessment; facilitating a task force charged with redesigning controls and procedures for a new or changed area; acting as a liaison between management and independent outside auditors, government agencies, vendors, and contractors on control issues. (D)

What should be ensured if assurance and consulting services are blended?

That there are no conflicts of independence, objectivity, or otherwise with regard to roles and responsibilities. (B)

What is the overarching purpose of the IIA's Code of Ethics?

To promote an ethical culture in the profession of internal auditing. (C)

How is integrity described in the Code of Ethics?

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. (C)

What does the Code of Ethics say about internal auditors and illegal activity?

They shall knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or to the organization. (B)

How is objectivity described in the Code of Ethics?

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. (D)

How is confidentiality described in the Code of Ethics?

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. (C)

How is competency described in the Code of Ethics?

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. (A)

What is the definition of Independence according to the IPPF glossary?

The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. (B)

Who does The IIA recommends that the CAE report administratively to?

Recommends that the CAE report administratively to the CEO, indicating that the CAE is in a senior position with the authority to perform duties unimpeded. (C)

Flashcards

Mission of Internal Audit

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Core Principles for the Professional Practice of Internal Auditing

Demonstrates integrity. Demonstrates competence and due professional care. Is objective and free from undue influence (independent). Aligns with the strategies, objectives, and risks of the organization. Is appropriately positioned and adequately resourced. Demonstrates quality and continuous improvement. Communicates effectively. Provides risk-based assurance. Is insightful, proactive, and future-focused. Promotes organizational improvement.

Definition of Internal Auditing

An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Standards

Statements of core requirements for the professional practice of internal auditing and the evaluation of performance effectiveness that are internationally applicable at organizational and individual levels; Interpretations that clarify terms or concepts within the Standards.

Attribute Standard 1000

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework.

Internal audit charter

A critical document that records the agreed-upon purpose, authority, independence and objectivity, reporting structure, and responsibility of an organization’s internal audit activity.

Chief audit executive (CAE)

A person in a senior position responsible for effectively managing the internal audit activity

The board

The highest level governing body charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable.

Attribute Standard 1010

The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter.

Assurance services

An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

Consulting services

Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor.

Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

Implementation Standard 1110.A1

The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Attribute Standard 1111

The chief audit executive must communicate and interact directly with the board.

Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Impairment to Independence

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties.

Implementation Standard 1130.A1

Internal auditors must refrain from assessing specific operations for which they were previously responsible.

Attribute Standard 1200

Engagements must be performed with proficiency and due professional care.

Implementation Standard 1220.A1

Internal auditors must exercise due professional care by considering the extent of work needed to achieve the engagement’s objectives.

CAE Responsibilities

The CAE manages the internal audit to make sure rules and standards are in place to help auditors perform

Attribute Standard 1210

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.

Study Notes

• The below notes summarize the text
• They are intended for use as study material

License Agreement

• Using The IIA’s CIA Challenge Exam Study Guide means agreeing to its license terms
• The IIA owns the copyright to the study guide
• The user can only use it for educational purposes after paying the fee
• The user cannot copy, print, sell, sublicense, loan, or distribute the materials

Study Guide Purpose

• The IIA's CIA Challenge Exam Study Guide uses parts of the Certified Internal Auditor (CIA) syllabus
• Program developers do not have access to the exam questions themselves
• Using the study guide does not guarantee a passing score on the CIA exam
• The information is current and correct to the best of their knowledge
• The materials are not intended to offer legal or professional services or advice
• The material aligns with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, which went into effect in 2017

Copyright Notice

• Copying any part of these materials is illegal

Acknowledgements

• The IIA thanks subject matter experts for their contributions to the study guide's development and updates

Part 1: Essentials of Internal Auditing

• Internal auditing aims to improve governance, risk management, and control procedures for organizations
• Part 1 covers the fundamentals of internal auditing
• Section A focuses on the International Professional Practices Framework, internal audit activity's purpose, authority, responsibility, audit charter requirements, and differences between assurance and consulting
• Section B discusses independence and objectivity
• Section C covers proficiency and due professional care
• Section D describes quality assurance and improvement programs
• Section E examines organizational governance and risk and risk management within an audit activity charter
• Section F highlights fraud risks and related controls

Section A: Foundations of Internal Auditing

• The section aims to help with the following:
• Applying ethical, practical, and legal standards, including The IIA’s Code of Ethics, International Standards, Practice Advisories, and relevant laws
• Explaining the International Professional Practices Framework categories of guidance
• Explaining the Mission of Internal Audit
• Describing the Core Principles for the Professional Practice of Internal Auditing
• Defining internal auditing
• Describing compliance with The IIA’s Code of Ethics
• Explaining how to document, communicate, and approve the purpose, authority, and responsibility for an internal audit activity
• Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan

The Framework

• The IIA uses the International Professional Practices Framework (IPPF) (aka the "Red Book") to organize its guidance
• The IPPF helps practitioners and stakeholders respond to the need for high-quality internal auditing
• The IPPF includes mandatory and recommended guidance
• Mandatory guidance includes:
  • The Mission of Internal Audit
  • Core Principles for the Professional Practice of Internal Auditing
  • The Definition of Internal Auditing
  • The Code of Ethics
  • The International Standards for the Professional Practice of Internal Auditing (the Standards)
• Recommended guidance includes Implementation Guidance and Supplemental Guidance
• Recommended guidance is endorsed by The IIA, but it is not mandatory, and seeking expert advice is advised for specific situations

Mission of Internal Audit

• The Mission of Internal Audit outlines what internal audit wants to achieve
• It shows how to use the IPPF to reach the Mission
• The Mission requires services to be risk-based and objective to meet stakeholder expectations
• The risk basis helps protect organizational value, and objectivity enables the internal audit activity to succeed
• Internal audit focuses on increasing the organization’s value through:
  • Assurance
  • Advice
  • Insight
• Assurance tells stakeholders that management:
  • Uses the right activities to meet goals
  • Manages risks
  • Will implement risk mitigation and improvements
• Advice comes from advisory (consulting) engagements, providing proactive advice
• Insight is given through:
  • Assurance and advisory reports
  • Committee and task force participation
  • Meetings
  • Board and progress reporting

Core Principles

• The Principles are basic elements describing internal audit effectiveness regarding the Mission of Internal Audit
• They support the Code of Ethics and the Standards
• Core Principles include:
  • Demonstrates integrity
  • Demonstrates competence and due professional care
  • Is objective and free from undue influence (independent)
  • Aligns with the strategies, objectives, and risks of the organization
  • Is appropriately positioned and adequately resourced
  • Demonstrates quality and continuous improvement
  • Communicates effectively
  • Provides risk-based assurance
  • Is insightful, proactive, and future-focused
  • Promotes organizational improvement
• Each Principle applies to the auditor, the audit activity, or both
• All Principles must be in place for the audit to be effective
• Failure to achieve a Principle suggests the activity is not as effective as it could be

Consequences of Not Demonstrating Core Principles

• Consequences include:
  • Loss of trust and credibility if integrity is not demonstrated
  • Insufficient risk assessments and engagement plans if competence and due professional care are lacking
  • Management and board mistrusting observations if objectivity and independence are compromised
  • Wasting resources if alignment with strategies, objectives, and risks is missing
  • Lack of action from management and difficult reporting if positioning and resources are inadequate
  • Errors and unreliable work if quality and improvement are absent
  • Inability to obtain resources and communicate results effectively
  • Lack of confidence in controls if risk-based assurance is not provided
  • Missing emerging risks if lacking insight, proactivity, and future focus
  • Limited value added if failing to promote organizational improvement

Definition of Internal Auditing

• The Definition helps understand internal auditing's role
• Internal auditing is:
  • An independent, objective assurance and consulting activity
  • Designed to add value and improve an organization’s operations
  • Helps an organization achieve its objectives
  • Uses a systematic, disciplined approach
  • Evaluates and improves risk management, control, and governance
• Independence allows freedom in determining audit scope and communicating results
• Objectivity ensures unbiased analysis and recommendations
• Consulting offers proactive advice
• Adding value articulates the expectation that the internal audit activity will add value to the organization
• Focusing on objectives requires understanding strategic goals
• The systematic and disciplined approach results from being a standards-based profession
• Internal auditors play a broad role in governance and risk management

Internal vs External Auditors

• Internal auditing differs from external auditing
• External auditors attest to financial reports for third parties
• External audits are historical and help investors make decisions
• Compliance reviews check adherence to laws and policies
• Regulators audit compliance with specific regulations and overall safety
• Government auditors assure program requirements and performance

The Standards

• The Standards:
  • Are a set of principles-based, mandatory requirements
  • Include statements of core requirements for internal auditing
  • Include interpretations that clarify terms
• The Standards comprise two main categories:
  • Attribute Standards (address the attributes of organizations and individuals)
  • Performance Standards (describe internal auditing and provide quality criteria)
• Attribute and Performance Standards apply to all services
• Implementation Standards apply to assurance (.A) or consulting (.C) services
• "Must" indicates an unconditional requirement, while "should" expects conformance unless circumstances justify deviation

Purpose, Authority, and Responsibility

• Standard 1000 needs the purpose, authority, and responsibility of internal audit activity to be in an audit charter
• The charter should align with the Mission of Internal Audit and mandatory IPPF elements
• The CAE reviews the charter periodically and presents it for approval
• The purpose is to provide risk-based assurance, advice, and insight
• The aim is to support objectives and evaluate governance, risk management, and control
• The goal is to determine if processes are in place and working
• Communication is key for improvements or risk exposures
• Authority includes access to records, personnel, and properties
• It involves open access with the audit committee/board
• It entails securing resources to achieve audit objectives
• Responsibility requires documenting objectives and scope
• Internal audit activity staff need the right skills and certifications
• Results are communicated to senior management/the board
• Coordinating internal and external audit work is important
• Performing management activities is not part of the role
• The internal audit charter is a document outlining purpose, authority, independence, reporting, and responsibility
• The chief audit executive (CAE) manages the internal audit activity
• The CAE creates and reviews the audit charter for board approval
• CAE duties are the duties of the internal audit activity as a whole
• The CAE reports to the board
• The board oversees the organization and holds senior management accountable

Internal Audit Charter Requirements

• The internal audit charter is a recognized statement of purpose and is reviewed by the board and management
• The CAE reviews the IPPF before writing/revising the charter
• Standard 1010 requires recognizing the mandatory guidance in the charter
• The CAE discusses the Mission of Internal Audit and mandatory IPPF elements with management and the board
• The CAE and the board agree on the frequency of review
• The CAE can use language from applicable standards in the charter
• Once adopted, the CAE monitors the IIA’s Mandatory Guidance

Elements of the Internal Charter

• The charter:
  • Explains the internal audit activity's role and professionalism
  • Cites the IPPF
  • Specifies access to records, property, and personnel
  • Covers organization and reporting structure
  • Describes independence and objectivity
  • Lays out areas of responsibility
  • Includes expectations for a quality assurance and improvement program
• Signatures document agreement among the CAE, board representative, and administrative reporting individual

Assurance vs Consulting Services

• Internal auditors offer assurance and consulting services
• Assurance services objectively examine evidence to assess governance, risk management, and control
• Consulting services advise and improve governance, risk management, and control
• Implementation Standards reference these services
• Assurance services assess evidence to provide an opinion
• In assurance, there is:
  • The client involved with the subject matter
  • The internal auditor making the assessment
  • The user/stakeholder using the assessment
• Consulting services are advisory and requested by a client
• In consulting, there is:
  • Internal auditor offering advice
  • The client seeking advice
• Consulting can improve governance, risk management, controls, and compliance
• Consulting types:
  • Advisory (control design, policy development, risk management)
  • Training (governance, risk management, and internal control training)
  • Facilitative (risk assessment, control self-assessment)
• Consulting includes process improvement, risk assessment, control review, and training
• Consulting should not circumvent assurance needs
• Services can shift from assurance to consulting
• Assurance and consulting can be blended, but there cannot be conflicts of interest

IIA Code of Ethics Conformance

• The IIA's Code of Ethics promotes ethical culture
• It includes principles and rules of conduct
• The Code applies to all providers of internal audit services
• The CAE should uphold the Code
• Unmentioned conduct may still be unacceptable
• Integrity establishes trust
• Rules of Conduct require honesty, lawfulness, and respect for the organization
• The CAE cultivates integrity
• Individual auditors are expected to tell the truth
• Objectivity requires balanced assessment
• Rules of Conduct prohibit biased assessments
• The CAE creates policies addressing conflicts of interest
• Standardized approaches can assist with ensuring objectivity
• Confidentiality protects information
• Rules of Conduct require prudence and lawful information use
• Organizations have information security policies
• The CAE consults legal counsel
• Policies and procedures guide information release
• Auditors are responsible for practicing confidentiality
• Competency involves applying knowledge and skills
• Rules of Conduct require engaging in services within one's expertise
• The CAE ensures the internal audit activity's competency
• Individual auditors must conform to competency principles
• The CAE inventories and aligns skills
• The CAE addresses deficiencies through training and mentorship
• Auditors should regularly assess themselves
• Auditors gain insight and development through education and supervised work

Section B: Independence and Objectivity

• Section B is designed to help with the following:
  • Defining independence and objectivity
  • Interpreting organizational independence
  • Explaining the importance of independence
  • Explaining reporting relationships
  • Identifying impairments to independence
  • Assessing and maintaining objectivity
  • Analyzing policies that promote objectivity

Organizational Independence

• Independence allows unbiased engagements and reliable recommendations
• Standard 1110 says that The CAE must report to a level allowing internal audit activity to fulfill its responsibilities
• The CAE must confirm organizational independence to the board annually
• Independence frees the internal audit activity from conditions that threaten unbiased work

Functional Reporting

• Independence is achieved when the CAE reports functionally to the board Reporting to the board involves:
• Approving the internal audit charter
• Approving the risk-based internal audit plan
• Approving the internal audit budget and resource plan
• Receiving communications from the CAE on the internal audit activity’s performance
• Evaluation and compensation of the CAE
• Appointment and removal of the CAE
• The internal audit activity must be free from interference in determining scope, performing work, and communicating results
• Functional oversight requires the board to permit independent internal audit activity
• IIA recommends the CAE reports administratively to the CEO
• CAE should have unrestricted access to report issues to the highest governance level
• The CAE, board, and senior management discuss internal audit's responsibility and reporting lines
• The internal audit charter reflects these decisions

Direct Interaction With the Board

• The CAE must communicate and interact directly with the board
• Access allows the CAE to absorb business developments and raise issues early
• Conducting a private meeting is formally conducted annually
• The board and senior management set the tone of internal audit activity
• The internal audit activity must be independent, while auditors must be objective
• Objectivity needs an unbiased mindset
• Objectivity maintains impartiality and avoids conflicts of interest
• The CAE ensures staff can make objective judgments
• One strategy is to consult with others in internal audit activity
• Handbook describes expectations for an unbiased mindset
• Workshops or training are held on fundamental concepts

CAE Roles

• The IIA recommends the CAE not have operational responsibilities
• If the CAE has other responsibilities, the CAE typically discusses independence concerns with the board and senior management
• Documenting the safeguards demonstrates conformance

Ensuring Independence and Objectivity

• Ensuring Independence and Objectivity in Small Audit Activities can be challenging due to structure or the newness of the activity
• The IIA suggests the following approaches to addressing this challenge:
  • The CAE must maintain open communications with the board and senior management regarding the critical need for auditor independence and objectivity
  • CAE should provide alternatives for how those areas might be audited
  • Engagements should be performed with objectivity in mind
  • The CAE must disclose that fact in the audit report, including the reasons and the related impact

Impairments to Independence

• Disclosure empowers customers to rely (or not rely) on audit results
• This must be disclosed before accepting consulting engagements
• Examples of independence/objectivity impairments:
  • Personal conflict of interest
  • Scope limitation
  • Restrictions on access
  • Resource limitations
  • Assurance services provided after consulting engagement
• To fully understand and appreciate independence and objectivity, it is important that internal auditors consider the perspectives of their various stakeholders and the conditions that could be perceived as undermining it
• Examples of organizational independence impairments include the following(can undermine objectivity):
  • The CAE has broader responsibility and audits functional areas under their oversight
  • The CAE’s supervisor has broader responsibility, and the CAE executes an audit within their supervisor’s oversight
  • The CAE does not have direct communication with the board
  • The budget prevents internal audit from fulfilling its responsibilities
• If the CAE has broader functional responsibility than internal audit and executes an audit of a functional area that is also under the CAE’s oversight, audits in an area be overseen by a party outside the internal audit activity.

Addressing Concerns

• Internal auditors address impairments by discussing the situation with a manager or the CAE
• Disclosure of impairments is dependent on the expectations of the internal audit activity and the CAE responsibilities to senior management and the board as described in the internal audit charter as well as the nature of the impairment
• The CAE should have a clear understanding of independence and objectivity requirements

Individual Internal Auditor’s Objectivity

• The internal audit activity should monitor and promote objectivity for individual internal auditors.
• Policies decisions made by the CAE greatly affect objectivity, such as compensation and promotion policies

Assessing and Maintaining Objectivity

• CAE will first want to understand policies or activities within the organization and internal audit that could enhance or hinder objectivity
• Objectivity is presumed to be impaired if providing assurance services for an activity an internal auditor had responsibility over the previous year

Impartiality

• Impartiality is a key element of individual objectivity
• To follow standards, CAE or audit managements may choose to discuss team assignments, including individuals and departments involved, so the CAE can explore conflicts of interest
• Evidence of compliance includes:
  • Training records
  • Acknowledgment forms
  • Engagement workpapers

Policies Promoting Objectivity

• To fully understand and appreciate independence and objectivity, internal auditors should consider the perspectives of their various stakeholders
• The IIA Model Charter sets out baseline policies and expectations on maintaining objectivity
• The CAE develops an internal audit policy manual
• Categories of threats to objectivity include:
  • Self-review
  • Social pressure
  • Major economic interest
  • Personal relationship
  • Familiarity
  • Cultural, racial, and gender biases
  • Cognitive biases

Section C: Proficiency and Due Professional Care

• Section C is designed to help the reader to:
  • Identify and describe the required knowledge, skills, and competencies for an internal audit activity and how an organization develops and/or procures them
  • Identify and describe the required knowledge, skills, and competencies that meet the requirements for an individual internal auditor to perform his/her individual responsibilities
  • Explain how to exercise due professional care in an internal audit activity
  • Describe the importance of professional development and formal certification for internal auditors
  • Explain how an individual internal auditor’s competency is demonstrated through continuing professional development

Knowledge, Skills, and Competencies

• Skills, knowledge, and competencies important to the profession of internal audit must be developed and maintained or sourced from an external provider

Internal Audit Knowledge, Skills, and Competencies

• Due professional care requires that the internal audit activity can rely on all internal auditors to apply the care and skill of a reasonably prudent and competent and auditor
• The activities encompass:
  • Current activities
  • Trends
  • Emerging issues
• The CAE may help ensure the internal audit activity’s overall proficiency in this regard
• Individual proficiency is usually developed throughout an auditor’s career
• Auditors must be aware of the continuing education requirements
• For internal auditors, due professional care requires compliance with the IIA’s Code of Ethics
• The CAE establishes policies and procedures for internal auditors to perform engagements with proficiency and due professional care as part of managing the internal audit activities
• The IIA’s Global Internal Audit Competency Framework may be used to establish the criteria to assess the proficiency of internal auditors
• The CAE generally thinks about the alignment between the knowledge, skills, and other competencies needed to complete the internal audit plan and the resources available among the internal audit activity and other providers of assurance and consulting services
• Conformance can include:
  • Competency assessments of the internal audit activity
  • Records of recruitment and training strategy, job descriptions, and resumes.
  • Internal policies and procedures and workpaper templates
  • Evidence that policies and procedures were communicated and signed acknowledgment
  • Annual declaration of The IIA’s Code of Ethics and the code of conduct
  • Engagement plans, demonstrating allocation of staff

Knowledge and Competency

• Internal Auditors can show that they possess the knowledge and competencies required
• Organizations and individuals may use competency assessment tools to identify missing competencies

Demonstrating Proficiency

• Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications
• In order to follow standards, CAE or audit managements may look into details of upcoming assignments with potential team members, including individuals and departments involved, so the CAE can explore conflicts of interest