Global Internal Audit Standards 2024 PDF
2024
Summary
This document provides the Global Internal Audit Standards for 2024. It details the principles and standards for internal audit roles, including ethics, competency, and professional care. It's a comprehensive framework for those in the internal audit field.
Full Transcript
©2024, The Institute of Internal Auditors. All Rights Reserved. For individual personal use only.

Published January 9, 2024

The Global Internal Audit Standards and related materials are protected by copyright law and are operated by The Institute of Internal Auditors, Inc. (“The IIA”). ©2024 The IIA. All rights reserved. No part of the materials including branding, graphics, or logos, available in this publication may be copied, photocopied, reproduced, translated or reduced to any physical, electronic medium, or machine-readable form, in whole or in part, without specific permission from the Office of the General Counsel of The IIA, [email protected]. Distribution for commercial purposes is strictly prohibited. For more information, please read our statement concerning copying, downloading and distribution of materials available on The IIA’s website at www.theiia.org/Copyright.

Contents

Acknowledgements
About the International Professional Practices Framework
Fundamentals of the Global Internal Audit Standards
Glossary
Domain I: Purpose of Internal Auditing
Domain II: Ethics and Professionalism
  Principle 1 Demonstrate Integrity
    Standard 1.1 Honesty and Professional Courage
    Standard 1.2 Organization’s Ethical Expectations
    Standard 1.3 Legal and Ethical Behavior
  Principle 2 Maintain Objectivity
    Standard 2.1 Individual Objectivity
    Standard 2.2 Safeguarding Objectivity
    Standard 2.3 Disclosing Impairments to Objectivity
  Principle 3 Demonstrate Competency
    Standard 3.1 Competency
    Standard 3.2 Continuing Professional Development
  Principle 4 Exercise Due Professional Care
    Standard 4.1 Conformance with the Global Internal Audit Standards
    Standard 4.2 Due Professional Care
    Standard 4.3 Professional Skepticism
  Principle 5 Maintain Confidentiality
    Standard 5.1 Use of Information
    Standard 5.2 Protection of Information
Domain III: Governing the Internal Audit Function
  Principle 6 Authorized by the Board
    Standard 6.1 Internal Audit Mandate
    Standard 6.2 Internal Audit Charter
    Standard 6.3 Board and Senior Management Support
  Principle 7 Positioned Independently
    Standard 7.1 Organizational Independence
    Standard 7.2 Chief Audit Executive Qualifications
  Principle 8 Overseen by the Board
    Standard 8.1 Board Interaction
    Standard 8.2 Resources
    Standard 8.3 Quality
    Standard 8.4 External Quality Assessment
Domain IV: Managing the Internal Audit Function
  Principle 9 Plan Strategically
    Standard 9.1 Understanding Governance, Risk Management, and Control Processes
    Standard 9.2 Internal Audit Strategy
    Standard 9.3 Methodologies
    Standard 9.4 Internal Audit Plan
    Standard 9.5 Coordination and Reliance
  Principle 10 Manage Resources
    Standard 10.1 Financial Resource Management
    Standard 10.2 Human Resources Management
    Standard 10.3 Technological Resources
  Principle 11 Communicate Effectively
    Standard 11.1 Building Relationships and Communicating with Stakeholders
    Standard 11.2 Effective Communication
    Standard 11.3 Communicating Results
    Standard 11.4 Errors and Omissions
    Standard 11.5 Communicating the Acceptance of Risks
  Principle 12 Enhance Quality
    Standard 12.1 Internal Quality Assessment
    Standard 12.2 Performance Measurement
    Standard 12.3 Oversee and Improve Engagement Performance
Domain V: Performing Internal Audit Services
  Principle 13 Plan Engagements Effectively
    Standard 13.1 Engagement Communication
    Standard 13.2 Engagement Risk Assessment
    Standard 13.3 Engagement Objectives and Scope
    Standard 13.4 Evaluation Criteria
    Standard 13.5 Engagement Resources
    Standard 13.6 Work Program
  Principle 14 Conduct Engagement Work
    Standard 14.1 Gathering Information for Analyses and Evaluation
    Standard 14.2 Analyses and Potential Engagement Findings
    Standard 14.3 Evaluation of Findings
    Standard 14.4 Recommendations and Action Plans
    Standard 14.5 Engagement Conclusions
    Standard 14.6 Engagement Documentation
  Principle 15 Communicate Engagement Results and Monitor Action Plans
    Standard 15.1 Final Engagement Communication
    Standard 15.2 Confirming the Implementation of Recommendations or Action Plans
Applying the Global Internal Audit Standards in the Public Sector

Acknowledgements

The Institute of Internal Auditors is grateful to the stakeholders that provided guidance and assistance in the development of the Global Internal Audit Standards™. The IIA particularly recognizes members of the International Internal Audit Standards Board – a global group of internal auditors who have generously volunteered their time and expertise to ensure the Standards elevate the professional practice of internal auditing.
The IIA thanks the International Professional Practices Framework Oversight Council for its essential role in ensuring the standard-setting process serves the public interest, the Professional Certifications Board for its advice, and IIA staff and technical advisors for ensuring the successful implementation and management of all aspects of the project.

About the International Professional Practices Framework

A framework provides a structural blueprint and coherent system that facilitates the consistent development, interpretation, and application of a body of knowledge useful to a discipline or profession. The International Professional Practices Framework (IPPF)® organizes the authoritative body of knowledge, promulgated by The Institute of Internal Auditors, for the professional practice of internal auditing. The IPPF includes Global Internal Audit Standards, Topical Requirements, and Global Guidance.

The IPPF addresses current internal audit practices while enabling practitioners and stakeholders globally to be flexible and responsive to the ongoing needs for high-quality internal auditing in diverse environments and organizations of different purposes, sizes, and structures.

Mandatory

Global Internal Audit Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. At the heart of the Standards are 15 guiding principles that enable effective internal auditing. Each principle is supported by standards that contain requirements, considerations for implementation, and examples of evidence of conformance. Together, these elements help internal auditors achieve the principles and fulfill the Purpose of Internal Auditing.

Topical Requirements are designed to enhance the consistency and quality of internal audit services related to specific audit subjects and to support internal auditors performing engagements in those risk areas.
Internal auditors must conform with the relevant requirements when the scope of an engagement includes one of the identified topics. Topical Requirements strengthen the ongoing relevance of internal auditing in addressing the evolving risk landscape across industries and sectors.

Supplemental

Global Guidance supports the Standards by providing nonmandatory information, advice, and best practices for performing internal audit services. It is endorsed by The IIA through formal review and approval processes.

Global Practice Guides provide detailed approaches, step-by-step processes, and examples on subjects including:
- Assurance and advisory services.
- Engagement planning, performance, and communication.
- Financial services.
- Fraud and other pervasive risks.
- Strategy and management of the internal audit function.
- Public sector.
- Sustainability.

Global Technology Audit Guides (GTAG®) provide auditors with the knowledge to perform assurance or consulting services related to an organization’s information technology and information security risks and controls.

Fundamentals of the Global Internal Audit Standards

The Institute of Internal Auditors’ Global Internal Audit Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. At the heart of the Standards are 15 guiding principles that enable effective internal auditing. Each principle is supported by standards that contain requirements, considerations for implementation, and examples of evidence of conformance. Together, these elements help internal auditors achieve the principles and fulfill the Purpose of Internal Auditing.

Internal Auditing and the Public Interest

Public interest encompasses the social and economic interests and overall well-being of a society and the organizations operating within that society (including those of employers, employees, investors, the business and financial community, clients, customers, regulators, and government). Questions of public interest are context specific and should weigh ethics, fairness, cultural norms and values, and potential disparate impacts on certain individuals and subgroups of society.

Internal auditing plays a critical role in enhancing an organization’s ability to serve the public interest. While the primary function of internal auditing is to strengthen governance, risk management, and control processes, its effects extend beyond the organization. Internal auditing contributes to an organization’s overall stability and sustainability by providing assurance on its operational efficiency, reliability of reporting, compliance with laws and/or regulations, safeguarding of assets, and ethical culture. This, in turn, fosters public trust and confidence in the organization and the broader systems of which it is a part.

The IIA is committed to setting standards with input from the public and to benefit the public. The International Internal Audit Standards Board is responsible for establishing and maintaining the Standards in the interest of the public. This is achieved through an extensive, ongoing due process overseen by an independent body, the IPPF Oversight Council. The process includes soliciting input from and considering the interests of various stakeholders—including internal audit practitioners, industry experts, government bodies, regulatory agencies, public representatives, and others—so that the Standards reflect the diverse needs and priorities of society.

Applicability and Elements of the Standards

The Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.

The Standards apply to the internal audit function and individual internal auditors including the chief audit executive. While the chief audit executive is accountable for the internal audit function’s implementation of and conformance with all principles and standards, all internal auditors are responsible for conforming with the principles and standards relevant to performing their job responsibilities, which are presented primarily in Domain II: Ethics and Professionalism and Domain V: Performing Internal Audit Services.

The Standards are organized into five domains:
- Domain I: Purpose of Internal Auditing.
- Domain II: Ethics and Professionalism.
- Domain III: Governing the Internal Audit Function.
- Domain IV: Managing the Internal Audit Function.
- Domain V: Performing Internal Audit Services.

Domains II through V contain the following elements:
- Principles: broad descriptions of a related group of requirements and considerations.
- Standards, which include:
  – Requirements: mandatory practices for internal auditing.
  – Considerations for Implementation: common and preferred practices to consider when implementing the requirements.
  – Examples of Evidence of Conformance: ways to demonstrate that the requirements of the Standards have been implemented.

The Standards use the word “must” in the Requirements sections and the words “should” and “may” to specify common and preferred practices in the Considerations for Implementation sections. Each standard ends with a list of examples of evidence. The examples are neither requirements nor the only ways to demonstrate conformance; rather, they are provided to help internal audit functions prepare for quality assessments, which rely on demonstrative evidence. The Standards use certain terms as defined in the accompanying glossary. To understand and implement the Standards correctly, it is necessary to understand and adopt the specific meanings and usage of the terms as described in the glossary.

Demonstrating Conformance with the Standards

The requirements, considerations for implementation, and examples of evidence of conformance are designed to help internal auditors conform with the Standards. While conformance with the requirements is expected, internal auditors occasionally may be unable to conform with a requirement yet still achieve the intent of the standard. Circumstances that may necessitate adjustments are often related to resource limitations or specific aspects of a sector, industry, and/or jurisdiction. In these exceptional circumstances, alternative actions should be implemented to meet the intent of the related standard. The chief audit executive is responsible for documenting and conveying the rationale for the deviation and the adopted alternative actions to the appropriate parties. Related requirements and information appear in Standard 4.1 Conformance with Global Internal Audit Standards and Domain III: Governing the Internal Audit Function together with its principles and standards.

While the circumstances necessitating adjustments are too varied to list, the following section acknowledges two areas that consistently draw questions: small internal audit functions and those in the public sector.

Application in Small Internal Audit Functions

The internal audit function’s ability to fully conform with the Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.)

Application in the Public Sector

While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. These differences may affect how internal audit functions in the public sector apply the Standards. The section “Applying the Global Internal Audit Standards in the Public Sector,” which follows Domain V: Performing Internal Audit Services, describes strategies for conformance amid the circumstances and conditions unique to internal auditing in the public sector.

Glossary

activity under review – The subject of an internal audit engagement. Examples include an area, entity, operation, function, process, or system.

advisory services – Services through which internal auditors provide advice to an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products; providing forensic services; providing training; and facilitating discussions about risks and controls. “Advisory services” are also known as “consulting services.”

assurance – Statement intended to increase the level of stakeholders’ confidence about an organization’s governance, risk management, and control processes over an issue, condition, subject matter, or activity under review when compared to established criteria.

assurance services – Services through which internal auditors perform objective assessments to provide assurance. Examples of assurance services include compliance, financial, operational/performance, and technology engagements. Internal auditors may provide limited or reasonable assurance, depending on the nature, timing, and extent of procedures performed.

board – Highest-level body charged with governance, such as:
- A board of directors.
- An audit committee.
- A board of governors or trustees.
- A group of elected officials or political appointees.
- Another body that has authority over the relevant governance functions.

In an organization that has more than one governing body, “board” refers to the body/bodies authorized to provide the internal audit function with the appropriate authority, role, and responsibilities.

If none of the above exist, “board” should be read as referring to the group or person that acts as the organization’s highest-level governing body. Examples include the head of the organization and senior management.

chief audit executive – The leadership role responsible for effectively managing all aspects of the internal audit function and ensuring the quality performance of internal audit services in accordance with Global Internal Audit Standards. The specific job title and/or responsibilities may vary across organizations.

competency – Knowledge, skills, and abilities.

compliance – Adherence to laws, regulations, contracts, policies, procedures, and other requirements.

conflict of interest – A situation, activity, or relationship that may influence, or appear to influence, an internal auditor’s ability to make objective professional judgments or perform responsibilities objectively.

control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

control processes – The policies, procedures, and activities designed and operated to manage risks to be within the level of an organization’s risk tolerance.

criteria – In an engagement, specifications of the desired state of the activity under review (also called “evaluation criteria”).

engagement – A specific internal audit assignment or project that includes multiple tasks or activities designed to accomplish a specific set of related objectives. See also “assurance services” and “advisory services.”

engagement conclusion – Internal auditors’ professional judgment about engagement findings when viewed collectively. The engagement conclusion should indicate satisfactory or unsatisfactory performance.

engagement objectives – Statements that articulate the purpose of an engagement and describe the specific goals to be achieved.

engagement planning – Process during which internal auditors gather information, assess and prioritize risks relevant to the activity under review, establish engagement objectives and scope, identify evaluation criteria, and create a work program for an engagement.

engagement results – The findings and conclusion of an engagement. Engagement results may also include recommendations and/or agreed upon action plans.

engagement supervisor – An internal auditor responsible for supervising an internal audit engagement, which may include training and assisting internal auditors as well as reviewing and approving the engagement work program, workpapers, final communication, and performance. The chief audit executive may be the engagement supervisor or may delegate such responsibilities.

engagement work program – A document that identifies the tasks to be performed to achieve the engagement objectives, the methodology and tools necessary, and the internal auditors assigned to perform the tasks. The work program is based on information obtained during engagement planning.

external service provider – Resource from outside the organization that provides relevant knowledge, skills, experience, and/or tools to support internal audit services.

finding – In an engagement, the determination that a gap exists between the evaluation criteria and the condition of the activity under review. Other terms, such as “observations,” may be used.

fraud – Any intentional act characterized by deceit, concealment, dishonesty, misappropriation of assets or information, forgery, or violation of trust perpetrated by individuals or organizations to secure unjust or illegal personal or business advantage.

governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

impact – The result or effect of an event. The event may have a positive or negative effect on the entity’s strategy or business objectives.

independence – The freedom from conditions that may impair the ability of the internal audit function to carry out internal audit responsibilities in an unbiased manner.

inherent risk – The combination of internal and external risk factors that exists in the absence of any management actions.

integrity – Behavior characterized by adherence to moral and ethical principles, including demonstrating honesty and the professional courage to act based on relevant facts.

internal audit charter – A formal document that includes the internal audit function’s mandate, organizational position, reporting relationships, scope of work, types of services, and other specifications.

internal audit function – A professional individual or group responsible for providing an organization with assurance and advisory services.

internal audit mandate – The internal audit function’s authority, role, and responsibilities, which may be granted by the board and/or laws and regulations.

internal audit manual – The chief audit executive’s documentation of the methodologies (policies, processes, and procedures) to guide and direct internal auditors within the internal audit function.

internal audit plan – A document, developed by the chief audit executive, that identifies the engagements and other internal audit services anticipated to be provided during a given period. The plan should be risk-based and dynamic, reflecting timely adjustments in response to changes affecting the organization.

internal auditing – An independent, objective assurance and advisory service designed to add value and improve an organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

likelihood – The possibility that a given event will occur.

may – As used in the Considerations for Implementation of the Global Internal Audit Standards, the word “may” describes optional practices to implement the Requirements.

methodologies – Policies, processes, and procedures established by the chief audit executive to guide the internal audit function and enhance its effectiveness.

must – The Global Internal Audit Standards use the word “must” to specify an unconditional requirement.

objectivity – An unbiased mental attitude that allows internal auditors to make professional judgments, fulfill their responsibilities, and achieve the Purpose of Internal Auditing without compromise.

outsourcing – Contracting with an independent external provider of internal audit services. Fully outsourcing a function refers to contracting the entire internal audit function, and partially outsourcing (also called “cosourcing”) indicates that only a portion of the services are outsourced.

periodically – At regularly occurring intervals, depending on the needs of the organization, including the internal audit function.

professional skepticism – Questioning and critically assessing the reliability of information.

public sector – Governments and all publicly controlled or publicly funded agencies, enterprises, and other entities that deliver programs, goods, or services to the public.

quality assurance and improvement program – A program established by the chief audit executive to evaluate and ensure the internal audit function conforms with the Global Internal Audit Standards, achieves performance objectives, and pursues continuous improvement.
The program includes internal and external assessments.

residual risk – The portion of inherent risk that remains after management actions are implemented.

results of internal audit services – Outcomes, such as engagement conclusions, themes (such as effective practices or root causes), and conclusions at the level of the business unit or organization.

risk – The positive or negative effect of uncertainty on objectives.

risk and control matrix – A tool that facilitates the performance of internal auditing. It typically links business objectives, risks, control processes, and key information to support the internal audit process.

risk appetite – The types and amount of risk that an organization is willing to accept in the pursuit of its strategies and objectives.

risk assessment – The identification and analysis of risks relevant to the achievement of an organization’s objectives. The significance of risks is typically assessed in terms of impact and likelihood.

risk management – A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

risk tolerance – Acceptable variations in performance related to achieving objectives.

root cause – Core issue or underlying reason for the difference between the criteria and the condition of an activity under review.

senior management – The highest level of executive management of an organization that is ultimately accountable to the board for executing the organization’s strategic decisions, typically a group of persons that includes the chief executive officer or head of the organization.

should – As used in the Considerations for Implementation of the Global Internal Audit Standards, the word “should” describes practices that are preferred but not required.
significance – The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.

stakeholder – A party with a direct or indirect interest in an organization’s activities and outcomes. Stakeholders may include the board, management, employees, customers, vendors, shareholders, regulatory agencies, financial institutions, external auditors, the public, and others.

workpapers – Documentation of the internal audit work done when planning and performing engagements. The documentation provides the supporting information for engagement findings and conclusions.

Domain I: Purpose of Internal Auditing

The purpose statement is intended to assist internal auditors and internal audit stakeholders in understanding and articulating the value of internal auditing.

Purpose Statement

Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.

Internal auditing enhances the organization’s:
Successful achievement of its objectives.
Governance, risk management, and control processes.
Decision-making and oversight.
Reputation and credibility with its stakeholders.
Ability to serve the public interest.

Internal auditing is most effective when:
It is performed by competent professionals in conformance with the Global Internal Audit Standards, which are set in the public interest.
The internal audit function is independently positioned with direct accountability to the board.
Internal auditors are free from undue influence and committed to making objective assessments.

Domain II: Ethics and Professionalism

The principles and standards in the Ethics and Professionalism domain of the Global Internal Audit Standards replace The IIA’s former Code of Ethics and outline the behavioral expectations for professional internal auditors, including chief audit executives, other individuals, and any entities that provide internal audit services. Conformance with these principles and standards instills trust in the profession of internal auditing, creates an ethical culture within the internal audit function, and provides the basis for reliance on internal auditors’ work and judgment.

All internal auditors are required to conform with the standards of ethics and professionalism. If internal auditors are expected to abide by other codes of ethics, behavior, or conduct, such as those of an organization, conformance with the principles and standards of ethics and professionalism contained herein is still expected. The fact that a particular behavior is not mentioned in these principles and standards does not preclude it from being considered unacceptable or discreditable.

While internal auditors are responsible for their own conformance, the chief audit executive is expected to support and promote conformance with the principles and standards in the Ethics and Professionalism domain by providing opportunities for training and guidance. The chief audit executive may choose to delegate certain responsibilities for managing conformance but retains accountability for the ethics and professionalism of the internal audit function.
Principle 1 Demonstrate Integrity

Internal auditors demonstrate integrity in their work and behavior.

Integrity is behavior characterized by adherence to moral and ethical principles, including demonstrating honesty and the courage to act based on relevant facts, even when facing pressure to do otherwise, or when doing so might create potential adverse personal or organizational consequences. In simple terms, internal auditors are expected to tell the truth and do the right thing, even when it is uncomfortable or difficult.

Integrity is the foundation of the other principles of ethics and professionalism, including objectivity, competency, due professional care, and confidentiality. The integrity of internal auditors is essential to establishing trust and earning respect.

Standard 1.1 Honesty and Professional Courage

Requirements

Internal auditors must perform their work with honesty and professional courage.

Internal auditors must be truthful, accurate, clear, open, and respectful in all professional relationships and communications, even when expressing skepticism or offering an opposing viewpoint. Internal auditors must not make false, misleading, or deceptive statements, nor conceal or omit findings or other pertinent information from communications. Internal auditors must disclose all material facts known to them that, if not disclosed, could affect the organization’s ability to make well-informed decisions.

Internal auditors must exhibit professional courage by communicating truthfully and taking appropriate action, even when confronted by dilemmas and difficult situations.

The chief audit executive must maintain a work environment where internal auditors feel supported when expressing legitimate, evidence-based engagement results, whether favorable or unfavorable.
Considerations for Implementation

Internal auditors should enhance their awareness and understanding of honesty and professional courage by seeking opportunities to obtain ethics-related continuing professional education. While education helps create awareness in hypothetical situations, workplace training, mentorship, and supervision allow internal auditors to learn and practice skills such as tact and respectful communication, which are needed to apply professional courage effectively in real situations. When internal auditors encounter situations that challenge their honesty or professional courage, they should discuss the circumstances with a supervisor to determine the best course of action.

To support internal auditors, the chief audit executive should arrange opportunities for education and training as well as discussions of hypothetical and real situations that require making ethical choices. Effective management of the internal audit function includes proper engagement supervision and periodic reviews of internal auditors’ performance. For example, when approving work programs or reviewing engagement workpapers, an engagement supervisor may provide appropriate guidance to help internal auditors address potential or encountered situations that could pose a threat to their honesty and integrity. As part of evaluating internal auditors’ performance, the chief audit executive may solicit feedback about their honesty and professional courage from the stakeholders with whom internal auditors interact.

Examples of Evidence of Conformance

A training plan that includes ethics education and training.
Documents that evidence internal auditors’ attendance or participation in ethics education and training.
Performance evaluations showing honesty and professional courage as objectives.
Feedback from key stakeholders regarding the honesty and courage of internal auditors.
Standard 1.2 Organization’s Ethical Expectations

Requirements

Internal auditors must understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and must be able to recognize conduct that is contrary to those expectations.

Internal auditors must encourage and promote an ethics-based culture in the organization. If internal auditors identify behavior within the organization that is inconsistent with the organization’s ethical expectations, they must report the concern according to applicable policies and procedures.

Considerations for Implementation

An organization’s ethical expectations usually are documented in a code of ethics, code of conduct, and/or policies related to professional behavior and ethical conduct. Such policies, along with the organization’s objectives and processes for promoting its ethics and values, provide the basis for an ethical culture.

The internal audit plan may include assessments of the organization’s ethics-related risks to determine whether existing policies and control processes adequately and effectively address those risks. For example, the organization’s policies may specify the criteria and process for handling and communicating about ethics-related issues, the parties that should receive the communication, and the protocol for escalating unresolved issues. The chief audit executive also should determine a methodology for addressing ethical issues and discuss the methodology with the board and senior management to ensure alignment of the approaches.

Internal auditors should consider ethics-related risks and controls during individual engagements.
If internal auditors identify behavior within the organization that is inconsistent with the organization’s ethical expectations, they should communicate the concerns according to the methodology established by the chief audit executive, which takes into account the organization’s policies and processes as well as laws and/or regulations.

If internal auditors determine that a member of senior management has behaved in a manner that is inconsistent with the organization’s ethical expectations — whether documented in a code of conduct, code of ethics, or otherwise — the chief audit executive should report the violation to the board. If an ethics-related concern involves the chairman of the board, the chief audit executive should report the concern to the entire board. Internal auditors should follow up on ethics-related issues involving the board or senior management and validate that appropriate actions were taken to address the concern.

Examples of Evidence of Conformance

Records of internal auditors’ participation in workshops, training events, or meetings where ethical expectations and issues were discussed.
Forms signed by individual internal auditors acknowledging their understanding of and commitment to follow ethics policies and procedures of the organization.
The internal audit plan, work program, or workpapers showing consideration of the organization’s ethics-related objectives, risks, and control processes.
Documentation demonstrating that ethical issues were communicated to the board, senior management, and regulators in accordance with the organization’s policies and relevant laws and/or regulations.
Standard 1.3 Legal and Ethical Behavior

Requirements

Internal auditors must not engage in or be a party to any activity that is illegal or discreditable to the organization or the profession of internal auditing or that may harm the organization or its employees.

Internal auditors must understand and abide by the laws and/or regulations relevant to the industry and jurisdictions in which the organization operates, including making disclosures as required.

If internal auditors identify legal or regulatory violations, they must report such incidents to individuals or entities that have the authority to take appropriate action, as specified in laws, regulations, and applicable policies and procedures.

Considerations for Implementation

If organizational policies are not sufficiently specific to address the situations that the internal audit function encounters, then the chief audit executive may develop and implement a methodology that specifies the actions internal auditors are expected to take in response to legal or regulatory violations of which they become aware. The methodology may include a procedure for validating that adequate actions are taken to address the violation.

The chief audit executive should establish a methodology to ensure that internal auditors are properly supervised, conform with the Global Internal Audit Standards, and behave in alignment with ethical and professional values.

Examples of discreditable behaviors include but are not limited to:
Bullying, harassment, or discrimination.
Lying, deceiving, or intentionally misleading others, including misrepresenting one’s competency or qualifications (such as claiming to hold a certification or displaying credentials when the designation is expired or inactive, has been revoked, or was never earned).
Intentionally issuing false reports or communications or allowing or encouraging others to do so, including minimizing, concealing, or omitting internal audit findings, conclusions, or ratings from engagement reports or overall assessments.
Overlooking illegal activities that the organization may tolerate or condone.
Soliciting or disclosing confidential information without proper authorization.
Performing internal audit services with undeclared impairments to objectivity or independence.
Stating that the internal audit function is operating in conformance with the Global Internal Audit Standards when the assertion is not supported.
Failing to accept responsibility for mistakes.

Examples of Evidence of Conformance

Records of internal auditors’ participation in training on laws, regulations, and ethical and professional behavior.
Internal auditors’ acknowledgments of their understanding of and commitment to act in accordance with relevant legal and professional expectations.
Documented methodologies for handling illegal or discreditable behavior by internal auditors and legal or regulatory violations by individuals within the organization.
Documented communication between internal auditors and their supervisors and/or legal counsel that address concerns about illegal or unprofessional actions.
Sign-off that workpapers were reviewed.
Final engagement communication, if applicable.

Principle 2 Maintain Objectivity

Internal auditors maintain an impartial and unbiased attitude when performing internal audit services and making decisions.

Objectivity is an unbiased mental attitude that allows internal auditors to make professional judgments, fulfill their responsibilities, and achieve the Purpose of Internal Auditing without compromise.
An independently positioned internal audit function supports internal auditors’ ability to maintain objectivity.

Standard 2.1 Individual Objectivity

Requirements

Internal auditors must maintain professional objectivity when performing all aspects of internal audit services. Professional objectivity requires internal auditors to apply an impartial and unbiased mindset and make judgments based on balanced assessments of all relevant circumstances.

Internal auditors must be aware of and manage potential biases.

Considerations for Implementation

Objectivity means internal auditors perform their work without compromise or subordination of judgment to others. The Global Internal Audit Standards, along with the policies established and training arranged by the chief audit executive, support objectivity by providing requirements, procedures, and guidance that set forth a systematic and disciplined approach for gathering and evaluating information to provide a balanced assessment of the activity under review. Training may help internal auditors to better understand objectivity-impairing scenarios and how best to address them.

Making objective assessments requires an impartial mindset, free from bias and undue influence, which is essential to providing objective assurance and advice to the board and senior management. Internal auditors should develop awareness of the ways in which situations, activities, and relationships may affect their ability to be objective.

Internal auditors should consider the human tendency to misinterpret information or make assumptions or mistakes, which impairs the ability to evaluate information and evidence objectively.
Examples of biases include but are not limited to:
Self-review bias – lack of critical perspective when reviewing one’s own work, which may lead to overlooking mistakes or shortcomings.
Familiarity bias – making assumptions based on past experiences, which may compromise professional skepticism.
Prejudice or unconscious bias – misinterpretation of information, based on predisposed ideas about culture, ethnicity, gender, ideology, race, or other characteristics, which may cause inaccurate judgments.

Examples of Evidence of Conformance

References in the internal audit charter to internal auditors’ responsibility for maintaining objectivity.
Policies and procedures related to objectivity.
Records of planned and completed objectivity training, including list of participants.
Attestation forms that confirm internal auditors’ awareness of objectivity’s importance and the obligation to disclose any potential impairments.
Documented disclosures of potential conflicts of interest or other impairments to objectivity.
Notes from supervisory reviews and mentoring of internal auditors.

Standard 2.2 Safeguarding Objectivity

Requirements

Internal auditors must recognize and avoid or mitigate actual, potential, and perceived impairments to objectivity.

Internal auditors must not accept any tangible or intangible item, such as a gift, reward, or favor, that may impair or be presumed to impair objectivity.

Internal auditors must avoid conflicts of interest and must not be unduly influenced by their own interests or the interests of others, including senior management or others in a position of authority, or by the political environment or other aspects of their surroundings.
When performing internal audit services:
Internal auditors must refrain from assessing specific activities for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous 12 months.
If the internal audit function is to provide assurance services where it had previously performed advisory services, the chief audit executive must confirm that the nature of the advisory services does not impair objectivity and must assign resources such that individual objectivity is managed. Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by an independent party outside the internal audit function.
If internal auditors are to provide advisory services relating to activities for which they had previous responsibilities, they must disclose potential impairments to the party requesting the services before accepting the engagement.

The chief audit executive must establish methodologies to address impairments to objectivity. Internal auditors must discuss impairments and take appropriate actions according to relevant methodologies.

Considerations for Implementation

Objectivity is impaired when situations, activities, or relationships may influence internal auditors’ judgments and decisions in a way that may change internal audit findings and conclusions. Impairments to objectivity may exist, in fact or appearance, even when they are unintended. Objectivity may be perceived by others to be impaired, even when no impairment has occurred in fact. Internal auditors should apply judgment regarding additional circumstances that may impair or be presumed to impair objectivity.
Conflicts of interest are situations in which an internal auditor has a competing professional or personal interest that may make it difficult to fulfill internal audit duties impartially. Conflicts of interest may create the appearance of impropriety that could undermine the confidence in an internal auditor, the internal audit function, and the internal audit profession, even if no unethical or improper acts result. Examples of conflicts of interest include situations, activities, and relationships that may, in fact or appearance:
Oppose or compete with the interests of the organization.
Create the potential for undue financial or other personal gain.
Be established solely to protect oneself from potential or actual loss or harm.
Be nepotistic or provide favoritism to certain individuals.

The internal audit function’s methodologies should specify the expectations and requirements for internal auditors related to:
Receiving gifts, favors, and rewards.
Identifying situations that may impair objectivity.
Responding appropriately upon becoming aware of an impairment.

Many organizations have a policy related to the acceptance of gifts, rewards, and favors, such as a policy limiting the value of gifts that can be accepted. Because of the importance of objectivity in the practice of internal auditing, the chief audit executive may have a policy that is more restrictive than that of the organization. Internal auditors should follow the more restrictive policy and carefully consider whether accepting a gift, reward, or favor may be perceived to affect their judgment or be given in exchange for producing favorable internal audit findings, conclusions, or results.

The policies of the organization and/or the internal audit function may prohibit specific activities or relationships that could create conflicts of interest.
Internal auditors should be aware that close personal relationships outside work and relationships involving financial ties, such as investments, may be or appear to be conflicts of interest.

The chief audit executive should take precautions to reduce the potential impairments to objectivity that may result from the design of performance evaluations and remuneration arrangements, bonuses, and incentives. Examples of remuneration arrangements that may impair objectivity include:
Basing performance evaluations and remuneration primarily on surveys of or input from the management of the activity under review.
Measuring performance against the number of findings identified during engagements, the revenue growth of the activity under review, or the cost savings or job eliminations imposed upon the activity under review.
Allowing management to provide indirect compensation in the form of gifts and gratuities.

Internal auditors should apply their understanding of objectivity and relevant policies and procedures to evaluate whether any situations, activities, or relationships may impair, or may be presumed to impair, their objectivity. The perceptions of other people should be considered.

The requirements for staffing and supervising engagements are intended to ensure that the internal auditors assigned to an engagement were not recently responsible for any aspect of the activity under review, which may bias their view, give them a vested interest in a particular outcome, or create the perception or appearance that their objectivity is impaired. For each engagement, the internal auditors performing and supervising the engagement should be independent from the activity under review.

When planning resources for an engagement, the chief audit executive or a designated supervisor should discuss the engagement with internal auditors to identify any current or potential impairments to objectivity.
The discussion should include consideration of any impairments previously disclosed.

As part of the process for supervising engagements, workpapers are reviewed to ensure findings and conclusions are adequately supported. Engagement supervision also provides opportunities for more experienced internal auditors to provide feedback and mentoring regarding potential objectivity concerns. (See also Standards 12.3 Oversee and Improve Engagement Performance and 13.5 Engagement Resources.)

If an impairment is unavoidable, it should be disclosed and mitigated as described in Standard 2.3 Disclosing Impairments to Objectivity.

Examples of Evidence of Conformance

Policies and procedures for identifying potential impairments and necessary safeguards.
Records of objectivity training.
Documentation through which internal auditors attest that they either have no known impairments or have disclosed potential impairments.
Sources of feedback on the perception of internal auditors’ objectivity, such as surveys of the internal audit function’s stakeholders.
Notes from supervisory reviews.
Remuneration plan.
Minutes of board meetings where impairments to objectivity were discussed.
Plans showing alternative provisions to fulfill the internal audit plan activities where impairments to objectivity were unavoidable.
Results of external quality assessments performed by an independent assessor.

Standard 2.3 Disclosing Impairments to Objectivity

Requirements

If objectivity is impaired in fact or appearance, the details of the impairment must be disclosed promptly to the appropriate parties.

If internal auditors become aware of an impairment that may affect their objectivity, they must disclose the impairment to the chief audit executive or a designated supervisor.
If the chief audit executive determines that an impairment is affecting an internal auditor’s ability to perform duties objectively, the chief audit executive must discuss the impairment with the management of the activity under review, the board, and/or senior management and determine the appropriate actions to resolve the situation.

If an impairment that affects the reliability or perceived reliability of the engagement findings, recommendations, and/or conclusions is discovered after an engagement has been completed, the chief audit executive must discuss the concern with the management of the activity under review, the board, senior management, and/or other affected stakeholders and determine the appropriate actions to resolve the situation. (See also Standard 11.4 Errors and Omissions.)

If the objectivity of the chief audit executive is impaired in fact or appearance, the chief audit executive must disclose the impairment to the board. (See also Standard 7.1 Organizational Independence.)

Considerations for Implementation

The requirements for disclosing impairments to objectivity are typically defined in the internal audit function’s methodologies and describe the actions to be taken to address each impairment to objectivity. The general approach to disclosing and mitigating impairments to objectivity is typically determined by the chief audit executive in agreement with the board and senior management.

If an impairment to objectivity cannot be avoided, the chief audit executive may consider options to manage the impairment, including:
Reassigning internal auditors to remove the impaired internal auditor from the engagement.
Rescheduling an engagement to ensure it is properly staffed.
Adjusting the scope of an engagement.
Outsourcing the performance or supervision of the engagement.
When a concern arises during engagement planning that relates solely to the perception of an impairment, the chief audit executive may choose to discuss the concern with the management of the activity under review and/or senior management, explain why the risk exposure is minimal and how it will be managed, and document the discussion and the final decision about how to proceed.

Standard 7.1 Organizational Independence provides additional requirements and information related to the chief audit executive assuming roles or responsibilities beyond internal auditing.

Examples of Evidence of Conformance

Internal audit methodologies for disclosing objectivity impairments.
Documentation disclosing the presence or affirming the absence of objectivity impairments.
Records of the disclosure of objectivity impairments and the response from and/or approval of the mitigation by appropriate parties.

Principle 3 Demonstrate Competency

Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.

Demonstrating competency requires developing and applying the knowledge, skills, and abilities to provide internal audit services. Because internal auditors provide a diverse array of services, the competencies needed by each internal auditor vary. In addition to possessing or obtaining the competencies needed to perform services, internal auditors improve the effectiveness and quality of services by pursuing professional development.

Standard 3.1 Competency

Requirements

Internal auditors must possess or obtain the competencies to perform their responsibilities successfully. The required competencies include the knowledge, skills, and abilities suitable for one’s job position and responsibilities commensurate with their level of experience.
Internal auditors must possess or develop knowledge of The IIA’s Global Internal Audit Standards.

Internal auditors must engage only in those services for which they have or can attain the necessary competencies.

Each internal auditor is responsible for continually developing and applying the competencies necessary to fulfill their professional responsibilities. Additionally, the chief audit executive must ensure that the internal audit function collectively possesses the competencies to perform the internal audit services described in the internal audit charter or must obtain the necessary competencies. (See also Standards 7.2 Chief Audit Executive Qualifications and 10.2 Human Resources Management.)

Considerations for Implementation

Internal auditors should develop competencies related to:

- Communication and collaboration.
- Governance, risk management, and control processes.
- Business functions, such as financial management and information technology.
- Pervasive risks, such as fraud.
- Tools and techniques for gathering, analyzing, and evaluating data.
- The risks and potential impacts of various economic, environmental, legal, political, and social conditions.
- Laws, regulations, and practices relevant to the organization, sector, and industry.
- Trends and emerging issues relevant to the organization and internal auditing.
- Supervision and leadership.

To develop and demonstrate competencies, internal auditors may:

- Obtain appropriate professional credentials, such as the Certified Internal Auditor® designation and other certifications and credentials.
- Identify opportunities for improvement and competencies that need development, based on feedback provided by stakeholders, peers, and supervisors.
- Seek relevant training not only in internal audit methodologies but also on business activities relevant to the organization.
Training opportunities may include enrolling in courses, working with a mentor, or being assigned new tasks under supervision during an engagement.

While internal auditors are responsible for ensuring their individual professional development and may assess their own skills and opportunities for development, the chief audit executive should support the professional development of internal auditors. The chief audit executive may establish minimum expectations for professional development and should encourage the pursuit of professional qualifications. The chief audit executive should include funding for training and professional development in the internal audit budget and provide opportunities internally as well as externally, through continuing professional education, training, and conferences. (See also Standards 10.1 Financial Resource Management and 10.2 Human Resources Management.)

To ensure the internal audit function collectively possesses the competencies to perform the internal audit services, the chief audit executive should:

- Maintain knowledge of internal auditors’ competencies to be used when assigning work, identifying training needs, and recruiting internal auditors to fill open positions.
- Participate in the performance reviews of individual internal auditors.
- Identify areas in which the competencies of the internal audit function should be improved.
- Encourage internal auditors’ intellectual curiosity and invest in training and other opportunities to improve internal audit performance.
- Understand the competencies of other providers of assurance and advisory services and consider relying upon those providers as a source of additional or specialty competencies not available within the internal audit function.
- Consider contracting with an independent, external service provider when the internal audit function collectively does not possess the competencies to perform requested services.
- Effectively implement a quality assurance and improvement program.

Examples of Evidence of Conformance

- Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors.
- Internal auditors’ self-assessments of their competencies and plans for professional development.
- Documentation of internal auditors’ completion of continuing professional education, such as courses, conference sessions, workshops, and seminars.
- Documented performance reviews of internal auditors.
- Documented supervisory reviews of engagements, post-engagement surveys completed by internal audit stakeholders, and other forms of feedback indicating competencies exhibited by individual internal auditors and the internal audit function.
- The results of internal and external quality assessments.
- Documentation of relevant competencies necessary to fulfill the internal audit plan, an analysis of resource gaps, and the identification of the training and budget necessary to fill the gaps.
- Documentation such as an assurance map that indicates the competencies of other providers of assurance and advisory services upon which the internal audit function may rely.

Standard 3.2 Continuing Professional Development

Requirements

Internal auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services. Internal auditors must pursue continuing professional development including education and training.
Practicing internal auditors who have attained professional internal audit certifications must follow the continuing professional education policies and fulfill the requirements applicable to their certifications.

Considerations for Implementation

Continuing professional development may include self-study, on-the-job training, opportunities to learn