Global Internal Audit Standards 2024 PDF
Summary
This document outlines the Global Internal Audit Standards, published by The Institute of Internal Auditors in January 2024. It provides guidelines and principles for internal audit functions in organizations. It covers various domains, from the purpose of internal auditing and ethics, to managing the function and performing audit services.
Full Transcript
©2024, The Institute of Internal Auditors. All Rights Reserved. For individual personal use only.
Published January 9, 2024

The Global Internal Audit Standards and related materials are protected by copyright law and are operated by The Institute of Internal Auditors, Inc. (“The IIA”). ©2024 The IIA. All rights reserved. No part of the materials including branding, graphics, or logos, available in this publication may be copied, photocopied, reproduced, translated or reduced to any physical, electronic medium, or machine-readable form, in whole or in part, without specific permission from the Office of the General Counsel of The IIA, [email protected]. Distribution for commercial purposes is strictly prohibited. For more information, please read our statement concerning copying, downloading and distribution of materials available on The IIA’s website at www.theiia.org/Copyright.

Contents
Acknowledgements
About the International Professional Practices Framework
Fundamentals of the Global Internal Audit Standards
Glossary
Domain I: Purpose of Internal Auditing
Domain II: Ethics and Professionalism
    Principle 1 Demonstrate Integrity
        Standard 1.1 Honesty and Professional Courage
        Standard 1.2 Organization’s Ethical Expectations
        Standard 1.3 Legal and Ethical Behavior
    Principle 2 Maintain Objectivity
        Standard 2.1 Individual Objectivity
        Standard 2.2 Safeguarding Objectivity
        Standard 2.3 Disclosing Impairments to Objectivity
    Principle 3 Demonstrate Competency
        Standard 3.1 Competency
        Standard 3.2 Continuing Professional Development
    Principle 4 Exercise Due Professional Care
        Standard 4.1 Conformance with the Global Internal Audit Standards
        Standard 4.2 Due Professional Care
        Standard 4.3 Professional Skepticism
    Principle 5 Maintain Confidentiality
        Standard 5.1 Use of Information
        Standard 5.2 Protection of Information
Domain III: Governing the Internal Audit Function
    Principle 6 Authorized by the Board
        Standard 6.1 Internal Audit Mandate
        Standard 6.2 Internal Audit Charter
        Standard 6.3 Board and Senior Management Support
    Principle 7 Positioned Independently
        Standard 7.1 Organizational Independence
        Standard 7.2 Chief Audit Executive Qualifications
    Principle 8 Overseen by the Board
        Standard 8.1 Board Interaction
        Standard 8.2 Resources
        Standard 8.3 Quality
        Standard 8.4 External Quality Assessment
Domain IV: Managing the Internal Audit Function
    Principle 9 Plan Strategically
        Standard 9.1 Understanding Governance, Risk Management, and Control Processes
        Standard 9.2 Internal Audit Strategy
        Standard 9.3 Methodologies
        Standard 9.4 Internal Audit Plan
        Standard 9.5 Coordination and Reliance
    Principle 10 Manage Resources
        Standard 10.1 Financial Resource Management
        Standard 10.2 Human Resources Management
        Standard 10.3 Technological Resources
    Principle 11 Communicate Effectively
        Standard 11.1 Building Relationships and Communicating with Stakeholders
        Standard 11.2 Effective Communication
        Standard 11.3 Communicating Results
        Standard 11.4 Errors and Omissions
        Standard 11.5 Communicating the Acceptance of Risks
    Principle 12 Enhance Quality
        Standard 12.1 Internal Quality Assessment
        Standard 12.2 Performance Measurement
        Standard 12.3 Oversee and Improve Engagement Performance
Domain V: Performing Internal Audit Services
    Principle 13 Plan Engagements Effectively
        Standard 13.1 Engagement Communication
        Standard 13.2 Engagement Risk Assessment
        Standard 13.3 Engagement Objectives and Scope
        Standard 13.4 Evaluation Criteria
        Standard 13.5 Engagement Resources
        Standard 13.6 Work Program
    Principle 14 Conduct Engagement Work
        Standard 14.1 Gathering Information for Analyses and Evaluation
        Standard 14.2 Analyses and Potential Engagement Findings
        Standard 14.3 Evaluation of Findings
        Standard 14.4 Recommendations and Action Plans
        Standard 14.5 Engagement Conclusions
        Standard 14.6 Engagement Documentation
    Principle 15 Communicate Engagement Results and Monitor Action Plans
        Standard 15.1 Final Engagement Communication
        Standard 15.2 Confirming the Implementation of Recommendations or Action Plans
Applying the Global Internal Audit Standards in the Public Sector

Acknowledgements
The Institute of Internal Auditors is grateful to the stakeholders that provided guidance and assistance in the development of the Global Internal Audit Standards™.
The IIA particularly recognizes members of the International Internal Audit Standards Board – a global group of internal auditors who have generously volunteered their time and expertise to ensure the Standards elevate the professional practice of internal auditing. The IIA thanks the International Professional Practices Framework Oversight Council for its essential role in ensuring the standard-setting process serves the public interest, the Professional Certifications Board for its advice, and IIA staff and technical advisors for ensuring the successful implementation and management of all aspects of the project.

About the International Professional Practices Framework
A framework provides a structural blueprint and coherent system that facilitates the consistent development, interpretation, and application of a body of knowledge useful to a discipline or profession. The International Professional Practices Framework (IPPF)® organizes the authoritative body of knowledge, promulgated by The Institute of Internal Auditors, for the professional practice of internal auditing. The IPPF includes Global Internal Audit Standards, Topical Requirements, and Global Guidance. The IPPF addresses current internal audit practices while enabling practitioners and stakeholders globally to be flexible and responsive to the ongoing needs for high-quality internal auditing in diverse environments and organizations of different purposes, sizes, and structures.
Global Internal Audit Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. At the heart of the Standards are 15 guiding principles that enable effective internal auditing. Each principle is supported by standards that contain requirements, considerations for implementation, and examples of evidence of conformance.
Together, these elements help internal auditors achieve the principles and fulfill the Purpose of Internal Auditing.
Topical Requirements are designed to enhance the consistency and quality of internal audit services related to specific audit subjects and to support internal auditors performing engagements in those risk areas. Internal auditors must conform with the relevant requirements when the scope of an engagement includes one of the identified topics. Topical Requirements strengthen the ongoing relevance of internal auditing in addressing the evolving risk landscape across industries and sectors.
Global Guidance supports the Standards by providing nonmandatory information, advice, and best practices for performing internal audit services. It is endorsed by The IIA through formal review and approval processes.
Global Practice Guides provide detailed approaches, step-by-step processes, and examples on subjects including:
– Assurance and advisory services.
– Engagement planning, performance, and communication.
– Financial services.
– Fraud and other pervasive risks.
– Strategy and management of the internal audit function.
– Public sector.
– Sustainability.
Global Technology Audit Guides (GTAG®) provide auditors with the knowledge to perform assurance or consulting services related to an organization’s information technology and information security risks and controls.

Fundamentals of the Global Internal Audit Standards
The Institute of Internal Auditors’ Global Internal Audit Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. At the heart of the Standards are 15 guiding principles that enable effective internal auditing.
Each principle is supported by standards that contain requirements, considerations for implementation, and examples of evidence of conformance. Together, these elements help internal auditors achieve the principles and fulfill the Purpose of Internal Auditing.

Internal Auditing and the Public Interest
Public interest encompasses the social and economic interests and overall well-being of a society and the organizations operating within that society (including those of employers, employees, investors, the business and financial community, clients, customers, regulators, and government). Questions of public interest are context specific and should weigh ethics, fairness, cultural norms and values, and potential disparate impacts on certain individuals and subgroups of society.
Internal auditing plays a critical role in enhancing an organization’s ability to serve the public interest. While the primary function of internal auditing is to strengthen governance, risk management, and control processes, its effects extend beyond the organization. Internal auditing contributes to an organization’s overall stability and sustainability by providing assurance on its operational efficiency, reliability of reporting, compliance with laws and/or regulations, safeguarding of assets, and ethical culture. This, in turn, fosters public trust and confidence in the organization and the broader systems of which it is a part.
The IIA is committed to setting standards with input from the public and to benefit the public. The International Internal Audit Standards Board is responsible for establishing and maintaining the Standards in the interest of the public. This is achieved through an extensive, ongoing due process overseen by an independent body, the IPPF Oversight Council.
The process includes soliciting input from and considering the interests of various stakeholders—including internal audit practitioners, industry experts, government bodies, regulatory agencies, public representatives, and others—so that the Standards reflect the diverse needs and priorities of society.

Applicability and Elements of the Standards
The Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.
The Standards apply to the internal audit function and individual internal auditors including the chief audit executive. While the chief audit executive is accountable for the internal audit function’s implementation of and conformance with all principles and standards, all internal auditors are responsible for conforming with the principles and standards relevant to performing their job responsibilities, which are presented primarily in Domain II: Ethics and Professionalism and Domain V: Performing Internal Audit Services.
The Standards are organized into five domains:
– Domain I: Purpose of Internal Auditing.
– Domain II: Ethics and Professionalism.
– Domain III: Governing the Internal Audit Function.
– Domain IV: Managing the Internal Audit Function.
– Domain V: Performing Internal Audit Services.
Domains II through V contain the following elements:
– Principles: broad descriptions of a related group of requirements and considerations.
– Standards, which include:
    – Requirements: mandatory practices for internal auditing.
    – Considerations for Implementation: common and preferred practices to consider when implementing the requirements.
    – Examples of Evidence of Conformance: ways to demonstrate that the requirements of the Standards have been implemented.
The Standards use the word “must” in the Requirements sections and the words “should” and “may” to specify common and preferred practices in the Considerations for Implementation sections. Each standard ends with a list of examples of evidence. The examples are neither requirements nor the only ways to demonstrate conformance; rather, they are provided to help internal audit functions prepare for quality assessments, which rely on demonstrative evidence.
The Standards use certain terms as defined in the accompanying glossary. To understand and implement the Standards correctly, it is necessary to understand and adopt the specific meanings and usage of the terms as described in the glossary.

Demonstrating Conformance with the Standards
The requirements, considerations for implementation, and examples of evidence of conformance are designed to help internal auditors conform with the Standards. While conformance with the requirements is expected, internal auditors occasionally may be unable to conform with a requirement yet still achieve the intent of the standard. Circumstances that may necessitate adjustments are often related to resource limitations or specific aspects of a sector, industry, and/or jurisdiction. In these exceptional circumstances, alternative actions should be implemented to meet the intent of the related standard. The chief audit executive is responsible for documenting and conveying the rationale for the deviation and the adopted alternative actions to the appropriate parties.
Related requirements and information appear in Standard 4.1 Conformance with Global Internal Audit Standards and Domain III: Governing the Internal Audit Function together with its principles and standards. While the circumstances necessitating adjustments are too varied to list, the following section acknowledges two areas that consistently draw questions: small internal audit functions and those in the public sector.

Application in Small Internal Audit Functions
The internal audit function’s ability to fully conform with the Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.)

Application in the Public Sector
While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. These differences may affect how internal audit functions in the public sector apply the Standards.
The section “Applying the Global Internal Audit Standards in the Public Sector,” which follows Domain V: Performing Internal Audit Services, describes strategies for conformance amid the circumstances and conditions unique to internal auditing in the public sector.

Glossary
activity under review – The subject of an internal audit engagement. Examples include an area, entity, operation, function, process, or system.
advisory services – Services through which internal auditors provide advice to an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products; providing forensic services; providing training; and facilitating discussions about risks and controls. “Advisory services” are also known as “consulting services.”
assurance – Statement intended to increase the level of stakeholders’ confidence about an organization’s governance, risk management, and control processes over an issue, condition, subject matter, or activity under review when compared to established criteria.
assurance services – Services through which internal auditors perform objective assessments to provide assurance. Examples of assurance services include compliance, financial, operational/performance, and technology engagements. Internal auditors may provide limited or reasonable assurance, depending on the nature, timing, and extent of procedures performed.
board – Highest-level body charged with governance, such as:
– A board of directors.
– An audit committee.
– A board of governors or trustees.
– A group of elected officials or political appointees.
– Another body that has authority over the relevant governance functions.
In an organization that has more than one governing body, “board” refers to the body/bodies authorized to provide the internal audit function with the appropriate authority, role, and responsibilities. If none of the above exist, “board” should be read as referring to the group or person that acts as the organization’s highest-level governing body. Examples include the head of the organization and senior management.
chief audit executive – The leadership role responsible for effectively managing all aspects of the internal audit function and ensuring the quality performance of internal audit services in accordance with Global Internal Audit Standards. The specific job title and/or responsibilities may vary across organizations.
competency – Knowledge, skills, and abilities.
compliance – Adherence to laws, regulations, contracts, policies, procedures, and other requirements.
conflict of interest – A situation, activity, or relationship that may influence, or appear to influence, an internal auditor’s ability to make objective professional judgments or perform responsibilities objectively.
control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
control processes – The policies, procedures, and activities designed and operated to manage risks to be within the level of an organization’s risk tolerance.
criteria – In an engagement, specifications of the desired state of the activity under review (also called “evaluation criteria”).
engagement – A specific internal audit assignment or project that includes multiple tasks or activities designed to accomplish a specific set of related objectives.
See also “assurance services” and “advisory services.”
engagement conclusion – Internal auditors’ professional judgment about engagement findings when viewed collectively. The engagement conclusion should indicate satisfactory or unsatisfactory performance.
engagement objectives – Statements that articulate the purpose of an engagement and describe the specific goals to be achieved.
engagement planning – Process during which internal auditors gather information, assess and prioritize risks relevant to the activity under review, establish engagement objectives and scope, identify evaluation criteria, and create a work program for an engagement.
engagement results – The findings and conclusion of an engagement. Engagement results may also include recommendations and/or agreed upon action plans.
engagement supervisor – An internal auditor responsible for supervising an internal audit engagement, which may include training and assisting internal auditors as well as reviewing and approving the engagement work program, workpapers, final communication, and performance. The chief audit executive may be the engagement supervisor or may delegate such responsibilities.
engagement work program – A document that identifies the tasks to be performed to achieve the engagement objectives, the methodology and tools necessary, and the internal auditors assigned to perform the tasks. The work program is based on information obtained during engagement planning.
external service provider – Resource from outside the organization that provides relevant knowledge, skills, experience, and/or tools to support internal audit services.
finding – In an engagement, the determination that a gap exists between the evaluation criteria and the condition of the activity under review. Other terms, such as “observations,” may be used.
fraud – Any intentional act characterized by deceit, concealment, dishonesty, misappropriation of assets or information, forgery, or violation of trust perpetrated by individuals or organizations to secure unjust or illegal personal or business advantage.
governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
impact – The result or effect of an event. The event may have a positive or negative effect on the entity’s strategy or business objectives.
independence – The freedom from conditions that may impair the ability of the internal audit function to carry out internal audit responsibilities in an unbiased manner.
inherent risk – The combination of internal and external risk factors that exists in the absence of any management actions.
integrity – Behavior characterized by adherence to moral and ethical principles, including demonstrating honesty and the professional courage to act based on relevant facts.
internal audit charter – A formal document that includes the internal audit function’s mandate, organizational position, reporting relationships, scope of work, types of services, and other specifications.
internal audit function – A professional individual or group responsible for providing an organization with assurance and advisory services.
internal audit mandate – The internal audit function’s authority, role, and responsibilities, which may be granted by the board and/or laws and regulations.
internal audit manual – The chief audit executive’s documentation of the methodologies (policies, processes, and procedures) to guide and direct internal auditors within the internal audit function.
internal audit plan – A document, developed by the chief audit executive, that identifies the engagements and other internal audit services anticipated to be provided during a given period. The plan should be risk-based and dynamic, reflecting timely adjustments in response to changes affecting the organization.
internal auditing – An independent, objective assurance and advisory service designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
likelihood – The possibility that a given event will occur.
may – As used in the Considerations for Implementation of the Global Internal Audit Standards, the word “may” describes optional practices to implement the Requirements.
methodologies – Policies, processes, and procedures established by the chief audit executive to guide the internal audit function and enhance its effectiveness.
must – The Global Internal Audit Standards use the word “must” to specify an unconditional requirement.
objectivity – An unbiased mental attitude that allows internal auditors to make professional judgments, fulfill their responsibilities, and achieve the Purpose of Internal Auditing without compromise.
outsourcing – Contracting with an independent external provider of internal audit services. Fully outsourcing a function refers to contracting the entire internal audit function, and partially outsourcing (also called “cosourcing”) indicates that only a portion of the services are outsourced.
periodically – At regularly occurring intervals, depending on the needs of the organization, including the internal audit function.
professional skepticism – Questioning and critically assessing the reliability of information.
public sector – Governments and all publicly controlled or publicly funded agencies, enterprises, and other entities that deliver programs, goods, or services to the public.
quality assurance and improvement program – A program established by the chief audit executive to evaluate and ensure the internal audit function conforms with the Global Internal Audit Standards, achieves performance objectives, and pursues continuous improvement. The program includes internal and external assessments.
residual risk – The portion of inherent risk that remains after management actions are implemented.
results of internal audit services – Outcomes, such as engagement conclusions, themes (such as effective practices or root causes), and conclusions at the level of the business unit or organization.
risk – The positive or negative effect of uncertainty on objectives.
risk and control matrix – A tool that facilitates the performance of internal auditing. It typically links business objectives, risks, control processes, and key information to support the internal audit process.
risk appetite – The types and amount of risk that an organization is willing to accept in the pursuit of its strategies and objectives.
risk assessment – The identification and analysis of risks relevant to the achievement of an organization’s objectives. The significance of risks is typically assessed in terms of impact and likelihood.
risk management – A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
risk tolerance – Acceptable variations in performance related to achieving objectives.
root cause – Core issue or underlying reason for the difference between the criteria and the condition of an activity under review.
senior management – The highest level of executive management of an organization that is ultimately accountable to the board for executing the organization’s strategic decisions, typically a group of persons that includes the chief executive officer or head of the organization.
should – As used in the Considerations for Implementation of the Global Internal Audit Standards, the word “should” describes practices that are preferred but not required.
significance – The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.
stakeholder – A party with a direct or indirect interest in an organization’s activities and outcomes. Stakeholders may include the board, management, employees, customers, vendors, shareholders, regulatory agencies, financial institutions, external auditors, the public, and others.
workpapers – Documentation of the internal audit work done when planning and performing engagements. The documentation provides the supporting information for engagement findings and conclusions.
Domain I: Purpose of Internal Auditing
The purpose statement is intended to assist internal auditors and internal audit stakeholders in understanding and articulating the value of internal auditing.
Purpose Statement
Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
Internal auditing enhances the organization’s:
Successful achievement of its objectives.
Governance, risk management, and control processes.
Decision-making and oversight.
Reputation and credibility with its stakeholders.
Ability to serve the public interest.
Internal auditing is most effective when:
It is performed by competent professionals in conformance with the Global Internal Audit Standards, which are set in the public interest.
The internal audit function is independently positioned with direct accountability to the board.
Internal auditors are free from undue influence and committed to making objective assessments.
Domain II: Ethics and Professionalism
The principles and standards in the Ethics and Professionalism domain of the Global Internal Audit Standards replace The IIA’s former Code of Ethics and outline the behavioral expectations for professional internal auditors; including chief audit executives, other individuals, and any entities that provide internal audit services. Conformance with these principles and standards instills trust in the profession of internal auditing, creates an ethical culture within the internal audit function, and provides the basis for reliance on internal auditors’ work and judgment.
All internal auditors are required to conform with the standards of ethics and professionalism. If internal auditors are expected to abide by other codes of ethics, behavior, or conduct, such as those of an organization, conformance with the principles and standards of ethics and professionalism contained herein is still expected. The fact that a particular behavior is not mentioned in these principles and standards does not preclude it from being considered unacceptable or discreditable.
While internal auditors are responsible for their own conformance, the chief audit executive is expected to support and promote conformance with the principles and standards in the Ethics and Professionalism domain by providing opportunities for training and guidance. The chief audit executive may choose to delegate certain responsibilities for managing conformance but retains accountability for the ethics and professionalism of the internal audit function.
Principle 1 Demonstrate Integrity
Internal auditors demonstrate integrity in their work and behavior.
Integrity is behavior characterized by adherence to moral and ethical principles, including demonstrating honesty and the courage to act based on relevant facts, even when facing pressure to do otherwise, or when doing so might create potential adverse personal or organizational consequences. In simple terms, internal auditors are expected to tell the truth and do the right thing, even when it is uncomfortable or difficult.
Integrity is the foundation of the other principles of ethics and professionalism, including objectivity, competency, due professional care, and confidentiality. The integrity of internal auditors is essential to establishing trust and earning respect.
Standard 1.1 Honesty and Professional Courage
Requirements
Internal auditors must perform their work with honesty and professional courage.
Internal auditors must be truthful, accurate, clear, open, and respectful in all professional relationships and communications, even when expressing skepticism or offering an opposing viewpoint. Internal auditors must not make false, misleading, or deceptive statements, nor conceal or omit findings or other pertinent information from communications.
Internal auditors must disclose all material facts known to them that, if not disclosed, could affect the organization’s ability to make well-informed decisions.
Internal auditors must exhibit professional courage by communicating truthfully and taking appropriate action, even when confronted by dilemmas and difficult situations.
The chief audit executive must maintain a work environment where internal auditors feel supported when expressing legitimate, evidence-based engagement results, whether favorable or unfavorable.
Considerations for Implementation
Internal auditors should enhance their awareness and understanding of honesty and professional courage by seeking opportunities to obtain ethics-related continuing professional education. While education helps create awareness in hypothetical situations, workplace training, mentorship, and supervision allow internal auditors to learn and practice skills such as tact and respectful communication, which are needed to apply professional courage effectively in real situations. When internal auditors encounter situations that challenge their honesty or professional courage, they should discuss the circumstances with a supervisor to determine the best course of action.
To support internal auditors, the chief audit executive should arrange opportunities for education and training as well as discussions of hypothetical and real situations that require making ethical choices. Effective management of the internal audit function includes proper engagement supervision and periodic reviews of internal auditors’ performance. For example, when approving work programs or reviewing engagement workpapers, an engagement supervisor may provide appropriate guidance to help internal auditors address potential or encountered situations that could pose a threat to their honesty and integrity.
As part of evaluating internal auditors’ performance, the chief audit executive may solicit feedback about their honesty and professional courage from the stakeholders with whom internal auditors interact.
Examples of Evidence of Conformance
A training plan that includes ethics education and training.
Documents that evidence internal auditors’ attendance or participation in ethics education and training.
Performance evaluations showing honesty and professional courage as objectives.
Feedback from key stakeholders regarding the honesty and courage of internal auditors.
Standard 1.2 Organization’s Ethical Expectations
Requirements
Internal auditors must understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and must be able to recognize conduct that is contrary to those expectations.
Internal auditors must encourage and promote an ethics-based culture in the organization. If internal auditors identify behavior within the organization that is inconsistent with the organization’s ethical expectations, they must report the concern according to applicable policies and procedures.
Considerations for Implementation
An organization’s ethical expectations usually are documented in a code of ethics, code of conduct, and/or policies related to professional behavior and ethical conduct. Such policies, along with the organization’s objectives and processes for promoting its ethics and values, provide the basis for an ethical culture.
The internal audit plan may include assessments of the organization’s ethics-related risks to determine whether existing policies and control processes adequately and effectively address those risks.
For example, the organization’s policies may specify the criteria and process for handling and communicating about ethics-related issues, the parties that should receive the communication, and the protocol for escalating unresolved issues. The chief audit executive also should determine a methodology for addressing ethical issues and discuss the methodology with the board and senior management to ensure alignment of the approaches.
Internal auditors should consider ethics-related risks and controls during individual engagements. If internal auditors identify behavior within the organization that is inconsistent with the organization’s ethical expectations, they should communicate the concerns according to the methodology established by the chief audit executive, which takes into account the organization’s policies and processes as well as laws and/or regulations.
If internal auditors determine that a member of senior management has behaved in a manner that is inconsistent with the organization’s ethical expectations — whether documented in a code of conduct, code of ethics, or otherwise — the chief audit executive should report the violation to the board. If an ethics-related concern involves the chairman of the board, the chief audit executive should report the concern to the entire board. Internal auditors should follow up on ethics-related issues involving the board or senior management and validate that appropriate actions were taken to address the concern.
Examples of Evidence of Conformance
Records of internal auditors’ participation in workshops, training events, or meetings where ethical expectations and issues were discussed.
Forms signed by individual internal auditors acknowledging their understanding of and commitment to follow ethics policies and procedures of the organization.
The internal audit plan, work program, or workpapers showing consideration of the organization’s ethics-related objectives, risks, and control processes.
Documentation demonstrating that ethical issues were communicated to the board, senior management, and regulators in accordance with the organization’s policies and relevant laws and/or regulations.
Standard 1.3 Legal and Ethical Behavior
Requirements
Internal auditors must not engage in or be a party to any activity that is illegal or discreditable to the organization or the profession of internal auditing or that may harm the organization or its employees.
Internal auditors must understand and abide by the laws and/or regulations relevant to the industry and jurisdictions in which the organization operates, including making disclosures as required.
If internal auditors identify legal or regulatory violations, they must report such incidents to individuals or entities that have the authority to take appropriate action, as specified in laws, regulations, and applicable policies and procedures.
Considerations for Implementation
If organizational policies are not sufficiently specific to address the situations that the internal audit function encounters, then the chief audit executive may develop and implement a methodology that specifies the actions internal auditors are expected to take in response to legal or regulatory violations of which they become aware. The methodology may include a procedure for validating that adequate actions are taken to address the violation.
The chief audit executive should establish a methodology to ensure that internal auditors are properly supervised, conform with the Global Internal Audit Standards, and behave in alignment with ethical and professional values.
Examples of discreditable behaviors include but are not limited to:
Bullying, harassment, or discrimination.
Lying, deceiving, or intentionally misleading others, including misrepresenting one’s competency or qualifications (such as claiming to hold a certification or displaying credentials when the designation is expired or inactive, has been revoked, or was never earned).
Intentionally issuing false reports or communications or allowing or encouraging others to do so, including minimizing, concealing, or omitting internal audit findings, conclusions, or ratings from engagement reports or overall assessments.
Overlooking illegal activities that the organization may tolerate or condone.
Soliciting or disclosing confidential information without proper authorization.
Performing internal audit services with undeclared impairments to objectivity or independence.
Stating that the internal audit function is operating in conformance with the Global Internal Audit Standards when the assertion is not supported.
Failing to accept responsibility for mistakes.
Examples of Evidence of Conformance
Records of internal auditors’ participation in training on laws, regulations, and ethical and professional behavior.
Internal auditors’ acknowledgments of their understanding of and commitment to act in accordance with relevant legal and professional expectations.
Documented methodologies for handling illegal or discreditable behavior by internal auditors and legal or regulatory violations by individuals within the organization.
Documented communication between internal auditors and their supervisors and/or legal counsel that address concerns about illegal or unprofessional actions.
Sign-off that workpapers were reviewed.
Final engagement communication, if applicable.
Principle 2 Maintain Objectivity
Internal auditors maintain an impartial and unbiased attitude when performing internal audit services and making decisions.
Objectivity is an unbiased mental attitude that allows internal auditors to make professional judgments, fulfill their responsibilities, and achieve the Purpose of Internal Auditing without compromise. An independently positioned internal audit function supports internal auditors’ ability to maintain objectivity.
Standard 2.1 Individual Objectivity
Requirements
Internal auditors must maintain professional objectivity when performing all aspects of internal audit services. Professional objectivity requires internal auditors to apply an impartial and unbiased mindset and make judgments based on balanced assessments of all relevant circumstances.
Internal auditors must be aware of and manage potential biases.
Considerations for Implementation
Objectivity means internal auditors perform their work without compromise or subordination of judgment to others. The Global Internal Audit Standards, along with the policies established and training arranged by the chief audit executive, support objectivity by providing requirements, procedures, and guidance that set forth a systematic and disciplined approach for gathering and evaluating information to provide a balanced assessment of the activity under review. Training may help internal auditors to better understand objectivity-impairing scenarios and how best to address them.
Making objective assessments requires an impartial mindset, free from bias and undue influence, which is essential to providing objective assurance and advice to the board and senior management. Internal auditors should develop awareness of the ways in which situations, activities, and relationships may affect their ability to be objective.
Internal auditors should consider the human tendency to misinterpret information or make assumptions or mistakes, which impairs the ability to evaluate information and evidence objectively. Examples of biases include but are not limited to:
Self-review bias – lack of critical perspective when reviewing one’s own work, which may lead to overlooking mistakes or shortcomings.
Familiarity bias – making assumptions based on past experiences, which may compromise professional skepticism.
Prejudice or unconscious bias – misinterpretation of information, based on predisposed ideas about culture, ethnicity, gender, ideology, race, or other characteristics, which may cause inaccurate judgments.
Examples of Evidence of Conformance
References in the internal audit charter to internal auditors’ responsibility for maintaining objectivity.
Policies and procedures related to objectivity.
Records of planned and completed objectivity training, including list of participants.
Attestation forms that confirm internal auditors’ awareness of objectivity’s importance and the obligation to disclose any potential impairments.
Documented disclosures of potential conflicts of interest or other impairments to objectivity.
Notes from supervisory reviews and mentoring of internal auditors.
Standard 2.2 Safeguarding Objectivity
Requirements
Internal auditors must recognize and avoid or mitigate actual, potential, and perceived impairments to objectivity.
Internal auditors must not accept any tangible or intangible item, such as a gift, reward, or favor, that may impair or be presumed to impair objectivity.
Internal auditors must avoid conflicts of interest and must not be unduly influenced by their own interests or the interests of others, including senior management or others in a position of authority, or by the political environment or other aspects of their surroundings.
When performing internal audit services:
Internal auditors must refrain from assessing specific activities for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous 12 months.
If the internal audit function is to provide assurance services where it had previously performed advisory services, the chief audit executive must confirm that the nature of the advisory services does not impair objectivity and must assign resources such that individual objectivity is managed. Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by an independent party outside the internal audit function.
If internal auditors are to provide advisory services relating to activities for which they had previous responsibilities, they must disclose potential impairments to the party requesting the services before accepting the engagement.
The chief audit executive must establish methodologies to address impairments to objectivity. Internal auditors must discuss impairments and take appropriate actions according to relevant methodologies.
Considerations for Implementation
Objectivity is impaired when situations, activities, or relationships may influence internal auditors’ judgments and decisions in a way that may change internal audit findings and conclusions. Impairments to objectivity may exist, in fact or appearance, even when they are unintended. Objectivity may be perceived by others to be impaired, even when no impairment has occurred in fact.
Internal auditors should apply judgment regarding additional circumstances that may impair or be presumed to impair objectivity.
Conflicts of interest are situations in which an internal auditor has a competing professional or personal interest that may make it difficult to fulfill internal audit duties impartially. Conflicts of interest may create the appearance of impropriety that could undermine the confidence in an internal auditor, the internal audit function, and the internal audit profession, even if no unethical or improper acts result. Examples of conflicts of interest include situations, activities, and relationships that may, in fact or appearance:
Oppose or compete with the interests of the organization.
Create the potential for undue financial or other personal gain.
Be established solely to protect oneself from potential or actual loss or harm.
Be nepotistic or provide favoritism to certain individuals.
The internal audit function’s methodologies should specify the expectations and requirements for internal auditors related to:
Receiving gifts, favors, and rewards.
Identifying situations that may impair objectivity.
Responding appropriately upon becoming aware of an impairment.
Many organizations have a policy related to the acceptance of gifts, rewards, and favors, such as a policy limiting the value of gifts that can be accepted. Because of the importance of objectivity in the practice of internal auditing, the chief audit executive may have a policy that is more restrictive than that of the organization. Internal auditors should follow the more restrictive policy and carefully consider whether accepting a gift, reward, or favor may be perceived to affect their judgment or be given in exchange for producing favorable internal audit findings, conclusions, or results.
The policies of the organization and/or the internal audit function may prohibit specific activities or relationships that could create conflicts of interest. Internal auditors should be aware that close personal relationships outside work and relationships involving financial ties, such as investments, may be or appear to be conflicts of interest.
The chief audit executive should take precautions to reduce the potential impairments to objectivity that may result from the design of performance evaluations and remuneration arrangements, bonuses, and incentives. Examples of remuneration arrangements that may impair objectivity include:
Basing performance evaluations and remuneration primarily on surveys of or input from the management of the activity under review.
Measuring performance against the number of findings identified during engagements, the revenue growth of the activity under review, or the cost savings or job eliminations imposed upon the activity under review.
Allowing management to provide indirect compensation in the form of gifts and gratuities.
Internal auditors should apply their understanding of objectivity and relevant policies and procedures to evaluate whether any situations, activities, or relationships may impair, or may be presumed to impair, their objectivity. The perceptions of other people should be considered.
The requirements for staffing and supervising engagements are intended to ensure that the internal auditors assigned to an engagement were not recently responsible for any aspect of the activity under review, which may bias their view, give them a vested interest in a particular outcome, or create the perception or appearance that their objectivity is impaired. For each engagement, the internal auditors performing and supervising the engagement should be independent from the activity under review.
When planning resources for an engagement, the chief audit executive or a designated supervisor should discuss the engagement with internal auditors to identify any current or potential impairments to objectivity. The discussion should include consideration of any impairments previously disclosed.
As part of the process for supervising engagements, workpapers are reviewed to ensure findings and conclusions are adequately supported. Engagement supervision also provides opportunities for more experienced internal auditors to provide feedback and mentoring regarding potential objectivity concerns. (See also Standards 12.3 Oversee and Improve Engagement Performance and 13.5 Engagement Resources.)
If an impairment is unavoidable, it should be disclosed and mitigated as described in Standard 2.3 Disclosing Impairments to Objectivity.
Examples of Evidence of Conformance
Policies and procedures for identifying potential impairments and necessary safeguards.
Records of objectivity training.
Documentation through which internal auditors attest that they either have no known impairments or have disclosed potential impairments.
Sources of feedback on the perception of internal auditors’ objectivity, such as surveys of the internal audit function’s stakeholders.
Notes from supervisory reviews.
Remuneration plan.
Minutes of board meetings where impairments to objectivity were discussed.
Plans showing alternative provisions to fulfill the internal audit plan activities where impairments to objectivity were unavoidable.
Results of external quality assessments performed by an independent assessor.
Standard 2.3 Disclosing Impairments to Objectivity
Requirements
If objectivity is impaired in fact or appearance, the details of the impairment must be disclosed promptly to the appropriate parties.
If internal auditors become aware of an impairment that may affect their objectivity, they must disclose the impairment to the chief audit executive or a designated supervisor. If the chief audit executive determines that an impairment is affecting an internal auditor’s ability to perform duties objectively, the chief audit executive must discuss the impairment with the management of the activity under review, the board, and/or senior management and determine the appropriate actions to resolve the situation.
If an impairment that affects the reliability or perceived reliability of the engagement findings, recommendations, and/or conclusions is discovered after an engagement has been completed, the chief audit executive must discuss the concern with the management of the activity under review, the board, senior management, and/or other affected stakeholders and determine the appropriate actions to resolve the situation. (See also Standard 11.4 Errors and Omissions.)
If the objectivity of the chief audit executive is impaired in fact or appearance, the chief audit executive must disclose the impairment to the board. (See also Standard 7.1 Organizational Independence.)
Considerations for Implementation
The requirements for disclosing impairments to objectivity are typically defined in the internal audit function’s methodologies and describe the actions to be taken to address each impairment to objectivity. The general approach to disclosing and mitigating impairments to objectivity is typically determined by the chief audit executive in agreement with the board and senior management.
If an impairment to objectivity cannot be avoided, the chief audit executive may consider options to manage the impairment, including:
Reassigning internal auditors to remove the impaired internal auditor from the engagement.
Rescheduling an engagement to ensure it is properly staffed.
Adjusting the scope of an engagement.
Outsourcing the performance or supervision of the engagement.
When a concern arises during engagement planning that relates solely to the perception of an impairment, the chief audit executive may choose to discuss the concern with the management of the activity under review and/or senior management, explain why the risk exposure is minimal and how it will be managed, and document the discussion and the final decision about how to proceed.
Standard 7.1 Organizational Independence provides additional requirements and information related to the chief audit executive assuming roles or responsibilities beyond internal auditing.
Examples of Evidence of Conformance
Internal audit methodologies for disclosing objectivity impairments.
Documentation disclosing the presence or affirming the absence of objectivity impairments.
Records of the disclosure of objectivity impairments and the response from and/or approval of the mitigation by appropriate parties.
Principle 3 Demonstrate Competency
Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.
Demonstrating competency requires developing and applying the knowledge, skills, and abilities to provide internal audit services. Because internal auditors provide a diverse array of services, the competencies needed by each internal auditor vary. In addition to possessing or obtaining the competencies needed to perform services, internal auditors improve the effectiveness and quality of services by pursuing professional development.
Standard 3.1 Competency
Requirements
Internal auditors must possess or obtain the competencies to perform their responsibilities successfully.
The required competencies include the knowledge, skills, and abilities suitable for one’s job position and responsibilities commensurate with their level of experience. Internal auditors must possess or develop knowledge of The IIA’s Global Internal Audit Standards. Internal auditors must engage only in those services for which they have or can attain the necessary competencies. Each internal auditor is responsible for continually developing and applying the competencies necessary to fulfill their professional responsibilities. Additionally, the chief audit executive must ensure that the internal audit function collectively possesses the competencies to perform the internal audit services described in the internal audit charter or must obtain the necessary competencies. (See also Standards 7.2 Chief Audit Executive Qualifications and 10.2 Human Resources Management.)

Considerations for Implementation

Internal auditors should develop competencies related to:
Communication and collaboration.
Governance, risk management, and control processes.
Business functions, such as financial management and information technology.
Pervasive risks, such as fraud.
Tools and techniques for gathering, analyzing, and evaluating data.
The risks and potential impacts of various economic, environmental, legal, political, and social conditions.
Laws, regulations, and practices relevant to the organization, sector, and industry.
Trends and emerging issues relevant to the organization and internal auditing.
Supervision and leadership.

To develop and demonstrate competencies, internal auditors may:
Obtain appropriate professional credentials, such as the Certified Internal Auditor® designation and other certifications and credentials.
Identify opportunities for improvement and competencies that need development, based on feedback provided by stakeholders, peers, and supervisors.
Seek relevant training not only in internal audit methodologies but also on business activities relevant to the organization. Training opportunities may include enrolling in courses, working with a mentor, or being assigned new tasks under supervision during an engagement.

While internal auditors are responsible for ensuring their individual professional development and may assess their own skills and opportunities for development, the chief audit executive should support the professional development of internal auditors. The chief audit executive may establish minimum expectations for professional development and should encourage the pursuit of professional qualifications. The chief audit executive should include funding for training and professional development in the internal audit budget and provide opportunities internally as well as externally, through continuing professional education, training, and conferences. (See also Standards 10.1 Financial Resource Management and 10.2 Human Resources Management.)

To ensure the internal audit function collectively possesses the competencies to perform the internal audit services, the chief audit executive should:
Maintain knowledge of internal auditors’ competencies to be used when assigning work, identifying training needs, and recruiting internal auditors to fill open positions.
Participate in the performance reviews of individual internal auditors.
Identify areas in which the competencies of the internal audit function should be improved.
Encourage internal auditors’ intellectual curiosity and invest in training and other opportunities to improve internal audit performance.
Understand the competencies of other providers of assurance and advisory services and consider relying upon those providers as a source of additional or specialty competencies not available within the internal audit function.
Consider contracting with an independent, external service provider when the internal audit function collectively does not possess the competencies to perform requested services.
Effectively implement a quality assurance and improvement program.

Examples of Evidence of Conformance

Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors.
Internal auditors’ self-assessments of their competencies and plans for professional development.
Documentation of internal auditors’ completion of continuing professional education, such as courses, conference sessions, workshops, and seminars.
Documented performance reviews of internal auditors.
Documented supervisory reviews of engagements, post-engagement surveys completed by internal audit stakeholders, and other forms of feedback indicating competencies exhibited by individual internal auditors and the internal audit function.
The results of internal and external quality assessments.
Documentation of relevant competencies necessary to fulfill the internal audit plan, an analysis of resource gaps, and the identification of the training and budget necessary to fill the gaps.
Documentation such as an assurance map that indicates the competencies of other providers of assurance and advisory services upon which the internal audit function may rely.

Standard 3.2 Continuing Professional Development

Requirements

Internal auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services.
Internal auditors must pursue continuing professional development including education and training. Practicing internal auditors who have attained professional internal audit certifications must follow the continuing professional education policies and fulfill the requirements applicable to their certifications.

Considerations for Implementation

Continuing professional development may include self-study, on-the-job training, opportunities to learn new skills on special assignments (such as rotational programs), mentorship, supervisory feedback, and free and paid education. To improve the quality of performing internal audit services, internal auditors should seek opportunities to learn about trends and best practices as well as emerging topics, risks, trends, and changes that may affect the organizations for which they work and the internal audit profession. Internal auditors are responsible for developing their competencies and should seek opportunities to learn. However, the chief audit executive is responsible for the competencies of the internal audit function and should budget and plan for opportunities to train and educate internal audit staff. For example, internal auditors can develop new knowledge when properly supervised and assigned to engagements involving processes or areas with which they have had limited experience. Internal auditors should seek and welcome opportunities for supervision and mentorship through which they can receive robust feedback, guidance, and insight. Many professional credentials require a minimum number of hours of continuing professional education within specific periods, such as annually. The chief audit executive should consider implementing a plan that requires internal auditors to obtain specific types and quantities of continuing professional education.
Internal auditors possessing credentials, such as the Certified Internal Auditor® designation, should be aware of the specific requirements of the certifying body’s policy for maintaining their credentials. Failing to fulfill such requirements may result in consequences, including jeopardizing internal auditors’ permission to use the credentials. All internal auditors should develop a plan and schedule for ongoing training and education. As part of the required continuing professional education, The IIA requires holders of its certifications to complete ethics training. While this requirement is linked specifically to IIA certifications, all internal audit professionals should obtain ethics-focused continuing professional education or training regularly. News service subscriptions, webinars, and professional events provide internal auditors with opportunities to stay abreast of current developments in the internal audit profession and industries relevant to the organizations for which they work. Training may be used to introduce new technology or changes in internal audit practices. Professional development initiatives should include a regular review and assessment of internal auditors’ career paths and needs for professional development. The chief audit executive should ensure plans and budgets for training reflect a balance between investing in developing the competencies of the internal audit function as a whole and providing internal auditors with opportunities to achieve their individual goals to grow professionally.

Examples of Evidence of Conformance

Documented plans for attending training events, professional conferences, and other continuing professional education.
Records of internal auditors’ completed continuing professional education and credentials obtained.
Internal auditors’ performance reviews and/or plans for professional development.
Evidence of active involvement in The IIA and other relevant professional organizations, such as volunteer service.

Principle 4 Exercise Due Professional Care

Internal auditors apply due professional care in planning and performing internal audit services.

The standards that embody exercising due professional care require:
Conformance with the Global Internal Audit Standards.
Consideration of the nature, circumstances, and requirements of the work to be performed.
Application of professional skepticism to critically assess and evaluate information.

Due professional care requires planning and performing internal audit services with the diligence, judgment, and skepticism possessed by prudent and competent internal auditors. When exercising due professional care, internal auditors perform in the best interests of those receiving internal audit services but are not expected to be infallible.

Standard 4.1 Conformance with the Global Internal Audit Standards

Requirements

Internal auditors must plan and perform internal audit services in accordance with the Global Internal Audit Standards. The internal audit function’s methodologies must be established, documented, and maintained in alignment with the Standards. Internal auditors must follow the Standards and the internal audit function’s methodologies when planning and performing internal audit services and communicating results. If the Standards are used in conjunction with requirements issued by other authoritative bodies, internal audit communications must also cite the use of the other requirements, as appropriate.
If laws or regulations prohibit internal auditors or the internal audit function from conforming with any part of the Standards, conformance with all other parts of the Standards is required and appropriate disclosures must be made. When internal auditors are unable to conform with a requirement, the chief audit executive must document and communicate a description of the circumstance, alternative actions taken, the impact of the actions, and the rationale. Requirements related to disclosing nonconformance with the Standards are described in Standards 8.3 Quality, 12.1 Internal Quality Assessment, and 15.1 Final Engagement Communication.

Considerations for Implementation

The chief audit executive should review the Standards when changes occur and align the internal audit function’s methodologies accordingly. If inconsistencies exist between the Standards and requirements issued by other authoritative bodies, internal auditors and the internal audit function may be required to or may choose to conform with the more stringent requirements. The chief audit executive or a designated engagement supervisor should ensure that engagement work programs align with the requirements of the Standards and that internal audit engagements are conducted in accordance with the Standards’ requirements. While conformance with the requirements is expected, internal auditors or the internal audit function may occasionally be unable to conform with a requirement yet may take alternative actions to achieve the related principle. Such circumstances are usually related to specific sectors, industries, and jurisdictions. By documenting the circumstance, alternative actions taken, the impact, and the rationale, the chief audit executive provides information to support the external quality assessment such that the internal audit function may be able to achieve conformance with a principle, even when conformance with a standard is not possible.
If internal auditors are unable to conform with a standard when performing an internal audit engagement, they should discuss with the chief audit executive or a designated supervisor the reason for the nonconformance and the effect of the nonconformance on the engagement. The chief audit executive or supervisor should provide guidance regarding to whom and how to communicate the nonconformance. (See Standard 15.1 Final Engagement Communication.) Additionally, laws, regulations, internal audit methodologies, and organizational policies may provide specifications for determining when and how nonconformance is to be disclosed.

Examples of Evidence of Conformance

Documentation of the internal audit function’s methodologies and an indication of when they were last updated.
If applicable, final engagement communications and communications with the board and senior management where nonconformance has been disclosed.
Documentation referencing the laws and/or regulations with which internal auditors were required to comply that prevented their conformance with the Standards.
Documentation referencing authoritative requirements to which the internal audit function adheres in addition to the Standards.
Results of the quality assurance and improvement program.

Standard 4.2 Due Professional Care

Requirements

Internal auditors must exercise due professional care by assessing the nature, circumstances, and requirements of the services to be provided, including:
The organization’s strategy and objectives.
The interests of those for whom internal audit services are provided and the interests of other stakeholders.
Adequacy and effectiveness of governance, risk management, and control processes.
Cost relative to potential benefits of the internal audit services to be performed.
Extent and timeliness of work needed to achieve the engagement’s objectives.
Relative complexity, materiality, or significance of risks to the activity under review.
Probability of significant errors, fraud, noncompliance, and other risks that might affect objectives, operations, or resources.
Use of appropriate techniques, tools, and technology.

Considerations for Implementation

To perform services with due professional care requires that internal auditors consider and understand the Purpose of Internal Auditing and the nature of the internal audit services to be provided. Internal auditors should start by understanding the internal audit charter, the internal audit plan, and the factors that help determine which engagements are included in the plan. When planning and performing internal audit services, internal auditors also consider the interests of the organization’s customers and other stakeholders (including the public) affected by the organization’s actions. Such interests include stakeholders’ expectations (such as fair and honest business practices), needs (such as safety), and potential exposure to underlying risks that may not be obviously related to the organization’s strategy and objectives. The considerations in due professional care comprise the circumstances and aspects of risk that the chief audit executive must consider when performing the risk assessment on which the internal audit plan is based. Relevant circumstances include the organization’s strategy and objectives and the adequacy and effectiveness of the organization’s governance, risk management, and control processes. Additionally, internal auditors consider these circumstances relative to an activity under review during engagement planning, as described in Domain V: Performing Internal Audit Services. The complexity, materiality, and significance of risks being evaluated is relative. A risk may not be material or significant to the organization but may be material or significant in an engagement or to an activity under review.
Thus, understanding the complexity, materiality, and significance in context is necessary to properly assess relevant risks and determine which risks should be prioritized for further evaluation. Due professional care also requires weighing the costs (such as resource requirements) of the internal audit services against the benefits that may result. For example, if the controls in an activity under review are not adequately designed, the benefits of fully evaluating the effectiveness of those controls are not likely to be worth the costs. Internal auditors seek to provide the most value or benefit for the organization’s investment in internal audit services. Additionally, thorough planning requires internal auditors to consider the techniques, tools, technology, and extent and timeliness of work needed to achieve the engagement objectives most efficiently. Internal auditors, especially the chief audit executive, should consider the use of data analysis software and other technology that support the review and evaluation processes. Proper engagement supervision and a quality assurance and improvement program promote due professional care. (See also Standards 8.3 Quality, 8.4 External Quality Assessment, and Principle 12 Enhance Quality and its standards.)

Examples of Evidence of Conformance

Planning notes documenting the strategy and objectives of the organization and activity under review.
Documented assessments of governance, risk management, and control processes.
Notes showing assessment of risks including errors, noncompliance, and fraud.
Notes from meetings or discussions of the potential costs and benefits of internal audit services and the extent and timeliness of engagement work.
Workpapers indicating supervisory review of engagements.
Internal auditors’ performance reviews.
Notes from meetings, training, or other discussion of due professional care.
Feedback from stakeholders solicited through surveys or other tools.
Internal and external assessments performed as part of the internal audit function’s quality assurance and improvement program.

Standard 4.3 Professional Skepticism

Requirements

Internal auditors must exercise professional skepticism when planning and performing internal audit services. To exercise professional skepticism, internal auditors must:
Maintain an attitude that includes inquisitiveness.
Critically assess the reliability of information.
Be straightforward and honest when raising concerns and asking questions about inconsistent information.
Seek additional evidence to make a judgment about information and statements that might be incomplete, inconsistent, false, or misleading.

Considerations for Implementation

Professional skepticism enables internal auditors to make objective judgments based on facts, information, and logic, rather than trust or belief. Skepticism is the attitude of always questioning or doubting the validity and truthfulness of claims, statements, and other information. Internal auditors apply professional skepticism when they seek evidence to support and validate statements made by management, rather than simply trusting the information presented as true or genuine without question or doubt. Professional skepticism requires curiosity and the willingness to explore beyond the surface level of a given topic. When gathering and analyzing information, internal auditors should