THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2·17 The care and skill expected of a reasonably prudent and competent internal auditor.

Due Professional Care

The knowledge, skills, and other competencies needed to fulfill internal audit responsibilities.

Proficiency

(continued next page) a) Exemplifies quality and continuous improvement of the internal audit activity Ill. IPPF: Applies the International Professional Practices Framework (IPPF)

d) Foster the professional growth of others c) Manage internal audit resources b) Risk-based audit plan

II. Internal Audit Management: Develops and manages the internal audit function a) Advocate internal audit and its value

I. Professional Ethics: Promotes and applies professional ethics a) Foster the ethical climate of the organization

EXHIBIT 2-6

THE IIA GLOBAL INTERNAL AUDIT COMPETENCY

2-18 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

Source, The IIA's Global Internal Audit Competency Framework (Lake Mary, FL The Institute of Internal Auditors, 2014).

a) Support an environment that embraces change across the organization b) Create and support an environment that embraces change within the inter-

nal audit activity

c) Pursue personal and professional development goals

X. Improvement and Innovation: Embraces change and drives improvement and innovation

IX. Internal Audit Delivery: Delivers internal audit engagements

a) Perform effective planning to ensure a quality audit engagement b) Perform effective fieldwork to ensure a quality audit engagement c) Effectively document and organize audit evidence to support the audit

engagement results

d) Identify the root causes of issues in the audit engagement e) Organize, adapt, and effectively express audit findings

f) Establish a follow-up process to monitor completion of management actions VIII. Critical Thinking: Applies process analysis, business intelligence, and

problem-solving techniques

a) Select and use tools and techniques to obtain relevant data/information b) Select and use research, business intelligence, and problem-solving tech-

niques to analyze and solve complex situations

c) Assist management in identifying practical solutions to address issues VII. Persuasion and Collaboration: Persuades and motivates others through

collaboration and cooperation

a) Collaborate with others to remove organizational barriers b) Utilize techniques to persuade and reach consensus c) Demonstrate effective leadership to achieve desired results VI. Communication: Communicates with impact

a) Use effective verbal communication skills b) Use effective written communication skills

b) Understand the strategic risks to the organization's control environment and governance processes

c) Understand the risks of macro and micro economic factors on the organiza- tion's industry

V. Business Acumen: Maintains expertise of the business environment, indus·

try practices, and specific organizational factors

a) Understand the organization's business risks and related internal control activities

IV. Governance, Risk, and Control: Applies a thorough understanding of gover- nance, risk, and control appropriate to the organization

a) Apply the governance, risk, and control frameworks in audit activities b) Support a culture of fraud risk awareness at all levels of the organization

EXHIBIT 2-6

THE IIA GLOBAL INTERNAL AUDIT COMPETENCY FRAMEWORK - 10 coi:~E COMPETENCIES ( .. ^t>t'I)

TH[ INTERNATIONAL PROf'ESSIONALPRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2·-'19

Adequacy and effectiveness of governance, risk management, and control pro- cesses;

Relative complexity, materiality, or significance of matters to which assurance procedures are applied;

Extent of work needed to achieve the engagement's objectives;

The Standards prescribe what needs to be considered in determining the appro- priate level of care for assurance and consulting engagements. Standard 1220.Al indicates that internal auditors must consider the following for assurance engage- ments: "the

Standard 1220: Due Professional Care requires internal auditors to "apply the care and skill expected of a reasonably prudent and competent internal auditor." This does not mean that internal auditors can never make mistakes or imperfect judg- ments, but rather that they will demonstrate the level of concern and competence expected of a professional. Due care also does not mean that internal auditors will examine every transaction, visit every location, or speak with every employee of the engagement auditee or customer. It does, however, mean that they will put forth the same level of effort as other internal audit professionals would in similar situations.

Proficiency applies to the internal audit function as a whole as well as to the indi- vidual internal auditor. The CAE is responsible for ensuring that the internal audit function possesses the knowledge, skills, and other competencies required to fulfill the function's responsibilities as specified in its charter. In cases in which the func- tion lacks competencies required to perform all or part of an assurance engage- ment, the CAE "must obtain competent advice and assistance" from other sources (Standard 1210.Al). Chapter 9 discusses how such advice and assistance may be obtained from outside service providers. When the internal audit function is asked to perform a consulting engagement for which the internal audit function docs not possess the necessary competencies, the CAE "must either decline the consulting engagement or obtain competent advice and assistance" (Standard 1210.Cl).

Likewise, Standard 1210.A3 states that "Internal auditors must have suffi- cient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work." However, every internal auditor need not possess "the expertise of an internal auditor whose primary responsibility is information technology auditing." Chapter 7, "Informa- tion Technology Risks and Controls," covers the nature oflT risks and the controls that organizations can implement to mitigate these risks in detail. Chapter 10,

"Audit Evidence and Working Papers," provides an overview of computer-assisted audit techniques. The website that accompanies this textbook contains access to and instructions for ACL, CaseWare IDEA, and TeamMate Analytics, the three most widely used commercially available audit software programs.

One specific competency that is required by the Standards is knowledge oJ' fraud risks. Standard 12JO.A2 states that "J n tern al auditors must have sufficicn t knowl- edge to evaluate the risk of fraud and the manner in which it is managed

by

the organization ... "They are not expected, however, "to have the expertise of a per- son whose primary responsibility is detecting and investigating fraud." Chapter n,

"Risk of Fraud and Illegal Acts," covers the nature of fraud risks and the controls that organizations can put in place to mitigate these risks in detail.

2-20 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

Quality Assurance and Tmprovement Programs. The basic concept of quality assurance for internal au.dit services is the same as it is for the manufacturing of products or the delivery of other types of services. Quality assurance instills confidence that the product or service possesses the essential features and char- acteristics it is intended to have. For example, quality assurance associated with manufacturing a particular metal bolt would focus on ensuring that the bolt is made in accordance with the prescribed engineering specifications. In a similar vein, an internal audit function's quality assurance and improvement program "is designed to enable an evaluation of the internal audit [function's] conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the inter- nal audit [function] and identifies opportunities for improvement" (Interpretation to Standard 1300: Quality Assurance and Improvement Program).

Standard 1230: Continuing Professional Development states that "Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development." Individuals aspiring to become internal auditors and internal auditors who have not yet achieved professional certification should pur- sue education, training, and experience programs that qualify them to obtain one or more certifications relevant to their professional responsibilities. As discussed in chapter 1, certifications sponsored by The IIA include the Certified Internal Audi- tor (CIA), Certified Government Auditing Professional (CGAP), Certified Finan- cial Services Auditor (CFSA), the Certification in Control Self-Assessment (CCSA), the Certification in Risk Management Assurance (CRMA), and the Qualification in Internal Audit Lead rship (QIAL). ther professional organizations als spon- sor certifications that internal audit professionals may fin ] worthwhile to pursue.

Examples include the Certified Information Systems Auditor (CISA) c rtification sponsored by ISACA (previously known as the Information Systems Audit and Con- trol Association) and th Certif cl Fraud Examiner (CFE) certification spon .or d by the Association of ertified Fraud •.xarniners (ACFE). Internal auditors pos- scssing professional certifications n eel to rn et spe .ified continuing professional education requirements to retain their certifications. This standard complements rule

,J, ..

'3 ofThe IIA's Code of Ethics, which requires internal auditors to continually improve their prof iency and the effectiveness and quality of their servi s.

Standard 1220.Cl indicates that internal auditors must consider the following for consulting engagements: "the

• Needs and expectations of [customers], including the nature, timing, and com- munication of engagement results;

• Relative complexity and extent of work needed to achieve the engagement's objectives; and

• Cost of the consulting engagement in relation to potential benefits."

Internal auditors also must consider "the use of technology-based audit and other data analysis techniques" (Standard 1220.A2) and "be alert to the significant risks that might affect objectives, operations, or resources" (Standard 1220.A3).

• Probability of significant errors, fraud, or noncompliance; and

• Cost of assurance in relation to potential benefits."

Instills confidence that the product or service possesses the essential fea- tures and characteristics it is intended to have

Quality Assurance

---

- Certified Internal Auditor (CIA) - Certified Government Auditing

Professional (CGAP)

- Certified Financial Services Auditor (CFSA)

- Certification in Control Self- Assessment ( CCSA)

- Certification in Risk Management Assurance (CRMA)

- Qualification in Internal Audit Leadership (QIAL)

Certifications Sponsored

by The IIA:

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-21 Standard 1310: Requirements of the Quality Assurance and Improvement Pro-

gram states that "The quality assurance and improvement program must include both internal and external assessments." "Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit [function]; and

• Periodic self-assessment or assessments by other persons within the organi- zation with sufficient knowledge of internal audit practices" (Standard 1311:

Internal Assessments).

"The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit [function]"

(Standard 1300: Quality Assurance and Improvement Program). The CAE also

"must communicate the results of the quality assurance and improvement pro- gram to senior management and the board" (Standard 1320: Reporting on the Quality Assurance and Improvement Program) and may state that the internal audit function conforms with the Standards "only if supported by the results of the quality assurance and improvement program" (Standard 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Audit- ing"). "When non conformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit [function], the chief audit exec- utive must disclose the nonconformance and the impact to senior management and the board" (Standard 1322: Disclosure ofNonconformance).