
The International Standards for the Professional Practice of Internal Auditing

2-10 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

"The purpose of the Standards is to:

1. Guide adherence with the mandatory elements of the International Professional Practices Framework.

2. Provide a framework for performing and promoting a broad range of value-added internal auditing.

3. Establish the basis for the evaluation of internal audit performance.

4. Foster improved organizational processes and operations."

The Introduction to the Standards further points out that "The Standards apply to individual internal auditors and internal audit activities." Each internal auditor is accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, each internal auditor is accountable for conforming with the Standards that are relevant to the performance of his or her job responsibilities. The CAE is "accountable for the internal audit activity's overall conformance with the Standards."

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-11

Two Categories of Standards

- Attribute Standards

- Performance Standards

Assurance and Consulting Services

The two types of internal audit services, assurance and consulting, were introduced in chapter 1 and defined in the Glossary to the Standards as follows:

Assurance Services. An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

"The Standards are a set of principles-focused, mandatory requirements consisting of:

Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels [italics added].

Interpretations, clarifying terms or concepts within the Standards [italics added]."

For example, in Standard 2040: Policies and Procedures the standard is: "The chief audit executive must establish policies and procedures to guide the internal audit activity." The interpretation is: "The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work." In this case, the interpretation explains that the appropriate form and content of policies and procedures will vary across internal audit functions because of size, organizational structure, and types of services provided.

The Standards includes a Glossary of terms that have been given specific meanings. The Standards, their interpretations, and terms defined in the Glossary must be considered together to understand and apply the Standards correctly. The Standards is reproduced in its entirety in appendix A of this textbook.

There are two categories of Standards:

Attribute Standards "address the attributes of organizations and individuals performing internal auditing."

Performance Standards "describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured."

(Introduction to the International Standards)

Implementation Standards " ... expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance ... or consulting ... activities," which is why they are not considered a third category of Standards.

The Standards are organized using a system of numbers and letters. Attribute Standards make up the 1000 series and Performance Standards the 2000 series.

The Attribute Standards and Performance Standards apply equally to both assurance and consulting activities. The Implementation Standards are presented directly under the related Attribute and Performance Standards and are indicated by an "A" if they pertain to assurance services or by a "C" if they pertain to consulting services. This system is illustrated in exhibit 2-3.


[Figure: Consulting Services (Customer, Internal Auditor); Assurance Services (Auditee, Internal Auditor, User)]

[Figure: breakdown of Standard number 1220.A3, with labels: Attribute Standard; Proficiency and Due Professional Care; Due Professional Care; Assurance Services; The Third Assurance Standard]

1220 - Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A3 - Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

Consulting Services. Advisory and related [customer] service activities, the nature and scope of which are agreed with the [customer], are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.


The difference in purpose between these two types of services is clear. Assurance engagements are performed to provide independent assessments. Consulting engagements are performed to provide advisory, training, and facilitation services.

The structural difference between assurance and consulting engagements is not as obvious and is illustrated in exhibit 2-4. The structure of consulting engagements is relatively simple. They typically involve two parties: 1) the party requesting and receiving the advice (the customer), and 2) the party providing the advice (the internal audit function). The internal audit function works directly with the customer to tailor the engagement to meet the customer's needs. The structure of assurance engagements is more complex. They typically involve three parties: 1) the party directly responsible for the process, system, or other subject matter being assessed (the auditee), 2) the party making the assessment (the internal audit function), and 3) the party/parties using the assessment (the user(s)). The users of the internal audit function's assessment are not involved directly in the engagement and in some cases are not identified explicitly.

The relative complexity of assurance engagements is reflected in the Standards. The internal audit function must plan and perform an assurance engagement and report the engagement results in a manner that meets the needs of the third-party users who are not involved directly in the engagement. Moreover, the internal audit function must take care to avoid any potential conflicts of interest with these users. Many of the attributes and practices required by the Standards and Code of Ethics are particularly concerned with keeping the interests of assurance service providers and the third-party users aligned. Accordingly, the Implementation Standards for assurance services are more stringent and numerous than the Implementation Standards for consulting services.

While the Standards treats each engagement as either an assurance or a consulting engagement, in practice, engagements usually have elements of both assurance and operational improvement. The Value Proposition (exhibit 1-1 from chapter 1) can be applied at the function or the engagement level. At the engagement level, value comes from objective assurance and objective insight. Some engagements are designed primarily to provide assurance, although they may also generate insight as well through recommendations and advice for management. Likewise, while consulting engagements are designed primarily to generate insight into an operation or process, they may provide at least limited assurance regarding the effectiveness of managing risks in that area. In terms of which set of Implementation Standards apply to an engagement, if the primary objective is assurance, then the Assurance Implementation Standards would apply. If the primary objective of the engagement is insight (that is, improvement of the organization's effectiveness and efficiency), the Consulting Implementation Standards would apply with the understanding that a lower level of assurance is obtained from the engagement when the Assurance Implementation Standards have not been followed. Engagements are sometimes structured such that there are both significant assurance and insight objectives. Such engagements are referred to as blended engagements. The issues involved in structuring blended engagements are discussed further in chapter 15, "The Consulting Engagement."

Coverage of the Implementation Standards is integrated in the following discussion of Attribute Standards and Performance Standards.


1000 - Purpose, Authority, and Responsibility

1100 - Independence and Objectivity

1200 - Proficiency and Due Professional Care

1300 - Quality Assurance and Improvement Program

Purpose, Authority, and Responsibility. The internal audit function must have a charter that clearly states the function's purpose, authority, and responsibilities and specifies the nature of the assurance and consulting services the function provides. The charter must be consistent with the Mission of Internal Audit. It also must acknowledge the internal audit function's responsibility to adhere to the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards. Such information may be documented in the form of a service contract when internal audit services are outsourced to a third-party service provider. The CAE "must periodically review the internal audit charter and present it to senior management and the board for approval" (Standard 1000: Purpose, Authority, and Responsibility). Final approval of the charter is the responsibility of the board. More information about the internal audit charter is presented in chapter 9, "Managing the Internal Audit Function."

Independence and Objectivity. "The internal audit [function] must be independent, and internal auditors must be objective in performing their work" (Standard 1100: Independence and Objectivity). The Glossary to the Standards defines independence and objectivity as follows:

Independence. The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Objectivity. An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

It is important to note that independence and objectivity are two distinct, yet interrelated, concepts that are fundamental to providing value-adding internal audit services: the internal audit function must be independent and individual internal auditors must be objective. Whereas independence is an attribute of the internal audit function, objectivity is an attribute of the individual auditor. This is a subtle, yet extremely important, distinction.

The extent to which an internal function can be independent depends on the relative status of the function within the organization. Standard 1110: Organizational Independence states that "The chief audit executive must report to a level within the organization that allows the internal audit [function] to fulfill its responsibilities ... and confirm to the board, at least annually, the organizational independence of the internal audit [function]." Standard 1111: Direct Interaction with the Board requires the CAE to "communicate and interact directly with the board."

Positioning the internal audit function at a high level within the organization