THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-27

Residual Risk: The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk).
2-28 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

The IIA's mandatory guidance (the Core Principles, the Code of Ethics, the Standards, and the Definition of Internal Auditing) is relatively general in nature because it is applicable to all internal audit activities. Internal audit assurance and consulting engagements are conducted in a wide variety of organizations, by in-house internal audit functions or outside service providers, in a centralized or decentralized organizational structure, and in diverse cultures and legal environments.

Recommended guidance (Implementation Guidance and Supplemental Guidance) provides more specific, nonmandatory guidance. In some cases, recommended guidance may not be applicable to all internal audit functions. In other cases, it may represent only one of many acceptable alternatives. However, this guidance is authoritative in the sense that The IIA has endorsed it through a formal endorsement process, which includes review for consistency with the mandatory guidance.

Implementation Guidance. The Implementation Guidance component of the IPPF is provided in the Implementation Guides. These guides are not intended to give detailed processes and procedures but to provide potential or acceptable approaches to achieving conformance with the Standards. Each of the Standards has an Implementation Guide (IG), and each guide has the same basic structure, as shown in exhibit 2-9.

Implementation Guides: Implementation Guides assist internal auditors in applying the Standards. They collectively address the approach, methodologies, and considerations for internal auditing.

First, the standard is presented, including its interpretation. Then there is a section titled "Getting Started," which brings together the relevant mandatory elements of the IPPF that pertain to the specific standard the guide addresses (specific Core Principles, elements of the Code of Ethics, and other Standards). For example, in IG 1210/Proficiency, the guide notes that for the overall function, proficiency is a responsibility of the CAE, that the 2000 series of standards address the details of managing the function and its resources, and that these standards should also be considered in approaching this standard. In the case of Standard 1210, the guide also directs the reader to The IIA's Global Internal Audit Competency Framework, which sets out the core competencies needed for members of the function at various occupational levels. This section also outlines information the CAE may want to compile when considering how to implement the standard.

The next section of the guide, "Considerations for Implementation," deals with specific issues of implementation for the specific standard. For example, in this section for IG 1120/Individual Objectivity, the suggestion is made that to manage individual internal audit objectivity, the CAE could establish an internal audit policy manual that would describe the expectations and requirements for an unbiased mindset for every internal auditor. IG 1120 then proceeds to outline what elements might be included in such a policy. IG 1120 also addresses other issues, such as the fact that performance and compensation practices can have a significant negative impact on an individual auditor's objectivity.

The final section of the guide, "Considerations for Demonstrating Conformance," addresses how the internal audit function can show its implementation of the standard. For IG 1110/Organizational Independence (shown in exhibit 2-9), implementation of the standard could be demonstrated through documents such as the internal audit charter, the audit committee charter, organizational charts, and the CAE's job description. CAE hiring documents, including who interviewed the final CAE candidates, as well as the CAE's performance evaluation, particularly with evidence of audit committee input, also would demonstrate conformance with this standard. Audit committee agendas, reports, and minutes can show appropriate communication of internal audit plans, budgets, and performance, providing an indication of organizational independence.

The International Internal Audit Standards Board is responsible for developing the Implementation Guides. These Guides do not undergo a process of public exposure but are approved by the Professional Practices Advisory Council prior to issuance. The Implementation Guides are available to IIA members at no cost on The IIA's website and in the published edition of the IPPF.

EXHIBIT 2-9
STRUCTURE OF IMPLEMENTATION GUIDES

Example of Implementation Guides - Standard 1110

THE STANDARD

Standard 1110 - Organizational Independence: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve ....

GETTING STARTED

The standard requires the chief audit executive (CAE) to report to a level within the organization that allows internal audit to fulfill its responsibilities. Therefore, it is necessary to consider the organizational placement and supervisory oversight/reporting lines of internal audit to ensure organizational independence.

The CAE does not solely determine the organizational placement of internal audit, the CAE's reporting relationships, or the nature of board or senior management supervision; the CAE needs help from the board and senior management to address these items effectively. Typically, the CAE, the board, and senior management reach a shared understanding of internal audit's responsibility, authority, and expectations, as well as the role of the board and senior management in overseeing internal audit.

Generally, the internal audit charter documents the decisions reached on organizational placement and reporting lines.

It may also be helpful for the CAE to be aware of regulatory requirements for both internal audit positioning and CAE reporting lines.

CONSIDERATIONS FOR IMPLEMENTATION

As noted above, the CAE works with the board and senior management to determine the organizational placement of internal audit, including the CAE's reporting relationships. To ensure effective organizational independence, the CAE has a direct functional reporting line to the board. Generally, the CAE also has an administrative, or "dotted," reporting line to a member of senior management.

A functional reporting line to the board provides the CAE with direct board access for sensitive matters and enables sufficient organizational status. It ensures that the CAE has unrestricted access to the board, typically the highest level of governance in the organization.

Functional oversight requires the board to create the right working conditions to permit the operation of an independent and effective internal audit activity.

As noted, the board assumes responsibility for approving the internal audit charter, the internal audit plan, the budget and resource plan, the evaluation and compensation of the CAE, and the appointment and removal of the CAE. Further, the board monitors the ability of internal audit to operate independently. It does so by asking the CAE and members of management questions regarding internal audit scope, resource limitations, or other pressures or hindrances on internal audit.

CAEs who find themselves with a board that does not assume these important functional oversight duties may share Standard 1110 and recommended governance practices, including board responsibilities, with the board to pursue a stronger functional relationship over time.

To facilitate board oversight, the CAE routinely provides the board with performance updates, generally at quarterly meetings of the board. Often, the CAE is involved in crafting board meeting agendas and can plan for sufficient time to discuss internal audit performance relative to plan as well as other matters, including key findings or emerging risks that warrant the board's attention. Further, to ensure that organizational independence is discussed annually, as required by this standard, the CAE will often create a standing board agenda item for a specific board meeting each year.

Generally, the CAE also has an administrative reporting line to senior management, which further enables the requisite stature and authority of internal audit to fulfill its responsibilities. For example, the CAE typically would not report to a controller, accounting manager, or mid-level functional manager. To enhance stature and credibility, The IIA recommends that the CAE report administratively to the chief executive officer (CEO) so that the CAE is clearly in a senior position, with the authority to perform duties unimpeded.

CONSIDERATIONS FOR DEMONSTRATING CONFORMANCE

There are several documents that may demonstrate conformance with this standard, including the internal audit charter and the audit committee charter, which would describe the audit committee's oversight duties. The CAE's job description and performance evaluation would note reporting relationships and supervisory oversight. If available, CAE hiring documentation may include who interviewed the CAE and who made the hiring decision. Further, an internal audit policy manual that addresses policies like independence and board communication requirements, or an organization chart with reporting responsibilities, may demonstrate conformance. Board reports, meeting minutes, and agendas can demonstrate that internal audit has appropriately communicated items such as the internal audit plan, budget, and performance, as well as the state of organizational independence.

Supplemental Guidance. This component of the IPPF provides guidance for delivering internal audit services. This guidance, like the Implementation Guides, is not mandatory but is recommended and goes through an endorsement process. Supplemental Guidance is not organized by standard or other mandatory elements of the IPPF. Rather, the guidance addresses topic areas, industry sector specific issues, processes and procedures, various tools and techniques, and examples of deliverables. Exhibit 2-10 provides a number of examples of available Supplemental Guidance.
EXHIBIT 2-10
SUPPLEMENTAL GUIDANCE - SELECTED EXAMPLES

General
• Interaction with the Board
• Reliance by Internal Audit on Other Assurance Providers
• Coordinating Risk Management and Assurance
• Evaluating Ethics-Related Programs and Activities
• Auditing Privacy Risks
• Developing the Internal Audit Strategic Plan
• Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
• Auditing Anti-Bribery and Anti-Corruption Programs
• Business Continuity Management
• Formulating and Expressing Internal Audit Opinions
• Evaluating Corporate Social Responsibility/Sustainable Development
• Internal Audit and the Second Line of Defense

Global Technology Audit Guides (GTAGs)
• Information Technology Risk and Controls, 2nd Edition
• Auditing IT Projects
• Information Technology Outsourcing, 2nd Edition
• Identity and Access Management
• Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition
• Auditing User-Developed Applications
• Fraud Prevention and Detection in an Automated World
• Information Security Governance
• Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices
• Auditing IT Governance
• Data Analysis Technologies
• Assessing Cybersecurity Risk: Roles of the Three Lines of Defense

Guide to the Assessment of IT Risk (GAIT)
• GAIT Methodology
• GAIT for IT General Control Deficiency Assessment
• GAIT for Business and IT Risk

Public Sector
• Assessing Organizational Governance in the Public Sector
• Creating an Internal Audit Competency Process for the Public Sector

Other
• Applying The IIA's International Professional Practices Framework as a Professional Services Firm

As can be seen in the exhibit, a significant amount of the Supplemental Guidance deals with IT, both as a subject of audit and as an audit tool, and with the assessment of IT risks.

Supplemental Guidance is produced by a number of IIA committees: the Guidance Development Committee (general guidance to support the IPPF globally), the Information Technology Guidance Committee (information technology-related IPPF guidance), the Financial Services Guidance Committee (IPPF guidance in support of financial service sector auditors globally), and the Public Sector Guidance Committee (IPPF guidance to support internal auditors in the governmental sector globally). The various materials that make up Supplemental Guidance are available to IIA members at no cost on The IIA's website and are available for purchase in The IIA's online bookstore.

Other Guidance. Guidance that is not a part of the IPPF but may be useful for internal audit practitioners and their stakeholders is occasionally produced by The IIA. These documents can be found on The IIA's website under "Standards & Guidance" and "Topics and Resources." Currently, topics covered include issues
The Professional Practices Advisory Council (PPAC) and the Professional Guidance Advisory Council (PGAC) are responsible for coordinating the initiation, development, issuance, and maintenance of the authoritative guidance that makes up the IPPF. These Councils comprise The IIA's vice president of professional guidance and the chairs of The IIA's six global technical committees. These committees are:

• International Internal Audit Standards Board (PPAC)
• Professional Responsibilities and Ethics Committee (PPAC)
• Guidance Development Committee (PGAC)
• Information Technology Guidance Committee (PGAC)
• Financial Services Guidance Committee (PGAC)
• Public Sector Guidance Committee (PGAC)

International Internal Audit Standards Board. The International Internal Audit Standards Board's mission is to develop, issue, and maintain the Standards and to strategically direct the development of implementation guidance in support of the Standards by identifying, prioritizing, commissioning, and ultimately approving guidance specifically geared to helping internal audit practitioners achieve conformance with the Standards. The board is required to complete a review of the existing Standards every three years. New standards or modifications to existing standards are initiated with this board and require a 90-day

Professional Responsibilities and Ethics Committee. The Professional Responsibilities and Ethics Committee's mission is to promote an understanding of, and to identify ways to promote the importance of, the professional responsibilities of practicing internal auditors, certificate holders, and certificate candidates, including adherence to the Code of Ethics and conformance with the Standards. It serves the global profession of internal auditing by maintaining and updating The IIA's Code of Ethics; promoting an understanding of, and compliance with, The IIA's Code of Ethics; maintaining and updating the Competency Framework, with a periodic review to validate competencies; and promoting conformance with the Standards. The committee is required to complete a formal review of the existing Code of Ethics every three years. Any changes in the Code of Ethics, such as adding additional rules, must be initiated by this committee. Prior to adoption of changes to the Code of Ethics, revisions will be made available for a 90-day exposure period for public comment. Final approval of changes to the Code of Ethics rests with The IIA's Board of Directors. The committee membership comprises experienced internal audit leaders from around the globe. Members are required to be CIAs.
The IPPF is not intended to be a static body of guidance. It will continue to evolve as the profession responds to a continuously changing environment.