
HOW THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK IS KEPT CURRENT

U.S. GAO

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-37

IFAC: Issues international audit standards adopted by a number of countries.

PCAOB and AICPA: Issue standards for audits of companies' financial statements in the United States.

BEAC: Issues standards to address the needs of environmental, health, and safety audit professionals.

Other Relevant Guidance. Guidance promulgated by other professional organizations also is relevant to internal auditors. For example:

• The International Standards Organization (ISO) sets standards for quality, environmental audits, and risk management.

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued frameworks pertaining specifically to internal control, risk management, and fraud deterrence.

• The Society of Corporate Compliance and Ethics (SCCE) provides guidance for ethics and compliance practitioners.

Standards for Financial Audits. The U.S. Public Company Accounting Oversight Board (PCAOB) and the American Institute of Certified Public Accountants (AICPA) currently set the standards for audits of companies' financial statements in the United States. Standards for audits of companies' financial statements are set separately in other countries as well. However, as is the case with accounting standards, there are initiatives underway to unify the financial audit standards among certain countries. For example, the International Auditing and Assurance Standards Board (IAASB), which is a part of the International Federation of Accountants (IFAC), has issued international audit standards that are being adopted by a number of countries. Although these standards pertain directly to independent audits of companies' financial statements, they can have a bearing on internal audit work, particularly those standards pertaining to the coordination of work between internal audit functions and outside independent auditors.

Standards for the Professional Practice of Environmental, Health, and Safety Auditing. The Board of Environmental, Health, and Safety Auditor Certifications (BEAC) has developed Standards for the Professional Practice of Environmental, Health, and Safety Auditing to address the needs of environmental, health, and safety audit professionals. Some organizations have functions other than the internal audit function that provide assurance that the organization is complying with environmental protection, health, and safety laws and regulations. Other organizations consider such assurances to be within the scope of their internal audit functions' responsibilities. When internal audit functions perform environmental, health, and safety audit engagements, they can use the BEAC Standards to direct their work. The BEAC Standards are consistent with The IIA's Standards.

the IPPF called ITAF (Information Technology Assurance Framework) for providing guidance to assurance professionals providing assurance on information systems. The ITAF is very similar in nature to The IIA's IPPF except that it is directed to a much more specific practice. The ITAF framework consists of "Standards," "Guidelines," and "IT Audit and Assurance Tools and Techniques" for conducting information systems audits. ISACA's "Guidelines" provide more specific information about how to apply their "Standards" and require justification for departure from them when appropriate. "IT Audit and Assurance Tools and Techniques" provide examples of what an information systems auditor might do in performing an internal audit engagement, but these procedures are not required. There is not, at present, any incompatibility between The IIA's Standards and ISACA's Standards. However, internal audit functions whose work involves a significant portion of information systems audits should be aware of the ISACA guidance and consider adopting this guidance for their information systems audit work.

2-38 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

• The Health Care Compliance Association (HCCA) provides guidance for compliance professionals specifically operating in the healthcare industry.

The Basel Committee on Banking Supervision has specific requirements (referred to as Basel 1, Basel 2, and Basel 3) for internal audits of banking and financial institutions' risk management and rating systems.

These are just a few of the many organizations that promulgate guidance of relevance to internal auditors. Internal auditors must be cognizant of these organizations and the nature of the guidance they issue. Internal auditors practicing in specific countries or in certain industries must be knowledgeable of existing guidance other than The IIA's IPPF that is relevant to their work.

SUMMARY

This chapter covered in detail The IIA's IPPF. This framework contains two categories of authoritative guidance, mandatory and recommended, that enable internal audit functions to fulfill the mission of enhancing and protecting organizational value. Mandatory guidance includes the Core Principles, the Code of Ethics, the Standards, and the Definition of Internal Auditing. Recommended guidance includes Implementation Guidance and Supplemental Guidance. The process through which The IIA maintains and develops the IPPF also was discussed, as was guidance of relevance to internal auditors that is promulgated by professional organizations other than The IIA.

The Core Principles set out what it takes for an internal audit function to be effective. The Code of Ethics articulates the ethical principles and behavioral norms relevant to the practice of internal auditing. The Attribute Standards prescribe the attributes that internal audit functions and individual internal auditors must have to deliver assurance and consulting services effectively. The Performance Standards provide authoritative guidance on managing the internal audit function and conducting assurance and consulting engagements. The Implementation Standards expand upon the Attribute and Performance Standards by providing guidance that is specifically applicable to either assurance services or consulting services. Implementation Guidance and Supplemental Guidance provide guidance that is helpful to internal auditors in implementing the Core Principles, the Code of Ethics, the Standards, and the Definition of Internal Auditing. Finally, standards promulgated by other organizations that are relevant to internal auditors were discussed.

The IPPF, especially the Standards and Implementation Guidance, will be referred to extensively throughout the remainder of this book.

1. What are the circumstances that precipitated the need for internal audit-type activities?

2. What are the six components of the IPPF? Which components constitute mandatory guidance? Which components constitute recommended guidance?

3. Contrast the mission statement with the Definition of Internal Auditing. What, if anything, does the mission statement add?

4. What is the purpose of The IIA's Code of Ethics?

5. Identify the four principles of the Code of Ethics. Why should internal auditors strive to comply with these principles?

6. What is the purpose of The IIA's Standards? Explain the difference between Attribute and Performance Standards.

7. Explain the difference between assurance and consulting services. Why does each type of service have its own Implementation Standards?

8. What is the definition of independence as it pertains to an internal audit function? What is the definition of objectivity as it pertains to individual internal auditors?

9. Explain what is meant by the term "conflicts of interest." How do conflicts of interest arise?

10. What does "proficiency" mean? What does "due professional care" mean?

11. What is the purpose of the internal audit function's quality assurance and improvement program?

12. What are the seven main sections of the Performance Standards?

13. Identify the Performance Standards that pertain specifically to:

a. Engagement planning.

b. Performing the engagement.

c. Communicating results.

14. What is the relationship between Standards and the Implementation Guidance?

15. What is the role of Supplemental Guidance in the IPPF?

16. What are the responsibilities of The IIA's Professional Practices and Professional Guidance Advisory Councils?

17. What is the role of the IPPF Oversight Council?

18. What organizations, other than The IIA, promulgate guidance that is pertinent to internal auditors?

MULTIPLE-CHOICE QUESTIONS

Select the best answer for each of the following questions.

1. A primary purpose of the Standards is to:

a. Promote coordination of internal and external audit efforts.

b. Establish a basis for evaluating internal audit performance.

c. Develop consistency in internal audit practices.

d. Provide a codification of existing practices.

2. Which of the following are "mandatory guidance" in The IIA's IPPF?

I. Implementation Guides.

II. The Code of Ethics.

III. The Definition of Internal Auditing.

IV. The Standards.

a. I, II, and IV.

b. II and IV.

c. II, III, and IV.

d. I, II, III, and IV.

3. An internal auditor provides income tax services during the tax season. For which of the following activities would the auditor most likely be considered in violation of The IIA's Code of Ethics?

a. Preparing, for a fee, a division manager's personal tax returns.

b. Appearing on a local radio show to discuss retirement planning and tax issues.

c. Receiving a stipend for teaching an evening tax class at the local junior college.

d. Working on weekends for a friend who has a small CPA firm.

4. An internal auditor is auditing a division in which the division's chief financial officer (CFO) is a close, personal friend. The auditor learns that the friend is to be replaced after a series of critical contract negotiations with the Department of Defense. The auditor relays this information to the friend. Which principle of The IIA's Code of Ethics has been violated?

a. Integrity.

b. Objectivity.

c. Confidentiality.

d. Privacy.

5. The IIA's Standards require internal auditors to exercise due professional care while conducting assurance engagements. Which of the following is not something an internal auditor is required to consider in determining what constitutes the exercise of due care in an assurance engagement of treasury operations?

a. The audit committee has requested assurance on the treasury function's compliance with a new policy on use of financial instruments.

b. Treasury management has not instituted any risk management policies.

c. The independent outside auditors have requested to see the engagement report and working papers.

d. The treasury function just completed implementation of a new real-time investment tracking system.

6. In which of the following situations does the internal auditor potentially lack objectivity?

a. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small motors.

b. An internal auditor discusses a significant issue with the vice president to whom the auditee reports prior to drafting the audit report.

c. An internal auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits.

d. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit department.

7. Which of the following is/are components of the Standards?

I. Statements.

II. Interpretations.

III. Glossary.

a. I only.

b. I and II.

c. I and III.

d. I, II, and III.

8. According to the Standards, which of the following must the internal audit manager think about when considering appropriate due care while planning an assurance engagement?

a. The opportunity to cross-train internal audit staff.

b. The cost of assurance in relationship to potential benefits.

c. Job openings in the area that may be of interest to internal auditors assigned to the engagement.

d. The potential to deliver consulting services to the auditee.

9. Which of the following types of IPPF guidance require(s) public exposure?

I. A new Implementation Guide.

II. A new standard.

III. New Supplemental Guidance for auditing cybersecurity.

IV. A new definition in the Standards Glossary.

a. III only.

b. II and IV.

c. II, III, and IV.

d. I, II, III, and IV.

10. Which of the following are required of the internal audit function per the Standards?

a. Evaluate the effectiveness of the audit committee annually.

b. Issue an overall opinion on the adequacy of the organization's system of internal controls annually.

c. Obtain an annual representation from management acknowledging management's responsibility for the design and implementation of internal controls to prevent illegal acts.

d. Assess whether the IT governance of the organization sustains and supports the organization's strategies and objectives.

11. Which of the following is a Core Principle for the Professional Practice of Internal Auditing?

a. Maintain confidentiality.

b. Promote an ethical culture in the internal audit profession.

c. Develop consistency in internal audit practices.

d. Is appropriately positioned and adequately resourced.

12. According to the Standards, how is the independence of the internal audit function achieved?

a. Staffing and supervision.

b. Organizational status and objectivity.

c. Human relations and communications.

d. Quality assurance and internal review.

13. To determine what needs to be done regarding follow-up on an assurance engagement the internal audit staff just completed, one would consult:

a. The Attribute Standards: Assurance Services Implementation Standards.

b. The Performance Standards: Consulting Services Implementation Standards.

c. The Attribute Standards: Consulting Services Implementation Standards.

d. The Performance Standards: Assurance Services Implementation Standards.
