2-14 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

The extent to which an internal function can be independent depends on the rela- tive status of the function within the organization. Standard 1110: Organizational Independence states that "The chief audit executive must report to a level within the organization that allows the internal audit [function] to fulfill its responsibil- ities ... and confirm to the board, at least annually, the organizational indepen- dence of the internal audit [function]." Standard 1111: Direct Interaction with the Board requires the CAE to "communicate and interact directly with the board."

Positioning the internal audit function at a high level within the organization It is important to note that independence and objectivity are two distinct, yet interrelated, concepts that are fundamental to providing value-adding internal audit services-the internal audit function must be independent and individual internal auditors must be objective. Whereas independence is an attribute of the internal audit function, objectivity is an attribute of the individual auditor. This is a subtle, yet extremely important, distinction.

Objectivity. An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

Independence and Objectivity. "The internal audit [function] must be indepen- dent, and internal auditors must be objective in performing their work" (Standard 1100: Independence and Objectivity). The Glossary to the Standards defines inde- pendence and objectivity as follows:

Independence. The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Purpose, Authority, and Responsibility. The internal audit function must have a charter that clearly states the function's purpose, authority, and responsibili- ties and specifies the nature of the assurance and consulting services the function provides. The charter must be consistent with the Mission of Internal Audit. It also must acknowledge the internal audit function's responsibility to adhere to the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards. Such information may be documented in the form of a service contract when internal audit services are outsourced to a third-party service pro- vider. The CAE "must periodically review the internal audit charter and present it to senior management and the board for approval" (Standard 1000: Purpose, Authority, and Responsibility). Final. approval of the charter is the responsibility of the board. More information about the internal audit charter is presented in chapter 9, "Managing the Internal Audit Function."

1000 - Purpose, Authority, and Responsibility 1100 - Independence and Objectivity

1200 - Proficiency and Due Professional Care 1300 - Quality Assurance and Improvement Program

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-15

Conflicts of interest impair independence and objectivity. A conflict of interest is

"a situation in which an internal auditor, who is in a position of trust, has a com- peting professional or personal interest" (Interpretation of Standard 1120: Indi- vidual Objectivity). Potential conflicts of interest often arise as a result of naturally occurring events, such as:

H A senior manager from another area of the organization is asked to be the CAE.

r, An employee moves into the internal audit function from another area of the organization or rotates through the internal audit function as part of his or her training regimen.

As shown in exhibit 2-5, independence and objectivity is one of three pillars sup- porting effective internal audit services. Organizational independence of the internal audit function facilitates the objectivity of individual auditors. Objectiv- ity is a state of mind and is defined as freedom from bias. It involves the use of facts without distortions by personal feelings or prejudices. ³ In an applied sense, it would mean that two people with the same level of expertise and facing the same facts and circumstances will come to similar conclusions.

>-

....

'>

_QI

:..:;

...

u l'U

QI

u

~ >-

0 ^{u l'U} c

~ ^{c QI} _'iii ⁰

QI

·u

_en

u .:.i:: QI

c 0

....

QI

...

0

""C a.

...

c a.

QI QI

a. ^:,

QI Cl

""C

c

Effective Internal Audit Services ,: • _: ; :. I•;- :- ~

- -. ~ -:- " .::. c ~ : · ·_

^{1.. -. ~}

^{.3 ,:. ;:} E

^:-=

:= EC TI V E

. r-: - .::. o ~ ': ·- .:: ,) : , t--:- ~ ): i-:: . ' : :: 31

facilitates broad audit coverage and promotes due consideration of engagement outcomes. Conversely, positioning the internal audit function lower within the organization greatly increases the risk of conflicts of interest that impair the func- tion's ability to provide objective assessments and advice. For example, it would be difficult for an internal audit function to assess objectively the controls over financial reporting if the CAE reports to the controller who is responsible for the design adequacy and operating effectiveness of those controls.

2-16 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

The standards pertaining to consulting services are not as stringent. Standard 1130.Cl states that "Internal auditors may provide consulting services relating to operations for which they had previous responsibilities." Per Standard 1130.C2, The CAE is responsible for guarding the internal audit function against potential conflicts of interest. Standard 1130.Al states that "Internal auditors must refrain from assessing specific operations for which they were previously responsible.

Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year." Standard 1130.A2 states that "Assurance engagements for func- tions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit [function]."

Personal relationships cause conflicts of interest when internal auditors perform engagements in areas of the organization in which relatives or close friends work as managers or employees. Such relationships may tempt internal auditors to overlook problems or soften negative conclusions.

• A manager or employee gives a gift to, or does a favor for, the internal auditor, thus placing pressure on the internal auditor to reciprocate.

• The internal audit function's compensation structure awards bonuses based on the number of observations internal auditors include in their reports.

Independence and objectivity also can be undermined by incentives and personal relationships. Incentives involve conditions in which internal auditors have eco- nomic stakes in the outcomes of their work that could impair their judgment.

Examples of such conditions include:

• The auditee's management promises to offer the internal auditor a job or sup- port a promotion of the auditor if the engagement goes well and no problems are found.

Task-related threats to independence and objectivity arise from the nature of the work itself. For example, an individual who recently joined the internal audit func- tion might be asked to audit the area for which they were previously responsible.

This individual would, in effect, be auditing his or her own work. Objectivity is threatened in such situations because people sometimes have trouble recognizing or acknowledging personal deficiencies or errors in their own work. Human beings exhibit an unconscious "self-serving bias" that is a cognitive weakness. Research has shown, for example, that people are not as good at identifying weaknesses in systems they design as they are in identifying weaknesses in systems designed by others.⁴

• The CAE manages functions in addition to internal audit, such as risk manage- ment, information security, or compliance.

• An internal auditor with specialized accounting expertise is asked to assume a temporary accounting position.

• An internal auditor with management experience is asked to fill a vacated man- agement position while the organization searches for a suitable replacement.

• An internal auditor is asked to design control policies and procedures in an area of the organization that does not have the requisite expertise to address existing control deficiencies.

Any relationship that is, or appears to be, not in the best interest of the organization.

Conflict of Interest

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2·17 The care and skill expected of a reasonably prudent and competent internal auditor.

Due Professional Care

The knowledge, skills, and other competencies needed to fulfill internal audit responsibilities.

Proficiency

(continued next page) a) Exemplifies quality and continuous improvement of the internal audit activity Ill. IPPF: Applies the International Professional Practices Framework (IPPF)

d) Foster the professional growth of others c) Manage internal audit resources b) Risk-based audit plan

II. Internal Audit Management: Develops and manages the internal audit function a) Advocate internal audit and its value

I. Professional Ethics: Promotes and applies professional ethics a) Foster the ethical climate of the organization

EXHIBIT 2-6

THE IIA GLOBAL INTERNAL AUDIT COMPETENCY