states what the profession and the internal audit function strives to achieve whereas the definition describes what internal audit is. As in the mission, the defi- nition recognizes that the ultimate goal of the internal audit profession as a whole, and individual internal audit functions in particular, is to add value to the organi- zation by providing assurance and consulting services. Specifically, these services provide value through the evaluation and improvement of the effectiveness of the organization's risk management, control, and governance processes. Of course, adding value is not an option in most organizations. Management expects and demands all functions in the organization to create visible value. By explicitly stat- ing that the internal audit function is "designed to add value and improve" these processes, the definition underscores the profession's commitment to serving the needs of the organization.
The Definition
The IPPF provides the following Definition of Internal Auditing:
Internal auditing is an independent, objective assurance and consulting activ- ity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, con- trol, and governance processes.
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
EXHIBIT 2-2
CORE PRlf\lCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
2-8 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES
Objectivity. According to the Code of Ethics, "Internal auditors exhibit the high- est level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influ- enced by their own interests or by others in forming judgments."
Integrity is the "price of admission" for internal auditors. It is. so fundamental that, without it, an individual cannot serve as an internal audit professional. For exam- ple, how could a stakeholder rely on an internal audit report that contains inten- tionally false or deceptive statements? Or, would stakeholders be comfortable if an internal auditor was fired from a previous job for committing fraud? Internal auditors must model the ethical values of the organization to gain the trust and respect needed to fulfill their professional responsibilities.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization."
The Rules of Conduct associated with the integrity principle state that "Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
Integrity. According to the Code of Ethics, "The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment."
The Principles of th Code express the four ideals internal audit professionals should aspire lo maintain in conducting their w rl and represent th core values that internal auditors must uphold to earn the trust of those who rely on their ser- vices. The Ru] s of endue describ 12 behavioral norms that internal auditors should follow to put the Principles into practice. Whi l some might have differing views about how specif · engagements are .arried out or whether internal audit services are better provided by external providers or an internal function it is hard
to
imagine there is anyone who would not want internal audit professionals to follow these four Principle· of the Code and 12 Rules of onduct as present d and discussed below.The purpose of the Code of Ethics is to promote an ethical culture in the internal audit profession. The Code of Ethics consists of two components: the Principles of the Code (not to be confused with the 10 Core Principles, although there is over- lap) and the Rules of Conduct. These two components go beyond the Definition of Internal Auditing by expanding upon the necessary attributes and behaviors of the individuals providing internal audit services.
The Code of Ethics
The definition's reference to independence and objectivity and the systematic, dis- ciplined approach provides the foundation for performing internal audit services.
These elements are discussed further in the remaining components of the IPPF.
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judg- ment.
Integrity
---
THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-9 Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Confidentiality
Competency. Finally, the Code of Ethics requires that "Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services."
In providing internal audit services, the internal auditor needs unrestricted access to all relevant data. To grant such access, management must have confidence that the internal auditor will not inappropriately disclose or use data in such a man- ner that harms the organization, violates laws or regulations, or results in per- sonal gain. Similarly, internal auditors must protect data within their possession to ensure confidential information is not inadvertently disclosed to inappropriate parties. For instance, passwords, encryption, and other security measures should be used when carrying personally identifiable information on a laptop. Likewise, an internal auditor who is aware of material nonpublic information cannot dis- close it to outsiders or use it for personal gain (such as insider trading).
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization."
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
The Rules of Conduct associated with the confidentiality principle state that
"Internal auditors:
Confidentiality. The Code of Ethics also requires that "Internal auditors respect the value and ownership of information they receive and do not disclose information with- out appropriate authority unless there is a legal or professional obligation to do so."
Objectivity is a fundamental attribute of internal auditing. In performing their work, internal auditors must be aware of potential threats to their objectivity, such as personal relationships or conflicts of interest. For example, accepting gifts from auditees, auditing an operation in which their spouse works, or agreeing with the divisional manager to transfer to the division at the end of the audit would be per- ceived as impairing an internal auditor's objectivity. Moreover, internal auditors must be objective in their communications and avoid misleading language. For example, it is inappropriate to state that inventory controls were at the same level of effectiveness as in the last audit but neglect to point out that such controls were assessed as unsatisfactory at that time.
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review."
The Rules of Conduct associated with the objectivity principle state that "Internal auditors:
2-10 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES
4. Foster improved organizational processes and operations."
2. Provide a framework for performing and promoting a broad range of value-added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
"The purpose of the Standards is to:
I. Guide adherence with the mandatory elements of the International Profes- sional Practices Framework.
The Introduction to the Standards further points out that "The Standards apply to individual internal auditors and internal audit activities." Each internal auditor is accountable for conforming with the Standards related to individual objectiv- ity, proficiency, and due professional care. In addition, each internal auditor is accountable for conforming with the Standards that are relevant to the perfor- mance of his or her job responsibilities. The CAE is "accountable for the internal audit activity's overall conformance with the Standards."