Chapter 1.docx

  • Uploaded by: Jibran
  • November 2019

STUDY UNIT ONE MANDATORY GUIDANCE

1.1 Applicable Guidance
1.2 Codes of Ethical Conduct for Professionals
1.3 Internal Audit Ethics -- Introduction and Principles
1.4 Internal Audit Ethics -- Integrity
1.5 Internal Audit Ethics -- Objectivity
1.6 Internal Audit Ethics -- Confidentiality
1.7 Internal Audit Ethics -- Competency
1.8 Internal Audit Charter

I. MANDATORY GUIDANCE (35%–45%)

A. Definition of Internal Auditing
   1. Define purpose, authority, and responsibility of the internal audit activity
B. Code of Ethics
   1. Abide by and promote compliance with The IIA Code of Ethics
C. International Standards
   1. Comply with The IIA’s Attribute Standards
      a. Determine if the purpose, authority, and responsibility of the internal audit activity are documented in the audit charter, approved by the Board, and communicated to the engagement clients
      b. Demonstrate an understanding of the purpose, authority, and responsibility of the internal audit activity
   2. Maintain independence and objectivity
   3. Determine if the required knowledge, skills, and competencies are available
   4. Develop and/or procure necessary knowledge, skills, and competencies collectively required by the internal audit activity
   5. Exercise due professional care
   6. Promote continuing professional development
   7. Promote quality assurance and improvement of the internal audit activity

1.1 APPLICABLE GUIDANCE

1. International Professional Practices Framework (IPPF)

  • The Institute of Internal Auditors (The IIA) defines the mission of internal audit as follows: “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
  • Facilitating the achievement of this mission is the IPPF.
  • The IPPF contains mandatory guidance and strongly recommended guidance.

2. Mandatory Guidance

  • Adherence to the mandatory guidance is essential for the professional practice of internal auditing.
  • The mandatory guidance consists of four elements:
      • the Core Principles for the Professional Practice of Internal Auditing,
      • the Definition of Internal Auditing,
      • the Code of Ethics, and
      • the Standards.
  • The Core Principles and the Definition of Internal Auditing are incorporated in the Code of Ethics and the Standards. Thus, conformance with the Code and the Standards demonstrates conformance with all mandatory elements of the IPPF.

I. The Core Principles are the basis for internal audit effectiveness. The internal audit function is effective if all principles are present and operating effectively. The following are the Core Principles:

  a) Demonstrates integrity.
  b) Demonstrates competence and due professional care.
  c) Is objective and free from undue influence (independent).
  d) Aligns with the strategies, objectives, and risks of the organization.
  e) Is appropriately positioned and adequately resourced.
  f) Demonstrates quality and continuous improvement.
  g) Communicates effectively.
  h) Provides risk-based assurance.
  i) Is insightful, proactive, and future-focused.
  j) Promotes organizational improvement.


SU 1: Mandatory Guidance

II. The Definition of Internal Auditing is a concise statement of the role of the internal audit activity in the organization.

Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

III. Code of Ethics (Subunits 1.2 through 1.7)

IV. The Standards:

  • It was formally known as the International Standards for the Professional Practice of Internal Auditing.
  • It serves the following four purposes described by The IIA:

Purpose of the Standards
  1. Guide adherence to the mandatory elements of the International Professional Practices Framework.
  2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
  3. Establish the basis for the evaluation of internal audit performance.
  4. Foster improved organizational processes and operations.

  • The Standards are vital to the practice of internal auditing:
      • Attribute Standards, numbered in the 1000s, govern the responsibilities, attitudes, and actions of the organization’s internal audit activity and the people who serve as internal auditors.
      • Performance Standards, numbered in the 2000s, govern the nature of internal auditing and provide quality criteria for evaluating the internal audit function’s performance.
      • Interpretations are provided by The IIA to clarify terms and concepts referred to in Attribute or Performance Standards.
      • Implementation Standards expand upon the individual Attribute or Performance Standards that apply to all internal audit engagements. Each Implementation Standard describes the requirements of either an assurance or a consulting engagement.

3. Strongly Recommended Guidance

  • Strongly recommended guidance has been developed by The IIA through a formal approval process. It describes practices for effective implementation of the Core Principles, the Definition of Internal Auditing, the Code of Ethics, and the Standards.
  • The two strongly recommended elements of the IPPF are (a) Implementation Guidance and (b) Supplemental Guidance.


4. Purpose, Authority, and Responsibility of the Internal Audit Activity

a. Purpose

  • As defined in The IIA Glossary, the purpose of the internal audit activity is to provide “independent, objective assurance and consulting services designed to add value and improve an organization’s operations.
  • The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.”

b. Authority

  • The support of management and the board is crucial when inevitable conflicts arise between the internal audit activity and the department or function under review. Thus, the internal audit activity should be empowered to require auditees to grant access to all records, personnel, and physical properties relevant to the performance of every engagement.
  • A formal charter for the internal audit activity that defines the internal audit activity’s purpose, authority, and responsibility must be adopted, and it should contain a grant of sufficient authority. Final approval of the charter resides with the board.

c. Responsibility

  • The internal audit activity’s responsibility is to provide the organization with assurance and consulting services that will add value and improve the organization’s operations.
  • Specifically, the internal audit activity must evaluate and improve the effectiveness of the organization’s governance, risk management, and control processes.

5. Compliance with U.S. Laws

  • As part of its role in organizational governance, risk management, and control, the internal audit activity is responsible for evaluating (and recommending improvements to) compliance with relevant laws.
  • Common examples of such laws are (a) regulations regarding the discharge of pollutants and (b) workplace safety rules.
  • An internal auditor in the U.S. should be aware of the Racketeer Influenced and Corrupt Organizations Act, the Foreign Corrupt Practices Act, and the Sarbanes-Oxley Act.

6. The Racketeer Influenced and Corrupt Organizations Act of 1970

  • In 1970, Congress passed the Racketeer Influenced and Corrupt Organizations (RICO) Act to combat the problem of organized crime. The act’s goals were to eliminate organized crime by concentrating on the transfer of illegal monies.
  • RICO has both civil and criminal provisions. The criminal portion provides for fines and prison sentences, and the civil portion provides for the awarding of treble damages and attorney’s fees to the successful plaintiff.
  • RICO specifically makes the following activities unlawful: Conspiring to commit any of the following offenses:
      • Using income derived from a pattern of racketeering activity to acquire an interest in an enterprise
      • Acquiring or maintaining an interest in an enterprise through a pattern of racketeering activity
      • Conducting the affairs of an enterprise through a pattern of racketeering activity
  • Despite the intent of the RICO Act to be used against organized crime groups, it has had unforeseen consequences, i.e., it has been used against Wall Street insider traders, Major League Baseball, anti-abortion protesters, and public accounting firms.

7. The Foreign Corrupt Practices Act of 1977

  • The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 in response to the flood of bribes handed out by U.S. companies to foreign government officials, a phenomenon that came to light during the Watergate investigations of 1973-74.
  • The FCPA contains two sets of provisions:
      I. All public companies must devise and maintain a system of internal accounting control, regardless of whether they have foreign operations.
      II. Public companies may not make corrupt payments to any foreign official, foreign political party or official thereof, or candidate for political office in a foreign country.
  • As under RICO, individuals found in violation of the FCPA are subject to both a fine and imprisonment. A corporation may be assessed a fine as well.

8. The Sarbanes-Oxley Act of 2002

  • The Sarbanes-Oxley Act of 2002 (SOX) was a response to the numerous financial reporting scandals of late 2001 and early 2002.
  • SOX imposes specific governance practices on issuers of publicly traded securities.
      I. Each member of the issuer’s audit committee must be an independent member of the board of directors.
      II. At least one member of the audit committee must be a financial expert.
      III. The audit committee must be directly responsible for appointing, compensating, and overseeing the work of the independent auditor.
      IV. The independent auditor must report directly to the audit committee, not to management.
  • SOX also imposes specific reporting requirements, among them a provision that the issuer’s CEO and CFO must certify the effectiveness of the system of internal control.
  • Criminal penalties were provided for those who conceal or destroy accounting or other records in an attempt to obstruct an investigation.

9. Compliance with Control Frameworks

  • The following five frameworks, developed in different nations, are widely accepted methods for implementing effective systems of internal control.

  1. The COSO Framework:
      • Known formally as Internal Control -- Integrated Framework, it is the most prominent control framework in the United States.
      • Published in 1992 and most recently modified in 2013, the COSO Framework was issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (named for James C. Treadway, its first chairman).
  2. CoCo (Criteria of Control):
      • It is known formally as Guidance on Control.
      • It was published in 1995 by the Canadian Institute of Chartered Accountants (CICA).
  3. The Turnbull Report (Internal Control: Guidance for Directors on the Combined Code):
      • It is named for Nigel Turnbull, chair of the committee that drafted the report.
      • It was originally published in 1999 by the Financial Reporting Council (FRC) of the UK and re-released as Internal Control: Revised Guide for Directors on the Combined Code in 2005.
  4. COBIT (Control Objectives for Information and Related Technology):
      • It is the best-known framework specifically for IT controls.
      • Version 5 of this document was published in 2012 by the Information Systems Audit and Control Association (ISACA).
  5. eSAC (Electronic Systems Assurance and Control):
      • It is an alternative control model for IT.
      • It is a publication of The Institute of Internal Auditors Research Foundation.

1.2 CODES OF ETHICAL CONDUCT FOR PROFESSIONALS

1. Reasons for Codes of Ethical Conduct

  • The primary purpose of a code of ethical conduct for a professional organization is to promote an ethical culture among professionals who serve others.
  • Additional functions of a code of ethical conduct for a professional organization include
      a. Communicating acceptable values to all members,
      b. Establishing objective standards against which individuals can measure their own performance, and
      c. Communicating the organization’s values to outsiders.

2. Aspects of Codes of Ethical Conduct

  • The mere existence of a code of ethical conduct does not ensure that its principles are followed or that those outside the organization will believe that it is trustworthy. A measure of the cohesion and professionalism of an organization is the degree of voluntary compliance with its adopted code.
  • A code of ethical conduct worded so as to reduce the likelihood of members being sued for substandard work would not earn the confidence of the public.
  • A code of ethical conduct can help establish minimum standards of competence, but it is impossible to require equality of competence by all members of a profession.
  • To be effective, the code must provide for disciplinary action for violators.

3. Typical Components of a Code of Ethical Conduct

A code of ethical conduct for professionals should contain at least the following. (These four elements are the core principles of The IIA’s Code of Ethics.)

  a. Integrity. A refusal to compromise professional values for personal gain. Another facet of integrity is performance of professional duties in accordance with relevant laws.
  b. Objectivity. A commitment to providing stakeholders with unbiased information. Another facet of objectivity is a commitment to independence from conflicts of economic or professional interest.
  c. Confidentiality. A refusal to use organizational information for private gain.
  d. Competency. A commitment to acquiring and maintaining an appropriate level of knowledge and skill.


1.3 INTERNAL AUDIT ETHICS -- INTRODUCTION AND PRINCIPLES

Introduction

The IIA incorporates the Definition of Internal Auditing into the Introduction to the Code of Ethics and specifies the reasons for establishing the Code.

Introduction to The IIA’s Code of Ethics

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control. The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:

  1. Principles that are relevant to the profession and practice of internal auditing.
  2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability

The provisions of the Code are applied broadly to all organizations and persons who perform internal audit services, not just CIAs and members of The IIA.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services. For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Violations of rules of ethics should be reported to The IIA’s board of directors.

Core Principles

The Rules of Conduct in the Code are organized based on the principles of integrity, objectivity, confidentiality, and competency.

  I. Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
  II. Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
  III. Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
  IV. Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

1.4 INTERNAL AUDIT ETHICS -- INTEGRITY

Rules of Conduct – Integrity

Internal auditors:
  1.1. Shall perform their work with honesty, diligence, and responsibility.
  1.2. Shall observe the law and make disclosures expected by the law and the profession.
  1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
  1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.


1.5 INTERNAL AUDIT ETHICS -- OBJECTIVITY

Rules of Conduct – Objectivity

Internal auditors:
  2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
  2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
  2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

For example, if management override of an important control creates exposure to a material risk, the internal auditor is ethically obligated to report the matter to senior officials charged with performing the governance function.

Conflict of Interest Policy

A conflict of interest policy should:
  • Prohibit the transfer of benefits between an employee and those with whom the organization deals
  • Prohibit the use of organizational information for private gain

1.6 INTERNAL AUDIT ETHICS -- CONFIDENTIALITY

Rules of Conduct – Confidentiality

Internal auditors:
  3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
  3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

1.7 INTERNAL AUDIT ETHICS -- COMPETENCY

Rules of Conduct – Competency

Internal auditors:
  4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
  4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
  4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.


1.8 INTERNAL AUDIT CHARTER

Attribute Standard 1000 Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Internal Audit Charter

  • The following Interpretation was issued by The IIA:

    Interpretation of Standard 1000
    The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

  • An auditee must not be able to place a scope limitation on the internal audit activity by refusing to make relevant records, personnel, and physical properties available to the internal auditors.
  • Engagement clients must be informed of the internal audit activity’s purpose, authority, and responsibility to prevent misunderstandings about access to records and personnel.
  • IG 1000, Purpose, Authority, and Responsibility, further addresses the charter:
      a. “To create [the internal audit charter], the chief audit executive (CAE) must understand the Mission of Internal Audit and the mandatory elements of The IIA’s International Professional Practices Framework (IPPF) — including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing.
      b. This understanding provides the foundation for a discussion among the CAE, senior management, and the board to mutually agree upon:
          i. Internal audit objectives and responsibilities
          ii. The expectations for the internal audit activity
          iii. The CAE’s functional and administrative reporting lines
          iv. The level of authority (including access to records, physical property, and personnel) required for the internal audit activity to perform engagements and fulfill its agreed-upon objectives and responsibilities
      c. The CAE may need to confer with the organization’s legal counsel or the board secretary regarding the preferred format for charters and how to effectively and efficiently submit the proposed internal audit charter for board approval.
      d. Once drafted, the proposed internal audit charter should be discussed with senior management and the board to confirm that it accurately describes the agreed-upon role and expectations or to identify desired changes. Once the draft has been accepted, the CAE formally presents it during a board meeting to be discussed and approved.
      e. The minutes of the board meetings during which the CAE initially discusses and then formally presents the internal audit charter provide documentation of conformance. In addition, the CAE retains the approved charter.”
  • The charter itself must refer to the mandatory guidance portion of the IPPF.

Attribute Standard 1010 Recognizing Mandatory Guidance in the Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management and the board.

Key Definitions from the Glossary

The complete IIA Glossary is in Appendix A. The definitions do not need to be memorized, but they are useful to exam candidates and practitioners.

  • Chief audit executive (CAE): It describes the role of a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the mandatory elements of the International Professional Practices Framework. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title or responsibilities of the chief audit executive may vary across organizations.
  • The board: It is the highest-level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable. Although governance arrangements vary among jurisdictions and sectors, typically the board includes members who are not part of management. If a board does not exist, the word “board” in the Standards refers to a group or person charged with governance of the organization. Furthermore, “board” in the Standards may refer to a committee or another body to which the governing body has delegated certain functions (e.g., an audit committee).
