THE PROFESSIONAL PRACTICES FRAMEWORK

The material on this CD-ROM was converted from the layout intended for the hard copy, bound book. The files have been modified slightly to remove blank pages. You may see breaks in the pagination and it may appear you are missing a page. Blank pages were intentionally removed. No content was removed or relocated.

Disclosure

Copyright 2005 by The Institute of Internal Auditors (IIA), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors' Guidance Task Force to appropriately organize the full range of existing and developing practice guidance for the profession. Based on the definition of internal auditing, the PPF comprises Ethics and Standards, Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing. This guidance fits into the Framework under the heading Development and Practice Aids.

The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.

The Institute of Internal Auditors
Global Practices Center
247 Maitland Avenue
Altamonte Springs, FL 32701-4201 USA
Phone: 1-407-937-1362
FAX: 1-407-937-1101
E-mail: standards@theiia.org

ISBN 0-89413-569-4
05083 01/05
Second Printing

Contents iii

CONTENTS

Preface ... xxi
Acknowledgments ... xxv
Definition of Internal Auditing ... xxvii
Code of Ethics ... xxix

International Standards for the Professional Practice of Internal Auditing (Standards)

Introduction ... 3
Attribute Standards ... 7
1000 – Purpose, Authority, and Responsibility ... 7
1100 – Independence and Objectivity ... 7
1110 – Organizational Independence ... 7
1120 – Individual Objectivity ... 7
1130 – Impairments to Independence or Objectivity ... 8
1200 – Proficiency and Due Professional Care ... 8
1210 – Proficiency ... 8
1220 – Due Professional Care ... 9
1230 – Continuing Professional Development ... 10
1300 – Quality Assurance and Improvement Program ... 11
1310 – Quality Program Assessments ... 11
1311 – Internal Assessments ... 11
1312 – External Assessments ... 11
1320 – Reporting on the Quality Program ... 11
1330 – Use of “Conducted in Accordance with the Standards” ... 12
1340 – Disclosure of Noncompliance ... 12

Performance Standards ... 13
2000 – Managing the Internal Audit Activity ... 13
2010 – Planning ... 13
2020 – Communication and Approval ... 13
2030 – Resource Management ... 14
2040 – Policies and Procedures ... 14
2050 – Coordination ... 14
2060 – Reporting to the Board and Senior Management ... 14
2100 – Nature of Work ... 14
2110 – Risk Management ... 14
2120 – Control ... 15
2130 – Governance ... 17
2200 – Engagement Planning ... 17
2201 – Planning Considerations ... 17
2210 – Engagement Objectives ... 18
2220 – Engagement Scope ... 19
2230 – Engagement Resource Allocation ... 19
2240 – Engagement Work Program ... 19
2300 – Performing the Engagement ... 20
2310 – Identifying Information ... 20
2320 – Analysis and Evaluation ... 20
2330 – Recording Information ... 20
2340 – Engagement Supervision ... 21
2400 – Communicating Results ... 21
2410 – Criteria for Communicating ... 21
2420 – Quality of Communications ... 22
2421 – Errors and Omissions ... 22
2430 – Engagement Disclosure of Noncompliance with the Standards ... 22
2440 – Disseminating Results ... 22
2500 – Monitoring Progress ... 23
2600 – Resolution of Management’s Acceptance of Risks ... 23
Glossary ... 25

Practice Advisories

Attribute Standards

PA 1000-1  Internal Audit Charter ... 33
PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35
PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1100-1  Independence and Objectivity ... 51
PA 1110-1  Organizational Independence ... 53
PA 1110-2  Chief Audit Executive (CAE) Reporting Lines ... 55
PA 1110.A1-1  Disclosing Reasons for Information Requests ... 61
PA 1120-1  Individual Objectivity ... 63
PA 1130-1  Impairments to Independence or Objectivity ... 65
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67
PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 1200-1  Proficiency and Due Professional Care ... 75
PA 1210-1  Proficiency ... 77
PA 1210.A1-1  Obtaining Services to Support or Complement the Internal Audit Activity ... 81
PA 1210.A2-1  Identification of Fraud ... 87
PA 1210.A2-2  Responsibility for Fraud Detection ... 95
PA 1220-1  Due Professional Care ... 97
PA 1230-1  Continuing Professional Development ... 99
PA 1300-1  Quality Assurance and Improvement Program ... 101
PA 1310-1  Quality Program Assessments ... 105

PA 1311-1  Internal Assessments ... 109
PA 1312-1  External Assessments ... 113
PA 1312-2  External Assessments Self-assessment with Independent Validation ... 119
PA 1320-1  Reporting on the Quality Program ... 123
PA 1330-1  Use of “Conducted in Accordance with the Standards” ... 125

Performance Standards

PA 2000-1  Managing the Internal Audit Activity ... 127
PA 2010-1  Planning ... 129
PA 2010-2  Linking the Audit Plan to Risk and Exposures ... 131
PA 2020-1  Communication and Approval ... 135
PA 2030-1  Resource Management ... 137
PA 2040-1  Policies and Procedures ... 139
PA 2050-1  Coordination ... 141
PA 2050-2  Acquisition of External Audit Services ... 147
PA 2060-1  Reporting to Board and Senior Management ... 153
PA 2060-2  Relationship with the Audit Committee ... 155
PA 2100-1  Nature of Work ... 161
PA 2100-2  Information Security ... 165
PA 2100-3  Internal Auditing’s Role in the Risk Management Process ... 167
PA 2100-4  Internal Auditing’s Role in Organizations Without a Risk Management Process ... 171
PA 2100-5  Legal Considerations in Evaluating Regulatory Compliance Programs ... 175
PA 2100-6  Control and Audit Implications of E-commerce Activities ... 185
PA 2100-7  Internal Auditing’s Role in Identifying and Reporting Environmental Risks ... 195

PA 2100-8  Internal Auditing’s Role in Evaluating an Organization’s Privacy Framework ... 201
PA 2110-1  Assessing the Adequacy of Risk Management Processes ... 205
PA 2110-2  Internal Auditing’s Role in the Business Continuity Process ... 211
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2120.A1-2  Using Control Self-assessment for Assessing the Adequacy of Control Processes ... 223
PA 2120.A1-3  Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures, and Management Certifications ... 231
PA 2120.A1-4  Auditing the Financial Reporting Process ... 239
PA 2120.A4-1  Control Criteria ... 249
PA 2130-1  Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization ... 251
PA 2200-1  Engagement Planning ... 257
PA 2210-1  Engagement Objectives ... 261
PA 2210.A1-1  Risk Assessment in Engagement Planning ... 263
PA 2230-1  Engagement Resource Allocation ... 267
PA 2240-1  Engagement Work Program ... 269
PA 2240.A1-1  Approval of Work Programs ... 271
PA 2300-1  Internal Auditing’s Use of Personal Information in Conducting Audits ... 273
PA 2310-1  Identifying Information ... 275
PA 2320-1  Analysis and Evaluation ... 277
PA 2330-1  Recording Information ... 281
PA 2330.A1-1  Control of Engagement Records ... 285
PA 2330.A1-2  Legal Considerations in Granting Access to Engagement Records ... 287

PA 2330.A2-1  Retention of Records ... 293
PA 2340-1  Engagement Supervision ... 295
PA 2400-1  Legal Considerations in Communicating Results ... 299
PA 2410-1  Communication Criteria ... 303
PA 2420-1  Quality of Communications ... 309
PA 2440-1  Recipients of Engagement Results ... 311
PA 2440-2  Communications Outside the Organization ... 313
PA 2440-3  Communicating Sensitive Information Within and Outside the Chain of Command ... 317
PA 2500-1  Monitoring Progress ... 325
PA 2500.A1-1  Follow-up Process ... 327
PA 2600-1  Management’s Acceptance of Risks ... 329

Topical Index to Practice Advisories

Audit Charter

PA 1000-1  Internal Audit Charter ... 33
PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35
PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1110-2  Chief Audit Executive (CAE) Reporting Lines ... 55
PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 1310-1  Quality Program Assessments ... 105
PA 2010-1  Planning ... 129
PA 2060-2  Relationship with the Audit Committee ... 155
PA 2100-3  Internal Auditing’s Role in the Risk Management Process ... 167

PA 2100-4  Internal Auditing’s Role in Organizations Without a Risk Management Process ... 171
PA 2330.A1-2  Legal Considerations in Granting Access to Engagement Records ... 287
PA 2440-2  Communications Outside the Organization ... 313
PA 2500.A1-1  Follow-up Process ... 327

Assumption of Non-audit Duties

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67
PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 2100-3  Internal Auditing’s Role in the Risk Management Process ... 167
PA 2100-4  Internal Auditing’s Role in Organizations Without a Risk Management Process ... 171

Assurance

PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35
PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1210.A2-1  Identification of Fraud ... 87
PA 1210.A2-2  Responsibility for Fraud Detection ... 95
PA 1220-1  Due Professional Care ... 97
PA 2010-2  Linking the Audit Plan to Risk and Exposures ... 131

PA 2100-1  Nature of Work ... 161
PA 2100-2  Information Security ... 165
PA 2100-3  Internal Auditing’s Role in the Risk Management Process ... 167
PA 2100-5  Legal Considerations in Evaluating Regulatory Compliance Programs ... 175
PA 2100-6  Control and Audit Implications of E-commerce Activities ... 185
PA 2100-7  Internal Auditing’s Role in Identifying and Reporting Environmental Risks ... 195
PA 2100-8  Internal Auditing’s Role in Evaluating an Organization’s Privacy Framework ... 201
PA 2110-1  Assessing the Adequacy of Risk Management Processes ... 205
PA 2110-2  Internal Auditing’s Role in the Business Continuity Process ... 211
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2120.A1-2  Using Control Self-assessment for Assessing the Adequacy of Control Processes ... 223
PA 2120.A1-3  Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures, and Management Certifications ... 231
PA 2120.A1-4  Auditing the Financial Reporting Process ... 239
PA 2120.A4-1  Control Criteria ... 249

Board and Senior Management Reporting

PA 1000-1  Internal Audit Charter ... 33
PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1130-1  Impairments to Independence or Objectivity ... 65
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67
PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 1210.A2-1  Identification of Fraud ... 87
PA 1311-1  Internal Assessments ... 109
PA 1312-1  External Assessments ... 113
PA 1320-1  Reporting on the Quality Program ... 123
PA 2020-1  Communication and Approval ... 135
PA 2050-1  Coordination ... 141
PA 2060-1  Reporting to Board and Senior Management ... 153
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2440-3  Communicating Sensitive Information Within and Outside the Chain of Command ... 317
PA 2600-1  Management’s Acceptance of Risks ... 329

CAE Responsibilities

PA 1000-1  Internal Audit Charter ... 33
PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35
PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1100-1  Independence and Objectivity ... 51
PA 1110-1  Organizational Independence ... 53
PA 1110-2  Chief Audit Executive (CAE) Reporting Lines ... 55

PA 1110.A1-1  Disclosing Reasons for Information Requests ... 61
PA 1120-1  Individual Objectivity ... 63
PA 1300-1  Quality Assurance and Improvement Program ... 101
PA 1312-2  External Assessments Self-assessment with Independent Validation ... 119
PA 2000-1  Managing the Internal Audit Activity ... 127
PA 2040-1  Policies and Procedures ... 139
PA 2050-1  Coordination ... 141
PA 2050-2  Acquisition of External Audit Services ... 147
PA 2100-3  Internal Auditing’s Role in the Risk Management Process ... 167
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2120.A1-3  Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures, and Management Certifications ... 231
PA 2120.A1-4  Auditing the Financial Reporting Process ... 239
PA 2200-1  Engagement Planning ... 257
PA 2240.A1-1  Approval of Work Programs ... 271
PA 2330-1  Recording Information ... 281
PA 2330.A1-1  Control of Engagement Records ... 285
PA 2330.A1-2  Legal Considerations in Granting Access to Engagement Records ... 287
PA 2330.A2-1  Retention of Records ... 293
PA 2340-1  Engagement Supervision ... 295
PA 2410-1  Communication Criteria ... 303
PA 2440-1  Recipients of Engagement Results ... 311
PA 2440-2  Communications Outside the Organization ... 313
PA 2500-1  Monitoring Progress ... 325
PA 2500.A1-1  Follow-up Process ... 327

Compliance with the Standards

PA 1300-1  Quality Assurance and Improvement Program ... 101
PA 1312-1  External Assessments ... 113
PA 1312-2  External Assessments Self-assessment with Independent Validation ... 119
PA 1330-1  Use of “Conducted in Accordance with the Standards” ... 125

Consulting

PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35
PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 2100-4  Internal Auditing’s Role in Organizations Without a Risk Management Process ... 171
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2130-1  Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization ... 251

Disclosures

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1130-1  Impairments to Independence or Objectivity ... 65
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67
PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71

PA 1330-1  Use of “Conducted in Accordance with the Standards” ... 125
PA 2300-1  Internal Auditing’s Use of Personal Information in Conducting Audits ... 273
PA 2440-3  Communicating Sensitive Information Within and Outside the Chain of Command ... 317

Engagement Communications

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1100-1  Independence and Objectivity ... 51
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67
PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 1210.A1-1  Obtaining Services to Support or Complement the Internal Audit Activity ... 81
PA 1210.A2-1  Identification of Fraud ... 87
PA 1330-1  Use of “Conducted in Accordance with the Standards” ... 125
PA 2010-2  Linking the Audit Plan to Risk and Exposures ... 131
PA 2050-1  Coordination ... 141
PA 2300-1  Internal Auditing’s Use of Personal Information in Conducting Audits ... 273
PA 2340-1  Engagement Supervision ... 295
PA 2400-1  Legal Considerations in Communicating Results ... 299
PA 2410-1  Communication Criteria ... 303
PA 2420-1  Quality of Communications ... 309
PA 2440-1  Recipients of Engagement Results ... 311

PA 2440-2  Communications Outside the Organization ... 313

Engagement Performance

PA 1110.A1-1  Disclosing Reasons for Information Requests ... 61
PA 1210.A2-1  Identification of Fraud ... 87
PA 1220-1  Due Professional Care ... 97
PA 2300-1  Internal Auditing’s Use of Personal Information in Conducting Audits ... 273
PA 2310-1  Identifying Information ... 275
PA 2320-1  Analysis and Evaluation ... 277
PA 2330-1  Recording Information ... 281
PA 2340-1  Engagement Supervision ... 295

Engagement Planning and Scope

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1130-1  Impairments to Independence or Objectivity ... 65
PA 2200-1  Engagement Planning ... 257
PA 2210-1  Engagement Objectives ... 261
PA 2210.A1-1  Risk Assessment in Engagement Planning ... 263
PA 2230-1  Engagement Resource Allocation ... 267
PA 2240-1  Engagement Work Program ... 269
PA 2240.A1-1  Approval of Work Programs ... 271
PA 2340-1  Engagement Supervision ... 295
PA 2410-1  Communication Criteria ... 303

Engagement Workpapers

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 2300-1  Internal Auditing’s Use of Personal Information in Conducting Audits ... 273

PA 2330-1  Recording Information ... 281
PA 2330.A1-1  Control of Engagement Records ... 285
PA 2330.A1-2  Legal Considerations in Granting Access to Engagement Records ... 287
PA 2330.A2-1  Retention of Records ... 293
PA 2340-1  Engagement Supervision ... 295
PA 2400-1  Legal Considerations in Communicating Results ... 299

Governance

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 2100-1  Nature of Work ... 161
PA 2110-1  Assessing the Adequacy of Risk Management Processes ... 205
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2130-1  Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization ... 251

Independence and Objectivity

PA 1000.C1-1  Principles Guiding the Performance of Consulting Activities of Internal Auditors ... 35
PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1100-1  Independence and Objectivity ... 51
PA 1110-1  Organizational Independence ... 53
PA 1120-1  Individual Objectivity ... 63
PA 1130-1  Impairments to Independence or Objectivity ... 65
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67

PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 1210.A1-1  Obtaining Services to Support or Complement the Internal Audit Activity ... 81
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2130-1  Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization ... 251

Internal Control

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 2100-1  Nature of Work ... 161
PA 2100-2  Information Security ... 165
PA 2100-5  Legal Considerations in Evaluating Regulatory Compliance Programs ... 175
PA 2120.A1-1  Assessing and Reporting on Control Processes ... 217
PA 2120.A1-2  Using Control Self-assessment for Assessing the Adequacy of Control Processes ... 223
PA 2120.A4-1  Control Criteria ... 249

Outsourcing or Co-sourcing

PA 1130.A1-2  Internal Auditing’s Responsibility for Other (Non-audit) Functions ... 71
PA 1210.A1-1  Obtaining Services to Support or Complement the Internal Audit Activity ... 81
PA 2050-2  Acquisition of External Audit Services ... 147

Proficiency and Due Care

PA 1000.C1-2  Additional Considerations for Formal Consulting Engagements ... 41
PA 1130.A1-1  Assessing Operations for Which Internal Auditors Were Previously Responsible ... 67
PA 1210-1  Proficiency ... 77
PA 1210.A1-1  Obtaining Services to Support or Complement the Internal Audit Activity ... 81
PA 1210.A2-1  Identification of Fraud ... 87
PA 1210.A2-2  Responsibility for Fraud Detection ... 95
PA 1220-1  Due Professional Care ... 97
PA 1230-1  Continuing Professional Development ... 99
PA 2300-1  Internal Auditing’s Use of Personal Information in Conducting Audits ... 273
PA 2340-1  Engagement Supervision ... 295

Quality Assurance and Improvement Program

PA 1300-1  Quality Assurance and Improvement Program ... 101
PA 1310-1  Quality Program Assessments ... 105
PA 1311-1  Internal Assessments ... 109
PA 1312-1  External Assessments ... 113
PA 1312-2  External Assessments Self-assessment with Independent Validation ... 119
PA 1320-1  Reporting on the Quality Program ... 123
PA 1330-1  Use of “Conducted in Accordance with the Standards” ... 125

Resource Management

PA 1130.A1-1  Assessing Operations for
