IPPF Standards

Cards (75)

  • 2000 Managing the Internal Audit Activity:
    The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
  • 2000 The internal audit activity is effectively managed when?
    • It achieves the purpose and responsibility included in the internal audit charter.
    • It conforms with the Standards.
    • Its individual members conform with the Code of Ethics and the Standards.
    • It considers trends and emerging issues that could impact the organization.
  • 2000 When does the internal audit activity add value to the organisation and its stakeholders:
    • when it considers strategies, objectives, and risks;
    • strives to offer ways to enhance GRC processes;
    • and objectively provides relevant assurance.
  • 2010 Planning:
    The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
  • 2010 Planning Interpretation?
    To develop the risk-based plan, the CAE:
    • consults with senior management and the board.
    • obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes.
    • reviews and adjusts the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
  • 2010 Planning A.1:
    The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
  • 2010 Planning A.2:
    The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.
  • 2010 Planning C.1:
    The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve risk management, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.
  • 2020 Communicating and Approval:
    • The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval.
    • The chief audit executive must also communicate the impact of resource limitations.
  • 2030 Resource Management:
    The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
  • 2030 Resource Management Interpretation:
    • Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan.
    • Sufficient refers to the quantity of resources needed to accomplish the plan.
    • Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan.
  • 2040 Policies and Procedures:
    The chief audit executive must establish policies and procedures to guide the internal audit activity.
  • 2040 Policies and Procedures Interpretation:
    The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
  • 2050 Coordination and Reliance:
    The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.
  • 2050 Coordination and Reliance Interpretation:
    • The CAE may rely on the work of other assurance and consulting service providers.
    • A consistent process for the basis of reliance should be established.
    • CAE should consider the competency, objectivity, and due professional care of the service providers.
    • CAE should understand the scope, objectives, and results of the work performed by other services.
    • Where reliance is placed, the CAE is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
  • 2060 Reporting to Senior Management and the Board?
    The CAE must report periodically to senior management and the board on:
    • the IA activity’s purpose, authority, and responsibility;
    • performance relative to its plan;
    • its conformance with the Code of Ethics and the Standards;
    • significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
  • 2060 Reporting to Senior Management and the Board - Interpretation:
    The frequency and content of reporting are determined collaboratively by the CAE, senior management, and the board, and depend on the importance of the information and the urgency of the actions to be taken.
    Reporting and communication include information about: the audit charter; independence; the plan and progress against the plan; resource requirements; results of audit activities; conformance with the Code of Ethics and the Standards, and action plans to address significant conformance issues; and management's response to risks that may be unacceptable.
  • 2070 External Service Provider and Organisational Responsibility for Internal Auditing
    When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.
  • 2070 External Service Provider and Organisational Responsibility for Internal Auditing - Interpretation:
    This responsibility is demonstrated through the QAIP which assesses conformance with the Code of Ethics and the Standards.
  • 2200 Engagement Planning:
    Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.
  • 2210 Engagement Planning Considerations:
    In planning the engagement, internal auditors must consider:
    • The strategies and objectives and how the activity controls its performance.
    • The significant risks to the activity’s objectives, resources, and operations and how the impact of risk is kept to an acceptable level.
    • The adequacy and effectiveness of the activity’s GRC processes compared to a relevant framework or model.
    • The opportunities for making significant improvements to the activity’s GRC processes.
  • 2201 Engagement Planning Consideration A.1:
    When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.
  • 2201 Engagement Planning Consideration C.1:
    Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant consulting engagements, this understanding must be documented.
  • 2210 Engagement Objectives
    Objectives must be established for each engagement.
  • 2210 Engagement objectives A.1:
    Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
  • 2210 Engagement objectives A.2:
    Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
  • 2210 Engagement objectives A.3:
    Adequate criteria are needed to evaluate GRC. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
  • 2210 Engagement Objectives - Criteria Types
    • Internal (e.g., policies and procedures of the organization).
    • External (e.g., laws and regulations imposed by statutory bodies).
    • Leading practices (e.g., industry and professional guidance).
  • 2210 Engagement Objectives C.1?
    Consulting engagement objectives must address GRC processes to the extent agreed upon with the client.
  • 2210 Engagement Objective C.2?
    Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.
  • 2220 Engagement Scope
    The established scope must be sufficient to achieve the objectives of the engagement.
  • 2220 Engagement Scope A.1:
    The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
  • 2220 Engagement Scope A.2:
    If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
  • 2220 Engagement Scope C.1?
    In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.
  • 2220 Engagement Scope C.2?
    During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant control issues.
  • 2230 Engagement Resource Allocation?
    Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
  • 2230 Engagement Resource Allocation - Interpretation:
    Appropriate has the same meaning as in the 2030 Resource Management interpretation. Sufficient differs: it refers to the quantity of resources needed to accomplish the engagement with due professional care.
  • 2240 Engagement Work Program?
    Internal auditors must develop and document work programs that achieve the engagement objectives.
  • 2240 Engagement Work Program A.1?
    Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
  • 2240 Engagement Work Program C.1:
    Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.