IPPF Practice Guide Overview

The International Professional Practices Framework (IPPF)®

Practice Guide OverviewSetting the bar for internal audit efficiency, effectiveness, and professionalism

• Easy-AccessReferenceforPracticeGuides

• Relevant,ValuableandDetailedGuidance

• IIAMemberBenefit

About The IPPFTheInternationalProfessionalPracticesFramework(IPPF)istheconceptualframeworkthatorganizesauthoritativeguidancepromulgatedbyTheInstituteofInternalAuditor(IIA).Itcomprises:

Mandatory Guidance

•DefinitionofInternalAuditing

•CodeofEthics

•International Standards

Strongly Recommended Guidance

•PositionPapers

•PracticeAdvisories

•PracticeGuides

TheIPPFsetsthebarforinternalauditefficiency,effectiveness,andprofessionalism,guidinginternalauditprofessionalsthroughouttheworld.AsanIIAmember,TheIIAGuidanceisacomplimentaryserviceofyourmembership.

About Practice Guides IIAPracticeGuidesprovidedetailedguidanceforconductinginternalauditactivities.Theyrepresentstrongly recommended guidancethatincludesdetailedprocessesandprocedures,suchastoolsandtechniques,programs, andstep-by-stepapproachesforeffectiveimplementationofTheIIAmandatoryguidance.

Thisbrochureisausefulquickreferencetounderstandthemostrecentguidereleases.Alloftheguidesincludedin thisreferencetoolareavailableas a free download to members at www.globaliia.org/standards-guidance. Guides are available for purchase for nonmembers through The IIA Research Foundation Bookstore. Download your copies today!

To learn more and download the IPPF, go to

www.globaliia.org/standards-guidance.

Practice Guide – Independence And Objectivity

Theimportanceofindependenceandobjectivity,whichhasalwaysbeensignificantforinternalauditors,continuestoincreaseamongthechallengesfacinginternalauditactivitiesintheconstantlychangingbusinessenvironment.Anever-growingnumberofstakeholders,bothinsideandoutsideanorganization,continuetodemandgreatertranspar-ency,increaseddisclosures,expandedinternalauditservices,increasedprofessionalism,improvedcoordinationamonginternalandexternalauditors,greaterresponsibilities,andmoreaccountabilityfrominternalauditprofessionals.Thispracticeguidewasdevelopedtoaddressthesechangesandincreasedexpectations.

IndependenceandobjectivityareintegralpartsofthemandatoryguidanceofTheIIA’sInternationalProfessionalPrac-ticesFramework(IPPF).ObjectivityisalsooneofthefourkeyprinciplesofTheIIA’sCodeofEthics(Code),whichdefinestherulesofconductthatsupporttheseprinciples.

Thepurposeofthispracticeguideisto:• HighlightIIAguidanceonindependenceandobjectivity.• Discusspotentiallyconfusingaspectsencompassingindependenceandobjectivity.• Identifyactivitiesthatsupportindependenceandobjectivity.• Identifyvariousconsiderationsandpotentialchallengesrelatedtoindependenceandobjectivity.• Provideframeworksformanagingindependenceandobjectivity.

To download the entire practice guide, go to

www.globaliia.org/standards-guidance. The guides are free for members

and available for purchase for non-members through The IIA Research

Foundation Bookstore.

Practice Guide – Interaction With The Board

Boardsandinternalauditorshaveinterlockinggoals.Astrongworkingrelationshipbetweenthetwoisessentialfortheinternalauditactivitytofulfillitsresponsibilitiestonotonlytheboard,butalsoseniormanagement,shareholders,andotherstakeholders,asappropriate.Thechiefauditexecutive(CAE)oftenreportsdirectlytotheboard,dependingontheorganization’sgovernancestructure.Aneffectiveinternalauditactivityprovidestheboardassuranceandsuggestsimprovementopportunitiesrelatedtotheorganization’sgovernance,riskmanagement,andrelatedinternalcontrols.

Thepurposeofthispracticeguideistoassistthechiefauditexecutive(CAE)inmeetingtherequirementsoftheInter-nationalProfessionalPracticesFramework(IPPF)asitrelatestointeractingandcommunicatingwiththeboard.TheIPPF’sGlossarydefinestheboardas“anorganization’sgoverningbody,suchasaboardofdirectors,supervisoryboard,headofanagencyorlegislativebody,boardofgovernorsortrusteesofanonprofitorganization,oranyotherdesignatedbodyoftheorganization,includingtheauditcommitteetowhomthechiefauditexecutivemayfunctionallyreport.”





Practice Guide – Auditing The Control Environment

Thecontrolenvironmentisthefoundationofaneffectivesystemofinternalcontrol.Mostofthewell-publicizedfailures(includingnotonlyEnronandWorldCom,butalsothegovernancefailuresthatledtothe2008financialcrisis)were,atleastinpart,theresultofweakcontrolenvironments.Intheabsenceofademonstrablyeffectivecontrolenvironment,nolevelof“designandoperating”effectivenessofcontrolswithinbusinessandITprocessescanprovidemeaningfulassurancetostakeholdersoftheintegrityofanorganization’sinternalcontrolstructure.

Thecontrolenvironmentincludesthefollowingelements:•Integrityandethicalvalues.•Managementphilosophyandoperatingstyle.•Organizationalstructure.•Assignmentofauthorityandresponsibility.•Humanresourcepoliciesandpractices.•Competenceofpersonnel.

ThepurposeofthisPracticeGuideistoprovideguidancetotheinternalauditoronthesignificanceofthecontrolenvironment;howtodeterminewhichelementsofthecontrolenvironmentshouldbeaddressedbyengagementsintheperiodicauditplan;howtoscope,staff,andplansuchengagements;andwhichitemstoconsiderinperformingrelatedauditwork,includingevaluatingandreportingdeficiencies.





Practice Guide – Assisting Small Internal Audit Activities In Implementing The International Standards For The Professional Practice Of

Internal Auditing

Thispracticeguideprovidesaworkingdefinitionofthetermsmallinternalauditactivity.TheguideacknowledgesthechallengesthatCAEsandauditleadershipinsmallauditactivitiesmayfaceinimplementingtheStandards,providessuggestionsformeetingthosechallenges,anddiscussesthebenefitsofusingtheStandards.

Typically,asmallinternalauditactivitywillhaveoneormoreofthesecharacteristics:•Onetofiveauditors.•Productiveinternalaudithoursbelow7,500ayear.•Limitedlevelofco-sourcingorout-sourcing.

Beingsmalldoesnotequatetobeingineffectiveorunderresourced.Inmanycircumstances,asmallinternalauditactivityisappropriatelystructuredforthesizeandrisksattributabletothebusinessitserves.However,smallerauditactivitiesmayhavechallengesnottypicallyfacedbylargerauditactivitiesthathavegreatereconomiesofscale.

Thispracticeguideprovidesspecificexamplesandleadingpractices,relevanttotheCAEandauditmanagementofsmallinternalauditactivities,onhowtobestapproachimplementationoftheStandards.





Practice Guide – Assessing The Adequacy Of Risk Management

Overthelastfewyears,theimportanceofmanagingriskaspartofstrongcorporategovernancehasbeenincreasinglyacknowledged.Organizationsareunderpressuretoidentifythesignificantbusinessriskstheyface—social,ethical,andenvironmentalaswellasstrategic,financial,andoperational—andtoexplainhowtheymanagethem.Theuseofenterprise-wideriskmanagementframeworkshasexpandedasorganizationsrecognizetheadvantagesofcoordinatedapproachestoriskmanagement.

RiskmanagementisdefinedintheGlossaryoftheInternationalStandardsfortheProfessionalPracticeofInternalAuditing(Standards)as“aprocesstoidentify,assess,manage,andcontrolpotentialeventsorsituationstoprovidereasonableassuranceregardingtheachievementoftheorganization’sobjectives.”Acomprehensiveriskmanagementframeworkprovidesanend-to-endlinkbetweenobjectives,strategy,andexecutionofstrategy,risks,controls,andas-suranceacrossalllevelsintheorganization.

ThispracticeguideusesISO31000asabasisfortheriskmanagementframework.Otherframeworksmaybeusedtoperformtheriskassessment.Thisguidancedoesnotimplyimplicitorexplicitendorsementofthisoranyotherframework.





Practice Guide – Measuring Internal Audit Effectiveness And Efficiency

Internalauditingplaysacriticalroleinthegovernanceandoperationofanorganization.Wheneffectivelyimplemented,operated,andmanaged,itisanimportantelementinhelpinganorganizationachieveitsobjectives.Organizationsthateffectivelyuseinternalauditingarebetterabletoidentifybusinessrisksandprocessandsysteminefficiencies,takeappropriatecorrectiveaction,andultimatelysupportcontinuousimprovement.Tomaintainandenhanceinternalaudit-ing’scredibility;however,itseffectivenessandefficiencymustbemonitored.

Thispracticeguideprovidesguidancetointernalauditactivitiesonmeasuringtheireffectivenessandefficiencyandthelevelofcustomerservicetheyprovidetostakeholders.

Effectivenessandefficiencymeasurementscanbequantitativeandqualitativeandexamplesofauditactivityperfor-mancemeasuresmayinclude:

• Achievementofkeygoalsandobjectives.• Evaluationofprogressagainstauditactivityplan.• Improvementinstaffproductivity.• Increaseinefficiencyoftheauditprocess.• Increaseinnumberofactionplansforprocessimprovements.• Adequacyofengagementplanningandsupervision.• Effectivenessinmeetingstakeholders’needs.





Practice Guide – CAEs – Appointment, Performance Evaluation And Termination

Intoday’sbusinessenvironment,wherethereisincreasingfocusongovernance,riskmanagement,andcontrol,ap-pointingaCAEisacriticalundertakingforanyorganization.Thisimperativeactivityisoneofthekeyresponsibilitiesoftheorganization’sboard.TheCAEwillhaveahighdegreeofinteractionwithseniormanagementandtheboardandthusneedstodemonstratetherightattributesandskillsfortheposition.

TheCAE’suniqueroleintheorganizationrequiresindependenceandobjectivitywhilealsodemonstratinganabilitytopartnerwithintheorganizationtoaddvaluetoitsoperations.IndependenceandobjectivityarefundamentaltotheCAE’srolebecausetheindividualmustbewillingtoraisedifficultissueswithbothseniormanagementandtheboard,evenifthatprovesunpopular.Tomaintaincredibility,CAEsmustdemonstratetheabilitytoescalatedifficultissuestoanappropriateleveltoensuretheyareadequatelyaddressed.Inaddition,aCAEexhibitstheattributesofintegrity,intellectualcuriosity,andafocusonauditquality.

Thispracticeguidediscussesthetypesofconsiderationsseniormanagementandboardsofdirectorswouldtypicallyaddresswhenappointing,evaluating,orterminatingachiefauditexecutive(CAE).





Practice Guide – Auditing Executive Compensation and Benefits (ECB)

AuditingthestructureandoperationofECBprogramsisalegitimateandappropriateroleforinternalauditing.Ifariskassessmentindicatesareviewiswarranted,thechiefauditexecutive(CAE)shouldaddECBtotheauditplan,whichtheboardwillreviewandapprove.Internalauditingwillchoosetheauditapproachanddesignrisk-basedauditprocedures.Thispracticeguideprovidesdiscussionsrelatingtosuchanauditandincludesseveralconsiderationsthatmayberelevanttoanorganization’sbusinessactivitiesorriskprofile.

StronggovernancesystemsareneededforECBprograms,asmanagementoftenisinthepositionofbothdesigningandrecommendingitsowncompensation.Thereareseveralspecificrisksinternalauditorsshouldconsider,includingemploymentmarket,compliance,financialreporting,reputation,operating,andexternalbusinessrelationshiprisks.ECBprogramsalsoaresubjecttofraudrisk.

Thisguidewillassistinternalauditorswithanexplanationoftheauditapproach,auditconsiderationssuchasaccesstoinformationandprivilegedcommunications,aswellastheskillsandknowledgenecessarytoserveontheauditteam.Asectiononauditprogramdevelopmentincludesvariousconcepts,potentialtests,andquestionstohelpaudi-torscreateanauditprogram.





Practice Guide – Evaluating Corporate Social Responsibility/Sustainable Development (CSR)

CSRpresentssignificantrisksandopportunitiesformanyorganizations.Stakeholdersexpectboardsandmanagementtoacceptresponsibilityandimplementstrategiesandcontrolstomanagetheirimpactonsocietyandtheenvironment,toengagestakeholdersintheirendeavors,andtoinformthepublicabouttheirresults.TheproliferationofregulationandvoluntarystandardshasmadeCSRmanagementacomplexendeavor.

InternalauditorsshouldunderstandtherisksandcontrolsrelatedtoCSRobjectives.Whereappropriate,theCAEshouldplantoaudit,facilitatecontrolself-assessments,verifyresults,and/orconsultonthevarioussubjects.Internalauditorsshouldmaintaintheskillsandknowledgenecessarytounderstandandevaluatethegovernance,risks,andcontrolsofCSRstrategies.

Thisguidewillassistinternalauditorsinunderstandingthefollowing:• TherisksassociatedwithCSRactivitiesandhowtousesuchknowledgeinauditplanning• TheapproachestoevaluatingCSRactivitiesandconsiderationsindevelopingtheinternalauditprogram• Auditconsiderationssuchasuseoftheauditopinion,independenceandobjectivity,andtypesofresources





Practice Guide – Internal Auditing And Fraud

Fraudencompassesawiderangeofirregularitiesandillegalactscharacterizedbyintentionaldeceptionormisrep-resentationandcannegativelyimpactorganizationsinmanywaysincludingfinancial,reputation,psychologicalandsocialimplications.Accordingtovarioussurveys,monetarylossesfromfraudaresignificant.However,thefullcostoffraudisimmeasurableintermsoftime,productivity,andreputationincludingcustomerrelationships.Dependingontheseverityoftheloss,organizationscanbeirreparablyharmedduetothefinancialimpactoffraudactivity.Therefore,itisimportantfororganizationstohaveastrongfraudprogramthatincludesawareness,prevention,anddetectionprograms,aswellasafraudriskassessmentprocesstoidentifyfraudriskswithintheorganization.

Thisguidewilldiscussfraudandprovidegeneralguidancetohelpinternalauditorscomplywithprofessional Standardsincluding:

• Fraudawareness• Fraudrolesandresponsibilities• Fraudriskassessment• Fraudpreventionanddetection.• Fraudinvestigation.• Forminganopiniononinternalcontrolsrelatedtofraud





Practice Guide – Auditing External Business Relationships (EBRs)

OrganizationsconductbusinesswithEBRsforavarietyofreasons.Organizationsmayseekbenefitslikeenhancingrevenuesthroughlicensinganddistributionarrangements,reducingcostsinareasofanorganization’sthatareoutsideofitscorecompetencies,oraugmentingexistingresourcesfocusedonitscorecompetencies.However,withthesebusi-nessrelationshipsalsocomesinherentandcontrolrisksassociatedwithworkingwithexternalbusinesspartners.

Theorganizationisresponsibleforriskmanagementactivitiesencompassingtaskssuchasselectionofbusinesspartners,contracteffectiveness,partner/customercontractmanagementcontrols,contractcompliancemonitoringandreporting,andbusinessrelationshipmanagement.Withoutpropercontrolsinplacetoaddresstherisksassociatedwiththeseresponsibilities,theorganizationmayloserevenueorincurhighercosts,aswellashaveinefficientoperations,misreporting,andevendamagedbrand,inadditiontoimpactedbusinessrelationships.

InternalauditorsneedtounderstandalltheelementsassociatedwithEBRs,frominitiatingarelationship,contractinganddefiningarelationship,procurement,managingandmonitoringthecontinuedrelationship,andfinallydiscontinu-ingtherelationship.

ThisguideprovidesinternalauditorswithguidanceinauditingEBRs.Managementalsomayusethisguideinmanag-ingandmonitoringtherisksassociatedwiththeserelationships.





Practice Guide – Formulating And Expressing Internal Audit Opinions

Internalauditorsarebeingaskedbytheboard,management,andotherstakeholderstoprovideopinionsaspartofeachindividualauditreportaswellasontheoveralladequacyofgovernance,riskmanagement,andcontrolwithintheorganization.Theserequestsmaybeforanassuranceoropinionatabroadlevelfortheorganizationasawhole(macro-levelopinion)oronindividualcomponentsoftheorganization’soperations(micro-levelopinion).

Theneedforauditopinionsandtheabilityofinternalauditingtoexpressthemdependsonseveralcircumstances,includingunderstandingtheneedsofstakeholders;determiningthescope,nature,timing,andextentofauditworkrequired;ensuringtherearesufficientresourcestocompletethework;andassessingtheresultsoftheworkperformed.

Stakeholderrequirementsforinternalauditopinions,includingthelevelofassurancerequired,shouldbeclarifiedbytheCAEwithseniormanagementandtheboard.

Thisdocumentprovidespracticalguidancetointernalauditorswhowishtoformandexpressanopiniononsomeorallofanorganization’sgovernance,riskmanagement,andinternalcontrolsystems.





Additional IIA Guidance and Publications

GTAG® (Global Technology Audit Guide)TheGTAGseries,aspartofpracticeguides,arewritteninstraightforwardbusinesslanguageto addressatimelyissuerelatedtoITmanagement,control,andsecurity.

GAIT (Guide to the Assessment of IT Risk)TheGAITseries,aspartofpracticeguides,describestherelationshipsamongbusinessrisk,key controlswithinbusinessprocesses,automatedcontrolsandothercriticalITfunctionality,andkeycontrolswithinITgeneralcontrols.

Educational Products – IIARF BookstoreThefollowingbooksareavailabletohelpyouunderstandandapplytheStandards:

International Professional Practices Framework ThenewIPPFcontainstheStandards,aglossary,theCodeofEthics,PracticeAdvisories,PositionPapers,andPracticeGuides.

Implementing the Professional Practices Framework, 3rd Edition ThishandbookservesasapracticalguideforapplyingtheIPPFandoutlinesthespecificactionsneededtocomplywiththeStandards.

Independence and Objectivity: A Framework for Internal Auditors Thisreportexplainsthecriticalissuesassociatedwithauditorobjectivityandincludesaframeworktousewhenconfrontingchallengesandopportunities.

Available at www.globaliia.org/bookstore.

The IIA guides the international profession with not only Standards, but numerous additional resources to implement best practices in our ever-changing and growing field:

guides, advisories, papers, educational products, and tools. Go to www.globaliia.org/standards-guidance

to learn more and download.

The Institute of Internal Auditors – Global Headquarters 247MaitlandAvenue/AltamonteSprings,FL32701-4201Phone:+1-407-937-1111/www.globaliia.org

11/1

1103

1/PM

/jP

Documents

IPPF Practice Guide Overview