IPPF

THE CODE OF ETHICS IPPF OVERVIEW GLOSSARY

The internal audit profession is founded on the trust placed in its Add Value Compliance External Service Provider Must
Statement of internal auditing’s Help a wide range of interested Value is provided by improving opportunities to achieve Adherence to policies, plans, procedures, laws, A person or firm outside of the organization that The Standards use the word “must” to specify an
objective assurance about governance, risk management, and control. fundamental purpose, nature, parties — including those not in organizational objectives, identifying operational regulations, contracts, or other requirements. has special knowledge, skill, and experience in a unconditional requirement.
As such, The IIA’s Code of Ethics, comprising Principles and Rules and scope: the internal audit profession — to: improvement, and/or reducing risk exposure through particular discipline.

Position • Understand significant both assurance and consulting services. Conflict of Interest Objectivity

of Conduct, is necessary and appropriate. Its purpose is to promote Internal auditing is an
an ethical culture in the profession of internal auditing. It extends independent, objective
assurance and consulting
beyond the definition of internal auditing to include principles that
are relevant to the profession and practice of internal auditing and Definition
activity designed to add value
and improve an organization’s
governance, risk, and
Papers control issues.
• Delineate internal
audit-related roles and
responsibilities.
International Professional
Any relationship that is, or appears to be, not in the Fraud An unbiased mental attitude that allows internal
Adequate Control
Present if management has planned and organized
best interest of the organization. A conflict of interest
would prejudice an individual’s ability to perform his
Any illegal act characterized by deceit, concealment,
or violation of trust. These acts are not dependent
auditors to perform engagements in such a
manner that they have an honest belief in their
(designed) in a manner that provides reasonable
assurance that the organization’s risks have been
managed effectively and that the organization’s
or her duties and responsibilities objectively.

operations. It helps an
rules of conduct that describe behavior norms and provide practical
organization accomplish
applications to guide the ethical conduct of internal auditors. its objectives by bringing
a systematic, disciplined
Breaches of The IIA’s Code of Ethics by members and certification approach to evaluate and
improve the effectiveness of
candidates or holders are evaluated and administered according to The
risk management, control,
IIA’s Bylaws and Administrative Directives. The fact that a particular and governance processes.
conduct is not mentioned in the Rules of Conduct does not prevent it
• Principles and expectations
from being unacceptable or discreditable, resulting in disciplinary action.
governing behavior of individuals
and organizations in the conduct
Professional internal auditors are expected to apply and uphold the
Code of of internal auditing.
principles of integrity, objectivity, confidentiality, and competency.
Integrity establishes trust and thus provides the basis for reliance Ethics • Minimum requirements for
conduct and behavioral
expectations, rather than
on internal auditors’ judgment. They exhibit the highest level of
specific activities.
professional objectivity in gathering, evaluating, and communicating
information about the activity or process being examined. Internal • Basic requirements for the
professional practice of internal
• Address approach, methodology,
and considerations, but
not detailed processes
and procedures.
• Provide concise and timely
Practice assistance to internal auditors
in conforming to the Code
Advisories of Ethics and Standards and
promoting good practices.
• Relate to international-, country-,
or industry-specific issues;
specific types of engagements;
and legal or regulatory issues.
Provide information on how to
conduct internal audit activities,
including detailed:
Practice • Processes and procedures.
goals and objectives will be achieved efficiently
and economically.
Assurance Services
An objective examination of evidence for the
purpose of providing an independent assessment
on governance, risk management, and control
processes for the organization. Examples may
include financial, performance, compliance,
system security, and due diligence engagements.
Board
A board is an organization’s governing body, such
as a board of directors, supervisory board, head of
an agency or legislative body, board of governors
or trustees of a nonprofit organization, or any other
designated body of the organization, including the
audit committee to whom the chief audit executive
may functionally report.
Charter
The internal audit charter is a formal document
Consulting Services
Advisory and related client service activities, the
nature and scope of which are agreed with the
client, are intended to add value and improve an
organization’s governance, risk management, and
control processes without the internal auditor
assuming management responsibility. Examples
include counsel, advice, facilitation, and training.
Control
Any action taken by management, the board, and
other parties to manage risk and increase the
likelihood that established objectives and goals
will be achieved. Management plans, organizes,
and directs the performance of sufficient actions
to provide reasonable assurance that objectives
and goals will be achieved.
Control Environment
The attitude and actions of the board and management
regarding the significance of control within the
organization. The control environment provides the
discipline and structure for the achievement of the
upon the threat of violence or physical force. Frauds
are perpetrated by parties and organizations to
obtain money, property, or services; to avoid
payment or loss of services; or to secure personal
or business advantage.
Governance
The combination of processes and structures
implemented by the board to inform, direct, manage,
and monitor the activities of the organization toward
the achievement of its objectives.
Impairment
Impairment to organizational independence
and individual objectivity may include personal
conflicts of interest, scope limitations, restrictions
on access to records, personnel, and properties;
and resource limitations (funding).
Independence
The freedom from conditions that threaten
objectivity or the appearance of objectivity. Such
threats to objectivity must be managed at the
individual auditor, engagement, functional, and
organizational levels.
work product and that no significant quality
compromises are made. Objectivity requires
internal auditors not to subordinate their judgment
Practices Framework
on audit matters to others.
Residual Risk
The risk remaining after management takes
action to reduce the impact and likelihood of an
adverse event.
Risk
The possibility of an event occurring that will have
an impact on the achievement of objectives. Risk
is measured in terms of impact and likelihood.
Risk Appetite
The level of risk that an organization is willing
to accept.
Risk Management
A process to identify, assess, manage, and
control potential events or situations to provide
reasonable assurance regarding the achievement
of the organization’s objectives.

auditors make a balanced assessment of all the relevant circumstances
and are not unduly influenced by their own interests or by others in
Mandatory Guidance
Developed following the
appropriate due process,
including public exposure. Conformance
with the principles set forth in mandatory
guidance is essential for the professional
practice of internal auditing.
Strongly Recommended Guidance
Describes practices for the ef fective
implementation of T he IIA’s Code
of Ethics, the Definition of Internal
Auditing, and the International
Standards for the Professional Practice
of Internal Auditing (Standards). The
guidance is endorsed by The IIA, and
auditing and for evaluating Guides • Tools and techniques.
• Programs.
that defines the internal audit activity’s purpose,
authority, and responsibility. The internal audit
primary objectives of the system of internal control. The
control environment includes the following elements: Information Technology (IT) Controls
Should
The Standards use the word “should” where
effectiveness of performance.
• Step-by-step approaches. charter establishes the internal audit activity’s • I ntegrity and ethical values Controls that support business management conformance is expected unless, when applying
position within the organization; authorizes access •M  anagement’s philosophy and governance as well as provide general and
forming judgments. They • Internationally applicable • Examples of deliverables. professional judgment, circumstances justify
to records, personnel, and physical properties and operating style technical controls over information technology
at both individual and relevant to the performance of engagements; and •O  rganizational structure
deviation.
respect the value and organization levels. infrastructures such as applications, information,
defines the scope of internal audit activities. •A  ssignment of authority infrastructure, and people.
ownership of information Significance
International • Principle-focused guidance
Chief Audit Executive (CAE) •H
and responsibility
 uman resource policies and practices The relative importance of a matter within the
they receive and do not for performing and promoting Information Technology (IT) Governance context in which it is being considered, including
disclose information
Standards internal auditing: A chief audit executive is a senior position within
the organization responsible for internal audit
• C ompetence of personnel
Consists of the leadership, organizational structures, quantitative and qualitative factors, such as
and processes that ensure that the enterprise’s magnitude, nature, effect, relevance, and impact.
−− Attribute standards. activities. Normally, this would be the internal Control Processes information technology sustains and supports the
without appropriate audit director. In the case where internal audit The policies, procedures, and activities that are
Professional judgment assists internal auditors
−− Performance standards. Online Resources activities are obtained from external service part of a control framework, designed to ensure
organization’s strategies and objectives. when evaluating the significance of matters within
authority unless there   the context of the relevant objectives.
−− Implementation standards. All of the International Standards for providers, the chief audit executive is the person that risks are contained within the risk tolerances
Internal Audit Activity  
is a legal or professional responsible for overseeing the service contract and established by the risk management process.
A department, division, team of consultants, or
−− Interpretations that clarify the Professional Practice of Internal the overall quality assurance of these activities, Standard
obligation to do so. They terms or concepts within reporting to senior management and the board
other practitioner(s) that provides independent, A professional pronouncement promulgated by
Auditing, the other mandatory guidance, Engagement objective assurance and consulting services the Internal Audit Standards Board that delineates
apply the knowledge, the statements. regarding internal audit activities, and follow-up of A specific internal audit assignment, task, or designed to add value and improve an organization’s the requirements for performing a broad range of
and an ever-growing repository of strongly engagement results. The term also includes titles review activity, such as an internal audit, control
skills, and experience such as general auditor, head of internal audit, chief self-assessment review, fraud examination, or
operations. The internal audit activity helps an internal audit activities, and for evaluating internal
recommended guidance are available online. organization accomplish its objectives by bringing audit performance.
internal auditor, and inspector general. consultancy. An engagement may include multiple
needed in the performance a systematic, disciplined approach to evaluate
For more information, visit the Professional tasks or activities designed to accomplish a specific and improve the effectiveness of governance, risk
Technology-based Audit Techniques
of internal audit services. Code of Ethics set of related objectives. management, and control processes.
Guidance section of The IIA’s Web site or The Code of Ethics of The Institute of Internal Any automated audit tool, such as generalized
Auditors (IIA) comprises Principles relevant to the audit software, test data generators, computerized
For the complete Code e-mail guidance@theiia.org. To purchase Engagement Objectives International Professional Practices audit programs, specialized audit utilities, and
profession and practice of internal auditing, and Broad statements developed by internal auditors that
of Ethics, refer to the hard copies of the entire IPPF, visit Rules of Conduct that describe behavior expected define intended engagement accomplishments.
Framework (IPPF) computer-assisted audit techniques (CAATs).
of internal auditors. The Code of Ethics applies to The conceptual framework that organizes the
Professional Guidance The IIA Research Foundation’s online both parties and entities that provide internal audit authoritative guidance promulgated by The
Engagement Work Program IIA. Authoritative Guidance comprises two
section of The IIA’s Web services. The purpose of the Code of Ethics is to
Bookstore or e-mail custserv@theiia.org. promote an ethical culture in the global profession
A document that lists the procedures to be followed categories – (1) mandatory and (2) endorsed
08728/BSP

conformance is strongly recommended. site at www.theiia.org.

www.theiia.org of internal auditing.
during an engagement, designed to achieve the
engagement plan.
and strongly recommended.
AuthorItAtive Guidance
 AUTHORITATIVE GUIDANCE FOR The International Standards for the Professional Practice of Internal Auditing
PROFESSIONAL INTERNAL AUDITING
A trustworthy, global guidance-setting body, The Insitute of Internal
1200 Proficiency and Due Professional Care 2200 Engagement Planning 2400 Communicating Results
Auditors (IIA) provides for internal audit professionals all around ATTRIBUTE STANDARDS PERFORMANCE STANDARDS
the world authoritative guidance organized in the International 2201 Planning Considerations 2410 Criteria for Communicating
1210 Proficiency
Professional Practices Framework (IPPF) as mandatory and strongly 1000 Purpose, Authority, and Responsibility 2000 Managing the Internal Audit Activity Planning engagements Final communication of
2201.A1 2410.A1
CAE acquiring necessary competencies with external parties engagement results
recommended guidance. Purpose, authority, and 1210.A1 2010 Planning
1000.A1 for assurance engagements
responsibility for assurance Agreement with clients on Acknowledgement of
2010.A1 Annual risk assessment 2201.C1 2410.A2
engagement scope and objectives satisfactory performance
1210.A2 Identification of fraud indicators
Purpose, authority, and 2010.C1 Acceptance of consulting engagements 2210 Engagement Objectives Releasing results to parties
1000.C1 2410.A3
responsibility for consulting Information technology risk outside the organization
1210.A3 2020 Communication and Approval 2210.A1 Preliminary assessment of risks
controls and tools
Recognition of the Definition of Internal Communicating results of
2030 Resource Management Probability of significant errors 2410.C1
1010 Auditing, the Code of Ethics, and the 2210.A2 consulting engagements
CAE acquiring necessary competencies and other exposures
Standards in the Internal Audit Charter 1210.C1 2040 Policies and Procedures
for consulting engagements 2420 Quality of Communications
2050 Coordination 2210.A3 Setting criteria to evaluate controls
1100 Independence & Objectivity 1220 Due Professional Care 2421 Errors and Omissions
Reporting to Senior Management Focusing consulting engagements
2060 2210.C1 on governance, risk management, Use of “Conforms to (or in conformance
1110 Organizational Independence 1220.A1 Scoping for assurance engagements and the Board
and control with) the International Standards
2430
2100 Nature of Work for the Professional Practice of
1110.A1 Interference Use of technology-based 2220 Engagement Scope Internal Auditing.”
1220.A2
audit techniques 2110 Governance
1111 Direct Interaction with the Board 2220.A1 Scope of assurance engagement Engagement Disclosure of
2110.A1 Evaluation of ethics programs 2431
1220.A3 Risk identification Consulting opportunities during Nonconformance
1120 Individual Objectivity 2220.A2
2110.A2 Assessing information technology governance assurance engagement 2440 Disseminating Results
1220.C1 Scoping for consulting engagements
Impairment to Independence Consistency with organization’s 2220.C1 Scope of consulting engagement CAE responsibility for
1130 2110.C1 2440.A1
or Objectivity 1230 Continuing Professional Development values and goals when consulting communication of results
2230 Engagement Resource Allocation
2120 Risk Management Assessment of conditions for releasing
Impairment due to former Quality Assurance and 2240 Engagement Work Program 2440.A2
1130.A1 1300 results outside the organization
responsibilities Improvement Program 2120.A1 Evaluating organization’s risk exposure
2240.A1 Procedure for managing information
CAE responsibility for communication
Audit of functions for which 2120.A2 Evaluating fraud risks 2440.C1
1130.A2 Requirement for the Quality Assurance Work program for consulting of results for consulting engagements
CAE is responsible 1310 2240.C1
and Improvement Program 2120.C1 Reviewing risk during consulting engagements
To ensure clarity about the IPPF and elevate the importance of Communication of significant issues
2440.C2
1130.C1 Scope of impairment for consulting 2120.C2 Risk knowledge gained during consulting 2300 Performing the Engagement identified when consulting
conforming to the International Standards for the Professional Practice 1311 Internal Assessment
of Internal Auditing (Standards), this document depicts the comprehensive Limitation of involvement 2310 Identifying Information 2500 Monitoring Progress
Disclosure of impairment 1312 External Assessment 2120.C3
1130.C2 in risk management
guidance hierarchy for the internal audit profession, specifically when consulting 2320 Analysis and Evaluation 2500.A1 Establishing a follow-up process
Reporting on the Quality Assurance 2130 Control
providing an overview of the mandatory components of the framework. 1320 2330 Documenting Information Monitoring disposition of results
and Improvement Program 2500.C1
Evaluating adequacy and for consulting engagements
The document has been developed primarily for internal auditors — 2130.A1 Controlling access to
effectiveness of controls 2330.A1
IIA members, candidates for or holders of IIA professional certifications, Use of “Conforms to (or in conformance engagement records Resolution of Senior Management’s
2600
with) the International Standards Assessing achievement of Acceptance of Risks
such as the Certified Internal Auditor® (CIA®); and other individuals 1321 2130.A2 2330.A2 Retention requirements
for the Professional Practice of goals and objectives
and entities — who provide internal audit work as defined by the LEGEND Internal Auditing.” Information retention and release
Assessing consistency of results 2330.C1
2130.A3 policies for consulting engagements
definition of internal auditing. However, it should prove useful STANDARD* with goals and objectives
1322 Disclosure of Nonconformance
and informative to oversight entities, executive management, and ASSURANCE IMPLEMENTATION STANDARD 2130.C1 Reviewing controls when consulting 2340 Engagement Supervision

other stakeholders of professional internal auditing and effective CONSULTING IMPLEMENTATION STANDARD Knowledge of controls gained
2130.C2
organizational governance. *Black and red in this chart are used to identify each series and its related Standards.
from consulting engagements