
Table of Contents
What’s New.................................................................................................................................. x

Acknowledgments.................................................................................................................... xiv

About The IPPF......................................................................................................................... xv

Definition of Internal Auditing........................................................................................... 2


Code of Ethics......................................................................................................................... 4
Principles................................................................................................................................ 5
Rules of Conduct.................................................................................................................... 6

International Standards for the Professional Practice of Internal Auditing (Standards)
Introduction......................................................................................................................... 11
Attribute Standards
1000 – Purpose, Authority, and Responsibility.................................................................. 15
1010 – Recognition of the Definition of Internal Auditing,
the Code of Ethics, and the Standards in the
Internal Audit Charter............................................................................................ 15
1100 – Independence and Objectivity................................................................................ 16
1110 – Organizational Independence................................................................................. 16
1111 – Direct Interaction With the Board......................................................................... 17
1120 – Individual Objectivity.............................................................................................. 17
1130 – Impairment to Independence or Objectivity.......................................................... 18
1200 – Proficiency and Due Professional Care.................................................................. 19
1210 – Proficiency................................................................................................................ 19

1220 – Due Professional Care............................................................................................. 20
1230 – Continuing Professional Development................................................................... 21
1300 – Quality Assurance and Improvement Program..................................................... 21
1310 – Requirements of the Quality Assurance and Improvement Program.................. 22
1311 – Internal Assessments.............................................................................................. 22
1312 – External Assessments............................................................................................. 23
1320 – Reporting on the Quality Assurance and Improvement Program........................ 24
1321 – Use of “Conforms with the International Standards for the
Professional Practice of Internal Auditing”............................................................ 24
1322 – Disclosure of Nonconformance............................................................................... 25

Performance Standards
2000 – Managing the Internal Audit Activity................................................................... 26
2010 – Planning.................................................................................................................. 26
2020 – Communication and Approval................................................................................ 27
2030 – Resource Management............................................................................................ 27
2040 – Policies and Procedures.......................................................................................... 28
2050 – Coordination............................................................................................................ 28
2060 – Reporting to Senior Management and the Board.................................................. 28
2070 – External Service Provider and Organizational Responsibility
for Internal Auditing................................................................................................ 29
2100 – Nature of Work........................................................................................................ 29
2110 – Governance.............................................................................................................. 29
2120 – Risk Management................................................................................................... 30
2130 – Control..................................................................................................................... 31
2200 – Engagement Planning............................................................................................ 32
2201 – Planning Considerations........................................................................................ 32
2210 – Engagement Objectives.......................................................................................... 33
2220 – Engagement Scope.................................................................................................. 34
2230 – Engagement Resource Allocation........................................................................... 34



2240 – Engagement Work Program................................................................................... 35
2300 – Performing the Engagement................................................................................... 35
2310 – Identifying Information.......................................................................................... 35
2320 – Analysis and Evaluation......................................................................................... 36
2330 – Documenting Information...................................................................................... 36
2340 – Engagement Supervision........................................................................................ 37
2400 – Communicating Results.......................................................................................... 37
2410 – Criteria for Communicating................................................................................... 35
2420 – Quality of Communications.................................................................................... 38
2421 – Errors and Omissions............................................................................................. 38
2430 – Use of “Conducted in Conformance with the International
Standards for the Professional Practice of Internal Auditing”.............................. 38
2431 – Engagement Disclosure of Nonconformance......................................................... 39
2440 – Disseminating Results............................................................................................ 39
2450 – Overall Opinions..................................................................................................... 40
2500 – Monitoring Progress................................................................................................ 40
2600 – Resolution of Senior Management’s Acceptance of Risks..................................... 41

Glossary................................................................................................................................ 42

Practice Advisories
Attribute Standards
PA 1000-1 Internal Audit Charter............................................................................... 47
PA 1110-1 Organizational Independence..................................................................... 49
PA 1111-1 Board Interaction........................................................................................ 51
PA 1120-1 Individual Objectivity................................................................................. 53
PA 1130-1 Impairment to Independence or Objectivity.............................................. 55
PA 1130.A1-1 Assessing Operations for Which Internal Auditors Were
Previously Responsible............................................................................... 57
PA 1130.A2-1 Internal Audit’s Responsibility for Other (Non-audit) Functions............ 59

PA 1200-1 Proficiency and Due Professional Care...................................................... 63
PA 1210-1 Proficiency................................................................................................... 65
PA 1210.A1-1 Obtaining External Service Providers to Support or Complement
the Internal Audit Activity......................................................................... 67
PA 1220-1 Due Professional Care................................................................................. 73
PA 1230-1 Continuing Professional Development....................................................... 75
PA 1300-1 Quality Assurance and Improvement Program......................................... 77
PA 1310-1 Requirements of the Quality Assurance and
Improvement Program................................................................................ 79
PA 1311-1 Internal Assessments.................................................................................. 81
PA 1312-1 External Assessments................................................................................. 83
PA 1312-2 External Assessments: Self-assessment With Independent
Validation..................................................................................................... 89
PA 1321-1 Use of “Conforms with the International Standards for the
Professional Practice of Internal Auditing”................................................ 93

Performance Standards
PA 2010-1 Linking the Audit Plan to Risk and Exposures......................................... 95
PA 2010-2 Using the Risk Management Process in Internal Audit Planning........... 97
PA 2020-1 Communication and Approval.................................................................. 103
PA 2030-1 Resource Management.............................................................................. 105
PA 2040-1 Policies and Procedures............................................................................ 107
PA 2050-1 Coordination.............................................................................................. 109
PA 2050-2 Assurance Maps........................................................................................ 113
PA 2050-3 Relying on the Work of Other Assurance Providers................................ 119
PA 2060-1 Reporting to Senior Management and the Board.................................... 123
PA 2110-1 Governance: Definition............................................................................. 125
PA 2110-2 Governance: Relationship with Risk and Control................................... 127
PA 2110-3 Governance: Assessments......................................................................... 129
PA 2120-1 Assessing the Adequacy of Risk Management Processes....................... 131
PA 2120-2 Managing the Risk of the Internal Audit Activity................................... 135


PA 2130-1 Assessing the Adequacy of Control Processes......................................... 143
PA 2130.A1-1 Information Reliability and Integrity...................................................... 147
PA 2130.A1-2 Evaluating an Organization’s Privacy Framework................................. 149
PA 2200-1 Engagement Planning.............................................................................. 153
PA 2200-2 Using a Top-down, Risk-based Approach to Identify the Controls to be
Assessed in an Internal Audit Engagement............................................ 155
PA 2210-1 Engagement Objectives............................................................................ 159
PA 2210.A1-1 Risk Assessment in Engagement Planning............................................. 161
PA 2230-1 Engagement Resource Allocation............................................................. 163
PA 2240-1 Engagement Work Program..................................................................... 165
PA 2300-1 Use of Personal Information in Conducting Engagements..................... 167
PA 2320-1 Analytical Procedures............................................................................... 169
PA 2330-1 Documenting Information........................................................................ 173
PA 2330.A1-1 Control of Engagement Records............................................................... 175
PA 2330.A1-2 Granting Access to Engagement Records................................................ 177
PA 2330.A2-1 Retention of Records................................................................................. 181
PA 2340-1 Engagement Supervision.......................................................................... 183
PA 2400-1 Legal Considerations in Communicating Results................................... 187
PA 2410-1 Communication Criteria........................................................................... 191
PA 2420-1 Quality of Communications...................................................................... 195
PA 2440-1 Disseminating Results.............................................................................. 197
PA 2440-2 Communicating Sensitive Information Within and Outside the
Chain of Command.................................................................................... 199
PA 2440.A2-1 Communications Outside the Organization............................................ 203
PA 2500-1 Monitoring Progress.................................................................................. 205
PA 2500.A1-1 Follow-up Process...................................................................................... 207

Translation or Adaptation of the International Professional Practices Framework
and its Related Guidance (Administrative Directive No. 2)................................................. 210

CD-ROM Table of Contents

Definition of Internal Auditing


Code of Ethics
International Standards for the Professional Practice of
Internal Auditing
Position Papers
The Role of Internal Auditing in Enterprise-wide Risk Management
The Role of Internal Auditing in Resourcing the Internal Audit Activity

Practice Advisories
Practice Guides
Auditing Executive Compensation and Benefits
Auditing External Business Relationships
CAEs - Appointment, Performance Evaluation and Termination
Evaluating Corporate Social Responsibility/Sustainable Development
Formulating and Expressing Internal Audit Opinions
Internal Auditing and Fraud

Global Technology Audit Guides (GTAG®)


GTAG 1 – Information Technology Controls

GTAG 2 – Change and Patch Management Controls: Critical for
Organizational Success

GTAG 3 – Continuous Auditing: Implications for Assurance, Monitoring,
and Risk Assessment

GTAG 4 – Management of IT Auditing

GTAG 5 – Managing and Auditing Privacy Risks

GTAG 6 – Managing and Auditing IT Vulnerabilities

GTAG 7 – Information Technology Outsourcing

GTAG 8 – Auditing Application Controls

GTAG 9 – Identity and Access Management

GTAG 10 – Business Continuity Management

GTAG 11 – Developing the IT Audit Plan

GTAG 12 – Auditing IT Projects

GTAG 13 – Fraud Prevention and Detection in an Automated World

GTAG 14 – Auditing User-developed Applications

GTAG 15 – Information Security Governance

Guide to the Assessment of IT Risk (GAIT)


The GAIT Methodology
GAIT for IT General Control Deficiency Assessment
GAIT for Business and IT Risk (GAIT-R)
Case Studies Using GAIT-R to Scope PCI Compliance
