CIA CIA1 SU1 Outline

1
STUDY UNIT ONE
FOUNDATIONS OF INTERNAL AUDITING
1.1 Applicable Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Ethics -- Introduction and Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Ethics -- Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.4 Ethics -- Objectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.5 Ethics -- Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.6 Ethics -- Competency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.7 Internal Audit Charter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
This study unit covers Domain I: Foundations of Internal Auditing from The IIA’s CIA Exam
Syllabus. This domain makes up 15% of Part 1 of the CIA exam and is tested at the basic and
proficient cognitive levels.
The learning objectives of Study Unit 1 are
● Interpret The IIA’s Mission of Internal Audit, Definition of Internal Auditing, and Core Principles
for the Professional Practice of Internal Auditing, as well as the purpose, authority, and
responsibility of the internal audit activity
● Explain the requirements of an internal audit charter (required components, board approval,
communication of the charter, etc.)
● Interpret the difference between assurance and consulting services provided by the internal
audit activity
● Demonstrate conformance with The IIA Code of Ethics
Internal auditors perform assurance and consulting activities designed to evaluate and improve the
effectiveness of the entity’s governance, risk management, and internal control processes using a
systematic, disciplined, and risk-based approach. This may include evaluation of internal control,
examination of financial and operating information, review of compliance with laws and regulations,
and the assessment of fraud risk.
Copyright © 2022 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com.
2 SU 1: Foundations of Internal Auditing
1.1 APPLICABLE GUIDANCE
International Professional Practices Framework (IPPF)

The Institute of Internal Auditors (The IIA) defines the mission of internal audit as follows:
● “To enhance and protect organizational value by providing risk-based and objective
assurance, advice, and insight.”
● Facilitating the achievement of this mission is the IPPF.
The IPPF contains mandatory guidance and recommended guidance.
Figure 1-1
SU 1: Foundations of Internal Auditing 3
Mandatory Guidance
Adherence to the mandatory guidance is essential for the professional practice of internal auditing.
● The mandatory guidance consists of four elements:

1. The Core Principles for the Professional Practice of Internal Auditing
2. The Definition of Internal Auditing
3. The Code of Ethics
4. The Standards
● The Core Principles and the Definition of Internal Auditing are reflected in the Code of Ethics
and the Standards. Thus, conformance with the Code and the Standards demonstrates
conformance with all mandatory elements of the IPPF.
● If the Standards are used with requirements of other authoritative bodies, internal audit
communications also may cite the other requirements. But, if the Standards and other
requirements are inconsistent, internal auditors must conform with the Standards and may
conform with the other requirements if they are more restrictive.
Figure 1-2
Element 1 of 4
The Core Principles are the basis for internal audit effectiveness. The internal audit function
is effective if all principles are present and operating effectively. The following are the 10 Core
Principles:
1. “Demonstrates integrity.
2. Demonstrates competence and due professional care.
3. Is objective and free from undue influence (independent).
4. Aligns with the strategies, objectives, and risks of the organization.
5. Is appropriately positioned and adequately resourced.
6. Demonstrates quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance.
9. Is insightful, proactive, and future-focused.
10. Promotes organizational improvement.”
Figure 1-3
Element 2 of 4
The Definition of Internal Auditing is a concise statement of the role of the internal audit activity in
the organization.
“Internal auditing is an independent, objective assurance and consulting activity designed to

add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.”
Figure 1-4
Element 3 of 4
The Code of Ethics is covered in detail in later subunits.
Figure 1-5
Element 4 of 4
The Standards (known formally as the International Standards for the Professional Practice of
Internal Auditing) serve the following four purposes described by The IIA:
1. “Guide adherence with the mandatory elements of the International Professional Practices
Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal
auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.”
The Standards are vital to the practice of internal auditing, but CIA candidates need not memorize
them. However, the principles they establish should be thoroughly understood and appropriately
applied.
Figure 1-6
Types of Standards
Attribute Standards describe the characteristics of organizations and parties providing

internal auditing services. They govern the responsibilities, attitudes, and actions of the
organization’s internal audit activity and the people who serve as internal auditors. Attribute
Standards are displayed in green boxes throughout this text to emphasize their importance.
Performance Standards describe the nature of internal auditing and provide quality criteria
for evaluation of internal audit performance. They govern the nature of internal auditing and
provide quality criteria for evaluating the internal audit function’s performance.
Interpretations of Attribute or Performance Standards are provided by The IIA to clarify terms
and concepts. They are displayed in blue boxes.
Implementation Standards apply to specific types of engagements. They expand upon the
individual Attribute or Performance Standards by providing the requirements applicable to
assurance (A) or consulting (C) services. They are displayed in gray boxes throughout this
text.
Recommended Guidance
Implementation Guidance and Supplemental Guidance constitute recommended guidance.
They describe practices for effective implementation of the mandatory elements of the IPPF:
(1) the Core Principles, (2) the Definition of Internal Auditing, (3) the Code of Ethics, and (4) the
Standards.
Figure 1-7
Purpose, Authority, and Responsibility of the Internal

Audit Activity
Each organization’s internal audit charter lays out the purpose, authority, and responsibility of the
internal audit activity for that organization.
Purpose
The purpose of the internal audit activity is to provide “independent, objective assurance and
consulting services designed to add value and improve an organization’s operations.
● The internal audit activity helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of governance,
risk management and control processes” (The IIA Glossary).
There are two general types of internal audit activities: assurance services and consulting services.
1. Assurance services involve the internal auditor’s objective assessment of evidence to

provide opinions or conclusions regarding an entity, operation, function, process, system, or
other subject matters. It is an objective examination of evidence for the purpose of providing
an independent assessment of governance, risk management, and control processes for the
organization.
■ The nature and scope of an assurance engagement are determined by the internal
auditor.
■ Generally, the process owner, the internal auditor, and the user are the three
participants in assurance services.
1. The process owner is the person or group directly involved with the entity,
operation, function, process, system, or other subject matter.
2. The internal auditor is the person or group making the assessment).
3. The user is the person or group using the assessment.
■ Examples of assurance services include
► Financial
► Performance
► Compliance
► System security
► Due diligence
2. Consulting services are advisory in nature and generally are performed at the specific
request of an engagement client. Consulting services are activities intended to add value and
improve an organization’s governance, risk management, and control processes without the
internal auditor’s assumption of management responsibility.
■ The nature and scope of the consulting engagement are subject to agreement with the
engagement client.
■ Generally, the internal auditor and the engagement client are the two participants in
consulting services.
1. The internal auditor is the person or group offering the advice.
● When performing consulting services, the internal auditor should maintain
objectivity and not assume management responsibility.
2. The engagement client is the person or group seeking and receiving the advice.
■ Consulting services include providing counsel, advice, facilitation, and training.
Authority
The board of directors adopts a formal charter that grants sufficient authority to a chief audit
executive and the internal audit activity.
The support of management and the board is crucial when inevitable conflicts arise between the
internal audit activity and the department or function under review. Thus, the internal audit activity
should be empowered to require auditees to grant access to all records, personnel, and physical
properties relevant to the performance of every engagement.
● A formal charter that defines the internal audit activity’s authority must be adopted. The
authority granted should be sufficient. Final approval of the charter resides with the board.
Responsibility
The internal audit activity’s responsibility also is defined in the charter. It should provide the
organization with assurance and consulting services that will add value and improve the
organization’s operations.
● Specifically, the internal audit activity must evaluate and improve the effectiveness of the
organization’s governance, risk management, and control processes.
1.2 ETHICS -- INTRODUCTION AND PRINCIPLES
Author’s Note: The gray boxes throughout the rest of this study unit are quotes from The IIA’s Code of
Ethics.
Introduction
The IIA incorporates the Definition of Internal Auditing into the Introduction to the Code of Ethics
and specifies the reasons for establishing the Code.
Introduction to The IIA’s Code of Ethics

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of
internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is
on the trust placed in its objective assurance about governance, risk management, and control.
The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two
essential components:
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules
are an aid to interpreting the Principles into practical applications and are intended to guide
the ethical conduct of internal auditors.
“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional
certifications, and those who perform internal audit services within the Definition of Internal
Auditing.
Applicability
The provisions of the Code are applied broadly to all organizations and persons who perform
internal audit services, not just CIAs and members of The IIA.
Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.
For IIA members and recipients of or candidates for IIA professional certifications, breaches of
the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and
Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of
Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member,
certification holder, or candidate can be liable for disciplinary action.
● Violations of rules of ethics should be reported to The IIA’s board of directors.
Principles
The Rules of Conduct in the Code are organized based on the principles of integrity, objectivity,
confidentiality, and competency.
Principles
Internal auditors are expected to apply and uphold the following principles:
1. Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on
their judgment.
2. Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating,
and communicating information about the activity or process being examined. Internal auditors
make a balanced assessment of all the relevant circumstances and are not unduly influenced
by their own interests or by others in forming judgments.
3. Confidentiality
Internal auditors respect the value and ownership of information they receive and do not
disclose information without appropriate authority unless there is a legal or professional
obligation to do so.
4. Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of
internal audit services.
Rules of Conduct
1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed
to impair their unbiased assessment. This participation includes those activities or
relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional
judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.
3. Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their
duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to
the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the
Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their
services.
To remember the above principles on the CIA exam, use the memory aid I Only Carry Cash.
1.3 ETHICS -- INTEGRITY
Rules of Conduct – Integrity

Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
Further guidance on integrity is provided in Implementation Guide, Code of Ethics: Integrity.
● “Integrity is the foundation of the other three principles in The IIA’s Code of Ethics.
Objectivity, confidentiality, and competency all depend on integrity. Integrity also underpins
the Standards.”
● The chief audit executive’s (CAE’s) responsibility for implementing integrity includes the
following:
■ “[T]he CAE should cultivate a culture of integrity by acting with integrity and adhering to
the Code of Ethics.”
■ “The CAE also establishes policies and procedures to guide the internal audit
activity . . . to show diligence and responsibility.”
■ “[T]he CAE also may emphasize the importance of integrity by providing training that
demonstrates integrity and other ethical principles in action.”
● For internal auditors, “the best attempts to identify and measure integrity likely involve astute
awareness and understanding of the Code of Ethics’ rules of conduct for integrity, the IPPF’s
Mandatory Guidance, and supporting practices.”
● “For internal auditors, behaviors that may not be illegal but may be discreditable include:
■ Behavior that may be considered bullying, harassing, or discriminatory.
■ Failing to accept responsibility for making mistakes.
■ Issuing false reports or permitting others to do so.
■ Lying.
■ Making claims about one’s competency in a manner that is deceptive, false, or
misleading.
■ Making disparaging comments about the organization, fellow employees, or its
stakeholders, either in person or via media (e.g., in publications or social media posts).
■ Minimizing, concealing, or omitting observations or unsatisfactory conclusions and

ratings from engagement reports or overall assessments.
■ Noncompliance with the Standards and other IPPF Mandatory Guidance.
► Performing internal audit services with undeclared impairments to independence
and objectivity.
► Performing internal audit services for which one is not competent.
► Soliciting or disclosing confidential information without proper authorization.
► Stating that the internal audit activity is operating in conformance with the
Standards when the assertion is not supported by the results of the quality
assurance and improvement program.
■ Overlooking illegal activities that the organization may tolerate or condone.
■ Using the CIA designation or other credentials after they have expired or been revoked.”
How to Comply with the Integrity Rule

Maintenance, and reporting on, a quality assurance and improvement program (QAIP) by the CAE
and participation of internal auditors in continuing professional education (CPE)
Internal auditor accountability demonstrated by the following:

● The organization’s ethics policies or code of conduct
● Relevant laws and regulations
● The IIA’s Code of Ethics
● IPPF Mandatory Guidance
Diligent supervision of engagements and performance of the self-assessments required by the

Standards demonstrate the integrity of the internal audit activity as a whole.
EXAMPLE 1-1 Conformance with the Integrity Rule
An internal auditor is working for a cosmetics manufacturer that may be inappropriately testing cosmetics
on animals. If, out of loyalty to the employer, no information about the testing is gathered, the auditor
violated the Rules of Conduct by
● Knowingly becoming a party to an illegal act,

● Engaging in an act discreditable to the profession,
● Failing to make disclosures expected by the law, and
● Not performing the work diligently.
1.4 ETHICS -- OBJECTIVITY
Rules of Conduct – Objectivity

Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed
to impair their unbiased assessment. This participation includes those activities or
relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional
judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.
The objectivity principle is a frequently tested ethics topic. Being able to apply the rules of
conduct related to objectivity to scenarios will increase your success on the exam. To do
this, a higher level of understanding beyond memorization is required.
A material ownership interest in a competitor is allowable. An internal auditor seldom can during the
course of employment take action to enhance the value of the ownership interest.
For example, if management override of an important control creates exposure to a material

risk, the internal auditor is ethically obligated to report the matter to senior officials charged with
performing the governance function. Disclosure is not limited by time constraints.
An internal auditor cannot assure anonymity. Information communicated to an internal auditor is

not deemed to be privileged. However, promising merely to attempt to keep the source of the
information confidential is allowed.
Disclosure is not required when the internal auditor gathers sufficient information to dispel the
suspicion of fraud.
The CAE should share information and coordinate activities with other internal and external
providers of relevant assurance and consulting services.
Conflict of Interest Policy

A conflict of interest policy should prohibit the transfer of benefits between an employee and those
with whom the organization deals.
Examples of violations of Rules 2.1., 2.2., and 2.3. include the following:
● Rule of Conduct 2.1.

1. Excessive individual fraternizing outside of work with the organization’s employees,
management, third-party suppliers, and vendors.
2. Certain dealings in commercial properties (excluding rental activity).
3. Sales of services or products by the internal auditor to the organization.
4. Participation in non-public service organizations may not be allowed, for example,
serving as a consultant to third parties (vendors, suppliers, etc.) with which the
organization conducts business.
5. Performing an audit in a department managed by a family member.
6. Accepting a bonus based on work accomplished during an audit.
7. Assuming management responsibilities and auditing an area in which the auditor had
such responsibilities within 1 year.

1. Accepting gifts, meals, trips, and special treatment that exceed policy limits or are not
disclosed and approved
2. Working in a non-audit position and accepting gifts not permitted by IIA code of conduct

1. Intentional omission of disclosures of illegal activity from final engagement
communications
2. Withholding pertinent information
3. Not communicating pertinent information to the chief audit executive
4. Distorting facts reported in final engagement communications
Conformance with objectivity is demonstrated by the following:
● The CAE provides relevant policies and procedures for the internal audit activity.
● The CAE requires internal auditors attend meetings or training sessions about objectivity (for
example, CPE).
● The CAE documents the rationale for allocation of resources to the internal audit plan,
including potential impairments.
● Other evidence may include documentation of research into potential conflicts of interest
involving outsourced and cosourced activities.
● Approval of the CAE or a designated engagement supervisor of engagement workpapers may

evidence that internal auditors have conducted a balanced assessment.
● Feedback from post-engagement surveys and supervisory reviews of engagements may

provide additional evidence that the internal auditors’ work appeared to be performed
objectively.
● Assessments as part of the internal audit activity’s quality assurance and improvement
program also lend support that appropriate objectivity was used in arriving at internal audit
conclusions and opinions.
EXAMPLE 1-2 Conformance with the Objectivity Rule
At the end of the year, an internal auditing team made observations and recommendations that an
organization can use to improve operating efficiency. To express gratitude, the division manager
presented the internal audit team with a gift of moderate value. The internal audit team meets to discuss
whether to accept the gift. The following reasons for accepting or not accepting the gift were discussed:
One auditor said, “we should accept the gift because its value is insignificant.”
Another auditor said, “we should not accept the gift until after we submit our final engagement
communication.”
A third auditor said, “we should not accept the gift.”
The lead auditor considered the opinions of the other auditors and the intent of the Rules of Conduct.
The lead auditor then decided that acceptance of the gift would be inappropriate because of the
presumed impairment of the internal auditor’s professional judgment.
1.5 ETHICS -- CONFIDENTIALITY
Rules of Conduct – Confidentiality

Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their
duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to
the law or detrimental to the legitimate and ethical objectives of the organization.
Further guidance on confidentiality is provided in Implementation Guide, Code of Ethics:

Confidentiality:
● “Organizations usually issue information security policies to protect the data they acquire,
use, and produce and to ensure compliance with the laws and regulations that pertain to the
industry and jurisdiction within which they operate.”
■ “To protect proprietary information, policies and procedures may require internal
auditors to take the following precautions, even when handling information internally:
► Collect only the data required to perform the assigned engagement and use this
information only for the engagement’s intended purposes.
► Protect information from intentional or unintentional disclosure through the use of
controls such as data encryption, email distribution restrictions, and restriction of
physical access to the information.
► Eliminate copies of or access to such data when it is no longer needed.”
● “To better understand the effects of legal and regulatory requirements and protections (e.g.,
legal privilege or attorney-client privilege), the chief audit executive (CAE) should consult
with legal counsel. The organization’s policies and procedures may require that specific
authorities review and approve business information before external release.”
● “Rule of Conduct 3.2 emphasizes that internal auditors must not use any information for
personal gain.
● For example, internal auditors should not use insider financial, strategic, or operational
knowledge of an organization to bring about personal financial gain by purchasing or selling
shares in the organization.
● Another example is releasing insider knowledge to journalists or via other media without
proper authorization. Using insider information to develop a competitive product or selling
proprietary information to a competitor also violates this confidentiality rule.
● Furthermore, internal auditors should not abuse their privilege to access information, such as
using access to customer records to look up a neighbor’s recent purchases or to view the
health records of a celebrity.”
● Conformance with confidentiality is demonstrated as follows:

■ “The CAE may demonstrate support of internal audit confidentiality through evidence
of policies, processes, procedures, and training materials implemented to cover
confidentiality as it applies to the internal audit activity and the organization.”
■ “Regarding the release of engagement results, reports, or related information, the CAE
demonstrates conformance with the confidentiality principle and rules of conduct
by documenting and retaining records of disclosures approved by legal counsel, if
applicable, and by senior management and the board.”
■ “Internal auditors demonstrate conformance with engagement record confidentiality by
documenting distribution restrictions in engagement workpapers and reports and by
retaining authorizations of all disclosures and approved distribution lists.”
■ Given no reports or investigations of individual auditors’ violations of policies,
procedures, and rules related to confidentiality, the internal audit activity as a whole
most likely is in conformance with the principle.
EXAMPLE 1-3 Conformance with the Confidentiality Rule
Which of the following violate(s) The IIA’s Code of Ethics?

● Investigating a lead sales person’s expense reports based on rumors of overstatement.
■ Investigating potential instances of fraud is within the internal auditor’s normal
responsibilities. It is not a violation.
● Purchasing stock in a target organization after reading company reports that it may be
acquired.
■ Rule of Conduct 3.2 states, “Internal auditors shall not use information for any personal
gain.” The stock purchase is a violation.
● Disclosing confidential information in response to a court order.
■ The principle of confidentiality permits the disclosure of confidential information given a
legal or professional obligation to do so. This disclosure is not a violation.
1.6 ETHICS -- COMPETENCY
Rules of Conduct – Competency

Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the
Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their
services.
Further guidance on competency is provided in Implementation Guide, Code of Ethics:

Competency:
● Conformance with competency is demonstrated by the following:

■ “The CAE may demonstrate a culture supportive of competency and the continual
improvement of proficiency, effectiveness, and quality through evidence that:
► Engagements have been properly resourced and supervised.
► Feedback has been solicited from internal audit stakeholders and sufficiently
considered.
► Performance reviews of internal auditors have been conducted regularly.
► Opportunities for training, mentoring, and professional education have been
provided.
► A quality assurance and improvement program is active.
► Internal audit services are performed in conformance with the IPPF’s Mandatory
Guidance.”
● “The knowledge, skills, and experience of individual internal auditors may be evidenced, in
part, through
1. Credentialed qualifications, such as university degrees and certifications, and
2. Relevant work history as detailed on the internal auditor’s resume, which the CAE or the
organization’s human resources department should have on file.”
● “[I]nternal auditors may maintain documentation of a skills self-assessment, a plan for

professional development, and the completion of continuing professional education/
development courses or trainings.”
● To expand their competencies, internal auditors may provide evidence of experiences

undertaken, for example, specific work assignments (that is, on-the-job training) or
volunteering in professional organizations.
● Also, pursuing and completing professional education, whether for new certifications or
continuing professional education, further evidences internal auditors’ commitment to
continual improvement of their proficiency and the effectiveness and quality of their services.
EXAMPLE 1-4 Conformance with the Competency Rule
Which of the following violate(s) The IIA’s Code of Ethics?

● After obtaining evidence that an employee is embezzling funds, the internal auditor
interrogates the suspect. The organization has a security department.
■ Internal auditors generally lack the knowledge, skills, or experience regarding
interrogation of suspects possessed by security specialists. The lack of proficiency
most likely is a violation.
● An internal auditor has been assigned to perform an engagement in the warehousing
department next year. The auditor currently has no expertise in this area but accepted the
assignment and plans to take continuing professional education courses in warehousing.
■ The internal auditor plans to acquire the required knowledge and skills prior to the start
of this engagement. The internal auditor most likely did not violate the Code of Ethics.
1.7 INTERNAL AUDIT CHARTER
Internal Audit Charter
Attribute Standard 1000

Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be
formally defined in an internal audit charter, consistent with the Mission of Internal
Audit and the mandatory elements of the International Professional Practices
Framework (the Core Principles for the Professional Practice of Internal Auditing,
the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief
audit executive must periodically review the internal audit charter and present it to
senior management and the board for approval.
The following Interpretation was issued by The IIA:
Interpretation of Standard 1000

The internal audit charter is a formal document that defines the internal audit activity’s
purpose, authority, and responsibility. The internal audit charter establishes the internal
audit activity’s position within the organization, including the nature of the chief audit
executive’s functional reporting relationship with the board; authorizes access to records,
personnel, and physical properties relevant to the performance of engagements; and
defines the scope of internal audit activities. Final approval of the internal audit charter
resides with the board.
Engagement clients must be informed of the internal audit activity’s purpose, authority, and
responsibility to prevent misunderstandings about access to records and personnel.
An auditee must not be able to place a scope limitation on the internal audit activity by refusing to
make relevant records, personnel, and physical properties available to the internal auditors.
Implementation Guide 1000, Purpose, Authority, and Responsibility, further addresses the charter.
● “To create [the internal audit charter], the chief audit executive (CAE) must understand the
Mission of Internal Audit and the mandatory elements of The IIA’s International Professional
Practices Framework (IPPF), including
■ The Core Principles for the Professional Practice of Internal Auditing,
■ The Code of Ethics,
■ The International Standards for the Professional Practice of Internal Auditing, and
■ The Definition of Internal Auditing.
● The charter is the understanding that provides the foundation for a discussion among the
CAE, senior management, and the board to mutually agree upon
■ Internal audit objectives and responsibilities
■ The expectations for the internal audit activity
■ The CAE’s functional and administrative reporting lines
■ The level of authority (including access to physical property, personnel, and records)
required for the internal audit activity to perform engagements and fulfill its agreed-
upon objectives and responsibilities”
● “The CAE may need to confer with the organization’s legal counsel or the board secretary
regarding the preferred format for charters and how to effectively and efficiently submit the
proposed internal audit charter for board approval.
● Once drafted, the proposed internal audit charter should be discussed with senior
management and the board to confirm that it accurately describes the agreed-upon role and
expectations or to identify desired changes. Once the draft has been accepted, the CAE
formally presents it during a board meeting to be discussed and approve.
● The minutes of the board meetings during which the CAE initially discusses and then formally
presents the internal audit charter provide documentation of conformance. In addition, the
CAE retains the approved charter.”
The charter must define the nature of assurance and consulting services provided by the internal
audit activity. Two Implementation Standards state this.
Implementation Standard 1000.A1

The nature of assurance services provided to the organization must be defined in
the internal audit charter. If assurances are to be provided to parties outside the
organization, the nature of these assurances must also be defined in the internal
audit charter.
Implementation Standard 1000.C1

The nature of consulting services must be defined in the internal audit charter.
The charter also must refer to the four elements of the mandatory guidance portion of the IPPF:
(1) the Core Principles, (2) the Code of Ethics, (3) the Standards, and (4) the Definition of Internal
Auditing.
Attribute Standard 1010

Recognizing Mandatory Guidance in the Internal Audit Charter
The mandatory nature of the Core Principles for the Professional Practice of
Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal
Auditing must be recognized in the internal audit charter. The chief audit executive
should discuss the Mission of Internal Audit and the mandatory elements of the
International Professional Practices Framework with senior management and the
board.
The IIA’s model internal audit charter is available from The IIA; however, it is restricted to IIA
members only.
Key Definitions from the Glossary

The complete IIA Glossary is in Appendix A. The definitions do not need to be memorized, but they
should be understood so candidates can apply them to multiple-choice questions.
Chief audit executive (CAE) describes the role of a person in a senior position responsible for
effectively managing the internal audit activity in accordance with the internal audit charter and the
mandatory elements of the International Professional Practices Framework.
● The chief audit executive or others reporting to the chief audit executive will have appropriate
professional certifications and qualifications.
● The specific job title or responsibilities of the chief audit executive may vary across
organizations.
The board is the highest-level governing body (e.g., a board of directors, a supervisory board,
or a board of governors or trustees) charged with the responsibility to direct or oversee the
organization’s activities and hold senior management accountable.
● Although governance arrangements vary among jurisdictions and sectors, typically the board
includes members who are not part of management.
● If a board does not exist, the word “board” in the Standards refers to a group or person
charged with governance of the organization.
● Furthermore, “board” in the Standards may refer to a committee or another body to which the
governing body has delegated certain functions (e.g., an audit committee).

CIA CIA1 SU1 Outline

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

CIA CIA1 SU1 Outline

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIA CIA1 SU1 Outline

Uploaded by

Copyright:

Available Formats

1

STUDY UNIT ONE

FOUNDATIONS OF INTERNAL AUDITING

1.1 Applicable Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

The learning objectives of Study Unit 1 are

● Demonstrate conformance with The IIA Code of Ethics

1.1 APPLICABLE GUIDANCE

International Professional Practices Framework (IPPF)

● Facilitating the achievement of this mission is the IPPF.

The IPPF contains mandatory guidance and recommended guidance.

● The mandatory guidance consists of four elements:

“Internal auditing is an independent, objective assurance and consulting activity designed to

The Code of Ethics is covered in detail in later subunits.

3. Establish the basis for the evaluation of internal audit performance.

4. Foster improved organizational processes and operations.”

Attribute Standards describe the characteristics of organizations and parties providing

Purpose, Authority, and Responsibility of the Internal

1. Assurance services involve the internal auditor’s objective assessment of evidence to

1.2 ETHICS -- INTRODUCTION AND PRINCIPLES

Introduction to The IIA’s Code of Ethics

Applicability and Enforcement of the Code of Ethics

● Violations of rules of ethics should be reported to The IIA’s board of directors.

1.3 ETHICS -- INTEGRITY

Rules of Conduct – Integrity

Further guidance on integrity is provided in Implementation Guide, Code of Ethics: Integrity.

■ Minimizing, concealing, or omitting observations or unsatisfactory conclusions and

How to Comply with the Integrity Rule

Internal auditor accountability demonstrated by the following:

Diligent supervision of engagements and performance of the self-assessments required by the

EXAMPLE 1-1 Conformance with the Integrity Rule

● Knowingly becoming a party to an illegal act,

1.4 ETHICS -- OBJECTIVITY

Rules of Conduct – Objectivity

For example, if management override of an important control creates exposure to a material

An internal auditor cannot assure anonymity. Information communicated to an internal auditor is

Conflict of Interest Policy

● Rule of Conduct 2.1.

● Rule of Conduct 2.2.

● Rule of Conduct 2.3.

Conformance with objectivity is demonstrated by the following:

● Approval of the CAE or a designated engagement supervisor of engagement workpapers may

● Feedback from post-engagement surveys and supervisory reviews of engagements may

EXAMPLE 1-2 Conformance with the Objectivity Rule

1.5 ETHICS -- CONFIDENTIALITY

Rules of Conduct – Confidentiality

Further guidance on confidentiality is provided in Implementation Guide, Code of Ethics:

● Conformance with confidentiality is demonstrated as follows:

EXAMPLE 1-3 Conformance with the Confidentiality Rule

Which of the following violate(s) The IIA’s Code of Ethics?

1.6 ETHICS -- COMPETENCY

Rules of Conduct – Competency

Further guidance on competency is provided in Implementation Guide, Code of Ethics:

● Conformance with competency is demonstrated by the following:

● “[I]nternal auditors may maintain documentation of a skills self-assessment, a plan for

● To expand their competencies, internal auditors may provide evidence of experiences

EXAMPLE 1-4 Conformance with the Competency Rule

Which of the following violate(s) The IIA’s Code of Ethics?