2. charter, independence, and objectivity

STUDY UNIT TWOCHARTER, INDEPENDENCE, AND OBJECTIVITY

2.1 Charter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2 Independence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.3 Objectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202.4 Independence and Objectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212.5 Study Unit 2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

The purpose, authority, and responsibility of internal auditing should be adequate to enable theinternal audit activity to accomplish its objectives. For that reason, the purpose, authority, andresponsibility should be stated in a written charter and periodically reassessed.

Internal auditing is an independent, objective assurance and consulting activity designed to addvalue and improve an organization’s operations. Accordingly, the Standards require the internal auditactivity to be independent and the internal auditors to be objective in performing their work. Thus,independence is an attribute of an organizational unit, and objectivity is an attribute of individuals. Inthis context, independence means that internal auditors can carry out their duties freely andobjectively. Objectivity means independence in mental attitude.

Core Concepts■ The purpose, authority, and responsibility of the internal audit activity should be defined in a formal

charter.■ The nature of assurance and consulting services should be defined in the charter.■ The internal audit activity should be independent, and the internal auditor should be objective.■ The chief audit executive should report functionally to the audit committee.■ Impairment of independence or objectivity should be disclosed.■ Internal auditors should not assess operations for which they were previously responsible.

2.1 CHARTER

1. This subunit concerns the content of the charter of the internal audit activity. One GeneralAttribute Standard, an Assurance Implementation Standard, a Consulting ImplementationStandard, and four Practice Advisories currently address this topic.

2. 1000 Purpose, Authority, and Responsibility – The purpose, authority, andresponsibility of the internal audit activity should be formally defined in a charter,consistent with the Standards, and approved by the board.*

*The term “board” here and elsewhere in pronouncements of The IIA includes “anorganization’s governing body, such as a board of directors, supervisory board,head of an agency or legislative body, board of governors or trustees of a non-profit organization, or any other designated body of the organization, includingthe audit committee, to whom the chief audit executive may functionally report”(Glossary).

1

Copyright © 2008 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com

http://www.gleim.com

a. PRACTICE ADVISORY 1000-1: INTERNAL AUDIT CHARTER

1. The purpose, authority, and responsibility of the internal audit activity should bedefined in a charter. The chief audit executive should seek approval of thecharter by senior management as well as acceptance by the board, auditcommittee, or appropriate governing authority. The charter should (a) establishthe internal audit activity’s position within the organization; (b) authorizeaccess to records, personnel, and physical properties relevant to theperformance of engagements; and (c) define the scope of internal auditactivities.

2. The internal audit activity’s charter should be in writing. A written statementprovides formal communication for review and approval by management and foracceptance by the board. It also facilitates a periodic assessment of theadequacy of the internal audit activity’s purpose, authority, and responsibility.Providing a formal, written document containing the charter of the internal auditactivity is critical in managing the auditing function within the organization.The purpose, authority, and responsibility should be defined and communicatedto establish the role of the internal audit activity and to provide a basis formanagement and the board to use in evaluating the operations of the function.If a question should arise, the charter also provides a formal, written agreementwith management and the board about the role and responsibilities of theinternal audit activity within the organization.

3. The chief audit executive should periodically assess whether the purpose,authority, and responsibility, as defined in the charter, continue to be adequateto enable the internal audit activity to accomplish its objectives. The result ofthis periodic assessment should be communicated to senior management andthe board.

PA Summary

● The purpose, authority, and responsibility of the IAA (internal audit activity)should be defined in a formal written charter approved by senior management andaccepted by the board.

● The charter establishes the position of the IAA, authorizes access relevant toengagement performance, and defines the scope of its activities.

● A charter is critical in managing the auditing function. It establishes the IAA’s roleand provides a basis for its evaluation.

● The CAE should periodically reassess the adequacy of the charter. The resultshould be communicated to senior management and the board.

3. 1000.A1 – The nature of assurance services provided to the organization should be definedin the audit charter. If assurances are to be provided to parties outside the organization,the nature of these assurances should also be defined in the charter.

4. 1000.C1 – The nature of consulting services should be defined in the audit charter.

a. PRACTICE ADVISORY 1000.C1-1: PRINCIPLES GUIDING THE PERFORMANCEOF CONSULTING ACTIVITIES OF INTERNAL AUDITORS

1. Value Proposition – The value proposition of the internal audit activity isrealized within every organization that employs internal auditors in a mannerthat suits the culture and resources of that organization. That value propositionis captured in the definition of internal auditing and includes assurance andconsulting activities designed to add value to the organization by bringing asystematic, disciplined approach to the areas of governance, risk, and control.

2 SU 2: Charter, Independence, and Objectivity



2. Consistency with Internal Audit Definition – A disciplined, systematicevaluation methodology is incorporated in each internal audit activity. The list ofservices can generally be incorporated into the broad categories of assuranceand consulting. However, the services may also include evolving forms ofvalue-adding services that are consistent with the broad definition of internalauditing.

3. Audit Activities Beyond Assurance and Consulting – There are multipleinternal auditing services. Assurance and consulting are not mutually exclusiveand do not preclude other auditing services, such as investigations andnonauditing roles. Many audit services will have both an assurance andconsultative (advising) role.

4. Interrelationship between Assurance and Consulting – Internal auditconsulting enriches value-adding internal auditing. While consulting is often thedirect result of assurance services, it should also be recognized that assurancecould also be generated from consulting engagements.

5. Empower Consulting Through the Internal Audit Charter – Internal auditorshave traditionally performed many types of consulting services, including theanalysis of controls built into developing systems, analysis of security products,serving on task forces to analyze operations and make recommendations, andso forth. The board (or audit committee) should empower the internal auditactivity to perform additional services if they do not represent a conflict ofinterest or detract from its obligations to the committee. That empowermentshould be reflected in the internal audit charter.

6. Objectivity – Consulting services may enhance the auditor’s understanding ofbusiness processes or issues related to an assurance engagement and donot necessarily impair the auditor’s or the internal audit activity’s objectivity.Internal auditing is not a management decision-making function. Decisions toadopt or implement recommendations made as a result of an internal auditingadvisory service should be made by management. Therefore, internal auditingobjectivity should not be impaired by the decisions made by management.

7. Internal Audit Foundation for Consulting Services – Much of consulting is anatural extension of assurance and investigative services and may representinformal or formal advice, analysis, or assessments. The internal audit activityis uniquely positioned to perform this type of consulting work based on (a) itsadherence to the highest standards of objectivity and (b) its breadth ofknowledge about organizational processes, risk, and strategies.

8. Communication of Fundamental Information – A primary internal auditingvalue is to provide assurance to senior management and audit committeedirectors. Consulting engagements cannot be performed in a manner thatmasks information that in the judgment of the chief audit executive (CAE) shouldbe presented to senior executives and board members. All consulting is to beunderstood in that context.

9. Principles of Consulting Understood by the Organization – Organizationsmust have ground rules for the performance of consulting services that areunderstood by all members of an organization, and these rules should becodified in the audit charter approved by the audit committee and promulgatedin the organization.

SU 2: Charter, Independence, and Objectivity 3



10. Formal Consulting Engagements – Management often engages outsideconsultants for formal consulting engagements that last a significant period oftime. However, an organization may find that the internal audit activity isuniquely qualified for some formal consulting tasks. If an internal audit activityundertakes to perform a formal consulting engagement, the internal audit groupshould bring a systematic, disciplined approach to the conduct of theengagement.

11. CAE Responsibilities – Consulting services permit the CAE to enter intodialogue with management to address specific managerial issues. In thisdialogue, the breadth of the engagement and time frames are made responsiveto management needs. However, the CAE retains the prerogative of settingthe audit techniques and the right of reporting to senior executives and auditcommittee members when the nature and materiality of results pose significantrisks to the organization.

12. Criteria for Resolving Conflicts or Evolving Issues – An internal auditor isfirst and foremost an internal auditor. Thus, in the performance of all services,the internal auditor is guided by The IIA Code of Ethics and the Attribute andPerformance Standards of the International Standards for the ProfessionalPractice of Internal Auditing. The resolution of any unforeseen conflicts oractivities should be consistent with the Code of Ethics and Standards.

PA Summary

● The value proposition of the IAA is realized in a way suiting the organization’sculture and resources. It is reflected in the definition of internal auditing. Itextends to assurance, consulting, and other evolving forms of value-addingservices, including nonaudit roles, investigations, and activities that combineassurance and consulting. Moreover, consulting may result from assurance orvice versa.

● The IAA performs consulting, e.g., analysis of controls in systems development.The board and charter should therefore empower consulting that is not a conflict ofinterest. Consulting may enhance understanding of business processes and doesnot necessarily impair objectivity because management makes decisions aboutadoption of IAA recommendations.

● Consulting is often an extension of assurance. It may consist of formal (informal)advice, analysis, or assessments. The IAA is uniquely positioned to do such workbecause of its objectivity and breadth of knowledge.

● A primary IAA value is to provide assurance to senior management and the auditcommittee. Consulting must not conceal information that should be reported aspart of that function.

● The organization’s rules for consulting should be understood by all itsmembers. They should be codified in the charter.

● Instead of hiring outsiders for formal consulting tasks, the organization may findthat the IAA is uniquely qualified for some of these engagements. In formalconsulting, the IAA should adopt a systematic, disciplined approach.

● The breadth and time frame of an engagement are based on managerial needs.But the CAE should set audit techniques and be able to report to senior managersand the board when results indicate significant risk.

● Internal auditors should follow the Code of Ethics and the Standards whenperforming all services, even those involving unforeseen conflicts and activities.




b. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FORFORMAL CONSULTING ENGAGEMENTS

The following is the portion of this comprehensive Practice Advisory relevant toStandard 1000.C1:

Definition of Consulting Services

1. The Glossary in the Standards defines “consulting services” as follows:“Advisory and related client service activities, the nature and scope of which areagreed with the client and which are intended to add value and improve anorganization’s governance, risk management, and control processes without theinternal auditor assuming management responsibility. Examples includecounsel, advice, facilitation, and training.”

2. The chief audit executive should determine the methodology to use forclassifying engagements within the organization. In some circumstances, itmay be appropriate to conduct a “blended” engagement that incorporateselements of both consulting and assurance activities into one consolidatedapproach. In other cases, it may be appropriate to distinguish between theassurance and consulting components of the engagement.

3. Internal auditors may conduct consulting services as part of their normal orroutine activities as well as in response to requests by management. Eachorganization should consider the type of consulting activities to be offered anddetermine if specific policies or procedures should be developed for each typeof activity. Possible categories could include:

● Formal consulting engagements – planned and subject to writtenagreement.

● Informal consulting engagements – routine activities, such asparticipation on standing committees, limited-life projects, ad-hocmeetings, and routine information exchange.

● Special consulting engagements – participation on a merger andacquisition team or system conversion team.

● Emergency consulting engagements – participation on a teamestablished for recovery or maintenance of operations after a disaster orother extraordinary business event or a team assembled to supplytemporary help to meet a special request or unusual deadline.

4. Auditors generally should not agree to conduct a consulting engagement simplyto circumvent, or to allow others to circumvent, requirements that wouldnormally apply to an assurance engagement if the service in question is moreappropriately conducted as an assurance engagement. This does not precludeadjusting methodologies if services once conducted as assurance engagementsare deemed more suitable to being performed as a consulting engagement.




PA Summary

● The Glossary in the Standards defines “consulting services.” The CAE determinesthe methods for classifying engagements. Blended rather than separateassurance and consulting engagements may be appropriate.

● Consulting may be done as a routine IAA function or in response to requests bymanagement.

● Consulting engagements may be formal, informal, special, and emergency. Formalengagements are planned and subject to written agreement. Informalengagements are routine, such as ad-hoc meetings and routine informationexchange. An example of a special engagement is participation on a systemconversion team. Emergency engagements involve participation on a teamestablished (1) for recovery operations after an extraordinary business event or(2) to supply temporary help to meet a special request or unusual deadline.

● Consulting should not be done to avoid the requirements of an assuranceengagement. But adjusting methods is appropriate if services once conducted asassurance engagements are more suitably performed as consulting engagements.

c. PRACTICE ADVISORY 1000.C1-3: ADDITIONAL CONSIDERATIONS FORCONSULTING ENGAGEMENTS IN GOVERNMENT ORGANIZATIONALSETTINGS

1. This Practice Advisory provides guidance for government audit organizationsconducting work in compliance with IIA Standards, but whose local governancerules, audit standards, policies, or legislation more strictly limit non-assurance(consulting) services. The parameters within which an organization plans toprovide non-assurance (consulting) services should be included in the internalaudit charter. They should be supported by the policies and procedures of theinternal audit activity. The guidance in this PA may assist organizations indeveloping relevant language and policies to manage the provision ofnon-assurance (consulting) services.

2. Core Elements of the Role of Auditors. Through their assurance (audit)engagements, auditors help to ensure that management is accountable formeeting organizational objectives and complying with internal and externalrequirements for how operations and activities are carried out. Although theseengagements can include an “assistance” dimension through the inclusion ofrecommendations for improvement, the auditor does not bear ultimateresponsibility for making or authorizing the improvement. Should an auditortake responsibility for implementing or authorizing operationalimprovements, whether recommended in the course of an audit (assurance)engagement, or as a separate non-audit (consulting) engagement, the auditor isvery likely jeopardizing the independence and objectivity that are essential tothe role of audit.




Even when assisting an organization through non-audit (consulting) activities,auditors should keep their activities within boundaries that define the coreelements of the audit function. These core elements include:

● Auditors should be independent. They should avoid relationships andsituations that compromise their objectivity.

● Auditors should not audit their own work.● Auditors should not perform management functions or make

management decisions.1

The elements are “core” because they support the fundamental valueproposition of audit, namely, the principle that an objective third party isattesting to (or providing assurance to) the credibility of management’sassertions. Accordingly, to protect their ability to provide assurance, auditorsmust minimize potential threats to auditor independence that can arise when thesame audit function is also providing non-audit (consulting) services.

In addition to the core elements above, other threats to auditor independencehave been identified, including the conduct of non-audit (consulting) work that

● Creates a mutuality of interest; or● Places auditors in the role of advocate for the company.2

3. Governing Rules. Specific jurisdictional rules that set restrictions on the workof auditors outside the audit (assurance) role may apply only to auditorsconducting the external (financial statement or statutory) audit, or they mayapply to auditors performing all types of audits. Moreover, the rules may havebeen established in the audit function’s enabling legislation, imposed byoversight or regulatory bodies, or included in codes of ethics or auditingstandards required for audits of specific organizations or jurisdictions.3 It is theChief Audit Executive’s responsibility to ensure that the audit function’s charterand its policies and procedures comply with relevant governing rules.

Moreover, even where the audit function is not subject to governing rules thatrestrict non-audit (consulting) services, CAEs will nevertheless need to ensurethat the quality assurance system is designed to manage or minimize threatsto auditor independence or objectivity. Otherwise, non-audit (consulting)assignments could have the long-term effect of compromising the auditfunction’s ability to carry out its audit (assurance) role. In addition, an auditfunction’s engagement in non-audit (consulting) work that compromises itsindependence could prevent other auditors from relying on the audit function’swork.

1This principle has been articulated by numerous standard-setting bodies, including guidance published

by IAASB/IFAC in its Code of Professional Ethics and the U.S. Government Accountability Office in itsGenerally Accepted Government Auditing Standards.2

This risk is raised in the January 2003 Smith Report on Audit Committees and Combined CodeGuidance, appointed by the Financial Reporting Council, and is addressed in guidance published byICAEW (Institute of Chartered Accountants in England and Wales), among others.3

Examples of specific restrictions include U.K.’s Government Internal Audit Standard 2.4.2, whichstates: “Objectivity is presumed to be impaired when individual auditors review any activity in which theyhave previously had executive responsibility, or in which they have provided consultancy advice.” Thisstandard is supplemented by Good Practice Guidance on Consultancy, which states: “In this role it isimportant that the internal auditor offers advice to management and does not undertake the task onbehalf of, or as a substitute for, management. Acceptance by management of the advice offered by theinternal auditor does not transfer or reduce management’s accountability for their own areas ofresponsibility.” (3.5.3)




4. Activities that Compromise Objectivity or Independence. Auditors’ ability toengage in non-audit (consulting) work without compromising their independencedepends to some extent on where they “draw the line” between assisting orconsulting in the sense of advising, versus assisting by doing work that is theresponsibility of management. For example, providing advice on appropriatecontrols during system design with the clear understanding that managementhas responsibility for accepting or rejecting the advice would have a limitedimpact on the auditor’s objectivity toward that system in the future. By contrast,if the auditor led the system design team, decided which controls to select, oroversaw the implementation of the recommended controls, the auditor’s futureability to objectively evaluate that system would be significantly impaired.However, other non-audit assignments may not be as clear-cut. Accordingly,audit functions need to develop procedures for reviewing potential non-audit(consulting) assignments and determining whether they present a threat toindependence or objectivity. The review used to determine the effect onfuture independence and objectivity should be documented. Thisdocumentation should be provided to external quality control reviewers duringthe QAR engagement.

5. Processes for Minimizing Threats to Objectivity or Independence. Theaudit function should implement controls that assist in reducing the potentialfor non-audit (consulting) projects to compromise objectivity of individualauditors, or the independence of the audit function as a whole. Techniques mayinclude:

a. Charter language defining non-audit (consulting) service parameters.b. Policies and procedures limiting type, nature, or level of participation in

non-audit (consulting) projects.c. Use of a screening process for non-audit (consulting) projects, with limits

on accepting engagements that might threaten objectivity.d. Segregation of non-audit (consulting) units from units conducting audits

(assurance engagements) within the same audit function.e. Rotation of auditors on engagements.f. Employing outside providers for carrying out non-audit (consulting)

engagements, or for conducting assurance engagements in activitieswhere the audit function’s prior involvement in non-audit (consulting) workhas been determined to impair objectivity/independence.

g. Disclosure in audit reports where objectivity was impaired by participationin a prior non-audit (consulting) project.

Attachment A provides examples of relevant language for some of these typesof control techniques.




Attachment AExample Language for Control Techniques Minimizing Threats to Auditor Independence

Charter language defining non-audit (consulting) service parameters. Charter language willestablish the boundaries within which the audit function will operate but is not expected to detail thespecific services that would or would not be provided. Accordingly, if a baseline for independence hasbeen described elsewhere in the Charter document, or is included in specifically applicable auditingstandards that are referenced; the Charter may need only to include a reference to those otherrequirements to set parameters for services to be provided. Three examples below show languageused in two cases where non-audit (consulting) services are limited to those where independence orobjectivity should not be compromised, and for a case where the audit function may be called upon todo work that is normally management’s responsibility.

■ Where the audit function will be limiting non-audit (consulting) services to those that do notcompromise objectivity or independence:

“The auditor may also assist the mayor, the City Council, and management staff in carrying outtheir responsibilities by providing them with objective and timely information on the conduct of cityoperations or advising on appropriate management controls, in accordance with [title ofapplicable] Auditing Standards.”

“The internal audit department may perform other non-audit functions, consistent with otherprovisions of this Charter, and prepare and submit such other reports as may be assigned by theCommission.”

■ Where the audit function will be providing a full range of non-audit services, even if certain suchservices may threaten objectivity or independence for audit work:

“The auditor may from time to time be called upon to participate in non-audit activities of theAgency, to assist the Executive Director and managers in carrying out their responsibilities, asauthorized by the Audit Committee.”

Policies and procedures limiting type, nature, and/or level of participation in non-audit(consulting) projects; or establishing controls that minimize future threats to objectivity orindependence from participation in non-audit engagements. If auditors do perform managementfunctions for the organization, the audit unit should establish relevant policies and procedures.Specifically, policies should prohibit those individuals from planning, conducting, or reviewing futureaudits of the subject matter involving the non-audit (consulting) service. Moreover, if the audit functionperforms a non-audit (consulting) engagement that will impair the entire audit function’s independenceor objectivity, the audit function’s oversight entity (e.g., the audit committee) should be notified beforethe engagement begins that audit independence will be impaired on any future audit work performedwithin the area. Should the audit function proceed to conduct an audit in the activity where theimpairment exists, this impairment should be identified in the audit report.

These prohibitions can be relaxed if there are significant changes to the subject matter area after theassistance work was performed or if the assistance work involved some established de minimumsstandard, such as “under 40 hours.”

The example policy and procedure below describes non-audit (consulting) services, and includeslanguage (see underlined text) that limits the services to within parameters that minimize threats toobjectivity and independence of the auditors.

Policy: In addition to audit services, the Auditor’s Office provides three other types of services tomanagers in the jurisdiction, or at the request of the Commission—Quality Assurance for projectsin process, Consulting and Training, and Control Self Assessment facilitated workshops.




Parameters for each type of service are detailed below.

Quality Assurance Services:

In providing quality assurance services, the Office of City Auditor will monitor and assist ongoingprojects by assessing if:

● project objectives will be achieved and are reasonable;● all options have been identified and thoroughly analyzed;● quantitative and qualitative analyses are complete and accurate;● a project plan has been established and project staff are adhering to the plan; and● best practices used by other jurisdictions to accomplish project objectives might be adopted

in the City.

Consulting Services and Training:

Audit staff is available to provide assistance and training to City staff in designing managementaccountability systems and re-engineering operations. Audit staff is advisory only andmanagement must accept responsibility for implementing any suggestions.

Control Self Assessment Facilitated Workshops:

In this audit process, an employee team meets with auditors to hold structured discussions onhow to achieve its objectives in the most efficient and effective way. Action plans, rather than aformal audit report, are developed to address any obstacles to the objective(s). Employee teammembers are responsible for implementing action plan steps.

The example procedures on the next page contain language that clarifies actions to be taken by theaudit function when non-audit (consulting) engagements are accepted that threaten independence andobjectivity on future assurance (audit) engagements:

When the audit function is requested by the Audit Committee to conduct non-audit engagementsthat are determined by the CAE to impair the audit function’s independence or an individualauditor’s objectivity for conducting subsequent audit work, the following procedures will be carriedout:

1. Prior to commencing the non-audit engagement, the CAE will communicate in writing withthe Audit Committee that the requested engagement will impair independence or objectivity;describe the nature of the impairment; and indicate the consequences of the impairment forfuture audit engagements (e.g., that the audit function must decline future audits in the area,or the Audit Committee will need to contract with a third-party provider to conduct futureaudits). The CAE should request a response in writing from the Audit Committee, directingthe audit function either to proceed with the non-audit engagement, or to decline it.

2. If the Audit Committee directs the audit function to proceed with the non-audit engagement,the CAE will document the impairment in:

● The non-audit engagement’s documentation, with a copy to management responsiblefor the non-audit engagement;

● The audit function’s annual project planning procedures; and● The audit function’s communications with external quality assurance providers at its

next quality assurance review.




If the Audit Committee directs the audit function to conduct an audit that includes in its scopeactivities or operations that were part of a prior non-audit engagement conducted by the auditfunction, about which the CAE previously determined that the non-audit engagement wouldcreate an impairment for future audit work, the following procedures should be carried out:

1. Prior to commencing the audit engagement, the CAE will communicate in writing with theAudit Committee, provide notice and description of the impairment, and indicate options forcarrying out the work with a maximum of objectivity (e.g., contracting with a third-partyprovider, or requesting the assistance of auditors from partner or regulatory entities).

2. If the Audit Committee directs the audit function to proceed with the audit engagement, theCAE will document the impairment in:

● The audit engagement’s planning documentation; and● The audit engagement’s final report.

3. In addition, the CAE shall disclose the occurrence and provide full documentation to theaudit function’s external quality assurance providers at its next quality assurance review.

Screening process for non-audit (consulting) projects. When accepting and performing consultingwork, auditors should document their rationale for providing consulting services and demonstrate theirjudgment that the services do not violate the core elements of the audit role. This information shouldbe disclosed to external quality assurance reviewers. One example policy for screening is below:

1. Upon receipt of a request for non-audit (consulting) services, the Internal Audit Departmentwill consider whether providing such services would create a personal impairment either infact or appearance that would adversely affect either the assigned auditor’s objectivity or tothe department’s independence for conducting subsequent audits within the same area. Ifthe engagement is determined to constitute an impairment to independence or objectivity,the request should be declined. If declined, the factors and final conclusion will bedocumented in a memorandum addressed to the requestor of the services.

2. Before performing non-audit (consulting) services, the auditor in charge will document anunderstanding with the requestor(s) that the requestor(s) are responsible for the outcome ofthe work; and, therefore, has a responsibility to be in a position in fact and appearance tomake an informed judgment on the results of the non-audit (consulting) work. The InternalAudit Department will establish an agreement with the requestor(s) concerning the objec-tive, scope, and limitations imposed on the non-audit (consulting) engagement services.




PA Summary

● A government IAA’s provision of consulting services may be limited by local law,audit standards, etc. The parameters of these services should be defined in itscharter and supported by its policies and procedures.

● Assurance services help ensure management’s accountability. These servicesinclude an assistance dimension when auditors recommend operationalimprovements. But auditors jeopardize their independence and objectivity bybeing responsible for implementing or authorizing improvements, even thosearising from consulting.

● When consulting, auditors should stay within the bounds of the core elements ofthe audit function. These give credibility to the auditors’ attestation tomanagement assertions. Core elements support the principle that an objectivethird party is providing assurance about the assertions. The core elements thatprotect auditors’ ability to give assurance are (1) independence, (2) objectivity,(3) not auditing one’s own work, and (4) not performing functions or makingdecisions that are managerial.

● Other threats to auditor independence include consulting work that (1) creates amutuality of interest or (2) positions auditors as advocates for the organization.

● Governing rules may restrict the IAA’s consulting services. These rules may applyto external auditors or all auditors. They may be based on law, regulation, a codeof ethics, or audit standards. The CAE should ensure that the IAA’s charter,policies, and procedures comply with the governing rules.

● Even if restrictive governing rules do not apply, the quality assurance systemshould minimize threats to auditor independence or objectivity posed byconsulting. Otherwise, the IAA’s assurance role and the ability of other auditors torely on its work may be compromised. Avoiding these threats depends in parton distinguishing between (1) merely advising and (2) assuming managementresponsibilities.

● The IAA should have documented procedures for review of threats toindependence and objectivity. The documentation should be available to externalquality control reviewers.

● The IAA should implement controls to reduce the potential threats to auditorindependence or objectivity posed by consulting. These controls may include

■ Charter language defining consulting service parameters■ Policies and procedures limiting type, nature, or level of participation in

consulting■ Screening consulting projects, with limits on engagements threatening

objectivity■ Segregation of consulting units from assurance units in the audit function■ Rotation of auditors■ Employing outside providers for (1) consulting or (2) assurance engagements

involving activities subject to prior consulting work that impaired objectivity orindependence

■ Disclosure in audit reports when objectivity was impaired by participation in aprior consulting project




5. The following is an outline of an example charter provided by The IIA:

a. The mission of the internal audit activity (IAA) is stated in terms of the definition ofinternal auditing.

b. The scope of work of the IAA is to determine whether risk management, control, andgovernance processes are adequate and functioning to ensure that

1) Risks are appropriately identified and managed.2) Interaction with governance groups occurs as needed.3) Significant information is accurate, reliable, and timely.4) Employees’ actions comply with applicable requirements.5) Resources are acquired economically, used efficiently, and adequately

protected.6) Programs, plans, and objectives are achieved.7) Quality and continuous improvement are fostered in control processes.8) Significant regulatory issues are recognized and addressed.

c. Internal auditors may identify opportunities for improvement of managementcontrol, profitability, and the organization’s image. They should be communicated toappropriate management.

d. The chief audit executive is accountable to management and the audit committee to

1) Provide an annual assessment of the adequacy and effectiveness of theorganization’s risk management and control processes.

2) Report significant control issues, including potential improvements, and report onsuch issues through resolution.

3) Periodically report on the status and results of the annual audit plan and thesufficiency of IAA resources.

4) Coordinate and oversee other control and monitoring functions.e. To provide for the independence of the IAA, its personnel should report to the chief

audit executive, who reports functionally to the audit committee and administrativelyto the CEO. Reports to the audit committee should include a regular report oninternal audit personnel.

f. The responsibility of the IAA is to

1) Develop a risk-based, flexible annual audit plan that includes management’sconcerns. It should be submitted to the audit committee for review andapproval and periodic updates.

2) Implement the annual audit plan, including any special tasks or projectsrequested by management and the audit committee.

3) Maintain a professional audit staff with sufficient knowledge, skills, experience,and professional certifications.

4) Assess significant merging/consolidating functions and new or changingservices, processes, operations, and control processes at the time of theirdevelopment, implementation, or expansion.

5) Issue periodic reports to the audit committee and management summarizingresults of audit activities.

6) Inform the audit committee of emerging trends and practices in auditing.7) Provide a list of significant measurement goals and results of audit activities to

the audit committee.8) Assist in the investigation of significant suspected fraud and report the results.9) Consider the scope of work of the external auditors and regulators to provide

optimal audit coverage at a reasonable cost.




g. The chief audit executive and staff of the IAA are authorized to

1) Have unrestricted access to all functions, records, property, and personnel.2) Have full and free access to the audit committee.3) Allocate resources, set frequencies, select subjects, determine scopes of work,

and apply the techniques required to accomplish audit objectives.4) Obtain the necessary assistance of auditee personnel and other specialized

services from within or outside the organization.h. The chief audit executive and staff of the IAA are not authorized to

1) Perform any operational duties for the organization or its affiliates.2) Initiate or approve accounting transactions external to the IAA.3) Direct the activities of any organization employee not employed by the IAA or

assigned to assist the internal auditors.i. The IAA should meet or exceed the International Standards for the Professional

Practice of Internal Auditing.

6. An alternative to staffing an internal audit activity is to outsource internal auditing functions.

a. To a large organization, the primary advantage of outsourcing is that large outsideservice providers ordinarily have offices in various locations. Thus, engagementrequirements in distant locations are more easily accommodated.

b. The disadvantages are that internal auditors tend to be more familiar with theorganization, and they are more readily available to the organization because theyare unaffected by other priorities, such as other clients.

1) Another disadvantage is that legal requirements may prevent the external auditfirm from providing internal audit services.

c. Cosourcing is an approach in which the internal audit activity obtains external aid inperforming certain activities.

2.2 INDEPENDENCE

1. Independence and objectivity are closely related. This subunit primarily addresses theindependence attribute of the internal audit activity. It describes the appropriate reportinglevel of the internal audit activity and states that it should be free from interference. Thesesubjects are covered in one General Attribute Standard, one Specific Attribute Standard,one Assurance Implementation Standard, and four Practice Advisories.

2. 1100 Independence and Objectivity – The internal audit activity should beindependent, and internal auditors should be objective in performing their work.

a. PRACTICE ADVISORY 1100-1: INDEPENDENCE AND OBJECTIVITY

1. Internal auditors are independent when they can carry out their work freely andobjectively. Independence permits internal auditors to render the impartial andunbiased judgments essential to the proper conduct of engagements. It isachieved through organizational status and objectivity.

PA Summary

Internal auditors are independent when they can carry out their work freely andobjectively. Independence permits internal auditors to render the impartial andunbiased judgments essential to the proper conduct of engagements. It is achievedthrough organizational status and objectivity.




3. 1110 Organizational Independence – The chief audit executive should report to a levelwithin the organization that allows the internal audit activity to fulfill itsresponsibilities.

a. PRACTICE ADVISORY 1110-1: ORGANIZATIONAL INDEPENDENCE

1. Internal auditors should have the support of senior management and of theboard so that they can gain the cooperation of engagement clients and performtheir work free from interference.

2. The chief audit executive should be responsible to an individual in theorganization with sufficient authority to promote independence and to ensurebroad engagement coverage, adequate consideration of engagementcommunications, and appropriate action on engagement recommendations.

3. Ideally, the chief audit executive should report functionally to the auditcommittee, board of directors, or other appropriate governing authority, andadministratively to the chief executive officer of the organization.

4. The chief audit executive should have direct communication with the board,audit committee, or other appropriate governing authority. Regularcommunication with the board helps assure independence and provides ameans for the board and the chief audit executive to keep each other informedon matters of mutual interest.

5. Direct communication occurs when the chief audit executive regularly attendsand participates in meetings of the board, audit committee, or other appropriategoverning authority that relate to its oversight responsibilities for auditing,financial reporting, organizational governance, and control. The chief auditexecutive’s attendance and participation at these meetings provide anopportunity to exchange information concerning the plans and activities of theinternal audit activity. The chief audit executive should meet privately with theboard, audit committee, or other appropriate governing authority at leastannually.

6. Independence is enhanced when the board concurs in the appointment orremoval of the chief audit executive.

PA Summary

● The IAA should be supported by senior management and the board to gain thecooperation of clients and work free from interference.

● The CAE should be responsible to an individual with sufficient authority topromote independence and to ensure broad coverage, consideration ofcommunications, and appropriate action on recommendations.

● The CAE should report functionally to the governing authority andadministratively to the CEO.

● The CAE should communicate directly and regularly with the governing authority.Direct communication involves attendance at meetings of the governing authorityrelating to its oversight of auditing, financial reporting, governance, and control.The CAE should meet privately with the governing authority at least annually.

● The board should concur in appointment or removal of the CAE.




b. PRACTICE ADVISORY 1110-2: CHIEF AUDIT EXECUTIVE (CAE) REPORTINGLINES

1. The IIA’s International Standards for the Professional Practice of InternalAuditing (Standards) require that the chief audit executive (CAE) report to alevel within the organization that allows the internal audit activity to fulfill itsresponsibilities. The Institute believes strongly that to achieve necessaryindependence, the CAE should report functionally to the audit committee or itsequivalent. For administrative purposes, in most circumstances, the CAEshould report directly to the chief executive officer of the organization. Thefollowing descriptions of what The IIA considers “functional reporting” and“administrative reporting” are provided to help focus the discussion in thispractice advisory.

● Functional Reporting – The functional reporting line for the internal auditfunction is the ultimate source of its independence and authority. Assuch, The IIA recommends that the CAE report functionally to the auditcommittee, board of directors, or other appropriate governing authority. Inthis context, report functionally means that the governing authority should

■ approve the overall charter of the internal audit function.■ approve the internal audit risk assessment and related audit plan.■ receive communications from the CAE on the results of the internal

audit activities or other matters that the CAE determines arenecessary, including private meetings with the CAE withoutmanagement present.

■ approve all decisions regarding the appointment or removal of theCAE.

■ approve the annual compensation and salary adjustment of theCAE.

■ make appropriate inquiries of management and the CAE todetermine whether there are scope or budgetary limitations thatimpede the ability of the internal audit function to execute itsresponsibilities.

● Administrative Reporting – Administrative reporting is the reportingrelationship within the organization’s management structure thatfacilitates the day-to-day operations of the internal audit function.Administrative reporting typically includes:

■ budgeting and management accounting.■ human resource administration including personnel evaluations and

compensation.■ internal communications and information flows.■ administration of the organization’s internal policies and procedures.

2. This advisory focuses on considerations in establishing or evaluating CAEreporting lines. Appropriate reporting lines are critical to achieve theindependence, objectivity, and organizational stature for an internal auditfunction necessary to effectively fulfill its obligations. CAE reporting lines arealso critical to ensuring the appropriate flow of information and access to keyexecutives and managers that are the foundations of risk assessment andreporting of results of audit activities. Conversely, any reporting relationship thatimpedes the independence and effective operations of the internal audit functionshould be viewed by the CAE as a serious scope limitation, which should bebrought to the attention of the audit committee or its equivalent.




3. This advisory also recognizes that CAE reporting lines are affected by thenature of the organization (public or private as well as relative size); commonpractices of each country; growing complexity of organizations (joint ventures,multinational corporations with subsidiaries); and the trend towards internalaudit groups providing value-added services with increased collaboration onpriorities and scope with their clients. Accordingly, while The IIA believes thatthere is an ideal reporting structure with functional reporting to the AuditCommittee and administrative reporting to the CEO, other relationships canbe effective if there are clear distinctions between the functional andadministrative reporting lines and appropriate activities are in each line toensure that the independence and scope of activities is maintained. Internalauditors are expected to use professional judgment to determine the extent towhich the guidance provided in this advisory should be applied in each givensituation.

4. The Standards stress the importance of the chief audit executive reporting toan individual with sufficient authority to promote independence and to ensurebroad audit coverage. The Standards are purposely somewhat generic aboutreporting relationships, however, because they are designed to be applicable atall organizations regardless of size or any other factors. Factors that make “onesize fits all” unattainable include organization size and type of organization(private, governmental, corporate). Accordingly, the CAE should consider thefollowing attributes in evaluating the appropriateness of the administrativereporting line.

● Does the individual have sufficient authority and stature to ensure theeffectiveness of the function?

● Does the individual have an appropriate control and governance mindsetto assist the CAE in their role?

● Does the individual have the time and interest to actively support the CAEon audit issues?

● Does the individual understand the functional reporting relationship andsupport it?

5. The individual responsible for the administrative reporting line also may beresponsible for other activities in the organization that are subject to internalaudit. For example, some CAEs report administratively to the Chief FinancialOfficer, who is also responsible for the organization’s accounting functions. Insuch a case, the CAE should ensure that independence is maintained.Moreover, the internal audit function should be free to audit and report on anyactivity, assuming that engagement provides coverage the CAE deems to beappropriate for the audit plan. This principle applies even when the activityreports to the same administrator as the internal audit function. Any limitationin scope or reporting of results of these activities should be brought to theattention of the audit committee.

6. Under the recent move to a stricter legislative and regulatory climateregarding financial reporting around the globe, the CAE’s reporting lines shouldbe appropriate to enable the internal audit activity to meet any increased needsof the audit committee or other significant stakeholders. Increasingly, theCAE is being asked to take a more significant role in the organization’s govern-ance and risk management activities. The reporting lines of the CAE shouldfacilitate the ability of the internal audit activity to meet these expectations.




7. Regardless of which reporting relationship the organization chooses, severalkey actions can help assure that the reporting lines support and enable theeffectiveness and independence of the internal auditing activity.

● Functional Reporting:

■ The functional reporting line should go directly to the AuditCommittee or its equivalent to ensure the appropriate level ofindependence and communication.

■ The CAE should meet privately with the audit committee or itsequivalent, without management present, to reinforce theindependence and nature of this reporting relationship.

■ The audit committee should have the final authority to review andapprove the annual audit plan and all major changes to the plan.

■ At all times, the CAE should have open and direct access to thechair of the audit committee and its members; or the chair of theboard or full board if appropriate.

■ At least once a year, the audit committee should review theperformance of the CAE and approve the annual compensation andsalary adjustment.

■ The charter for the internal audit function should clearly articulateboth the functional and administrative reporting lines for the functionas well as the principle activities directed up each line.

● Administrative Reporting:

■ The administrative reporting line of the CAE should be to the CEOor another executive with sufficient authority to afford the internalaudit function appropriate support to accomplish its day-to-dayactivities. This support should include positioning the function andthe CAE in the organization’s structure in a manner that affordsappropriate stature for the function within the organization.Reporting too low in an organization can negatively impact thestature and effectiveness of the internal audit function.

■ The administrative reporting line should not have ultimateauthority over the scope or reporting of results of the internal auditactivity.

■ The administrative reporting line should facilitate open and directcommunications with executive and line management. The CAEshould be able to communicate directly with any level ofmanagement including the CEO.

■ The administrative reporting line should enable adequatecommunications and information flow so that the CAE and theinternal audit function have an adequate and timely flow ofinformation concerning the activities, plans, and businessinitiatives of the organization.

■ Budgetary controls and considerations imposed by theadministrative reporting line should not impede the ability of theinternal audit function to accomplish its mission.

8. CAEs should also consider their relationships with other control andmonitoring functions (risk management, compliance, security, legal, ethics,environmental, external audit) and facilitate the reporting of material risk andcontrol issues to the audit committee.




PA Summary

● To achieve necessary independence, the CAE should report functionally to theaudit committee or its equivalent. For administrative purposes, the CAE shouldreport directly to the CEO. The functional reporting line is the ultimate source ofthe IAA’s independence and authority. Thus, the governing authority should(1) approve the IAA’s charter and its risk assessment and related audit plan;(2) receive communications on the results of IAA activities or other necessarymatters, including private meetings with the CAE without management;(3) approve decisions about appointing, removing, and compensating the CAE;and (4) inquire of management and the CAE about scope or budgetary limits onthe IAA’s ability to do its job.

● Administrative reporting facilitates daily operations of the IAA. It typicallyconcerns budgeting, management accounting, managing human resources,internal communications, and administration of internal policies and procedures.

● CAE reporting lines are critical to establishing the IAA’s independence, objectivity,status, information flow, and access to key persons. Reporting relationshipsimpairing independence and effective operations are serious scope limitations.

● Reporting lines are affected by the size of the entity, local practices, greatercomplexity of organizations, and the trend toward IAA collaboration with clients.Lines other than the ideal may be effective, given clear distinctions between thefunctional and administrative, with appropriate activities in each line. Internalauditors must use professional judgment about such matters.

● The CAE considers various attributes in evaluating the administrative line,including whether the individual (1) has sufficient authority to ensure theeffectiveness of the IAA, (2) has an appropriate control and governance mindset,(3) actively supports the CAE, and (4) understands and supports the functionalreporting relationship.

● Independence may be threatened if the individual responsible for theadministrative line also is responsible for audited activities. In such a case, theCAE should ensure that independence is maintained. Moreover, the IAA shouldbe free to audit and report on any activity, assuming engagement coverage isappropriate for the audit plan. This principle applies even when the activity reportsto the same administrator. Any limitation on scope or reporting should bereported to the audit committee.

● CAE reporting lines should support the greater regulatory needs of the auditcommittee and other stakeholders and the greater involvement of the CAE ingovernance and risk management.

● Certain key actions regarding functional reporting support the IAA’seffectiveness, for example, (1) audit committee authority to approve the final auditplan and review the CAE’s performance, (2) CAE access to the audit committee orboard, (3) annual audit committee review of CAE performance and approval ofCAE compensation, and (4) stating reporting lines in the IAA charter.

● Administrative reporting should include positioning the IAA and the CAE in theorganization’s structure to afford it appropriate status. The administrativereporting line also should not have ultimate authority over the scope or reportingof results. Moreover, it should facilitate open and direct communications withexecutive and line management and enable adequate and timely flow ofinformation about the organization. Finally, budgetary controls andconsiderations imposed by the administrative reporting line should not impede theability of the IAA to accomplish its mission.

● The CAE considers relationships with other control functions and facilitatesreporting of material issues.




4. 1110.A1 – The internal audit activity should be free from interference in determining thescope of internal auditing, performing work, and communicating results.

a. PRACTICE ADVISORY 1110.A1-1: DISCLOSING REASONS FOR INFORMATIONREQUESTS

1. At times, an internal auditor may be asked by the engagement client or otherparties to explain why a document is relevant to an engagement. Disclosure ornondisclosure during the engagement of the reasons documents are neededshould be determined based on the circumstances. Significant irregularitiesmay dictate a less open environment than would normally be conducive to acooperative engagement. However, that is a judgment that should be made bythe chief audit executive in light of the specific circumstances.

PA Summary

The specific circumstances determine whether the auditor should disclose during theengagement the reasons for a document request. Significant irregularities may dictate aless open environment than would normally be conducive to a cooperative engagement.

2.3 OBJECTIVITY

1. This subunit addresses objectivity, which is covered in one General Attribute Standard, oneSpecific Attribute Standard, and two Practice Advisories.

2. 1100 Independence and Objectivity – The internal audit activity should beindependent, and internal auditors should be objective in performing their work.

a. Practice Advisory 1100-1 (see Subunit 2.2) states that independence is achievedthrough objectivity as well as organizational status.

3. 1120 Individual Objectivity – Internal auditors should have an impartial, unbiasedattitude and avoid conflicts of interest.

a. PRACTICE ADVISORY 1120-1: INDIVIDUAL OBJECTIVITY

1. Objectivity is an independent mental attitude that internal auditors shouldmaintain in performing engagements. Internal auditors are not to subordinatetheir judgment on engagement matters to that of others.

2. Objectivity requires internal auditors to perform engagements in such a mannerthat they have an honest belief in their work product and that no significantquality compromises are made. Internal auditors are not to be placed insituations in which they feel unable to make objective professional judgments.

3. Staff assignments should be made so that potential and actual conflicts ofinterest and bias are avoided. The chief audit executive should periodicallyobtain from the internal auditing staff information concerning potential conflictsof interest and bias. Staff assignments of internal auditors should be rotatedperiodically whenever it is practicable to do so.

4. The results of internal auditing work should be reviewed before the relatedengagement communications are released to provide reasonable assurancethat the work was performed objectively.




5. It is unethical for an internal auditor to accept a fee or gift from an employee,client, customer, supplier, or business associate. Accepting a fee or gift maycreate an appearance that the auditor’s objectivity has been impaired. Theappearance that objectivity has been impaired may apply to current and futureengagements conducted by the auditor. The status of engagements should notbe considered as justification for receiving fees or gifts. The receipt ofpromotional items (such as pens, calendars, or samples) that are available tothe general public and have minimal value should not hinder internal auditors’professional judgments. Internal auditors should report the offer of all materialfees or gifts immediately to their supervisors.

PA Summary

● Objectivity is an independent mental attitude. Auditors must not subordinatetheir judgments on engagement matters. They must have an honest belief intheir work product and make no significant quality compromises.

● Staff assignments should be made to avoid conflicts of interest and bias. Staffassignments should be rotated periodically whenever it is practicable.

● Work should be reviewed before release of communications to give reasonableassurance of objective performance.

● Accepting a fee or gift from an employee, client, customer, supplier, or businessassociate is unethical. It may create an appearance that objectivity has beenimpaired in current and future engagements. But the receipt of low-valuepromotional items that are available to the public should not hinder professionaljudgments. Internal auditors should report the offer of all material itemsimmediately.

2.4 INDEPENDENCE AND OBJECTIVITY

1. Most of the materials in this subunit apply to the independence of the internal audit activityand the objectivity of the individual internal auditor. These pronouncements consist of oneSpecific Attribute Standard, two Assurance Implementation Standards, two ConsultingImplementation Standards, and four Practice Advisories.

2. 1130 Impairments to Independence or Objectivity – If independence or objectivity isimpaired in fact or appearance, the details of the impairment should be disclosedto appropriate parties. The nature of the disclosure will depend upon theimpairment.

a. PRACTICE ADVISORY 1130-1: IMPAIRMENTS TO INDEPENDENCE OROBJECTIVITY

1. Internal auditors should report to the chief audit executive any situations inwhich a conflict of interest or bias is present or may reasonably be inferred.The chief audit executive should then reassign such auditors.




2. A scope limitation is a restriction placed upon the internal audit activity thatprecludes the audit activity from accomplishing its objectives and plans. Amongother things, a scope limitation may restrict the:

● Scope defined in the charter.● Internal audit activity’s access to records, personnel, and physical

properties relevant to the performance of engagements.● Approved engagement work schedule.● Performance of necessary engagement procedures.● Approved staffing plan and financial budget.

3. A scope limitation along with its potential effect should be communicated,preferably in writing, to the board, audit committee, or other appropriategoverning authority.

4. The chief audit executive should consider whether it is appropriate to inform theboard, audit committee, or other appropriate governing authority regardingscope limitations that were previously communicated to and accepted bythe board, audit committee, or other appropriate governing authority. This maybe necessary, particularly when there have been organization, board, seniormanagement, or other changes.

PA Summary

● Any conflict of interest or bias should be reported. The CAE should thenreassign such auditors.

● A scope limitation on the IAA precludes it from accomplishing its objectives andplans. A scope limitation may restrict the (1) scope defined in the charter;(2) IAA’s access to records, personnel, and physical properties; (3) approvedwork schedule; (4) performance of procedures; and (5) approved staffing planand financial budget. A scope limitation should be reported, preferably in writing,to the governing authority.

● The CAE must consider whether to report scope limitations previously acceptedby the governing authority.

3. 1130.A1 – Internal auditors should refrain from assessing specific operations for which theywere previously responsible. Objectivity is presumed to be impaired if an internal auditorprovides assurance services for an activity for which the internal auditor had responsibilitywithin the previous year.

a. PRACTICE ADVISORY 1130.A1-1: ASSESSING OPERATIONS FOR WHICHINTERNAL AUDITORS WERE PREVIOUSLY RESPONSIBLE

1. Internal auditors should not assume operating responsibilities. If seniormanagement directs internal auditors to perform nonaudit work, it should beunderstood that they are not functioning as internal auditors. Moreover,objectivity is presumed to be impaired when internal auditors perform anassurance review of any activity for which they had authority or responsibilitywithin the past year. This impairment should be considered whencommunicating audit engagement results.




● If internal auditors are directed to perform nonaudit duties that may impairobjectivity, such as preparation of bank reconciliations, the chief auditexecutive should inform senior management and the board that thisactivity is not an assurance audit activity; and, therefore, audit-relatedconclusions should not be drawn.

● In addition, when operating responsibilities are assigned to the internalaudit activity, special attention must be given to ensure objectivity when asubsequent assurance engagement in the related operating area isundertaken. Objectivity is presumed to be impaired when internal auditorsaudit any activity for which they had authority or responsibility within thepast year. These facts should be clearly stated when communicating theresults of an audit engagement relating to an area where an auditor hadoperating responsibilities.

2. At any point that assigned activities involve the assumption of operatingauthority, audit objectivity would be presumed to be impaired with respect to thatactivity.

3. Persons transferred to or temporarily engaged by the internal auditactivity should not be assigned to audit those activities they previouslyperformed until a reasonable period of time (at least one year) has elapsed.Such assignments are presumed to impair objectivity, and additionalconsideration should be exercised when supervising the engagement work andcommunicating engagement results.

4. The internal auditor’s objectivity is not adversely affected when the auditorrecommends standards of control for systems or reviews proceduresbefore they are implemented. The auditor’s objectivity is considered to beimpaired if the auditor designs, installs, drafts procedures for, or operatessuch systems.

5. The occasional performance of nonaudit work by the internal auditor, withfull disclosure in the reporting process, would not necessarily impairindependence. However, it would require careful consideration bymanagement and the internal auditor to avoid adversely affecting the internalauditor’s objectivity.

PA Summary

● Internal auditors should not assume operating responsibilities. If seniormanagement directs internal auditors to perform nonaudit work, they are notfunctioning as internal auditors. Objectivity is impaired when they perform anassurance review of an activity for which they were responsible within the pastyear. This impairment should be considered when communicating auditengagement results.

● Persons transferred to or temporarily engaged by the IAA should not beassigned to audit activities they previously performed until a reasonable period (atleast one year) has elapsed. This circumstance should be considered whensupervising the work and communicating results.

● Internal auditors may recommend control standards or review proceduresbefore they are implemented without impairing objectivity.

● Occasional nonaudit work, with disclosure, does not necessarily impairindependence. But careful consideration is needed to avoid impairingobjectivity.




b. PRACTICE ADVISORY 1130.A1-2: INTERNAL AUDIT RESPONSIBILITY FOROTHER (NON-AUDIT) FUNCTIONS

1. Some internal auditors have been assigned or accepted non-audit dutiesbecause of a variety of business reasons that make sense to management ofthe organization. Internal auditors are more frequently being asked to performroles and responsibilities that may impair independence or objectivity. Giventhe increasing demand on organizations, both public and private, to developmore efficient and effective operations with fewer resources, some internal auditactivities are being directed to assume responsibility for operations that aresubject to periodic internal auditing assessments.

2. When the internal audit activity or individual internal auditor is responsible for, ormanagement is considering assigning, an operation that it might audit, theinternal auditor’s independence and objectivity may be impaired. The internalauditor should consider the following factors in assessing the impact onindependence and objectivity:

● The requirements of The IIA Code of Ethics and International Standardsfor the Professional Practice of Internal Auditing (Standards);

● Expectations of stakeholders that may include the shareholders, board ofdirectors, audit committee, management, legislative bodies, public entities,regulatory bodies, and public interest groups;

● Allowances or restrictions contained in the internal audit activity charter;● Disclosures required by the Standards; and● Subsequent audit coverage of the activities or responsibilities accepted

by the internal auditor.

3. Internal auditors should consider the following factors to determine anappropriate course of action when presented with the opportunity of acceptingresponsibility for a non-audit function:

● The IIA Code of Ethics and Standards require the internal audit activityto be independent and internal auditors to be objective in performing theirwork.

■ If possible, internal auditors should avoid accepting responsibilityfor non-audit functions or duties that are subject to periodicinternal auditing assessments. If this is not possible, then;

■ Impairment to independence and objectivity are required to bedisclosed to appropriate parties, and the nature of the disclosuredepends upon the impairment.

■ Objectivity is presumed to be impaired if an auditor providesassurance services for an activity for which the auditor hadresponsibility within the previous year.

■ If on occasion management directs internal auditors to perform non-audit work, it should be understood that they are not functioningas internal auditors.

● Expectations of stakeholders, including regulatory or legal requirements,should be evaluated and assessed in relation to the potential impairment.




● If the internal audit activity charter contains specific restrictions or limitinglanguage regarding the assignment of non-audit functions to the internalauditor, then these restrictions should be disclosed and discussed withmanagement. If management insists on such an assignment, the auditorshould disclose and discuss this matter with the audit committee orappropriate governing body. If the charter is silent on this matter, theguidance noted in the following points should be considered. All thepoints noted below are subordinated to the language of the charter.

● Assessment – The results of the assessment should be discussed withmanagement, the audit committee, or other appropriate stakeholders. Adetermination should be made regarding a number of issues, some ofwhich affect one another:

■ The significance of the operational function to the organization(in terms of revenue, expenses, reputation, and influence) should beevaluated.

■ The length or duration of the assignment and scope ofresponsibility should be evaluated.

■ Adequacy of separation of duties should be evaluated.■ The potential impairment to objectivity or independence or the

appearance of such impairment should be considered whenreporting audit results.

● Audit of the Function and Disclosure – Given that the internal auditactivity has operational responsibilities and that operation is part of theaudit plan, there are several avenues for the auditor to consider.

■ The audit may be performed by a contracted, third party entity; byexternal auditors; or by the internal audit function. In the firsttwo situations, impairment of objectivity is minimized by the use ofauditors outside of the organization. In the latter case, objectivitywould be impaired.

■ Individual auditors with operational responsibility should notparticipate in the audit of the operation. If possible, auditorsconducting the assessment should be supervised by, and report theresults of the assessment to, those whose independence orobjectivity is not impaired.

■ Disclosure should be made regarding the operationalresponsibilities of the auditor for the function, the significance of theoperation to the organization (in terms of revenue, expenses, orother pertinent information), and the relationship of those whoaudited the function.

■ Disclosure of the internal auditor’s operational responsibilitiesshould be made in the related engagement communication and inthe auditor’s standard communication to the audit committee orother governing body.




PA Summary

● Some IAAs increasingly are being directed to assume responsibility foroperations that are subject to periodic internal auditing assessments.Internal auditors should assess the effect on independence and objectivity oftaking responsibility for an operation subject to audit. The assessment requiresconsideration of the Code of Ethics, the Standards (including disclosures), thecharter, stakeholder expectations, and future audit coverage.

● If possible, internal auditors should avoid accepting responsibility for nonauditduties subject to periodic internal auditing assessments. If this is not possible,disclosure of any impairment to appropriate parties is required.

● Expectations of stakeholders, including regulatory or legal requirements, should beassessed in relation to the impairment.

● If the IAA charter contains specific restrictions on assignment of nonaudit duties,they should be disclosed and discussed with management. If managementinsists on the assignment, the auditor should discuss the matter with the governingbody.

● If the charter is silent about its responsibility for nonaudit functions, theassessment of the effect on independence and objectivity should address the(1) significance of the function, (2) scope of responsibility, (3) separation of duties,and (4) potential impairment.

● If the IAA charter is silent about its responsibility for an audited function, thefollowing are additional considerations: (1) who will perform the audit,(2) exclusion of responsible individuals from the audit, (3) disclosures to be made,and (4) the ways in which disclosures should be communicated.

4. 1130.A2 – Assurance engagements for functions over which the chief audit executive hasresponsibility should be overseen by a party outside the internal audit activity.

5. 1130.C1 – Internal auditors may provide consulting services relating to operations for whichthey had previous responsibilities.

6. 1130.C2 – If internal auditors have potential impairments to independence or objectivityrelating to proposed consulting services, disclosure should be made to the engagementclient prior to accepting the engagement.

a. PRACTICE ADVISORY 1000.C1-2: ADDITIONAL CONSIDERATIONS FORFORMAL CONSULTING ENGAGEMENTS

The following is the portion of this comprehensive Practice Advisory relevant toStandards 1130.C1 and 1130.C2:

Independence and Objectivity in Consulting Engagements

5. Internal auditors are sometimes requested to provide consulting servicesrelating to operations for which they had previous responsibilities or hadconducted assurance services. Prior to offering consulting services, the ChiefAudit Executive should confirm that the board understands and approves theconcept of providing consulting services. Once approved, the internal auditcharter should be amended to include authority and responsibilities forconsulting activities, and the internal audit activity should develop appropriatepolicies and procedures for conducting such engagements.




6. Internal auditors should maintain their objectivity when drawing conclusionsand offering advice to management. If impairments to independence orobjectivity exist prior to commencement of the consulting engagement, orsubsequently develop during the engagement, disclosure should be madeimmediately to management.

7. Independence and objectivity may be impaired if assurance services areprovided within one year after a formal consulting engagement. Steps canbe taken to minimize the effects of impairment by assigning different auditors toperform each of the services, establishing independent management andsupervision, defining separate accountability for the results of the projects, anddisclosing the presumed impairment. Management should be responsible foraccepting and implementing recommendations.

8. Care should be taken, particularly involving consulting engagements that areongoing or continuous in nature, so that internal auditors do not inappropriatelyor unintentionally assume management responsibilities that were notintended in the original objectives and scope of the engagement.

PA Summary

● The board should approve, and the charter should provide authority for, consultingservices relating to operations for which internal auditors had (1) previousresponsibility or (2) performed assurance services. The IAA should have policiesand procedures for these services.

● Objectivity should be maintained, and impairment of objectivity or independenceshould be disclosed. Impairment may occur if an assurance service isperformed within a year. Steps should be taken to minimize the effects ofimpairment, and management should be responsible for implementingrecommendations.

● Internal auditors should not inappropriately assume managementresponsibilities.

2.5 STUDY UNIT 2 SUMMARY

1. The purpose, authority, and responsibility of the internal audit activity should be formallydefined in a charter, consistent with the Standards, and approved by the board.

2. The nature of assurance services provided to the organization should be defined in the auditcharter. If assurances are to be provided to parties outside the organization, the nature ofthese assurances should also be defined in the charter. The nature of consulting servicesalso should be defined in the charter.

3. The Glossary in the Standards defines “consulting services” as follows: “Advisory andrelated client service activities, the nature and scope of which are agreed with the clientand which are intended to add value and improve an organization’s governance, riskmanagement, and control processes without the internal auditor assuming managementresponsibility. Examples include counsel, advice, facilitation, and training.”

4. The internal audit activity should be independent, and internal auditors should be objective inperforming their work.




5. The chief audit executive should report to a level within the organization that allows theinternal audit activity to fulfill its responsibilities.

6. The internal audit activity should be free from interference in determining the scope ofinternal auditing, performing work, and communicating results.

7. Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

8. Internal auditors should refrain from assessing specific operations for which they werepreviously responsible. Objectivity is presumed to be impaired if an internal auditorprovides assurance services for an activity for which the internal auditor had responsibilitywithin the previous year.

9. Assurance engagements for functions over which the chief audit executive has responsibilityshould be overseen by a party outside the internal audit activity.

10. Internal auditors may provide consulting services relating to operations for which they hadprevious responsibilities.

11. If internal auditors have potential impairments to independence or objectivity relating toproposed consulting services, disclosure should be made to the engagement client prior toaccepting the engagement.




2. charter, independence, and objectivity

Documents