The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.
Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization's goals and objectives will be achieved efficiently and economically.
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
In a database, fields relating to entities.
An examination of individual's or organization's activities, typically by an independent party.
An audit program is a checklist of the audit procedures that must be followed by an auditor in order to complete an audit.
The risk that information maybe materially incorrect, even though the audit opinion states that the financial reports are free of any material misstatements.
A person or organization that is audited.
An auditor is a person authorized to review and verify the accuracy of financial records and ensure that companies comply with tax laws.
The highest level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable. Although governance arrangements vary among jurisdictions and sectors, typically the board includes members who are not part of management. If a board does not exist, the word “board” in the Standards refers to a group or person charged with governance of the organization. Furthermore, “board” in the Standards may refer to a committee or another body to which the governing body has delegated certain functions (e.g., an audit committee).
The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.
Chief Audit Executive
Chief Audit Executive (CAE) describes the role of a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the mandatory elements of the International Professional Practices Framework. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title and/or responsibilities of the chief audit executive may vary across organizations.
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.
Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
Computer Aided Audit Technology (CAATs)
CAATs is the practice of using computers to automate the IT audit processes.
Conflict of Interest
Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the university’s governance, risk management, and control processes without the Internal Auditor assuming management responsibility. Examples include counsel, advice, facilitation, training and aggregating information on best practices.
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
Risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control. Control risk is a function of the effectiveness of the design and operation of internal control.
Core Principles for the Professional Practice of Internal Auditing
The Core Principles for the Professional Practice of Internal Auditing are the foundation for the International Professional Practices Framework and support internal audit effectiveness.
Due Professional Care
Calls for the application of the care and skill expected of a reasonably prudent and competent auditor in similar circumstances. Due professional care is exercised when audits are carried out in accordance with standards set for the profession.
A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
Broad statements developed by internal auditors that define intended engagement accomplishments.
The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan
An inventory of the political, economic, social, and technological forces that influence the mission and goals of an organization, and how it functions.
External Service Provider
A person or firm outside of the organization that has special knowledge, skill, and experience in a particular discipline.
The evaluation phase of the audit is referred to as fieldwork. This phase includes assessing the adequacy of internal controls and compliance, testing of transactions, records, and resources, and performing other procedures necessary to accomplish the objectives of the audit.
The results of the audit.
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).
The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
Information Technology Controls
Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
Information Technology Governance
Consists of the leadership, organizational structures, and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.
is the risk to the university in the absence of any actions management might take to alter the risk's likelihood or impact.
An independent, objective assurance and consulting activity designed to add value and improve an organization's operations; brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit Activity
A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.
Internal Audit Charter
An internal audit charter is a formal document that defines internal audit's purpose, authority, responsibility and position within an organization.
Internal Audit Function
The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.
Control activities designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting an compliance, including policies that establish what should and should not be done and procedures that are the actions to implement the policies. Control activities either deter undesirable acts or prevent errors from occurring (preventative) or find undesirable acts or errors after they've occurred and provide evidence as to whether the preventative controls are effective (detective). Internal controls can be automated by software or manually performed.
International Professional Practices Framework (IPPF)
The conceptual framework that organizes the authoritative guidance promulgated by The IIA. Authoritative guidance is composed of two categories – (1) mandatory and (2) recommended.
Consists of the leadership, organizational structures, and processes that ensure that the enterprise's information technology supports the organization's strategies and objectives.
Management assertions are claims made by members of management regarding certain aspects of a business.
a formal mechanism that helps ensure that evaluations are used, contributing to organizational effectiveness, learning and accountability.
a process that assesses a participant’s exposure to potentially harmful situations and develops a plan to prevent such exposure and to address it quickly if it occurs.
The Standards use the word “must” to specify an unconditional requirement.
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.
The rating, conclusion, and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.
An attitude that includes a questioning mind and a critical assessment of evidence.
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
The amount of risk, on a broad level, that an organization is willing to accept in pursuit of value; it reflects the enterprise's risk management philosophy and in turn influences the university's culture and operating style. The first expression of risk appetite is the university's mission and vision.
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
The Standards use the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation.
The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.
A professional pronouncement promulgated by the International Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities and for evaluating internal audit performance.
Technology-based Audit Techniques
Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).