Internal Audit Code of Ethics - Principles
Internal auditors are expected to apply and uphold the following principles:
- Integrity The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
- Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
- Competency Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Professional Standards for Internal Audit
The Audit Services Unit of the Clerk & Comptroller's Inspector General Department Internal Auditors will adhere to the generally accepted principles and standards developed for offices of inspector general approved by the Association of Inspectors General (AIG). In addition, our office will conduct audits in conformance with the Institute of Internal Auditor’s (IIA) International Standards for the Professional Practice of Internal Auditing (Red Book).
Internal Audit FAQs
What is an Internal Audit?
”Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal audits performed by the Inspector General (IG) Department and the internal audit activity is designed to provide assurance and give management an independent, objective assessment of department programs, activities, or functions. An audit may evaluate whether:
- Business unit strategic goals and objectives are organizationally aligned, and successfully met;
- Results and objectives are achieved efficiently and effectively;
- Operations comply with laws, policies, procedures, and regulations;
- Financial and operating information is accurate, complete, and reliable;
- Satisfactory internal controls in place to mitigate risk;
- Governance processes are effective and efficient;
- Sufficient internal controls in place to safeguard against fraud, waste, and abuse.
Internal Audits are performed by qualified certified professionals with a general overview and understanding of the organization. Standard 1210 – Proficiency
“Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”2
INDEPENDENCE:The IG Department’s Charter establishes independence of the internal audit activity by a reporting relationship directly to the organization's most senior level; The Lee County Clerk of Circuit Court & Comptroller (LCCC). Specifically, the Chief Internal Audit Officer/Inspector General reports to the LCCC for strategic direction, reinforcement, and accountability. The Charter assures that Internal Auditors have unrestricted access to records and personnel as necessary, and are allowed to employ appropriate examining techniques without impediment. Standard 1110 - Organizational Independence
“The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.”3
OBJECTIVITY:To maintain objectivity, internal auditors have no personal or professional involvement with or allegiance to the area being audited; and should maintain an un-biased and impartial mindset in regard to all engagements.
Independence in fact and appearance and objectivity are two critical components of an effective internal audit activity.
What is the difference between internal audit and external audit?
Internal audit professionals have backgrounds in various academic disciplines, and no single discipline is required.
According to The IIA, an internal audit engagement is:
- A specific internal audit assignment, task, or review activity, such as an internal audit, control self- assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
- Internal auditors are employed by the organization, but are independent of the activities they audit.
- Because independence is imperative to be effective, the internal auditor ideally reports directly to the board.
- Internal auditors must conform with The IIA’s International Standards for the Professional Practice of Internal Auditing.
On the other hand, external auditors are professional accountants.
According to the International Federation of Accountants (IFAC), an external audit engagement is:
- A reasonable assurance engagement in which a professional accountant in public practice expresses an opinion whether financial statements are prepared, in all material respects (or gives a true and fair view or are presented fairly, in all material respects), in accordance with an applicable financial reporting framework, such as an engagement conducted in accordance with International Standards on Auditing. This includes a Statutory Audit, which is an audit required by legislation or other regulation.
- Unlike internal auditors, external auditors are not employees of the organization — they are third parties, and therefore, have no vested interest in the organization.
- Globally, external auditors are guided by the International Auditing and Assurance Standards Board (IAASB) International Standards on Auditing. 4
How long will an internal audit take?
It depends on the scope of an audit. An audit can last for a period from weeks to a year or longer. The assigned auditor(s) provide an estimate of the time they need to complete the audit after the planning phase is finished. Timely responses to audit requests support timely completion of audits.
Will the audit disrupt my department’s everyday activity?
An audit may affect a department's routine to some extent. We always attempt to minimize any interruptions to the normal work schedule to the extent possible.
What will the audit team need from me?
Cooperation and communication are important to perform a successful audit.
May I dispute audit observations and recommendations?
Yes. After the draft report is issued for response, the manager of the program or operational unit has 10 business working days to respond in writing to any observations and recommendations. A response that disagrees should state: “We do not concur” and explain the reason for the disagreement. We strive to reach consensus and to this end, we meet with management and staff during the course of the audit to discuss potential observations and recommendations.
We also hold an exit conference with senior management and may modify the draft report based on information and input provided.
May I request an audit?
We rely on management and staff input to help us identify areas that would benefit from an internal audit. Management may request an audit as part of their annual risk assessment. Some issues may require a formal audit. However, the IG Department also conducts consulting engagements and provides ad hoc advisory/technical assistance services. For example, if you have recently assumed new or additional supervisory responsibilities, an audit or management review can help assess whether internal controls in your area are adequate and operating as intended. An audit or management review can assess the effectiveness of controls when new systems or procedures are implemented. Department managers and staff may contact the Inspector General Department to discuss how we can best serve their business unit’s needs.
May I take corrective action before the audit review is concluded?
We encourage management to take corrective action as soon as possible—even before the audit field work is concluded. This corrective action may be noted in the final audit report. Internal audit Standards require that we monitor and provide periodic reports on the status of management’s action taken in response to internal audit report recommendations.
May I request that an audit be postponed due to other work priorities?
We schedule an entrance conference with management to discuss logistics for conducting the audit prior to beginning field work. The IG Audit Team is respectful of your time and seeks to minimize disruptions to our audit client’s operations. It may be possible to postpone work on a part of the audit or otherwise adjust our audit schedule.
What is internal auditing's role in preventing, detecting, and investigating fraud, waste, and abuse?
Internal auditors support management's efforts to establish a culture that embraces ethics, honesty, and integrity. They assist management with the evaluation of internal controls used to detect or mitigate fraud, evaluate the organization's assessment of fraud risk, and are involved in fraud investigations.
Although it is management's responsibility to design internal controls to prevent, detect, and mitigate fraud, the internal auditors are the appropriate resource for assessing the effectiveness of what management has implemented. Therefore, depending on directives from management, the board, audit committee, or other governing body, internal auditors might play a variety of consulting, assurance, collaborative, advisory, oversight, and investigative roles in an organization's fraud management process.
Competent professional internal auditors are highly proficient in techniques used to evaluate internal controls. That proficiency, coupled with their understanding of the indicators of fraud, enables them to assess an organization's fraud risks and advise management of the necessary steps to take when indicators are present.
1. www.theiia.org Definition of Internal Auditing
2. www.theiia.org International Professional Practices Framework IPPF guide, more commonly known as the Red Book. Standard 1210-Proficiency
3. www.theiia.org: International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book. Standard 1110 - Organizational Independence
4. IIA The Institute of Internal Auditors: Global: Issue 8 - GLOBAL PERSPECTIVES AND INSIGHTS Internal Audit and External Audit Distinctive Roles in Organizational Governance
What to expect from an Internal Audit
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”1
The internal audit process is a collaborative effort between management of the business unit or activity being reviewed and the audit team. Full participation is essential to the success of the project. Open communication is promoted at every phase of the review to ensure management’s continuing involvement in the process. The process is composed of many interrelated phases, each vital to the success of the overall audit. Internal auditing is a catalyst for improving an organization's governance, risk management and internal controls by providing insight and recommendations based on analyses and assessments of data and business processes.
The Inspector General Department’s Internal Audit function conforms to the Institute of Internal Auditor’s (IIA) International Standards for the Professional Practice of Internal Auditing (Red Book) and the Association of Inspectors General (AIG) Principles and Standards for Offices of Inspector General (Green Book).
Internal Auditors must exercise professional, objective, and independent judgment. “Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.”2
Internal Audits are designed to add value to local governments, their citizens, and other stakeholders. The information below provides insight into the steps of an Internal Audit project. We consider our audits to be a collaborative process between the audit client and the audit team. While every audit project is unique, the following phases are common to most:
Intent to Audit Memo/Pre-audit meeting: Announces the commencement of the audit to management and the business unit.
Entrance Meeting: We contact management to schedule an introductory meeting to discuss any concerns they may have, (What keeps you up at night?) their perception of risk associated with the business unit, and any areas or business functions that they would like reviewed. During the meeting, the audit scope and objectives, logistics (facilities, availability of personnel, primary contacts, etc.….), and the projected time frame for the review is discussed.
Department level Risk Surveys: After the introductory meeting, a department level risk assessment may be completed by the primary contact(s) to obtain information that provides a comprehensive overview of the department. Risk Surveys help define the audit scope and the key areas to focus on during the review.
Evaluating Internal Controls: The control assessment involves a series of process related questions which are customized for the operations and functions and are directed to the responsible personnel identified. Members of the audit team may revise the planned audit scope based on the outcome of the control assessment.
Audit Testing: The audit team conducts tests to assess the effectiveness and efficiency of key processes and internal controls.
Planning & Scope: Each audit engagement begins with a research phase during which we collaboratively identify areas of department level/business unit risk, review past audit reports, available information pertaining to the department, and industry related best practices. This phase may only require limited departmental involvement as we have unconstrained access to independently gather information.
Fieldwork: During this phase, the audit team performs detailed reviews of identified risk areas, department processes, and procedures. This may include interviewing key personnel, personnel outside of the business area, reviewing policy and procedures, financial and budgeting activity, administrative and business procedures, critical departmental functions, information technology, rules, laws, and regulations, and other activities specific to each department. We keep management informed of our progress and discuss observations and concerns with them as they are identified.
Final Fieldwork discussion: Meet with management to discuss observations and recommendations. There should be no surprises at the end of an audit. The audit teams keeps management informed throughout the audit and lets them know of any potential observations or recommendations. If there is any information that may clarify a potential audit observation, please let the auditor know this during the audit – do not wait until the final exit meeting.
Draft Report: After fieldwork and testing is complete, and observations and recommendations have been reviewed with the audit client, a draft report is prepared. The draft report observations are provided to management for review during the final fieldwork meeting.
Exit Meeting: The draft report is updated to reflect feedback provided after reviewing the report. The exit meeting provides an opportunity to discuss and gain consensus on the wording of observations and recommendations in the draft report, and to agree on achievable management action plans and reasonable completion dates.
Management Response: Responses are to include action plans (as applicable) to improve processes or mitigate identified risks, the parties responsible for carrying out the action plan, and the anticipated date of action plan completion.
Report Publication & Distribution: The final report is delivered to the audit client, senior management, other interested parties, and is published on LeeClerk.org.
Follow-Up: For audit reports that contain observations that recommend corrective actions, management formulates action plans. Agreed upon recommendations are expected to be implemented by the agreed-upon completion date. Management is notified that the follow up report is approaching its due date, and we request that they provide us with updates and information to demonstrate completion. We review the information provided and determine whether the observation is resolved. If the management action plan has been appropriately implemented, we document that it is complete. If it requires additional measures for completion, we work with management to take the necessary steps or obtain the appropriate documentation to resolve the observation. We are required to report on complete and incomplete management action plans. It is the responsibility of department management to ensure internal controls are implemented and are effective in mitigating risks affecting operations.
1. www.theiia.org: Definition of Internal Auditing.
2. Internal Standards for the Professional Practice of Internal Auditing (Standards), #1220 - Due Professional Care
Professional Standards for Investigation
The Public Integrity Unit of the Clerk & Comptroller's Inspector General Department Investigator’s will adhere to the generally accepted principles and standards developed for offices of inspector general approved by the Association of Inspectors General (AIG). In addition, our office will conduct investigations in accordance with the Association of Inspectors General (AIG) Principles and Standards for Offices of Inspector General (Green Book) and The Florida Inspectors General Standards Manual by the Commission for Florida Law Enforcement Accreditation, Inc. (CFA).