
International Standards for the Professional Practice of Internal Auditing


Purpose of the Standards

• Delineate basic principles that represent the
practice of internal auditing.
• Provide a framework for performing and
promoting a broad range of value-added internal
auditing.
• Establish the basis for the evaluation of internal
audit performance.
• Foster improved organizational processes and
operations.
Structure of the Standards
• Attribute Standards address the attributes of
organizations and individuals performing internal
auditing.
• Performance Standards describe the nature of
internal auditing and provide quality criteria against
which the performance of these services can be
measured.
• Implementation Standards are also provided to
expand upon the Attribute and Performance
standards, by providing the requirements applicable
to assurance (A) or consulting (C) activities.
Attribute Standards

• 1000 - Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of
the internal audit activity must be formally
defined in an internal audit charter, consistent
with the Definition of Internal Auditing, the
Code of Ethics, and the Standards. The chief
audit executive must periodically review the
internal audit charter and present it to senior
management and the board for approval.
Attribute Standards
• 1010 - Recognition of the Definition of Internal
Auditing, the Code of Ethics, and the
Standards in the Internal Audit Charter
The mandatory nature of the Definition of
Internal Auditing, the Code of Ethics, and the
Standards must be recognized in the internal
audit charter. The chief audit executive should
discuss the Definition of Internal Auditing, the
Code of Ethics, and the Standards with senior
management and the board. 
Attribute Standards
• 1100 - Independence and Objectivity
The internal audit activity must be
independent, and internal auditors must be
objective in performing their work.
Attribute Standards
• 1110 - Organizational Independence
The chief audit executive must report to a
level within the organization that allows the
internal audit activity to fulfill its
responsibilities. The chief audit executive must
confirm to the board, at least annually, the
organizational independence of the internal
audit activity.
Attribute Standards
• 1111 - Direct Interaction with the Board
The chief audit executive must communicate
and interact directly with the board.
Attribute Standards
• 1120 - Individual Objectivity
Internal auditors must have an impartial,
unbiased attitude and avoid any conflict of
interest.
Attribute Standards
• 1130 - Impairment to Independence or Objectivity
If independence or objectivity is impaired in
fact or appearance, the details of the
impairment must be disclosed to appropriate
parties. The nature of the disclosure will
depend upon the impairment.
Attribute Standards
• 1200 - Proficiency and Due Professional Care
Engagements must be performed with
proficiency and due professional care.
Attribute Standards
• 1210 - Proficiency
Internal auditors must possess the knowledge,
skills, and other competencies needed to
perform their individual responsibilities. The
internal audit activity collectively must
possess or obtain the knowledge, skills, and
other competencies needed to perform its
responsibilities. 
Attribute Standards
• 1220 - Due Professional Care
Internal auditors must apply the care and skill
expected of a reasonably prudent and
competent internal auditor. Due professional
care does not imply infallibility. 
Attribute Standards
• 1230 - Continuing Professional Development
Internal auditors must enhance their
knowledge, skills, and other competencies
through continuing professional
development. 
Attribute Standards
• 1300 - Quality Assurance and Improvement Program
The chief audit executive must develop and
maintain a quality assurance and
improvement program that covers all aspects
of the internal audit activity.
Attribute Standards
• 1310 - Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement
program must include both internal and
external assessments.
Attribute Standards
• 1311 - Internal Assessments
Internal assessments must include:
• Ongoing monitoring of the performance of the
internal audit activity; and
• Periodic reviews performed through self-assessment
or by other persons within the organization with
sufficient knowledge of internal audit practices.
Attribute Standards
• 1312 - External Assessments
External assessments must be conducted at
least once every five years by a qualified,
independent reviewer or review team from
outside the organization.
Attribute Standards
• 1320 - Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate
the results of the quality assurance and
improvement program to senior management
and the board. 
Attribute Standards
• 1321 - Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
The chief audit executive may state that the
internal audit activity conforms with the
International Standards for the Professional
Practice of Internal Auditing only if the results
of the quality assurance and improvement
program support this statement.  
Attribute Standards
• 1322 - Disclosure of Nonconformance
When nonconformance with the Definition of
Internal Auditing, the Code of Ethics, or the
Standards impacts the overall scope or
operation of the internal audit activity, the
chief audit executive must disclose the
nonconformance and the impact to senior
management and the board.
Performance Standards
• 2000 - Managing the Internal Audit Activity
The chief audit executive must effectively
manage the internal audit activity to ensure it
adds value to the organization. 
• The internal audit activity is effectively managed when:
• The results of the internal audit activity’s work achieve the
purpose and responsibility included in the internal audit
charter;
• The internal audit activity conforms with the Definition of
Internal Auditing and the Standards; and
• The individuals who are part of the internal audit
activity demonstrate conformance with the Code of Ethics
and the Standards.
• The internal audit activity adds value to the organization
(and its stakeholders) when it provides objective and
relevant assurance, and contributes to the effectiveness
and efficiency of governance, risk management, and
control processes.
Performance Standards
• 2010 - Planning
The chief audit executive must establish risk-
based plans to determine the priorities of the
internal audit activity, consistent with the
organization's goals. 
Performance Standards
• 2020 - Communication and Approval
The chief audit executive must communicate
the internal audit activity's plans and resource
requirements, including significant interim
changes, to senior management and the board
for review and approval. The chief audit
executive must also communicate the impact
of resource limitations.
Performance Standards
• 2030 - Resource Management
The chief audit executive must ensure that
internal audit resources are appropriate,
sufficient, and effectively deployed to achieve
the approved plan.
Performance Standards
• 2040 - Policies and Procedures
The chief audit executive must establish
policies and procedures to guide the internal
audit activity.
Performance Standards
• 2050 - Coordination
The chief audit executive should share
information and coordinate activities with
other internal and external providers of
assurance and consulting services to ensure
proper coverage and minimize duplication of
efforts.
Performance Standards
• 2060 - Reporting to Senior Management and the Board
The chief audit executive must report periodically to
senior management and the board on the internal
audit activity's purpose, authority, responsibility,
and performance relative to its plan. Reporting must
also include significant risk exposures and control
issues, including fraud risks, governance issues, and
other matters needed or requested by senior
management and the board.
Performance Standards
• 2070 - External Service Provider and
Organizational Responsibility for Internal
Auditing
When an external service provider serves as
the internal audit activity, the provider must
make the organization aware that the
organization has the responsibility for
maintaining an effective internal audit activity.
Performance Standards
• 2100 - Nature of Work
The internal audit activity must evaluate and
contribute to the improvement of governance,
risk management, and control processes using
a systematic and disciplined approach.
Performance Standards

• 2110 - Governance
The internal audit activity must assess and
make appropriate recommendations for improving the
governance process in its accomplishment of the following
objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and
accountability;
• Communicating risk and control information to appropriate areas
of the organization; and
• Coordinating the activities of and communicating information
among the board, external and internal auditors, and
management. 
Performance Standards
• 2120 - Risk Management
The internal audit
activity must evaluate the effectiveness and
contribute to the improvement of risk
management processes.
Performance Standards
• 2130 - Control
The internal audit activity must
assist the organization in maintaining effective
controls by evaluating their effectiveness and
efficiency and by promoting continuous
improvement. 
Performance Standards
• 2200 - Engagement Planning
Internal auditors must develop and document
a plan for each engagement, including the
engagement's objectives, scope, timing, and
resource allocations. 
Performance Standards
• 2201 - Planning Considerations
In planning the engagement,
internal auditors must consider:
• The objectives of the activity being reviewed and the means by
which the activity controls its performance;
• The significant risks to the activity, its objectives, resources, and
operations and the means by which the potential impact of risk
is kept to an acceptable level;
• The adequacy and effectiveness of the activity's risk
management and control processes compared to a relevant
control framework or model; and
• The opportunities for making significant improvements to the
activity's risk management and control processes. 
Performance Standards
• 2210 - Engagement Objectives
Objectives
must be established for each engagement. 
Performance Standards
• 2220 - Engagement Scope
The established scope must be sufficient to
satisfy the objectives of the engagement. 
• The scope of the engagement must include
consideration of relevant systems, records,
personnel, and physical properties, including
those under the control of third parties. 
Performance Standards
• 2230 - Engagement Resource Allocation
Internal auditors must determine appropriate
and sufficient resources to achieve
engagement objectives based on an
evaluation of the nature and complexity of
each engagement, time constraints, and
available resources. 
Performance Standards
• 2240 - Engagement Work Program
Internal
auditors must develop and document work
programs that achieve the engagement
objectives. 
Performance Standards
• 2300 - Performing the Engagement
Internal
auditors must identify, analyze, evaluate, and
document sufficient information to achieve
the engagement's objectives. 
Performance Standards
• 2310 - Identifying Information
Internal auditors must identify sufficient,
reliable, relevant, and useful information to
achieve the engagement's objectives.
Performance Standards
• 2320 - Analysis and Evaluation
Internal
auditors must base conclusions and
engagement results on appropriate analyses
and evaluations. 
Performance Standards
• 2330 - Documenting Information
Internal
auditors must document relevant information
to support the conclusions and engagement
results. 
Performance Standards
• 2340 - Engagement Supervision
Engagements must be properly supervised to
ensure objectives are achieved, quality is
assured, and staff is developed. 
Performance Standards
• 2400 - Communicating Results
Internal
auditors must communicate the results of
engagements. 
Performance Standards
• 2410 - Criteria for Communicating
Communications must include the
engagement's objectives and scope as well as
applicable conclusions, recommendations, and
action plans. 
Performance Standards
• 2420 - Quality of Communications
Communications must be accurate, objective,
clear, concise, constructive, complete, and
timely. 
Performance Standards
• 2421 - Errors and Omissions
If a final communication contains a significant
error or omission, the chief audit executive
must communicate corrected information to
all parties who received the original
communication. 
Performance Standards
• 2430 - Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"
Internal auditors may report that their
engagements are "conducted in conformance
with the International Standards for the
Professional Practice of Internal Auditing", only
if the results of the quality assurance and
improvement program support the statement. 
Performance Standards
• 2431 - Engagement Disclosure of Nonconformance
When nonconformance with the Definition of Internal
Auditing, the Code of Ethics or the Standards impacts a
specific engagement, communication of the results must
disclose the:
• Principle or rule of conduct of the Code of Ethics or
Standard(s) with which full conformance was not achieved;
• Reason(s) for nonconformance; and
• Impact of nonconformance on the engagement and the
communicated engagement results. 
Performance Standards
• 2440 - Disseminating Results
The chief audit executive must communicate
results to the appropriate parties. 
Performance Standards
• 2450 - Overall Opinions
When an overall opinion is issued, it must take
into account the expectations of senior
management, the board, and other
stakeholders and must be supported by
sufficient, reliable, relevant, and useful
information. 
Performance Standards
• 2500 - Monitoring Progress
The chief audit
executive must establish and maintain a
system to monitor the disposition of results
communicated to management. 
• Establish a follow-up process to monitor and
ensure that management actions have been
effectively implemented or that senior
management has accepted the risk of not
taking action. 
Performance Standards
• 2600 - Resolution of Senior Management's Acceptance of Risks
When the chief audit executive believes that
senior management has accepted a level of
residual risk that may be unacceptable to the
organization, the chief audit executive must
discuss the matter with senior management. If
the decision regarding residual risk is not
resolved, the chief audit executive must report
the matter to the board for resolution.