Internal Auditing: Fundamental Principles and Best Practices (Portfolio 5406)

Bloomberg Tax Portfolio 5406-2nd, Internal Auditing: Fundamental Principles and Best Practices, analyzes the development of internal auditing, the importance and visibility of which have expanded as a result of the increased emphasis on corporate governance since enactment of the Sarbanes-Oxley Act of 2002.

To access this Portfolio, take a free trial to the Bloomberg Tax Financial Accounting Resource Center.

Bloomberg Financial Accounting

This Portfolio is available with a subscription to Bloomberg Financial Accounting, a comprehensive accounting research solution including more than 70 Accounting Portfolios, practice tools, primary sources and timely news.


Bloomberg Tax Portfolio 5406-2nd, Internal Auditing: Fundamental Principles and Best Practices, analyzes the development of internal auditing, the importance and visibility of which have expanded as a result of the increased emphasis on corporate governance since enactment of the Sarbanes-Oxley Act of 2002. The work also describes best practices useful in accomplishing internal auditing's expanded mission.

This Portfolio is organized as follows. Section I describes its purpose and scope. Section II surveys the practice of internal auditing. Section III relates the historical development of internal auditing practices, from the earliest traditional views, through ‘modern’ perceptions, to the contemporary consideration of internal auditing as a part of governance. Section III also traces the historical development of internal auditing guidance, primarily the pronouncements of The Institute of Internal Auditors (IIA).

Section IV describes outside influences that have affected the development and practice of internal auditing. These influences include rules of stock exchanges, the U.S. Sentencing Guidelines and recommendations of prominent groups. Section V discusses the various provisions of the Sarbanes-Oxley Act of 2002 and implementing regulations pertinent to internal auditing.

The critically important relationship of internal auditing to the audit committee and board of directors is described in Section VI. This section describes ongoing communications that a company's Chief Audit Executive (CAE) should have with the audit committee. The section also explains the CAE's responsibility to develop an appropriate annual internal auditing work plan for approval by the senior management and the audit committee as a condition precedent to the audit committee supporting allocation of adequate resources. Section VII identifies the most important attributes and key best practices that distinguish a first class internal audit activity. These distinguishing characteristics relate to the charter of the activity and various hallmarks including independence of both the activity and the individual auditor. The section continues by detailing how the activity performs its mission; subjects include planning and scheduling audits for best results, staffing the activity (including cosourcing and outsourcing), and managing internal audits. Sections VIII, IX, X, and XI explore in greater depth four subjects of importance to internal auditing: Risk Management, Governance, Internal Control, and Fraud.

This Portfolio may be cited as APP 5406, Internal Auditing: Fundamental Principles and Best Practices.


Curtis C. Verschoor, CIA, CPA, Ed.D.

Curtis C. Verschoor, CIA, CPA, CFE, CMA, Ed.D. in Business, Northern Illinois University; M.B.A. and B.B.A., University of Michigan at Ann Arbor. Dr. Verschoor is a former Corporate Controller of both the Colgate-Palmolive Company and Baxter International, the former CFO of a diversified public corporation, and former Chief Internal Audit Executive of The Singer Company. He was also the National Director of Education at Touche Ross & Co., predecessor of Deloitte. Dr. Verschoor consults, authors, speaks, and serves as an expert witness on auditing subjects. He serves on the board of directors of nonprofit organizations and is a contributing editor for several academic and practitioner journals. Dr. Verschoor is the Ledger & Quill Research Professor in the School of Accountancy and Management Information Systems and Wicklander Research Fellow in the Institute for Business and Professional Ethics at DePaul University; a Research Scholar in the Center for Business Ethics at Bentley College; a Fellow of the Corporate Governance Center at Kennesaw State University, and an Honorary Visiting Professor in the Centre for Research in Corporate Governance at the Sir John Cass Business School. He serves several professional organizations including membership on the Professional Conferences Committee of the Institute of Internal Auditors (IIA) and on the Ethics Committee of the Institute of Management Accountants. Dr. Verschoor's books include: Audit Committee Essentials (John Wiley & Sons, Inc. 2008) and numerous articles for the IIARF.

Mortimer A. Dittenhofer, CIA, Ph.D.

Mortimer A. Dittenhofer, CIA, CGFM, Ph.D., Business Administration, American University; M.B.A., Northwestern University; B.S., Accounting, Macalester College. Dr. Dittenhofer practiced internal auditing at Sears Roebuck and Company and in the federal government at the Atomic Energy Commission and is the former executive director of the Association of Government Accountants. At the U.S. Government Accounting Office, he chaired the work group that developed the first edition of the Government Auditing Standards, also known as the “Yellow Book.” Dr. Dittenhofer formerly served as the Director of Master of Accounting Program in Internal Auditing at Florida International University, where he is Emeritus Professor of Accounting. He has authored or coauthored numerous articles, books and textbooks on auditing, including Sawyer's Internal Auditing, (5th ed., IIARF 2004).

Table of Contents

Portfolio Description



Detailed Analysis

I. Purpose and Scope of Portfolio

A. Purpose of Portfolio

B. Scope of Portfolio

1. Organization

2. Limitations on Scope

II. The Practice of Internal Auditing

Introductory Material

A. Definitions of Internal Auditing

1. Overall Definitions

2. Components of Current Definition

B. Major Categories of Services

1. Distinguishing Characteristics

2. Assurance Services

3. Consulting Services

C. Major Characteristics of Internal Auditing

1. Elements of Professionalism

2. Variations Among Internal Auditing Functions

3. Staffing of an Internal Audit Activity

a. Establish a Dedicated In-house Internal Audit Team

b. Maintain Dedicated In-house Internal Audit Team Augmented by Rotational Staffing

c. Maintain Dedicated In-house Internal Audit Team Augmented by Cosourcing

d. Outsource Internal Audit Activity to an External Provider

4. Characteristics of the Chief Audit Executive (CAE)

5. Practice Objectives of Internal Auditing

D. Internal Auditing Compared With External Auditing

1. Major Focus and Approach

2. Regulatory Influences

3. Independence

4. Objectivity

5. Work Products - Reports

6. Responsibilities to Detect Fraud

7. Techniques Used by External and Internal Auditors

E. Participation of Internal Auditing in an Integrated Audit

1. External Auditor Responsibilities Concerning Reliance on Internal Auditors

a. Gaining an Understanding of the Internal Audit Function

b. Assessing Competence and Objectivity

c. External Auditor Responsibility Notwithstanding Reliance on Internal Auditing

2. Application of General Principles to Audits of Internal Controls Over Financial Reporting

a. In General

b. Implications

3. Using Internal Auditing in the Performance of a Walkthrough

F. Specialized Internal Auditors

G. Trends Shaping the Future of Internal Auditing

III. Development of Internal Auditing Practices and Guidance

Introductory Material

A. Development of Practices

1. "Traditional" vs. "Modern" Practices

a. "Traditional" Internal Auditing: Prior to the Early 1970s

b. "Modern" Internal Auditing: Circa Mid-1970s

2. Internal Auditing Extended Beyond Serving Management

3. Internal Auditing as a Part of Governance

B. Role of The Institute of Internal Auditors Inc. (IIA)

1. History and Organization of the IIA

2. Functions Performed by the IIA

a. Professional Practices Framework

b. Ethics and Discipline

c. Other Professional Services

d. Certified Internal Auditor Program

C. IIA Codes of Ethics

1. Original Code of Ethics (1968)

2. Code of Ethics (Revised 1988)

3. Code of Ethics (2000)

a. Principles

b. Rules of Conduct

D. Statements of Responsibilities

1. Responsibility Statement (1947)

2. Responsibility Statement (Revised 1957)

3. Responsibility Statement (Revised 1971)

4. Responsibility Statement (Revised 1981)

5. Responsibility Statement (Revised 1990)

E. IIA Professional Standards

1. Professional Standards for the Practice of Internal Auditing (1978)

a. General Standards

b. Specific Standards

c. Guidelines

2. Revisions of Professional Standards and Guidelines (1983-1997)

3. Codifications of Professional Standards (1989, 1993, 1995, 1998)

F. IIA Professional Practices Framework (2001)

G. IIA International Professional Practices Framework (2009)

1. IIA Professional Standards

a. Attribute Standards

b. Performance Standards

c. Implementation Standards

2. Practice Advisories

3. Position Papers and Practice Guides

H. Educational Materials

IV. Outside Influences Affecting Internal Auditing

Introductory Material

A. New York Stock Exchange Requirement for an Internal Audit Activity

1. Substantive Rule

2. Enforcement Mechanism

B. Legislation Concerning Evaluation of Internal or Disclosure Controls

1. The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) and the Banking Industry

2. Foreign Corrupt Practices Act of 1977

C. Support in Compliance With Governance Processes

1. Ethics and the U.S. Sentencing Guidelines

2. Initiatives from Caremark Derivative Litigation

3. Industry Specific Initiatives

a. Agricultural Industry

b. Defense Industry

c. Health Care Industry

D. Recommendations of Prominent Groups on Internal Auditing

1. Report of the Conference Board Commission on Public Trust and Private Enterprise

2. Report of the National Commission on Fraudulent Financial Reporting (Treadway Commission)

3. Conclusions

V. Influences of the Sarbanes-Oxley Act

Introductory Material

A. Relevant Provisions of the Act

B. Certification of Financial Reports and Related Disclosure Controls

1. Disclosure of Corporate Responsibility for Financial Reports

2. Internal Auditing's Role in Management's Certification

a. Assist Management in Certification of Disclosures

i. Disclosure Committee

ii. Possible Independence Issues

b. Recommend Improvements in Quarterly Reporting

C. Management Report on Internal Controls Over Financial Reporting

1. Sarbanes-Oxley § 404(a), Management's Assessment of Internal Controls

2. SEC Implementing Rules

3. Internal Auditing's Role in an Entity's Compliance With § 404

D. External Auditor Attestation of Management's Assessment Concerning Internal Controls

E. Disclosure of Code of Ethics Including Compliance Provisions

1. Sarbanes-Oxley § 406, Code of Ethics for Senior Financial Officers

2. Stock Exchange Requirements Relating to Code of Conduct


b. National Association of Securities Dealers Automated Quotations (NASDAQ)

3. Internal Auditing's Role in Complying With § 406 and the Stock Exchange Requirements

F. Confidential Anonymous Reporting by Employees

1. Mandated Protection of Whistle-blowers

2. Internal Auditing's Role in Establishing and Monitoring the Whistle-blowing Process

G. Audit Committee Financial Expert

1. Sarbanes-Oxley § 407, Disclosure of Audit Committee Financial Expert

2. Internal Auditing's Role in Disclosure of the Audit Committee Financial Expert

H. Other Impacts of Sarbanes-Oxley on Internal Auditing

1. Evaluating Membership of Audit Committee

2. Evaluating the Performance of the Audit Committee and Supporting Its Actions

3. Providing Assurance About Sarbanes-Oxley Compliance

4. Providing Assurance About Compliance With External Auditor Requirements

VI. Relationships With the Audit Committee and Board of Directors

Introductory Material

A. Reporting Relationship to the Audit Committee and Board

1. Importance of Reporting to the Board (Audit Committee)

2. Relationship Between Reporting Lines and Independence

B. Key Interactions With the Board and Audit Committee

1. Significant Categories of Interactions With the Audit Committee

2. Importance of Audit Committee and Internal Auditing Charters

3. American Institute of Certified Public Accountants (AICPA) Guidance for Audit Committee Evaluation of Internal Auditing

C. Communicating With the Audit Committee

1. Ongoing Communications

2. Follow-up Communications

D. Developing the Annual Internal Auditing Work Plan

1. Objective

2. Professional Guidance on Planning

E. Communicating Plans and Resource Requirements to the Audit Committee and Board of Directors

F. Communicating Information Concerning Fraud to the Audit Committee

VII. Best Practices for Accomplishing the Mission of Internal Auditing

Introductory Material

A. The Internal Auditing Charter

1. Professional Guidance on the Internal Auditing Charter

a. Adoption

b. Ongoing Assessment

2. Scope of Services

a. In General

b. Scope Limitations

3. Nature of Services

a. Internal Auditing Should Provide Systematic and Disciplined Services

B. Ethics, Independence, and Objectivity

1. Definitions

2. American Institute of Certified Public Accountants (AICPA) Code of Professional Conduct and the Institute of Internal Auditing (IIA) Code of Ethics

3. Principles From Other Codes of Ethics

a. U.S. Government Accountability Office

b. Health Care Compliance Association

c. International Federation of Accountants

4. Enforcement of Ethical Standards

5. Independence in the Performance of Assurance or Consulting Services

6. Independence and Objectivity for the Individual Auditor and the Audit Activity

a. IIA Guidance for the Individual Auditor

b. Guidance for the Internal Audit Activity as a Whole

7. Impairments to the Independence or Objectivity of the Internal Audit Activity

a. IIA Guidance on Impairments

b. Comparison to Government Auditing Standards

8. Objectivity

9. Recommendations on Independence and Objectivity by Blue Ribbon Committee on Audit Committee Effectiveness

C. Risk Management, Control, and Governance Responsibilities

1. Risk Management

a. Responsibilities

b. Professional Guidance Generally

c. Coordination With Enterprise Risk Management

2. Internal Control

a. Responsibilities

b. Professional Guidance

3. Governance

a. Responsibilities

b. Professional Guidance

4. Internal Auditing Responsibilities for Compliance

5. Information Technology Aspects of Internal Auditing Responsibilities

D. Organization of the Internal Audit Activity

E. Planning and Scheduling Tasks of the Internal Audit Activity

1. Professional Guidance

a. In General

b. Coordination With External Auditor

2. Long-Range Planning

a. General Considerations

b. Typically Significant Elements

3. Short-Range Planning

F. Staffing the Internal Audit Activity

1. Required Knowledge and Skills

2. Personal Qualities

3. Staffing the Activity With Contract Auditors

a. Relative Advantages and Disadvantages

b. Professional Guidance

G. Engagement Planning

H. Engagement Processes and Objectives

I. Control in the Internal Audit Activity

J. Work Paper Standards

K. Monitoring Progress on Reported Recommendations

L. Quality Assessment and Improvement

M. Six Methodologies of Internal Audit Field Work

N. Elements of Internal Audit Field Work

1. The Preliminary Survey

a. Initial Study

b. Interviewing

c. Walk-Through

d. The Report

2. The Audit Program

3. Testing

4. Analytical Review

a. Uses

b. Types

5. Sampling

6. Audit Evidence

7. Work Papers

8. Audit Findings

9. Exit Interview or Conference

O. Communicating Results of Internal Audit Engagements

1. Variations

2. Common Elements

3. Recommended Practices

4. Importance of Follow-up

P. Communicating Sensitive Information

Q. Information Protected by Attorney-Client Privilege

VIII. Risk Management

Introductory Material

A. Types of Risks

B. Measurement of Risk Exposure

C. Definition of Risk Management

D. Significance of Risk in Evaluating Internal Control

E. Examples of Risk Mitigation Methods

F. Audit Approaches to Risk Management Engagements

G. Behavioral Aspects of Risk Management Engagements

H. Risk Management Engagement Audit Techniques

I. Information Technology Aspects of Risk Management Engagements

IX. Internal Control

Introductory Material

A. The Concept of Control

B. Definitions of Control

1. COSO Definition

2. IIA Definitions

3. Other Definitions of Internal Control

C. How Controls Work

1. Design of Controls

2. Control Techniques

D. Control Evaluation Techniques

1. Evolution of Techniques for Assessing Controls

2. Sources of control evaluation techniques

a. Techniques Contained in IIA Professional Guidance

b. Techniques From COSO

c. Techniques From Other Sources

E. Self-Assessment of Controls

F. Internal Control and Consulting Services

G. Evaluation of Characteristics of Controls

H. Why Controls May Not Work

X. Corporate Governance

Introductory Material

A. Concepts Represented by the Term ‘Governance'

B. Governance Evaluation Techniques

1. Techniques Contained in Professional Guidance

2. Work of the Open Compliance & Ethics Group (OCEG)

C. Best Corporate Governance Practices

D. Conditions Under Which Governance Might Fail

E. Tone at the Top

F. Exposures and Risks Relating to Corporate Governance

G. Internal Controls and Governance

XI. Fraud

Introductory Material

A. Definitions

B. Characteristics of Fraud

C. The Role of Internal Auditing

D. Fraud Detection and Prevention

E. Management Fraud

F. Behavioral Aspects of Fraud

G. Managing Fraud Risk

H. Conclusion

Working Papers



Working Papers


Worksheet 1 Glossary of Terms - Glossary Defining Significant Terms and Acronyms Used in Portfolio

Worksheet 2 The Institute of Internal Auditors Inc., Code of Ethics

Worksheet 3 History and Organization of The Institute of Internal Auditors Inc. (IIA)

Worksheet 4 U.S. Government Accountability Office Report 08-166, IRS's Fiscal Years 2007 and 2006 Financial Statements

Worksheet 5 IIA International Standards for the Professional Practice of Internal Auditing and Their Interpretations

Worksheet 6 Listing of IIA Practice Advisories

Worksheet 7 Listing of Global Technology Audit Guides (GTAG)®

Worksheet 8 Sample Disclosure Committee Charter

Worksheet 9 Microsoft Corporation Audit Committee Charter (Excerpts)

Worksheet 10 Sample Audit Committee Charter

Worksheet 11 Evaluating the Internal Audit Team: Guidelines and Questions

Worksheet 12 Internal Audit Department Charter of Domtar Corporation

Worksheet 13 ALLTEL, Internal Control System Survey

Worksheet 14 EL PASO Control Assessment Survey

Worksheet 15 Example of an Internal Audit Report (Highway Transportation Department)

Worksheet 16 Example of an Internal Audit Report (Bank)

Worksheet 17 Report to Senior Management and The Audit Committee



Federal Statutes



IIA Professional Practices Framework

International Standards for the Professional Practice of Internal Auditing

Selected Performance Standards

Selected Implementation Standards

Selected Practice Advisories

Selected Position Papers

Selected Practice Guides

Selected Practice Guides - GAIT (Guide to the Assessment of IT Risk)

Selected Practice Guides- GTAG® (Global Technology Audit Guide)

Books and Non-Periodical Materials