State Internal Audit Advisory Board
Internal Auditing Standards and Requirements in the State of Illinois Review Course
Based on 2017 IIA Standards

IIA Attribute Standard 1200 – Proficiency and Due Professional Care

 

1200 – Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.

1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Interpretation:
Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities. It encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.

1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 – Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 – Internal auditors must exercise due professional care by considering the:

  • Extent of work needed to achieve the engagement’s objectives;
  • Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
  • Adequacy and effectiveness of governance, risk management, and control processes;
  • Probability of significant errors, fraud, or noncompliance; and
  • Cost of assurance in relation to potential benefits.

1220.A2 In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.

1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering the:

  • Needs and expectations of clients, including the nature, timing, and communication of engagement results;
  • Relative complexity and extent of work needed to achieve the engagement’s objectives; and
  • Cost of the consulting engagement in relation to potential benefits.

1230 – Continuing Professional Development
Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

SIAAB Requirements:

In accordance with the IIA’s International Professional Practice Framework (IPPF), SIAAB believes that proficiency and due professional care are the responsibility of the chief internal auditor and each internal auditor. As such, the chief internal auditor ensures that persons assigned to each engagement collectively possess the necessary knowledge, skills, and other competencies to conduct the engagement appropriately.

The knowledge, skills, and other competencies referred to in the standard include:

  • Proficiency in applying internal audit standards, procedures, and techniques in performing engagements. Proficiency means the ability to apply knowledge to situations likely to been countered and to deal with them appropriately without extensive recourse to technical research and assistance.
  • Proficiency in accounting principles and techniques if internal auditors work extensively with financial records and reports.
  • Knowledge to identify the indicators of fraud.
  • Knowledge of key information technology risks and controls and available technology based audit techniques.
  • An understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practices. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.
  • An appreciation of the fundamentals of business subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, information technology, risk management, and fraud. An appreciation means the ability to recognize the existence of problems or potential problems and to identify the additional research to be undertaken or the assistance to be obtained.
  • Skills in dealing with people, understanding human relations, and maintaining satisfactory relationships with engagement clients.
  • Skills in oral and written communications to clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.

Suitable criteria of education and experience for filling internal audit positions is established by the chief internal auditor who gives due consideration to the scope of work and level of responsibility and obtains reasonable assurance as to each prospective auditor’s qualifications and proficiency.

The internal audit activity needs to collectively possess the knowledge, skills and other competencies essential to the practice of the profession within the organization. The chief internal auditor may obtain assistance from experts outside the internal audit activity to support or complement areas where the internal audit activity is not sufficiently proficient.

Internal auditors are responsible for maintaining their knowledge and skills and should update their knowledge and skills related to improvements and current developments in internal auditing standards, procedures, and techniques. Auditors involved in the planning, directing, performing fieldwork or reporting on an audit or attestation engagement need to maintain their professional competence through continuing professional education (CPE). SIAAB uses the General Accounting Office’s Government Auditing Standards 2018 Revision, Chapter 4, Competence and Continuing Professional Education as the basis for determining appropriate CPE.

Accordingly, SIAAB requires that all internal auditors must complete a minimum of 80 hours of CPE that directly enhances the auditor’s professional proficiency to perform audits or attestation engagements. At least 24 of the 80 hours of CPE should be in subjects directly related to government auditing, the government environment or the specific or unique environment in which the audited entity operates. At least 20 hours of the 80 hours required should be completed in any one year of the two year period. At least 4 of the 80 hours of CPE should be in subjects related to ethics.

The 80 hours of CPE, 24 hours of government CPE, and 4 hours of ethics CPE must be satisfied during two successive (non-rolling) calendar years. Internal auditors hired after the beginning of an audit organization’s two year CPE period should complete a prorated number of CPE hours based on the number of full six-month intervals remaining in the CPE period (SIAAB Bylaws - Article II Section V – CPE).

Internal auditors employed on a part-time of temporary basis may be exempt from the CPE requirements, as long as they are under the supervision of another auditor who is conformant with the CPE requirements.

Auditors required to take the 80 total hours of CPE should complete at least 20 hours of CPE in each year of the two year period. The 20 hour minimum for each CPE year would not apply when a prorated number of hours are being used to cover a partial two-year CPE period.

When an auditor becomes nonconformant with CPE requirements, the auditor has a grace period of two months to make up the deficiency. If the auditor fails to make up the deficiency within two months (i.e., prior to March 1), they should either work under the supervision of another auditor who is conformant, or disclose the nonconformance in their audit reports. Any CPE hours completed toward a deficiency in one period should be documented in the CPE records and should not be counted toward the requirements for the next two-year period.

The chief internal auditor is responsible for establishing and implementing a program to ensure that staff auditors meet the CPE requirements. In cases where a portion of the internal audit activity is contracted out, the chief internal auditor must ensure that individuals assigned to such internal audit services have obtained the appropriate continuing professional education.

Chief internal auditors are responsible for maintaining documentation of the CPE hours completed by each auditor subject to CPE requirements. The audit organization’s records, which may be kept electronically as appropriate, should include the following information for each CPE program or activity attended or completed by an auditor:

  1. The name of the organization providing the CPE;
  2. The title of the training program, including the subject matter or field of study;
  3. The dates attended for group programs or dates completed for individual study programs;
  4. The number of CPE hours earned toward the 80 hours and 24 hours requirements;
  5. Any reasons for specific exceptions granted to the CPE requirement; and
  6. Evidence of completion of CPE, such as a certificate or other evidence of completion from the CPE provider for group and individual-study programs, if provided; documentation of CPE courses presented or copies of course materials developed by or for speakers, instructors, or discussion leaders, along with a written statement supporting the number of CPE hours claimed; or a copy of the published book, article, or other material that name the writer as author or contributor, or a written statement from the writer supporting the number of CPE hours claimed.

The chief internal auditor is required to maintain the CPE records for at least six years.

From: The IIA’s International Professional Practices Framework Copyright 2017 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission.

Please close this window to return to Ability LMS to take the quiz for this lesson.