
Code of Ethics

Internal auditing is an independent, objective assurance and consulting activity. A Code of Ethics is necessary and appropriate for the profession of internal auditing. Internal auditors are expected to apply and uphold the following principles.

Uploaded by

arthanindira
Copyright
© Attribution Non-Commercial (BY-NC)

Code of Ethics

Introduction
The purpose of The Institute's Code of Ethics is to promote an ethical
culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control, and
governance processes.

A code of ethics is necessary and appropriate for the profession of
internal auditing, founded as it is on the trust placed in its objective
assurance about risk management, control, and governance. The
Institute's Code of Ethics extends beyond the definition of internal
auditing to include two essential components:

1. Principles that are relevant to the profession and practice of
internal auditing;
2. Rules of Conduct that describe behavior norms expected of
internal auditors. These rules are an aid to interpreting the
Principles into practical applications and are intended to guide
the ethical conduct of internal auditors.

The Code of Ethics together with The Institute's Professional Practices
Framework and other relevant Institute pronouncements provide
guidance to internal auditors serving others. "Internal auditors" refers
to Institute members, recipients of or candidates for IIA professional
certifications, and those who provide internal auditing services within
the definition of internal auditing.

Applicability and Enforcement


This Code of Ethics applies to both individuals and entities that provide
internal auditing services.

For Institute members and recipients of or candidates for IIA
professional certifications, breaches of the Code of Ethics will be
evaluated and administered according to The Institute's Bylaws and
Administrative Guidelines. The fact that a particular conduct is not
mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable, and therefore, the member, certification
holder, or candidate can be liable for disciplinary action.

Principles
Internal auditors are expected to apply and uphold the following
principles:

• Integrity

The integrity of internal auditors establishes trust and thus provides
the basis for reliance on their judgment.

• Objectivity

Internal auditors exhibit the highest level of professional objectivity in
gathering, evaluating, and communicating information about the
activity or process being examined. Internal auditors make a balanced
assessment of all the relevant circumstances and are not unduly
influenced by their own interests or by others in forming judgments.

• Confidentiality

Internal auditors respect the value and ownership of information they
receive and do not disclose information without appropriate authority
unless there is a legal or professional obligation to do so.

• Competency

Internal auditors apply the knowledge, skills, and experience needed in
the performance of internal auditing services.

Rules of Conduct

1. Integrity
Internal auditors:

1.1. Shall perform their work with honesty, diligence, and
responsibility.

1.2. Shall observe the law and make disclosures expected by the law
and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in
acts that are discreditable to the profession of internal auditing or to
the organization.

1.4. Shall respect and contribute to the legitimate and ethical
objectives of the organization.

2. Objectivity
Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair
or be presumed to impair their unbiased assessment. This participation
includes those activities or relationships that may be in conflict with
the interests of the organization.

2.2 Shall not accept anything that may impair or be presumed to
impair their professional judgment.

2.3 Shall disclose all material facts known to them that, if not
disclosed, may distort the reporting of activities under review.

3. Confidentiality
Internal auditors:

3.1 Shall be prudent in the use and protection of information acquired
in the course of their duties.

3.2 Shall not use information for any personal gain or in any manner
that would be contrary to the law or detrimental to the legitimate and
ethical objectives of the organization.

4. Competency
Internal auditors:

4.1. Shall engage only in those services for which they have the
necessary knowledge, skills, and experience.

4.2 Shall perform internal auditing services in accordance with the
International Standards for the Professional Practice of Internal
Auditing.

4.3 Shall continually improve their proficiency and the effectiveness
and quality of their services.

Adopted by The IIA Board of Directors, June 17, 2000

Copyright © 2000 by The Institute of Internal Auditors, 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201.

Standards for the Professional Practice of Internal Auditing

International Standards for the Professional Practice of Internal Auditing

Note: Changes effective January 2007 are highlighted in bold italics
to allow readers to easily identify modifications and assist in the
translation process.

Introduction

Internal audit activities are performed in diverse legal and cultural
environments; within organizations that vary in purpose, size,
complexity, and structure; and by persons within or outside the
organization. While differences may affect the practice of internal
auditing in each environment, compliance with the International
Standards for the Professional Practice of Internal Auditing
(Standards) is essential if the responsibilities of internal auditors are to
be met. If internal auditors are prohibited by laws or regulations from
complying with certain parts of the Standards, they should comply
with all other parts of the Standards and make appropriate disclosures.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal
auditing as it should be.
2. Provide a framework for performing and promoting a broad
range of value-added internal audit activities.
3. Establish the basis for the evaluation of internal audit
performance.
4. Foster improved organizational processes and operations.

The Standards consist of Attribute, Performance, and Implementation
Standards. Attribute Standards address the attributes of organizations
and individuals performing internal audit services. The Performance
Standards describe the nature of internal audit services and provide
quality criteria against which the performance of these services can be
measured. The Attribute and Performance Standards apply to all
internal audit services. The Implementation Standards expand upon
the Attribute and Performance Standards, providing guidance
applicable in specific types of engagements. These standards
ultimately may deal with industry-specific, regional, or specialty types
of audit services.

There is one set of Attribute and Performance Standards; however,
there are multiple sets of Implementation Standards: a set for each of
the major types of internal audit activity. The Implementation
Standards have been established for assurance (A) and consulting (C)
activities.

Assurance services involve the internal auditor's objective assessment
of evidence to provide an independent opinion or conclusions
regarding a process, system, or other subject matter. The nature and
scope of the assurance engagement are determined by the internal
auditor. There are generally three parties involved in assurance
services: (1) the person or group directly involved with the process,
system, or other subject matter - the process owner, (2) the person or
group making the assessment - the internal auditor, and (3) the
person or group using the assessment - the user.

Consulting services are advisory in nature, and are generally
performed at the specific request of an engagement client. The nature
and scope of the consulting engagement are subject to agreement
with the engagement client. Consulting services generally involve two
parties: (1) the person or group offering the advice - the internal
auditor, and (2) the person or group seeking and receiving the advice
- the engagement client. When performing consulting services the
internal auditor should maintain objectivity and not assume
management responsibility.

The Standards employ terms that have been given specific meanings
that are included in the Glossary.

The development and issuance of the Standards is an ongoing process.
The Internal Auditing Standards Board engages in extensive
consultation and discussion prior to the issuance of the Standards. This
includes worldwide solicitation for public comment through the
exposure draft process. All exposure drafts are posted on The IIA's
Web site as well as being distributed to all IIA institutes.

Suggestions and comments regarding the Standards can be sent to:

The Institute of Internal Auditors
Professional Practices Department
247 Maitland Avenue
Altamonte Springs, FL 32701-4201, USA
E-mail: [email protected]
Web: http://www.theiia.org

Attribute Standards

1000 - Purpose, Authority, and Responsibility


The purpose, authority, and responsibility of the internal audit activity
should be formally defined in a charter, consistent with the Standards,
and approved by the board.

1000.A1 - The nature of assurance services provided to the
organization should be defined in the audit charter. If assurances are
to be provided to parties outside the organization, the nature of these
assurances should also be defined in the charter.

1000.C1 - The nature of consulting services should be defined in the
audit charter.

1100 - Independence and Objectivity


The internal audit activity should be independent, and internal auditors
should be objective in performing their work.

1110 - Organizational Independence


The chief audit executive should report to a level within the
organization that allows the internal audit activity to fulfill its
responsibilities.

1110.A1 - The internal audit activity should be free from interference
in determining the scope of internal auditing, performing work, and
communicating results.

1120 - Individual Objectivity


Internal auditors should have an impartial, unbiased attitude and avoid
conflicts of interest.

1130 - Impairments to Independence or Objectivity


If independence or objectivity is impaired in fact or appearance, the
details of the impairment should be disclosed to appropriate parties.
The nature of the disclosure will depend upon the impairment.

1130.A1 - Internal auditors should refrain from assessing specific
operations for which they were previously responsible. Objectivity is
presumed to be impaired if an internal auditor provides assurance
services for an activity for which the internal auditor had responsibility
within the previous year.

1130.A2 - Assurance engagements for functions over which the chief
audit executive has responsibility should be overseen by a party
outside the internal audit activity.

1130.C1 - Internal auditors may provide consulting services relating
to operations for which they had previous responsibilities.

1130.C2 - If internal auditors have potential impairments to
independence or objectivity relating to proposed consulting services,
disclosure should be made to the engagement client prior to accepting
the engagement.

1200 - Proficiency and Due Professional Care


Engagements should be performed with proficiency and due
professional care.

1210 - Proficiency
Internal auditors should possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities. The
internal audit activity collectively should possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities.

1210.A1 - The chief audit executive should obtain competent advice
and assistance if the internal audit staff lacks the knowledge, skills, or
other competencies needed to perform all or part of the engagement.

1210.A2 - The internal auditor should have sufficient knowledge to
identify the indicators of fraud but is not expected to have the
expertise of a person whose primary responsibility is detecting and
investigating fraud.

1210.A3 - Internal auditors should have knowledge of key information
technology risks and controls and available technology-based audit
techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an internal auditor
whose primary responsibility is information technology auditing.

1210.C1 - The chief audit executive should decline the consulting
engagement or obtain competent advice and assistance if the internal
audit staff lacks the knowledge, skills, or other competencies needed
to perform all or part of the engagement.

1220 - Due Professional Care
Internal auditors should apply the care and skill expected of a
reasonably prudent and competent internal auditor. Due professional
care does not imply infallibility.

1220.A1 - The internal auditor should exercise due professional care
by considering the:

• Extent of work needed to achieve the engagement's
objectives.
• Relative complexity, materiality, or significance of
matters to which assurance procedures are applied.
• Adequacy and effectiveness of risk management,
control, and governance processes.
• Probability of significant errors, irregularities, or
noncompliance.
• Cost of assurance in relation to potential benefits.

1220.A2 - In exercising due professional care the internal auditor
should consider the use of computer-assisted audit tools and other
data analysis techniques.

1220.A3 - The internal auditor should be alert to the significant risks
that might affect objectives, operations, or resources. However,
assurance procedures alone, even when performed with due
professional care, do not guarantee that all significant risks will be
identified.

1220.C1 - The internal auditor should exercise due professional care
during a consulting engagement by considering the:

• Needs and expectations of clients, including the
nature, timing, and communication of engagement results.
• Relative complexity and extent of work needed to
achieve the engagement's objectives.
• Cost of the consulting engagement in relation to
potential benefits.

1230 - Continuing Professional Development


Internal auditors should enhance their knowledge, skills, and other
competencies through continuing professional development.

1300 - Quality Assurance and Improvement Program


The chief audit executive should develop and maintain a quality
assurance and improvement program that covers all aspects of the
internal audit activity and continuously monitors its effectiveness. This
program includes periodic internal and external quality assessments
and ongoing internal monitoring. Each part of the program should be
designed to help the internal auditing activity add value and improve
the organization's operations and to provide assurance that the
internal audit activity is in conformity with the Standards and the Code
of Ethics.

1310 - Quality Program Assessments


The internal audit activity should adopt a process to monitor and
assess the overall effectiveness of the quality program. The process
should include both internal and external assessments.

1311 - Internal Assessments


Internal assessments should include:

• Ongoing reviews of the performance of the internal audit
activity; and
• Periodic reviews performed through self-assessment or by other
persons within the organization, with knowledge of internal audit
practices and the Standards.

1312 - External Assessments


External assessments should be conducted at least once every
five years by a qualified, independent reviewer or review team
from outside the organization. The potential need for more
frequent external assessments as well as the qualifications and
independence of the external reviewer or review team,
including any potential conflict of interest, should be discussed
by the CAE with the Board. Such discussions should also
consider the size, complexity and industry of the organization
in relation to the experience of the reviewer or review team.

1320 - Reporting on the Quality Program


The chief audit executive should communicate the results of external
assessments to the board.

1330 - Use of "Conducted in Accordance with the Standards"


Internal auditors are encouraged to report that their activities are
"conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing." However, internal auditors
may use the statement only if assessments of the quality improvement
program demonstrate that the internal audit activity is in compliance
with the Standards.

1340 - Disclosure of Noncompliance


Although the internal audit activity should achieve full compliance with
the Standards and internal auditors with the Code of Ethics, there may
be instances in which full compliance is not achieved. When
noncompliance impacts the overall scope or operation of the internal
audit activity, disclosure should be made to senior management and
the board.

Performance Standards

2000 - Managing the Internal Audit Activity


The chief audit executive should effectively manage the internal audit
activity to ensure it adds value to the organization.

2010 - Planning
The chief audit executive should establish risk-based plans to
determine the priorities of the internal audit activity, consistent with
the organization's goals.

2010.A1 - The internal audit activity's plan of engagements should be
based on a risk assessment, undertaken at least annually. The input of
senior management and the board should be considered in this
process.

2010.C1 - The chief audit executive should consider accepting
proposed consulting engagements based on the engagement's
potential to improve management of risks, add value, and improve the
organization's operations. Those engagements that have been
accepted should be included in the plan.

2020 - Communication and Approval


The chief audit executive should communicate the internal audit
activity's plans and resource requirements, including significant interim
changes, to senior management and to the board for review and
approval. The chief audit executive should also communicate the
impact of resource limitations.

2030 - Resource Management


The chief audit executive should ensure that internal audit resources
are appropriate, sufficient, and effectively deployed to achieve the
approved plan.

2040 - Policies and Procedures


The chief audit executive should establish policies and procedures to
guide the internal audit activity.

2050 - Coordination
The chief audit executive should share information and coordinate
activities with other internal and external providers of relevant
assurance and consulting services to ensure proper coverage and
minimize duplication of efforts.

2060 - Reporting to the Board and Senior Management


The chief audit executive should report periodically to the board and
senior management on the internal audit activity's purpose, authority,
responsibility, and performance relative to its plan. Reporting should
also include significant risk exposures and control issues, corporate
governance issues, and other matters needed or requested by the
board and senior management.

2100 - Nature of Work


The internal audit activity should evaluate and contribute to the
improvement of risk management, control, and governance processes
using a systematic and disciplined approach.

2110 - Risk Management


The internal audit activity should assist the organization by identifying
and evaluating significant exposures to risk and contributing to the
improvement of risk management and control systems.

2110.A1 - The internal audit activity should monitor and evaluate the
effectiveness of the organization's risk management system.

2110.A2 - The internal audit activity should evaluate risk exposures
relating to the organization's governance, operations, and information
systems regarding the:

• Reliability and integrity of financial and operational
information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2110.C1 - During consulting engagements, internal auditors should
address risk consistent with the engagement's objectives and be alert
to the existence of other significant risks.

2110.C2 - Internal auditors should incorporate knowledge of risks
gained from consulting engagements into the process of identifying
and evaluating significant risk exposures of the organization.

2120 - Control
The internal audit activity should assist the organization in maintaining
effective controls by evaluating their effectiveness and efficiency and
by promoting continuous improvement.

2120.A1 - Based on the results of the risk assessment, the internal
audit activity should evaluate the adequacy and effectiveness of
controls encompassing the organization's governance, operations, and
information systems. This should include:

• Reliability and integrity of financial and operational
information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2120.A2 - Internal auditors should ascertain the extent to which
operating and program goals and objectives have been established
and conform to those of the organization.

2120.A3 - Internal auditors should review operations and programs to
ascertain the extent to which results are consistent with established
goals and objectives to determine whether operations and programs
are being implemented or performed as intended.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal
auditors should ascertain the extent to which management has
established adequate criteria to determine whether objectives and
goals have been accomplished. If adequate, internal auditors should
use such criteria in their evaluation. If inadequate, internal auditors
should work with management to develop appropriate evaluation
criteria.

2120.C1 - During consulting engagements, internal auditors should
address controls consistent with the engagement's objectives and be
alert to the existence of any significant control weaknesses.

2120.C2 - Internal auditors should incorporate knowledge of controls
gained from consulting engagements into the process of identifying
and evaluating significant risk exposures of the organization.

2130 - Governance
The internal audit activity should assess and make appropriate
recommendations for improving the governance process in its
accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and
accountability.
• Effectively communicating risk and control information to
appropriate areas of the organization.
• Effectively coordinating the activities of and communicating
information among the board, external and internal auditors and
management.

2130.A1 - The internal audit activity should evaluate the design,
implementation, and effectiveness of the organization's ethics-related
objectives, programs and activities.

2130.C1 - Consulting engagement objectives should be consistent
with the overall values and goals of the organization.

2200 - Engagement Planning


Internal auditors should develop and record a plan for each
engagement, including the scope, objectives, timing and resource
allocations.

2201 - Planning Considerations


In planning the engagement, internal auditors should consider:

• The objectives of the activity being reviewed and the means by
which the activity controls its performance.
• The significant risks to the activity, its objectives, resources, and
operations and the means by which the potential impact of risk
is kept to an acceptable level.
• The adequacy and effectiveness of the activity's risk
management and control systems compared to a relevant
control framework or model.
• The opportunities for making significant improvements to the
activity's risk management and control systems.

2201.A1 - When planning an engagement for parties outside the
organization, internal auditors should establish a written
understanding with them about objectives, scope, respective
responsibilities and other expectations, including restrictions on
distribution of the results of the engagement and access to
engagement records.

2201.C1 - Internal auditors should establish an understanding with
consulting engagement clients about objectives, scope, respective
responsibilities, and other client expectations. For significant
engagements, this understanding should be documented.

2210 - Engagement Objectives


Objectives should be established for each engagement.

2210.A1 - Internal auditors should conduct a preliminary assessment
of the risks relevant to the activity under review. Engagement
objectives should reflect the results of this assessment.

2210.A2 - The internal auditor should consider the probability of
significant errors, irregularities, noncompliance, and other exposures
when developing the engagement objectives.

2210.C1 - Consulting engagement objectives should address risks,
controls, and governance processes to the extent agreed upon with
the client.

2220 - Engagement Scope


The established scope should be sufficient to satisfy the objectives of
the engagement.

2220.A1 - The scope of the engagement should include consideration
of relevant systems, records, personnel, and physical properties,
including those under the control of third parties.

2220.A2 - If significant consulting opportunities arise during an
assurance engagement, a specific written understanding as to the
objectives, scope, respective responsibilities and other expectations
should be reached and the results of the consulting engagement
communicated in accordance with consulting standards.

2220.C1 - In performing consulting engagements, internal auditors
should ensure that the scope of the engagement is sufficient to
address the agreed-upon objectives. If internal auditors develop
reservations about the scope during the engagement, these
reservations should be discussed with the client to determine whether
to continue with the engagement.

2230 - Engagement Resource Allocation


Internal auditors should determine appropriate resources to achieve
engagement objectives. Staffing should be based on an evaluation of
the nature and complexity of each engagement, time constraints, and
available resources.

2240 - Engagement Work Program


Internal auditors should develop work programs that achieve the
engagement objectives. These work programs should be recorded.

2240.A1 - Work programs should establish the procedures for
identifying, analyzing, evaluating, and recording information during the
engagement. The work program should be approved prior to its
implementation, and any adjustments approved promptly.

2240.C1 - Work programs for consulting engagements may vary in
form and content depending upon the nature of the engagement.

2300 - Performing the Engagement


Internal auditors should identify, analyze, evaluate, and record
sufficient information to achieve the engagement's objectives.

2310 - Identifying Information


Internal auditors should identify sufficient, reliable, relevant, and
useful information to achieve the engagement's objectives.

2320 - Analysis and Evaluation


Internal auditors should base conclusions and engagement results on
appropriate analyses and evaluations.

2330 - Recording Information


Internal auditors should record relevant information to support the
conclusions and engagement results.

2330.A1 - The chief audit executive should control access to
engagement records. The chief audit executive should obtain the
approval of senior management and/or legal counsel prior to releasing
such records to external parties, as appropriate.

2330.A2 - The chief audit executive should develop retention
requirements for engagement records. These retention requirements
should be consistent with the organization's guidelines and any
pertinent regulatory or other requirements.

2330.C1 - The chief audit executive should develop policies governing
the custody and retention of engagement records, as well as their
release to internal and external parties. These policies should be
consistent with the organization's guidelines and any pertinent
regulatory or other requirements.

2340 - Engagement Supervision


Engagements should be properly supervised to ensure objectives are
achieved, quality is assured, and staff is developed.

2400 - Communicating Results


Internal auditors should communicate the engagement results.

2410 - Criteria for Communicating


Communications should include the engagement's objectives and
scope as well as applicable conclusions, recommendations, and action
plans.

2410.A1 - Final communication of engagement results should, where
appropriate, contain the internal auditor's overall opinion and/or
conclusions.

2410.A2 - Internal auditors are encouraged to acknowledge
satisfactory performance in engagement communications.

2410.A3 - When releasing engagement results to parties outside the
organization, the communication should include limitations on
distribution and use of the results.

2410.C1 - Communication of the progress and results of consulting
engagements will vary in form and content depending upon the nature
of the engagement and the needs of the client.

2420 - Quality of Communications


Communications should be accurate, objective, clear, concise,
constructive, complete, and timely.

2421 - Errors and Omissions


If a final communication contains a significant error or omission, the
chief audit executive should communicate corrected information to all
parties who received the original communication.

2430 - Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific
engagement, communication of the results should disclose the:

• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.

2440 - Disseminating Results


The chief audit executive should communicate results to the
appropriate parties.

2440.A1 - The chief audit executive is responsible for communicating
the final results to parties who can ensure that the results are given
due consideration.

2440.A2 - If not otherwise mandated by legal, statutory or regulatory
requirements, prior to releasing results to parties outside the
organization, the chief audit executive should:

• Assess the potential risk to the organization.


• Consult with senior management and/or legal
counsel as appropriate
• Control dissemination by restricting the use of the
results.

2440.C1 - The chief audit executive is responsible for communicating
the final results of consulting engagements to clients.

2440.C2 - During consulting engagements, risk management, control,
and governance issues may be identified. Whenever these issues are
significant to the organization, they should be communicated to senior
management and the board.

2500 - Monitoring Progress


The chief audit executive should establish and maintain a system to
monitor the disposition of results communicated to management.

2500.A1 - The chief audit executive should establish a follow-up
process to monitor and ensure that management actions have been
effectively implemented or that senior management has accepted the
risk of not taking action.

2500.C1 - The internal audit activity should monitor the disposition of
results of consulting engagements to the extent agreed upon with the
client.

2600 - Resolution of Management's Acceptance of Risks


When the chief audit executive believes that senior management has
accepted a level of residual risk that may be unacceptable to the
organization, the chief audit executive should discuss the matter with
senior management. If the decision regarding residual risk is not
resolved, the chief audit executive and senior management should
report the matter to the board for resolution.

Glossary
Add Value - Value is provided by improving opportunities to achieve
organizational objectives, identifying operational improvement, and/or
reducing risk exposure through both assurance and consulting
services.
Adequate Control - Present if management has planned and
organized (designed) in a manner that provides reasonable assurance
that the organization's risks have been managed effectively and that
the organization's goals and objectives will be achieved efficiently and
economically.
Assurance Services - An objective examination of evidence for the
purpose of providing an independent assessment on risk management,
control, or governance processes for the organization. Examples may
include financial, performance, compliance, system security, and due
diligence engagements.
Board - A board is an organization's governing body, such as a board
of directors, supervisory board, head of an agency or legislative body,
board of governors or trustees of a non profit organization, or any
other designated body of the organization, including the audit
committee, to whom the chief audit executive may functionally report.
Charter - The charter of the internal audit activity is a formal written
document that defines the activity's purpose, authority, and
responsibility. The charter should (a) establish the internal audit
activity's position within the organization; (b) authorize access to
records, personnel, and physical properties relevant to the
performance of engagements; and (c) define the scope of internal
audit activities.
Chief Audit Executive - Top position within the organization
responsible for internal audit activities. Normally, this would be the
internal audit director. In the case where internal audit activities are
obtained from outside service providers, the chief audit executive is
the person responsible for overseeing the service contract and the
overall quality assurance of these activities, reporting to senior
management and the board regarding internal audit activities, and
follow-up of engagement results. The term also includes such titles as
general auditor, chief internal auditor, and inspector general.
Code of Ethics - The Code of Ethics of The Institute of Internal
Auditors (IIA) are Principles relevant to the profession and practice of
internal auditing, and Rules of Conduct that describe behavior
expected of internal auditors. The Code of Ethics applies to both
parties and entities that provide internal audit services. The purpose
of the Code of Ethics is to promote an ethical culture in the global
profession of internal auditing.
Compliance - Conformity and adherence to policies, plans,
procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest - Any relationship that is or appears to be not in
the best interest of the organization. A conflict of interest would
prejudice an individual's ability to perform his or her duties and
responsibilities objectively.

Consulting Services - Advisory and related client service activities,
the nature and scope of which are agreed with the client and which are
intended to add value and improve an organization's governance, risk
management, and control processes without the internal auditor
assuming management responsibility. Examples include counsel,
advice, facilitation and training.
Control - Any action taken by management, the board, and other
parties to manage risk and increase the likelihood that established
objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable
assurance that objectives and goals will be achieved.
Control Environment - The attitude and actions of the board and
management regarding the significance of control within the
organization. The control environment provides the discipline and
structure for the achievement of the primary objectives of the system
of internal control. The control environment includes the following
elements:

• Integrity and ethical values.
• Management's philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

Control Processes - The policies, procedures, and activities that are
part of a control framework, designed to ensure that risks are
contained within the risk tolerances established by the risk
management process.
Engagement - A specific internal audit assignment, task, or review
activity, such as an internal audit, Control Self-Assessment review,
fraud examination, or consultancy. An engagement may include
multiple tasks or activities designed to accomplish a specific set of
related objectives.
Engagement Objectives - Broad statements developed by internal
auditors that define intended engagement accomplishments.
Engagement Work Program - A document that lists the procedures
to be followed during an engagement, designed to achieve the
engagement plan.
External Service Provider - A person or firm, outside of the
organization, who has special knowledge, skill, and experience in a
particular discipline.
Fraud - Any illegal acts characterized by deceit, concealment or
violation of trust. These acts are not dependent upon the application
of threat of violence or of physical force. Frauds are perpetrated by
parties and organizations to obtain money, property or services; to
avoid payment or loss of services; or to secure personal or business
advantage.
Governance - The combination of processes and structures
implemented by the board in order to inform, direct, manage and
monitor the activities of the organization toward the achievement of its
objectives.
Impairments - Impairments to individual objectivity and
organizational independence may include personal conflicts of interest,
scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).
Independence - The freedom from conditions that threaten
objectivity or the appearance of objectivity. Such threats to objectivity
must be managed at the individual auditor, engagement, functional
and organizational levels.
Internal Audit Activity - A department, division, team of
consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and
improve an organization's operations. The internal audit activity helps
an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
Objectivity - An unbiased mental attitude that allows internal
auditors to perform engagements in such a manner that they have an
honest belief in their work product and that no significant quality
compromises are made. Objectivity requires internal auditors not to
subordinate their judgment on audit matters to that of others.
Residual Risks - The risk remaining after management takes action
to reduce the impact and likelihood of an adverse event, including
control activities in responding to a risk.
Risk - The possibility of an event occurring that will have an impact
on the achievement of objectives. Risk is measured in terms of impact
and likelihood.
Risk Management - A process to identify, assess, manage, and
control potential events or situations, to provide reasonable assurance
regarding the achievement of the organization's objectives.
Should - The use of the word "should" in the Standards represents a
mandatory obligation.
Standard - A professional pronouncement promulgated by the
Internal Auditing Standards Board that delineates the requirements for
performing a broad range of internal audit activities, and for evaluating
internal audit performance.
THE CHALLENGE OF BECOMING A PROFESSIONAL INTERNAL AUDITOR
(TANTANGAN UNTUK MENJADI SEORANG AUDITOR INTERNAL YANG
PROFESIONAL)

This paper was presented at a seminar (public lecture) at STIE Trisakti,
Jakarta, on Saturday, 8 December 2007.

By: Muh. Arief Effendi, SE, MSi, Ak, QIA *)

A. Introduction

According to the "Professional Practices Framework": International
Standards for The Professional Practice of Internal Audit, IIA (2004),
internal auditing is an independent activity that provides assurance and
consulting, designed to add value and improve an organization's
operations. Internal auditing helps an organization achieve its
objectives by bringing a systematic, disciplined approach to evaluating
and improving the effectiveness of risk management, control and
governance processes.

B. Development of the Profession

The internal audit profession developed considerably in the early 21st
century, following the Enron and WorldCom cases that shook the
business world. Although the reputation of internal audit suffered for
a time from the collapse of several such companies in which auditors
played a part, the internal auditor profession has in fact become more
valued within organizations day by day. Today the internal auditor
profession also plays a role in the implementation of Good Corporate
Governance (GCG) in companies and Good Government Governance
(GGG) in government.

C. The Need for Internal Auditors

Internal auditors are needed by every kind of organization: private
companies, state-owned and regional government-owned enterprises
(BUMN/BUMD), multinational companies, foreign companies,
government, educational institutions and non-profit organizations.
When recruiting internal auditors, an organization can draw on
employees or staff from other departments or divisions, and can also
recruit from outside the organization, both experienced people and
fresh graduates. Competition for internal auditor positions turns out to
be tighter than for accounting staff positions or for auditor positions at
a public accounting firm (Kantor Akuntan Publik, KAP), because
internal auditor positions can be contested by graduates of many
disciplines and with varied work experience.

The following are some of the organizations that need internal
auditors (number, organization, work unit):

1. State-owned / regional government-owned enterprises (BUMN /
BUMD): Satuan Pengawasan Intern (SPI)
2. Government departments / agencies: Inspektorat Jenderal
Departemen; Unit Pengawasan Lembaga; Badan Pengawasan
Keuangan & Pembangunan (BPKP)
3. Regional government (PEMDA): Badan Pengawasan Daerah
(Bawasda)
4. Educational institutions / universities: Internal Audit Board; Audit
Council
5. Companies (private, multinational, foreign): Internal Audit
Department
6. Non-governmental organizations (LSM): Internal Audit Unit

D. Professional Standards

1. National

On 12 May 2004 the Konsorsium Organisasi Profesi Audit Internal
(Consortium of Internal Audit Professional Organizations) established
the Standar Profesi Audit Internal (SPAI), which must be applied by all
members of the professional organizations that belong to the
consortium and which took effect on 1 January 2005. The consortium
recommends that members of IIA Indonesia Chapter, Forum
Komunikasi Satuan Pengawasan Intern (FK SPI) BUMN/BUMD,
Yayasan Pendidikan Internal Audit (YPIA), Dewan Sertifikasi Qualified
Internal Auditor (QIA) and Perhimpunan Auditor Internal Indonesia
(PAII) promptly incorporate (adopt) the spirit of the points of this
standard into the Audit Charter, guidelines, policies and internal audit
procedures of their respective organizations.

2. International

The Standards for The Professional Practice of Internal Auditing (SPPIA)
of 2002, established by The Institute of Internal Auditors and effective
from 1 January 2002, are a revision of the 1999 SPPIA.

The objectives of the SPPIA are:

• To show clearly that the basic principles of internal audit practice
are applied.
• To provide a framework for performing and promoting a broader
range of value-added internal audit activities.
• To establish the basis for measuring internal audit performance.
• To support the organization's development in its processes and
operations.

Internal auditing is a profession with a particular role, one that upholds
high standards for the quality of its work. Compliance with the SPPIA
is very important so that there is uniformity in the authority, functions
and responsibilities of internal auditors.

E. Code of Ethics

The internal audit profession has a professional code of ethics that
every internal auditor must observe and practise. The code contains
standards of conduct that serve as guidance for all internal auditors.

1. National.

The Konsorsium Organisasi Profesi Auditor Internal (2004) has
established a code of ethics for internal auditors consisting of the
following 10 points:

a. Internal auditors must demonstrate honesty, objectivity and
diligence in carrying out their duties and fulfilling their professional
responsibilities.

b. Internal auditors must show loyalty to their organization or to the
party they serve. However, internal auditors must not knowingly take
part in activities that are improper or unlawful.

c. Internal auditors must not knowingly engage in acts or activities
that could discredit the internal audit profession or their organization.

d. Internal auditors must refrain from activities that could give rise to
a conflict with the interests of their organization, or activities that
could give rise to prejudice that casts doubt on their ability to carry
out their duties and fulfil their professional responsibilities objectively.

e. Internal auditors must not accept anything in any form from
employees, clients, customers, suppliers or business partners of their
organization that could, or could reasonably be suspected to,
influence their professional judgment.

f. Internal auditors shall undertake only those services that can be
completed using the professional competence they possess.

g. Internal auditors must make every effort to comply with the
Standar Profesi Audit Internal at all times.

h. Internal auditors must be careful and prudent in using information
obtained in the course of their duties. Internal auditors must not use
confidential information (i) for personal gain, (ii) in a manner that
violates the law, or (iii) in a way that could cause harm to their
organization.

i. In reporting the results of their work, internal auditors must
disclose all material facts known to them, namely facts that, if not
disclosed, could (i) distort the report on the activity under review, or
(ii) conceal unlawful practices.

j. Internal auditors must continually improve their competence and
the effectiveness and quality of their work. Internal auditors are
required to undertake continuing professional education.

2. International

According to the IIA, there are 4 (four) principles that internal auditors
must uphold and apply: Integrity, Objectivity, Confidentiality and
Competency.

THE INSTITUTE OF INTERNAL AUDITORS CODE OF ETHICS –
RULES OF CONDUCT

(Adopted by The IIA Board of Directors, June 17, 2000)

Under each rule of conduct, internal auditors shall:

1. Integrity
• perform their work with honesty, diligence, and responsibility.
• observe the law and make disclosures expected by the law and the
profession.
• not knowingly be a party to any illegal activity, or engage in acts
that are discreditable to the profession of internal auditing or to the
organization.
• respect and contribute to the legitimate and ethical objectives of
the organization.

2. Objectivity
• not participate in any activity or relationship that may impair or be
presumed to impair their unbiased assessment.
• not accept anything that may impair or be presumed to impair their
professional judgment.
• disclose all material facts known to them that, if not disclosed, may
distort the reporting of activities under review.

3. Confidentiality
• be prudent in the use and protection of information acquired in the
course of their duties.
• not use information for any personal gain or in any manner that
would be contrary to the law or detrimental to the legitimate and
ethical objectives of the organization.

4. Competency
• engage only in those services for which they have the necessary
knowledge, skills, and experience.
• perform internal auditing services in accordance with the
International Standards for the Professional Practice of Internal
Auditing.
• continually improve their proficiency and the effectiveness and
quality of their services.

F. Professional Organizations

1. National.

a. Forum Komunikasi Satuan Pengawasan Intern (FK SPI)

The forum was originally named FKSPI BUMN/BUMD because its
members were internal auditors working in the Satuan Pengawasan
Intern (SPI) of BUMN/BUMD. Because membership was opened to
internal auditors working in private, multinational and foreign
companies, the name was changed to FK SPI.

b. Perhimpunan Auditor Internal Indonesia (PAII)

This organization brings together internal auditors who hold the
Qualified Internal Auditor (QIA) designation.

c. Asosiasi Auditor Internal (AAI)

AAI's members are spread throughout Indonesia and come from
BUMN, BUMD and private companies. AAI also opens membership to
internal auditors from universities with the status of Badan Hukum
Milik Negara (state-owned legal entity) and from companies, whether
BUMN/BUMD or private.

AAI's vision is to become the leading professional organization acting
as an agent of change in the field of internal audit. AAI's mission is:

1). To provide a forum for continuously improving members'
competence and integrity;

2). To encourage the empowerment of the function and role of
internal auditors;

3). To raise the quality of internal auditors in line with the demands
of the changing environment and of professional standards;

4). To build members' commitment to developing internal audit
professionalism.

AAI will hold an Internal Auditor Certification Examination to improve
auditors' mastery of knowledge and technical competence in financial
reporting, corporate governance and corporate control, as well as in
fraud prevention, fraud detection and fraud investigation. In the
future AAI will become a Lembaga Sertifikasi Profesi (LSF,
professional certification body) for the internal auditor profession.

2. International

The only professional organization that brings together internal
auditors worldwide is The Institute of Internal Auditors (IIA). Each
country has an IIA representation whose members hold the Certified
Internal Auditor (CIA) designation; Indonesia has one too, IIA
Indonesia Chapter. Every year the IIA holds an international
conference attended by internal auditors from around the world. On
8-11 July 2007, an international conference of internal auditors was
held in Amsterdam, the Netherlands.

G. Certification

1. National.

a. Qualified Internal Auditor (QIA)

QIA is a qualification in internal auditing and a symbol of the
professionalism of the individual who holds it. The QIA designation is
also recognition that the holder has knowledge and skills on a par with
the qualifications of world-class internal auditors. QIA is awarded by
the Dewan Sertifikasi (Certification Board), which is made up of
representatives of leading internal audit professional organizations in
Indonesia, namely Badan Pengawasan Keuangan & Pembangunan
(BPKP), Forum Komunikasi Satuan Pengawasan Intern, The Institute
of Internal Auditors (IIA) Indonesia Chapter, Perhimpunan Auditor
Internal Indonesia (PAII) and YPIA, together with academics and
business practitioners who have competence in and commitment to
internal auditing. To date, YPIA is the only institution authorized by
the Dewan Sertifikasi to provide QIA education and hold the QIA
certification examination.

An auditor can obtain the QIA designation after completing, and
passing, a series of training courses and certification examinations run
by Institut Pendidikan Audit Manajemen / Yayasan Pendidikan Internal
Audit (YPIA), consisting of 5 (five) levels, as follows:

♦ Internal Audit Training, Basic Level I.
♦ Internal Audit Training, Basic Level II.
♦ Internal Audit Training, Advanced Level I.
♦ Internal Audit Training, Advanced Level II.
♦ Internal Audit Training, Managerial Level.

b. Professional Internal Auditor (PIA)

Pusat Pengembangan Akuntansi & Keuangan Sekolah Tinggi Akuntansi
Negara (PPAK STAN) grants recognition in the form of a Professional
Internal Auditor (PIA) certificate to participants in internal auditor
education and training (diklat) who have completed the 5 stages of
internal auditor training, namely:

1). Audit Fundamentals training.

2). Operational Audit training.

3). Audit Psychology and Communication training.

4). Fraud Audit training.

5). Management of Audit Assignments training.

In addition to participants who have completed all five stages of
training, the Professional Internal Auditor certificate is also awarded to
heads of Satuan Pengawas Intern and heads of Badan Pengawas
Daerah who have attended the Special Training (Diklat Khusus) held by
PPAK STAN.

2. International

Certified Internal Auditor (CIA) is the only internal audit certification
that is recognized internationally. The CIA designation currently serves
as one form of recognition of its holder's integrity, professionalism and
competence in internal audit. Holders of the CIA certificate receive
high recognition because the CIA programme is known for its high
standards of knowledge, integrity and professionalism. The
certification, issued by The Institute of Internal Auditors (The IIA), is
awarded to candidates who have passed the 4 (four) parts of the
examination, as follows:

NEW CIA EXAM (Effective as of May 2004)

PART I - The Internal Audit Activity's Role in Governance, Risk and
Control (125 multiple choice questions)
A. Comply with the IIA's Attribute Standard (15-25%).
B. Establish a Risk-based Plan to Determine the Priorities of the
Internal Audit Activity (15-25%).
C. Understand the Internal Audit Activity's Role in Organizational
Governance (10-20%).
D. Perform Other Internal Audit Roles and Responsibilities (0-10%).
E. Governance, Risk and Control Knowledge Elements (15-25%).
F. Plan Engagements (15-25%).

PART II - Conducting the Internal Audit Engagement (125 multiple
choice questions)
A. Conduct Engagement (25-35%).
B. Conduct Specific Engagement (25-35%).
C. Monitor Engagement Outcome (5-15%).
D. Fraud Knowledge Elements (5-15%).
E. Engagement Tools (15-25%).

PART III - Business Analysis & Information Technology (125 multiple
choice questions)
A. Business Processes (15-25%).
B. Financial Accounting & Finance (15-25%).
C. Managerial Accounting (10-20%).
D. Regulatory, Legal & Economics (5-15%).
E. Information Technology – IT (30-40%).

PART IV - Business Management Skills (125 multiple choice
questions)
A. Strategic Management (20-30%).
B. Global Business Environments (15-25%).
C. Organization Behavior (20-30%).
D. Management Skills (20-30%).
E. Negotiating (5-15%).

H. Continuing Professional Education

As a profession, internal auditor professional organizations require
their members to keep improving their knowledge and skills through
continuing professional education (Pendidikan Profesi Berkelanjutan,
PPL). Holders of the QIA designation issued by the Dewan Sertifikasi
QIA must undertake PPL as follows:

PPL CREDIT VALUES FOR QIA

(Number, PPL credit track, activity and credit value)

1. EDUCATION
1. Participant in a domestic seminar / training / workshop: 10 hours /
day.
2. Participant in a seminar / training / workshop abroad: 20 hours /
day.
3. Seminar moderator: 20 hours.
4. Seminar speaker: 40 hours.
5. Instructor for training related to auditing: according to effective
teaching hours.
6. Auditor coaching and development activities in one's own office:
according to effective hours.

2. PUBLICATION
1. Writing an article: 20 hours per article.
2. Writing a course handout (module): 30 hours per handout
(module).
3. Translating a book: 30 hours per book.
4. Writing a book: 60 hours per book.
5. Editing a book: 30 hours per book.

3. PRACTITIONER
Practising as an auditor for 1 full year: credited according to
assignment hours, with a maximum credit of 30 hours per year.

I. Challenges for the 21st-Century Internal Auditor

Some of the challenges that internal auditors must face in the 21st
century are as follows:

1. Risk-based Orientation.

Internal auditors must change their approach from conventional
auditing to a risk-based audit approach. An audit pattern based on a
risk approach focuses more on the risk assessment parameters
formulated in the risk-based audit plan. From that risk assessment
the risk matrix can be determined, which helps the internal auditor to
draw up a risk audit matrix.

The benefits internal auditors gain from using a risk-based audit
approach include greater efficiency and effectiveness in performing
audits, which can improve the performance of the internal audit
department. Internal auditors must also move from the old paradigm
to the new paradigm, which is marked by a change in the orientation
and role of the internal auditor profession. The main differences
between the old paradigm and the new paradigm are as follows:

ITEM: OLD PARADIGM AND NEW PARADIGM

• Role. Old: watchdog. New: consultant and catalyst.
• Approach. Old: detective (detecting problems). New: preventive
(preventing problems).
• Attitude. Old: like the police. New: as a business partner /
customer.
• Compliance. Old: all policies. New: only the relevant policies.
• Focus. Old: weaknesses / irregularities. New: constructive
solutions.
• Communication with management. Old: limited. New: regular.
• Audit. Old: financial / compliance audit. New: financial,
compliance and operational audit.
• Career path. Old: narrow (auditor only). New: broad (can build a
career in other departments / functions).

2. Global Perspective.

Internal auditors must take a broad view and assess matters globally
rather than narrowly (at the micro level). In the current era of
globalization, there are no longer borders between countries in doing
business.

3. Governance Expertise.

Internal auditors must apply the principles of good corporate
governance, Good Corporate Governance (GCG), and of good
government, Good Government Governance (GGG). Internal auditors
must have sufficient knowledge of GCG and GGG. Internal auditors
play an important role in the implementation of GCG in companies and
GGG in government. The effectiveness of the internal control system
and of the internal auditor is one of the assessment criteria in GCG
implementation. Internal auditors must use the competence they
have and work professionally so that they add value for their
organization. To add value, internal auditors should be able to assess:

a. Operational & quality effectiveness.

b. Business risk.

c. Business & process control.

d. Process & business efficiencies.

e. Cost reduction opportunities.

f. Waste elimination opportunities.

g. Corporate governance effectiveness.

4. Technologically Adept.

Internal auditors must keep up with developments in technology,
especially information technology. Internal auditors must have
technology proficiency, for example expertise in information systems
audit. Where needed, internal auditors can obtain the Certified
Information Systems Auditor (CISA) certification. In addition, internal
auditors must be able to use technological skills to analyse and
mitigate risk, improve processes and evaluate efficiency (upgrade
efficiency).

5. Business Acumen.

Internal auditors must have a strong entrepreneurial spirit, so that
they keep up with every development in the business process. In the
past internal auditors emphasized their role as watchdog; today they
are expected to act more as a business partner to management and to
be more oriented towards the satisfaction of management as their
customer (customer satisfaction).

6. Creative Thinking & Problem Solving.

Internal auditors must always think positively and innovatively and be
more oriented towards solving problems. To become a problem
solver, an internal auditor needs years of experience auditing the
various functions and work units of an organization or company.

7. Strong Ethical Compass.

Internal auditors must always uphold the code of ethics and a morality
grounded in religious teaching in carrying out their duties, so that they
avoid disreputable conduct.

8. Communication Skills.

The work of internal auditors is closely connected with other parties,
namely management, the audit committee and the external auditor
(public accounting firm); internal auditors must therefore maintain
good communication with those parties. For this, internal auditors
need communication skills, both oral and written.

J. Conclusion

To become a professional internal auditor, there are several things
internal auditors need to do, as follows:

1. Internal auditors consistently apply the professional standards and
the professional code of ethics set by the professional organization.
2. Internal auditors must always keep up with the latest
developments in the fast-changing business environment and in
rapidly advancing information technology.
3. Internal auditors must always keep up with the latest
developments in internal auditing concepts and techniques through
continuing professional education (PPL).
4. Internal auditors must always improve their communication skills,
both oral and written.
REFERENCES

Brown, Brian G., "The Global Practice of Internal Auditing", Institute of
Internal Auditors (IIA), 2006.

Chambers, Richard F., "Improving Integrity and Fighting Corruption
With Strong Internal Audit", Institute of Internal Auditors (IIA) Learning
Center, IIA, 2004.

Effendi, M. Arief, "Paradigma Baru Internal Auditor", Auditor, Jakarta,
Issue No. 05, 2002.

Effendi, M. Arief, "Risk Based Internal Auditing", Media Akuntansi,
Jakarta, April 2003 issue.

Effendi, M. Arief, "Value Added Internal Auditing", Auditor, Jakarta,
Issue No. 08, 2003.

Institute of Internal Auditors, Applying COSO's Enterprise Risk
Management — Integrated Framework, September 29, 2004.

Konsorsium Organisasi Profesi Audit Internal, "Standar Profesi Audit
Internal", Yayasan Pendidikan Internal Audit (YPIA), Jakarta, first
printing, 2004.

Lapelosa, Michael, "Modern Integrated Audit Approach", Internal
Auditing Seminar, IIA, 2007.

Moeller, Robert, "Brink's Modern Internal Auditing", 6th Edition, John
Wiley & Sons, 2005.

Sawyer, Lawrence B. et al., Sawyer's Internal Auditing, The Practice of
Modern Internal Auditing, 5th Edition, IIA, 2003.

www.auditor-internal.com

www.iia2007.com

www.internalauditing.or.id

www.ppak-stan.com

www.pleier.com/pubs.htm

www.theiia.org/certification/certified-internal-auditor
*) Muh. Arief Effendi, SE, MSi, Ak, QIA is a Senior Operational Auditor at PT.
Krakatau Steel and an adjunct lecturer (Dosen Luar Biasa) at several universities
in Jakarta (FE Universitas Trisakti, STIE Trisakti, FE Universitas Mercu Buana and
the Master of Accounting Programme at Universitas Budi Luhur).
