Essentials of

Internal Auditing
Section III
 Section III: Proficiency and
Due Professional Care
• Topic A: Required Knowledge, Skills,
and Competencies for the Internal
Audit Activity
• Topic B: Required Knowledge, Skills,
and Competencies for the Internal
Auditor
• Topic C: Due Professional Care
• Topic D: Continuing Professional
Development
www.LearnCIA.com
v6.0 Part 1, Section III III-2
 Proficiency and Due Professional Care

Proficiency Due Professional Care

• Knowledge, skills, and • Comprehend objectives and

competencies needed to carry scope of audit engagements
out professional responsibilities • Required competencies
• Consider current/emerging • Understand IPPF’s systematic
issues and disciplined approach
• Education, experience, • Organization-specific policies
certification, continuing
education

www.LearnCIA.com
v6.0 Part 1, Section III, Section Introduction III-3
 Requisite Knowledge, Skills,
and Competencies
Examples
Body of Knowledge required to
Knowledge perform technical audits
information
Proficiency Language/communica-
Skills tion skills, data analytics
level
Exceptional
Competencies Interpersonal skills
performance
www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-4
 Engagement Staffing Options
In-house auditing A dedicated audit team with requisite resources.
Co-sourcing A combination of internal staffing and external out-
sourcing; external provider supports CAE and team with
supplementary specialist skills.
Total out-sourcing Out-sourcing 100% of the internal audit activity to an
external provider; CAE may or may not be employee.
Subcontracting Securing a specific individual to perform a specific
(staff augmentation) engagement or part of an engagement.
Secondment Borrowing an employee from another part of the
(guest auditor) organization to work in the audit activity for a specified
period of time.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-5
 Practice Question
Who is ultimately responsible for ensuring that
the internal audit activity is staffed appropriately?
A. Audit committee
B. Chief audit executive (CAE)
C. Board
D. Human resources

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-6
 Practice Question
Who is ultimately responsible for ensuring that
the internal audit activity is staffed appropriately?
A. Audit committee
B. Chief audit executive (CAE)
C. Board
D. Human resources

Answer: B. The CAE is responsible for determining levels of education

and experience for the organization’s internal audit positions.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-7
 Co-Sourcing and Out-Sourcing
Advantages Disadvantages
• Frees internal resources • Can cost more
• Provides flexibility • Results in loss of in-house
• Can improve efficiency and capabilities and expertise
effectiveness • Can undermine morale
• Can reduce expenses • Requires active responsibility,
• Can expand coverage oversight, and coordination
• May improve quality and/or • Could increase privacy and
timeliness confidentiality issues
• Provides additional skill sets • Can undermine career pathing

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-8
 Practice Question
The CAE must hire an outside service provider to
support the internal audit activity with statistical
analysis responsibilities. This best describes
A. co-sourcing.
B. out-sourcing.
C. joint venture.
D. alliance.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-9
 Practice Question
The CAE must hire an outside service provider to
support the internal audit activity with statistical
analysis responsibilities. This best describes
A. co-sourcing.
B. out-sourcing.
C. joint venture.
D. alliance.
Answer: A. In co-sourcing, an external provider supplements the
internal audit function; in out-sourcing, an outside firm is paid to handle
the responsibility.
www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-10
 CAE Responsibilities for
Outside Service Providers
• Provider has right knowledge, skills, and competencies?
– Credentials, professional organization membership, adherence to code of
ethics, reputation, experience, education and training, industry knowledge.
• Provider maintains independence and objectivity?
– Verify that has no relationships that will prevent provider from rendering
impartial/unbiased judgment and opinions.
• Review work objectives, scope, access, etc.
• Document matters in engagement letter or contract.
• Reference compliance with The IIA’s Standards (as applicable).

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-11
 Detecting/Investigating Fraud
Implementation Standard
1210.A2
“Internal auditors must have sufficient knowledge to
evaluate the risk of fraud and the manner in which it
is managed by the organization, but are not
expected to have the expertise of a person whose
primary responsibility is detecting and investigating
fraud.”

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-12
 Information Technology Considerations
Implementation Standard
1210.A3
“Internal auditors must have sufficient knowledge of
key information technology [IT] risks and controls
and available technology-based audit techniques to
perform their assigned work. However, not all
internal auditors are expected to have the expertise
of an internal auditor whose primary responsibility
is IT auditing.”

www.LearnCIA.com
v6.0 Part 1, Section III, Topic A III-13
 Internal Audit Competency Framework
Improvement and Innovation
Internal Audit Delivery
Personal Skills
Persuasion and
Communication Critical Thinking
Collaboration

Technical Expertise
Governance, Risk, Business
IPPF
and Control Acumen

Internal Audit Management

Professional Ethics

www.LearnCIA.com
v6.0 Part 1, Section III, Topic B III-14
 Characteristics of Due Professional Care
What Is Due What Are the
Professional Care? Implications?
• Application of the care and skill • Internal auditors must be
expected of a reasonably prudent independent, competent, and
and competent internal auditor in objective.
the same or similar circumstances. • Audit work must be planned and
• Requires internal auditors to act supervised.
responsibly. • Audit reports must be objective, clear,
• Exercised when internal audits are concise, constructive, and timely.
performed in accordance with the • Internal auditors must follow up on
Standards. reported audit findings.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-15
 Discussion Question
Does due professional care imply that
auditors need to exhibit extraordinary
performance or give absolute assurance?

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-16
 Discussion Question
Does due professional care imply that
auditors need to exhibit extraordinary
performance or give absolute assurance?

Answer: No
• Due professional care implies reasonable care and competence,
not infallibility or extraordinary performance.
• Conduct examinations and verifications to a reasonable extent.
• Internal auditors cannot give absolute assurance that
noncompliance or irregularities do not exist.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-17
 Practice Question
Which statement exemplifies due professional care
in an assurance engagement?
A. Understanding that some areas should be
audited like clockwork, regardless of risk
B. Recognizing the needs of management
C. Being alert to significant risks that might affect
objectives, operations, or resources
D. Following your basic audit program verbatim

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-18
 Practice Question
Which statement exemplifies due professional care
in an assurance engagement?
A. Understanding that some areas should be
audited like clockwork, regardless of risk
B. Recognizing the needs of management
C. Being alert to significant risks that might affect
objectives, operations, or resources
D. Following your basic audit program verbatim

Answer: C. See Implementation Standard 1220.A3. Plans should be risk-

based and adapted to the process being audited.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-19
 Practice Question
How does due professional care in a consulting
engagement differ from that in an assurance
engagement?
A. More applicable standards
B. Prioritized client needs and expectations
C. Fewer potential benefits derived from engagement
D. Less complexity to achieve objectives

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-20
 Practice Question
How does due professional care in a consulting
engagement differ from that in an assurance
engagement?
A. More applicable standards
B. Prioritized client needs and expectations
C. Fewer potential benefits derived from engagement
D. Less complexity to achieve objectives

Answer: B. Many of the same considerations apply. However, the needs

and expectations of clients have increased significance.

www.LearnCIA.com
v6.0 Part 1, Section III, Topic C III-21
 Continuing Professional Development
Description General Examples The IIA Offerings
Continuing • Occupational assignments • Seminars
education to • Mentoring • Conferences
enhance and • Networking • Web-based
maintain • Training training
proficiency. • Research projects • Vision University
Keep current on • Collective wisdom
standards, • Formal education
procedures, • Conferences
techniques, and • Membership/participation in
IPPF guidance. professional societies
• Certification/recertification

www.LearnCIA.com
v6.0 Part 1, Section III, Topic D III-22
 Certification
Description Achieved By
Systematic measurement of • Graduation from accredited or
characteristics such as education and approved training program
experience that results in recognition • Completion of a specified amount
of an individual as one who meets or type of work experience
suggested knowledge and other • Acceptable performance on
minimum requirements qualifying examination

www.LearnCIA.com
v6.0 Part 1, Section III, Topic D III-23
 End of Section III

Questions?

www.LearnCIA.com
v6.0 Part 1, Section III III-24