Domains II and V Frequently Asked Questions
The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity specific to her presentation on Domains II and V – Ethics and Professionalism and Performing Internal Audit Services.
Domain II: Ethics and Professionalism
Principle 1 - Demonstrate Integrity - Honesty and Courage - Standard 1.1
Q: The concept of professional courage isn't defined. What is the meaning of professional courage? How do you develop professional courage? How do we evidence honesty and professional courage during a quality assessment / external quality assessment? What are some examples of evidence of professional courage, (in relation to Standard 1.1)? Will interviews and feedback from management suffice?
A: Internal auditors should enhance their awareness and understanding of honesty and professional courage by seeking opportunities to obtain ethics-related continuing professional education.
While education helps create awareness in hypothetical situations, workplace training, mentorship, and supervision allow internal auditors to learn and practice skills such as tact and respectful communication, which are needed to apply professional courage effectively in real situations.
When internal auditors encounter situations that challenge their honesty or professional courage, they should discuss the circumstances with a supervisor to determine the best course of action.
Evidence of conformance, in relation to Standard 1.1 includes:
- A training plan that includes ethics education and training.
- Documents that evidence internal auditors’ attendance or participation in ethics education and training.
- Performance evaluations showing honesty and professional courage as objectives.
- Feedback from key stakeholders regarding the honesty and courage of internal auditors.
Principle 2 - Maintain Objectivity – Standards 2.1., 2.2, and 2.3
Q: What happens when the governance of internal audit is not independent? What is the difference between independence and objectivity?
If your audit committee is comprised of organizational officers and there are no external members, would this still be in compliance with the new standards around objectivity and independence? How does internal audit maintain its independence and objectivity? How often should attestation forms occur?
A: Objectivity is an unbiased mental attitude that allows internal auditors to make professional judgments, fulfill their responsibilities, and achieve the Purpose of Internal Auditing without compromise.
An independently positioned internal audit function supports internal auditors’ ability to maintain objectivity.
Objectivity means internal auditors perform their work without compromise or subordination of judgment to others.
The Global Internal Audit Standards, along with the policies established and training arranged by the chief audit executive, support objectivity by providing requirements, procedures, and guidance that set forth a systematic and disciplined approach for gathering and evaluating information to provide a balanced assessment of the activity under review.
Training may help internal auditors to better understand objectivity-impairing scenarios and how best to address them.
Reference is made under evidence of conformance to use of attestation forms to confirm internal auditors' awareness of objectivity's importance. A periodic timeline would be appropriate, at least annually and perhaps more frequently if appropriate.
Principle 3 – Demonstrate Competency – Standards 3.1 and 3.2
Q: Will the IIA's internal audit competency framework be updated this year to reflect the requirements of the Global Internal Audit Standards?
Does documenting cross training of internal auditors on essential technical and risk areas help ensure competency?
What are some examples of conformance?
A: Demonstrating competency requires developing and applying the knowledge, skills, and abilities to provide internal audit services. Because internal auditors provide a diverse array of services, the competencies needed by each internal auditor vary. In addition to possessing or obtaining the competencies needed to perform services, internal auditors improve the effectiveness and quality of services by pursuing professional development.
The IIA is intending to issue an updated Competency Framework aligned to the Global Internal Audit Standards later in 2024.
Examples of Evidence of Conformance include:
- Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors.
- Internal auditors’ self-assessments of their competencies and plans for professional development.
- Documentation of internal auditors’ completion of continuing professional education, such as courses, conference sessions, workshops, and seminars.
- Documented performance reviews of internal auditors.
- Documented supervisory reviews of engagements, post-engagement surveys completed by internal audit stakeholders, and other forms of feedback indicating competencies exhibited by individual internal auditors and the internal audit function.
- The results of internal and external quality assessments.
- Documentation of relevant competencies necessary to fulfill the internal audit plan, an analysis of resource gaps, and the identification of the training and budget necessary to fill the gaps.
- Documentation such as an assurance map that indicates the competencies of other providers of assurance and advisory services upon which the internal audit function may rely.
Principle 4 – Exercise Due Professional Care – Conformance with the Global Internal Audit Standards – Standard 4.1
Q: Can members conform with the Standards if they do not undergo external assessments? Are outsourced internal audit functions required to comply with the Standards?
What are some examples of evidence of conformance with the Standards?
How is conformance with the Standards assessed if the internal auditor isn’t a member of IIA?
A: The chief audit executive or a designated engagement supervisor should ensure that engagement work programs align with the requirements of the Standards and that internal audit engagements are conducted in accordance with the Standards’ requirements.
While conformance with the requirements is expected, internal auditors or the internal audit function may occasionally be unable to conform with a requirement yet may take alternative actions to achieve the related principle.
Such circumstances are usually related to specific sectors, industries, and jurisdictions.
By documenting the circumstance, alternative actions taken, the impact, and the rationale, the chief audit executive provides information to support the external quality assessment such that the internal audit function may be able to achieve conformance with a principle, even when conformance with a standard is not possible.
Examples of Evidence of Conformance include:
- Documentation of the internal audit function’s methodologies and an indication of when they were last updated.
- If applicable, final engagement communications and communications with the Board and senior management where nonconformance has been disclosed.
- Documentation referencing the laws and/or regulations with which internal auditors were required to comply that prevented their conformance with the Standards.
- Documentation referencing authoritative requirements to which the internal audit function adheres in addition to the Standards.
- Results of the quality assurance and improvement program.
The IIA Standards Board is very clear the Standards are applicable to all practicing internal auditors irrespective of whether they are members of the IIA.
There is also an expectation that is required in the Standards every internal audit function will undertake an internal annual assessment and, every 5 years, an external quality assessment, thus evidencing conformance with the Standards.
Principle 4 – Exercise Due Professional Care – Professional Skepticism – Standard 4.3
Q: Professional skepticism isn’t just about trust and verify but rather maintaining our professional challenge and obtaining the appropriate level of assurance required situation by situation.
What does professional skepticism mean for internal auditors and why is it important?
How do internal auditors apply professional skepticism?
What does professional skepticism mean for internal auditors and why is it important?
A: A good point. Professional skepticism enables internal auditors to make objective judgments based on facts, information, and logic, rather than trust or belief.
Skepticism is the attitude of always questioning or doubting the validity and truthfulness of claims, statements, and other information. Internal auditors apply professional skepticism when they seek evidence to support and validate statements made by management, rather than simply trusting the information presented as true or genuine without question or doubt.
Professional skepticism requires curiosity and the willingness to explore beyond the surface level of a given topic.
Examples of Evidence of Conformance include:
- Records of relevant training planned and completed, including a list of participants.
- Workpapers identifying an internal auditor’s approach to evaluate and validate information gathered during an engagement.
- Documentation that false or misleading information was handled as an engagement finding.
- Workpapers and engagement communications, reviewed and signed or initialled by the engagement supervisor.
Principle 5 – Maintain Confidentiality – Standards 5.1 and 5.2
Q: If a regulator requests an internal audit report, should we as internal audit provide such a report to the regulator?
Do we need to anonymize data within the internal audit function or only outside the internal audit function?
A: Because internal auditors have unrestricted access to the data, records, and other information necessary to fulfill the internal audit mandate, they often receive information that is confidential, proprietary, and/or personally identifiable.
This includes information in physical and digital form as well as information derived from oral communication, such as formal or informal meeting discussions.
Internal auditors must respect the value and ownership of information they receive by using it only for professional purposes and protecting it from unauthorized access or disclosure, internally and externally.
Requests for internal audit reports from external third parties would usually seek advice from the legal team, unless there are laws that require disclosure e.g., United Kingdom Freedom of Information legislation.
Domain V: Performing Internal Audit Services
Principle 13 - Plan Engagements Effectively - Standard 13.1 Engagement Communication – Changes to Scope
Q: Have you ever experienced a change in scope of the audit in the middle of an audit exercise?
How should changes to the objectives or scope be communicated?
A: To ensure effective communication, a variety of methods should be used: formal, informal, written, and oral. Engagement communications may occur through scheduled meetings, presentations, emails and other documents, and informal discussions.
Requirements for the quality and content of engagement communications should be established by the chief audit executive in alignment with the expectations of the Board and senior management and documented in internal audit methodologies.
Ongoing communication throughout the engagement between internal auditors and the management of the activity under review is essential for transmitting information that requires immediate attention and updating relevant parties about engagement progress or changes to the objectives or scope.
I have indeed needed to change the scope during an internal audit engagement. The significance of the change in relation to the scope will influence the response. For example, is the change of scope related to bringing into the scope something that was previously shown as being out of scope, then I would always re-issue the terms of reference / letter of engagement. If it is a relatively minor amendment to the existing scope, then I would include it in an e-mail sent to all relevant stakeholders.
Principle 13 - Plan Engagements Effectively - Standard 13.2 Engagement Risk Assessment
Q: Should internal audit share the engagement risk assessment results with management of the activity being audited during the planning phase? Is it best practice to adopt such an approach as the Standards seem to encourage this?
Regarding the engagement risk assessment, should reliance be placed on the completed internal audit universe risk assessment to determine the annual audit plan?
A: Internal auditors should consult with the engagement supervisor and the operational manager in the activity under review while planning. Such a collaborative approach will strengthen the risk assessment and help the internal auditor understand the objectives and risks associated with the activity under review.
To develop an understanding of the activity under review and assess relevant risks, internal auditors should start by understanding the internal audit plan, the discussions that led to its development, and the reason the engagement was included. Engagements included in the internal audit plan may arise from the internal audit function’s organization wide risk assessment or from stakeholder requests.Surveys, interviews, physical inspections, and process walk-throughs allow internal auditors to observe the current conditions in the activity under review.
Determining the significance of risks requires internal auditors to apply their knowledge, experience, and critical thinking to make judgments about the organization, the activity under review, and the engagement purpose and context. As part of due professional care, internal auditors should consider input from the management of the activity under review to gain insight into the business objectives, significant risks, and controls. Establishing a mutual understanding of the risks of the activity under review increases the usefulness of the engagement risk assessment. To ensure that the audit universe and risk assessment cover the organization’s key risks, the internal audit function should independently review and validate the key risks that were identified within the organization’s risk management system.
Principle 14 – Conduct Engagement Work – Standard 14.3 - Evaluation of Findings - Root cause
Q: The root cause should be identified during the audit and reported in the cause section of the audit report. Is it required to have the root cause in the audit recommendations?
Should we have a list of root causes that can be standardized for all areas across the company?
In our audits, we always conduct root cause analysis. Do we also need to perform a 'root cause analysis' for advisory engagements, like system pre-implementation reviews?
A: To develop engagement findings, internal auditors compare the established criteria to the existing condition in the activity under review.
The evaluation should explore:
- The root cause of the difference, which often relates to a control deficiency and is a direct reason the condition exists.
- To the extent feasible, internal auditors should determine the root cause, which is an underlying or deeper issue that contributed to the condition.
- At its simplest, determining the root cause involves asking a series of questions about why the difference exists.
- Identifying the root cause involves collaboration with management, who may be in a better position to understand the underlying causes for the difference
Standard 11.3 Communicating Results – States that the findings and conclusions of multiple engagements, when viewed holistically, may reveal patterns or trends, such as root causes, communications to the Board and senior management should include significant control weaknesses and robust root cause analysis.
An example of conformance would include a workpaper that lists the criteria, condition, root cause (when possible), effect (risk or potential exposure), and a prioritization of each finding. Domain V covers both assurance and advisory engagements and, as such, reference to root cause applies to both types of internal audit services.
Principle 14 – Conduct Engagement Work – Standard 14.5 - Engagement Conclusions
Q: Will the final report require a statement confirming that the report conforms with the IIA Standards be required (and/or a statement of the gaps relative to the IIA Standards)?
For conclusion, do you need to express your conclusion on the overall engagement, or could this be expressed by each audit process we test?
A: The chief audit executive’s methodologies for the internal audit function may provide a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls.
For example, a scale may indicate satisfactory, partially satisfactory, needs improvement, or unsatisfactory depending on the internal auditors’ assessments.
A statement that the engagement is conducted in conformance with the Global Internal Audit Standards should be included in the final engagement communication.
The conclusion may add context regarding the impacts of the findings within the activity under review and the organization.
For example, some findings may have a significant impact on achieving goals or managing risks at an activity level, but not at an organizational level.
Internal auditors must develop an engagement conclusion that summarizes the engagement results relative to the engagement objectives and management’s objectives. The engagement conclusion must summarize the internal auditors’ professional judgment about the overall significance of the aggregated engagement findings.
Principle 15 - Communicate Engagement Results and Monitor Action – Standard 15.1 – Communicating Engagement Results
Q: Will the final report require a statement confirming that the report conforms with the IIA Standards be required (and/or a statement of the gaps relative to the IIA Standards)?
Does communicating internal audit’s engagement results necessarily mean providing a standard report to senior management or Board or audit committee?
A: A statement that the engagement is conducted in conformance with the Global Internal Audit Standards should be included in the final engagement communication.
Indicating that the internal audit engagement conformed with the Standards is appropriate only if supported by the results of engagement supervision and the quality assurance and improvement program.
The style and format of final engagement communication varies across organizations. The chief audit executive may provide templates and procedures.
When issued as a report, the final communication may include the following components, in addition to the requirements:
- Title.
- Background (brief synopsis of the activity under review).
- Recognition (positive aspects of activity under review and/or appreciation of cooperation).
- Distribution list.
Examples of Evidence of Conformance include:
- Written final communications.
- Slides and/or meeting notes of presentations when final communication is oral.
- Documentation indicating that the final communication was reviewed and approved.
- Documentation that requirements for communicating with the activity under review were met.
Custom and practice within the internal audit profession is continuously evolving with one-page dashboard type reports becoming increasing popular.
Principle 15 - Communicate Engagement Results and Monitor Action – Standard 15.2 – Confirming the Implementation of Recommendations or Action Plans – Follow-Up
Q: To what extend does internal audit need to follow up recommendations? i.e., re-perform them?
Should internal audit be held accountable for long, outstanding audit issues?
Who should ideally conduct the follow ups? Could it be the same team that was conducting the audit or some other personnel within the audit function?
Can you have a process to which you need to follow up in ‘x’ amount of time according to finding risk?
A: The methodology for confirming the implementation of management’s action plans should include criteria for determining when to perform follow-up assessments to confirm that management’s action plans have effectively addressed findings.
Follow-up assessments may be performed for completed action plans selectively, depending on the risk’s significance.
Under certain circumstances, regulators may require reporting on management’s action plans.
Examples of Evidence of Conformance include:
- A routinely updated tracking system (for example, a spreadsheet, database, or other tool) that contains the finding, associated corrective action plan, status, and internal audit’s confirmation.
- Corrective action status reports prepared for the Board and senior management.
There are mixed views as to who should undertake the follow-up process. In some organizations it is the auditors who undertook the engagement, in others it is a separate team within the internal audit function not involved in the engagement, and yet in other organizations it may be the corporate governance team. It is important is to ensure that agreed actions have been implemented and achieved the required outcome.
Principle 15 - Communicate Engagement Results and Monitor Action – Standard 15.2 – Confirming the Implementation of Recommendations or Action Plans – Acceptance of Risk
Q: Requires the chief audit executive to determine if senior management’s delay or inaction means they have accepted a risk that exceeds the risk tolerance. In such a scenario, what should we do?
What should internal auditors do if management has not progressed in implementing actions according to completion dates?
When following up on "implementation of our recommendations," if the business responds that they accept a risk, why would we as internal auditors challenge that as we are not the "business domain" expert?
Who is responsible for determining if senior management has accepted a risk that exceeds the risk tolerance?
A: If management decides on an alternative action plan and internal auditors agree that the alternative plan is satisfactory or better than the original action plan, then progress on the alternative plan should be tracked until completion.
If management has not progressed in implementing the actions according to the established completion dates, internal auditors must obtain and document an explanation from management and discuss the issue with the chief audit executive.
The chief audit executive is responsible for determining whether senior management, by delay or inaction, has accepted a risk that exceeds the risk tolerance.
Standard 11.5 covers Communicating Acceptance of Risks - The chief audit executive may discuss and seek the Board’s agreement on methodologies for documenting and communicating the acceptance of risks that exceed the risk appetite or risk tolerance.
In addition to the requirements in the Standards, methodologies should consider the organization’s risk management process, policies, and procedures.
Building relationships and maintaining communication with stakeholders are additional means of remaining apprised of risk management activities including management’s acceptance of risk.
General Questions
Topical Requirements
Q: Does the IIA have a list of all the topics it plans to create Topical Requirements for? Is there a schedule of when they will be released?
For Topical Requirements, the prior webinar stated that portions of the topical requirement can apply to any audit.
With one Topical Requirement, this is reasonable. But as more requirements are created, how practical is it for auditors to stay on top of all the different Topical Requirements and all the different sections within them to be able to identify relevant sections?
Does each engagement with a cybersecurity impact need to demonstrate the Topical Requirements have been considered and provide a rationale why it was not tested?
A: The current list as shared in the IIA webinar 11 June 2024:
- Cybersecurity (in process – pilot project)
- Third-party Risk Management
- Culture
- Business Resilience
- Anti-Corruption / Bribery
- People Management
- Fraud Risk Management
- Sustainability: ESG
Additional Topical Requirements will be developed. (Exact topics and dates to be determined)
The June 11, 2024 webinar provided examples of use of the topical requirements:
Example 1: Cybersecurity is identified for an internal audit engagement.
In this example, since the subject of a Topical Requirement has been identified during the internal audit planning process, then the requirements outlined in the Topical Requirement must be included during the engagement to assess that subject. If the cybersecurity engagement does not include all the requirements in the Cybersecurity Topical Requirement, internal auditors must document and retain the rationale for not including those specific requirements.
Is the Cybersecurity Topical Requirement Required? YES.
Example 2: The subject of cybersecurity is not identified during the internal audit planning process.
In this example, the topic of cybersecurity is not identified, and therefore, the Cybersecurity Topical Requirement does not apply. While most organizations commonly identify cybersecurity as a higher-risk topic, every organization is unique. Therefore, not every organization will assess cybersecurity as one of its higher-risk areas, and it is possible that cybersecurity may not be a topic on the internal audit plan.
Is the Cybersecurity Topical Requirement Required? NO. And no documentation is needed to justify the exclusion.
Example 3: An internal audit engagement is being performed that is not focused on cybersecurity but contains cyber related risks. Internal auditors identify elements of cybersecurity risks during an audit of the accounts payable process, such as the online / web-based submission of the initial purchase order (PO) request.
In this example, internal auditors should review the Cybersecurity Topical Requirement and determine which requirements are applicable, such as the internal controls in place to limit and restrict users to the web-based PO process.
Is the Cybersecurity Topical Requirement Required? YES. Relevant requirements are applicable. Document the rationale for not including the other requirements of the Cybersecurity Topical Requirement in the engagement workpapers.
Transition Period for the Global Internal Audit Standards
Q: Do we have a transition period for the implementation of the new 2024 Standards?
Can internal audit functions start adopting the Standards now?
When will the new Standards become effective?
A: The new Global Internal Audit Standards, released January 9, 2024, will become effective January 9, 2025.
Internal audit functions may start adopting the Standards now.
The transition period is in effect 2024
External Quality Assessment / Quality Assessment
Q: Will quality assessment span the two standards if one would be due in 2025?
If we don't think we will be completely in line with the Standards until early next year, and we request an EQA at the end of 2025, will the EQA be limited to audit activity solely from the start of the new standards at start of 2025?
For EQA, are we concentrating more on Conformance or our Performance to implementing the standards?
A: The Board and chief audit executive may determine that it is appropriate to conduct an external quality assessment more frequently than every five years.
There are several reasons to consider a more frequent review, including changes in leadership (for example, senior management or the chief audit executive), significant changes in internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover.
Additionally, some organizations, such as those in highly regulated industries may prefer or be required to increase the frequency or scope of the external quality assessments.
Once we move into 2025 then any EQA will be undertaken against the new Global Internal Audit Standards.
If it is likely that your internal audit function won’t be able to conform with the new Standards until perhaps later in 2025, then good practice would be to create an action place detailing the various Standards and a conformance date and share it with your audit committee and senior management.
The external quality assessment (EQA) will seek to establish conformance with the Standards but will also seek to assess an internal audit function’s maturity, which may give the chief audit executive, Board, audit committee, and senior management additional insight by benchmarking against other organizations or leading practices.
Quality Assessment Manual
Q: Do you have information on the new Quality Assessment Manual? Is it coming out soon?
A: The Standards will be effective for quality assessments January 9, 2025, 12 months after the date of the Standards publication. Learn more by watching the “What the New Standards Mean to Quality Assessments” webinar.
Options for conducting your next external quality assessment:
- If your next assessment is due in 2024, you should proceed with your assessment when due under the existing IPPF.
- If your assessment is due in 2025, you can choose to accelerate your assessment under the existing IPPF in 2024. The IIA recommends adding a supplementary gap/readiness assessment to assess how well your function is prepared to implement the new Standards.
- Gap/readiness assessments may be scheduled at any point to help your internal audit function prepare to implement the new Standards effectively.
As far as I am aware, I believe the new Quality Manual will be issued later in 2024.
Agile
Q: Will agile audit approach work with the new Global Internal Audit Standards? If no, what are the challenges in adopting the new Standards?
A: Agile is about ways of working and will certainly work with the Global Internal Audit Standards. The key elements of an agile approach are:
Improved stakeholder satisfaction
Instead of getting results all at once at the end of the audit, stakeholders are getting actionable information as they go. Consequently, they’re often able to address findings before a report is even issued.
Prioritizing risks
Are there risks hidden beneath the surface? Agile’s iterative approach creates purposeful feedback loops to help keep internal audit aware of sudden changes and pivot accordingly.
More work in less time
Teams are often able to get work done sooner by starting with the most important risks, limiting the number of tasks in progress, and continuously reevaluating the plan. Frequent feedback with the client improves focus and allows the team to spend less time on smaller risks.
The three elements above will work effectively with the new Standards.
Insight and foresight
Q: What's a practical example of how internal audit can deliver on the new concepts of insight and foresight?
A: Insight is also used much more generally. It describes the way we develop a clear and in-depth understanding of a particular subject or situation that enables us to solve problems. We have all experienced an ‘Aha’ moment, the spark of inspiration when we solve a difficult question or problem.
Awareness - The first stage is awareness, the identification of some kind of problem to be solved. We haven’t yet thought hard enough about the problem, but we know there is an issue to resolve. In the workplace this might be duplicate payments occurring in the payment process, an increasing number of customer complaints, failing to deliver projects on time, etc.
Reflection - Studies have shown that during the reflection stage, we are not trying to solve the problem. We are creating links and tapping into more intelligence than the three to five pieces of information we can hold in our working memory. This is why we often have our best ideas when we are not actively thinking about the issue.
Illumination - In practical terms, it seems that to help people have insights (the illumination stage), we need to encourage them to reflect more, and think less, or at least less logically.
Motivation - Finally, the 'Aha' moment is a strong motivator. So, the best way to bring about insight and change is not to think about people’s issues for them but to help them reflect more deeply and support them in their ability to generate connections.
Foresight - Instead of solely looking at past data, internal auditors assess future scenarios, helping businesses prepare for upcoming challenges and capitalize on emerging trends. Foresight has been described as the ability to contemplate key risks and challenges that organizations could conceivably face, so that those perspectives can be shared with management and the Board.
This way, we help our clients prepare for challenges or opportunities before they materialize. Foresight enables us to warn of pending disasters that may befall our organizations in the event management is ignoring strategic or business risks. Of course, management might choose to ignore the foresight that internal auditors provide. But at least the flag will have been waved.
Delegation of authority and responsibility
Q: Can a CAE designate his/her responsibilities to the senior staff member regarding the objectives and scope?
Can individual internal auditors be delegated responsibilities for maintaining communication with management of key functions?
Who is responsible for reviewing and approving final engagement communications?
Can supervisory responsibilities be delegated to other individuals?
A: The chief audit executive may delegate appropriate responsibilities to other qualified professionals in the internal audit function but retains ultimate accountability.
The chief audit executive may delegate individual internal auditors to be responsible for maintaining ongoing communication with the management of key functions such as business segment leaders, global operations, information technology, finance, compliance, and human resources.
The chief audit executive must review and approve final engagement communications, which include engagement conclusions, and decide to whom and how they will be disseminated before they are issued. If these duties are delegated to other internal auditors, the chief audit executive retains overall responsibility.
Supervisory responsibilities may be delegated to appropriate and qualified individuals, but the chief audit executive retains ultimate responsibility.
Links to Relevant Documentation on the IIA website
-
Members Only
- Public Access
