Standards for the Professional Practice of Internal Auditing

International Standards for the Professional Practice of Internal Auditing

Note: Changes effective January 2007 are highlighted in bold italics to allow readers to easily
identify modifications and assist in the translation process.

Introduction
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

Internal audit activities are performed in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and by persons within or
outside the organization. While differences may affect the practice of internal auditing in each
environment, compliance with the International Standards for the Professional Practice of Internal
Auditing is essential if the responsibilities of internal auditors are to be met. If internal auditors are
prohibited by laws or regulations from complying with certain parts of the Standards, they should
comply with all other parts of the Standards and make appropriate disclosures.

Assurance services involve the internal auditor's objective assessment of evidence to provide an
independent opinion or conclusions regarding a process, system or other subject matter. The nature
and scope of the assurance engagement are determined by the internal auditor. There are generally
three parties involved in assurance services: (1) the person or group directly involved with the
process, system or other subject matter - the process owner, (2) the person or group making the
assessment - the internal auditor, and (3) the person or group using the assessment - the user.

Consulting services are advisory in nature, and are generally performed at the specific request of an
engagement client. The nature and scope of the consulting engagement are subject to agreement
with the engagement client. Consulting services generally involve two parties: (1) the person or
group offering the advice - the internal auditor, and (2) the person or group seeking and receiving
the advice - the engagement client. When performing consulting services the internal auditor
should maintain objectivity and not assume management responsibility.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal
audit activities.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards consist of Attribute Standards, Performance Standards, and Implementation

Standards. The Attribute Standards address the characteristics of organizations and parties
performing internal audit activities. The Performance Standards describe the nature of internal audit
activities and provide quality criteria against which the performance of these services can be
evaluated. While the Attribute and Performance Standards apply to all internal audit services, the
Implementation Standards apply to specific types of engagements.

1 of 13
There is one set of Attribute and Performance Standards, however, there are multiple sets of
Implementation Standards: a set for each of the major types of internal audit activity. The
Implementation Standards have been established for assurance (A) and consulting (C) activities.

The Standards are part of the Professional Practices Framework. The Professional Practices
Framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other
guidance. Guidance regarding how the Standards might be applied is included in Practice Advisories
that are issued by the Professional Issues Committee.

The Standards employ terms that have been given specific meanings that are included in the
Glossary.

The development and issuance of the Standards is an ongoing process. The Internal Auditing
Standards Board engages in extensive consultation and discussion prior to the issuance of the
Standards. This includes worldwide solicitation for public comment through the exposure draft
process.

All exposure drafts are posted on The IIA's Web site as well as being distributed to all IIA Affiliates.
Suggestions and comments regarding the Standards can be sent to:

The Institute of Internal Auditors

Professional Practices
247 Maitland Avenue
Altamonte Springs, FL 32701-4201, USA
E-mail: [email protected]
Web: http://www.theiia.org

Attribute Standards

1000 - Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity should be formally defined in
a charter, consistent with the Standards, and approved by the board.

1000.A1 - The nature of assurance services provided to the organization should be defined in the
audit charter. If assurances are to be provided to parties outside the organization, the nature of
these assurances should also be defined in the charter.

1000.C1 - The nature of consulting services should be defined in the audit charter.

1100 - Independence and Objectivity

The internal audit activity should be independent, and internal auditors should be objective in
performing their work.

1110 - Organizational Independence

The chief audit executive should report to a level within the organization that allows the internal
audit activity to fulfill its responsibilities.

1110.A1 - The internal audit activity should be free from interference in determining the scope of
internal auditing, performing work, and communicating results.

2 of 13
1120 - Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

1130 - Impairments to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment
should be disclosed to appropriate parties. The nature of the disclosure will depend upon the
impairment.

1130.A1 - Internal auditors should refrain from assessing specific operations for which they were
previously responsible. Objectivity is presumed to be impaired if an internal auditor provides
assurance services for an activity for which the internal auditor had responsibility within the
previous year.

1130.A2 - Assurance engagements for functions over which the chief audit executive has
responsibility should be overseen by a party outside the internal audit activity.

1130.C1 - Internal auditors may provide consulting services relating to operations for which they
had previous responsibilities.

1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to

proposed consulting services, disclosure should be made to the engagement client prior to accepting
the engagement.

1200 - Proficiency and Due Professional Care

Engagements should be performed with proficiency and due professional care.

1210 - Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit activity collectively should possess or obtain the
knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal
audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the
engagement.

1210.A2 - The internal auditor should have sufficient knowledge to identify the indicators of fraud
but is not expected to have the expertise of a person whose primary responsibility is detecting and
investigating fraud.

1210.A3 - Internal auditors should have knowledge of key information technology risks and
controls and available technology-based audit techniques to perform their assigned work. However,
not all internal auditors are expected to have the expertise of an internal auditor whose primary
responsibility is information technology auditing.

1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent
advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies
needed to perform all or part of the engagement.

1220 - Due Professional Care

Internal auditors should apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.

3 of 13
 1220.A1 - The internal auditor should exercise due professional care by considering the:

• Extent of work needed to achieve the engagement's objectives.

• Relative complexity, materiality, or significance of matters to which assurance procedures
are applied.
• Adequacy and effectiveness of risk management, control, and governance processes.
• Probability of significant errors, irregularities, or noncompliance.
• Cost of assurance in relation to potential benefits.

1220.A2 - In exercising due professional care the internal auditor should consider the use of
computer-assisted audit tools and other data analysis techniques.

1220.A3 - The internal auditor should be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with due
professional care, do not guarantee that all significant risks will be identified.

1220.C1 - The internal auditor should exercise due professional care during a consulting
engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and communication of
engagement results.
• Relative complexity and extent of work needed to achieve the engagement's objectives.
• Cost of the consulting engagement in relation to potential benefits.

1230 - Continuing Professional Development

Internal auditors should enhance their knowledge, skills, and other competencies through
continuing professional development.

1300 - Quality Assurance and Improvement Program

The chief audit executive should develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity and continuously monitors its
effectiveness. This program includes periodic internal and external quality assessments and ongoing
internal monitoring. Each part of the program should be designed to help the internal auditing
activity add value and improve the organization's operations and to provide assurance that the
internal audit activity is in conformity with the Standards and the Code of Ethics.

1310 - Quality Program Assessments

The internal audit activity should adopt a process to monitor and assess the overall effectiveness of
the quality program. The process should include both internal and external assessments.

1311 - Internal Assessments

Internal assessments should include:

• Ongoing reviews of the performance of the internal audit activity; and

• Periodic reviews performed through self-assessment or by other persons within the
organization, with knowledge of internal audit practices and the Standards.

1312 - External Assessments

External assessments should be conducted at least once every five years by a qualified,
independent reviewer or review team from outside the organization. The potential need
for more frequent external assessments as well as the qualifications and independence of
the external reviewer or review team, including any potential conflict of interest, should

4 of 13
be discussed by the CAE with the Board. Such discussions should also consider the size,
complexity and industry of the organization in relation to the experience of the reviewer
or review team.

1320 - Reporting on the Quality Program

The chief audit executive should communicate the results of external assessments to the board.

1330 - Use of "Conducted in Accordance with the Standards"

Internal auditors are encouraged to report that their activities are "conducted in accordance with
the International Standards for the Professional Practice of Internal Auditing." However, internal
auditors may use the statement only if assessments of the quality improvement program
demonstrate that the internal audit activity is in compliance with the Standards.

1340 - Disclosure of Noncompliance

Although the internal audit activity should achieve full compliance with the Standards and internal
auditors with the Code of Ethics, there may be instances in which full compliance is not
achieved. When noncompliance impacts the overall scope or operation of the internal audit activity,
disclosure should be made to senior management and the board.

Performance Standards

2000 - Managing the Internal Audit Activity

The chief audit executive should effectively manage the internal audit activity to ensure it adds
value to the organization.

2010 - Planning
The chief audit executive should establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organization's goals.

2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment,
undertaken at least annually. The input of senior management and the board should be considered
in this process.

2010.C1 - The chief audit executive should consider accepting proposed consulting engagements
based on the engagement's potential to improve management of risks, add value, and improve the
organization's operations. Those engagements that have been accepted should be included in the
plan.

2020 - Communication and Approval

The chief audit executive should communicate the internal audit activity's plans and resource
requirements, including significant interim changes, to senior management and to the board for
review and approval. The chief audit executive should also communicate the impact of resource
limitations.

2030 - Resource Management

The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.

2040 - Policies and Procedures

The chief audit executive should establish policies and procedures to guide the internal audit
activity.

5 of 13
 2050 - Coordination
The chief audit executive should share information and coordinate activities with other internal and
external providers of relevant assurance and consulting services to ensure proper coverage and
minimize duplication of efforts.

2060 - Reporting to the Board and Senior Management

The chief audit executive should report periodically to the board and senior management on the
internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
Reporting should also include significant risk exposures and control issues, corporate governance
issues, and other matters needed or requested by the board and senior management.

2100 - Nature of Work

The internal audit activity should evaluate and contribute to the improvement of risk management,
control, and governance processes using a systematic and disciplined approach.

2110 - Risk Management

The internal audit activity should assist the organization by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the
organization's risk management system.

2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's
governance, operations, and information systems regarding the

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2110.C1 - During consulting engagements, internal auditors should address risk consistent with the
engagement's objectives and be alert to the existence of other significant risks.

2110.C2 - Internal auditors should incorporate knowledge of risks gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of the
organization.

2120 - Control
The internal audit activity should assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate
the adequacy and effectiveness of controls encompassing the organization's governance,
operations, and information systems. This should include:

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.

2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and
objectives have been established and conform to those of the organization.

6 of 13
 2120.A3 - Internal auditors should review operations and programs to ascertain the extent to
which results are consistent with established goals and objectives to determine whether operations
and programs are being implemented or performed as intended.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the
extent to which management has established adequate criteria to determine whether objectives and
goals have been accomplished. If adequate, internal auditors should use such criteria in their
evaluation. If inadequate, internal auditors should work with management to develop appropriate
evaluation criteria.

2120.C1 - During consulting engagements, internal auditors should address controls consistent
with the engagement's objectives and be alert to the existence of any significant control
weaknesses.

2120.C2 - Internal auditors should incorporate knowledge of controls gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of the
organization.

2130 - Governance
The internal audit activity should assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization.

• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the
organization.
• Effectively coordinating the activities of and communicating information among the board,
external and internal auditors and management.

2130.A1 - The internal audit activity should evaluate the design, implementation, and effectiveness
of the organization's ethics-related objectives, programs and activities.

2130.C1 - Consulting engagement objectives should be consistent with the overall values and goals
of the organization.

2200 - Engagement Planning

Internal auditors should develop and record a plan for each engagement, including the scope,
objectives, timing and resource allocations.

2201 - Planning Considerations

In planning the engagement, internal auditors should consider:

• The objectives of the activity being reviewed and the means by which the activity controls
its performance.
• The significant risks to the activity, its objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity's risk management and control systems
compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity's risk management
and control systems.

7 of 13
2201.A1 - When planning an engagement for parties outside the organization, internal auditors
should establish a written understanding with them about objectives, scope, respective
responsibilities and other expectations, including restrictions on distribution of the results of the
engagement and access to engagement records.

2201.C1 - Internal auditors should establish an understanding with consulting engagement clients
about objectives, scope, respective responsibilities, and other client expectations. For significant
engagements, this understanding should be documented.

2210 - Engagement Objectives

Objectives should be established for each engagement.

2210.A1 - Internal auditors should conduct a preliminary assessment of the risks relevant to the
activity under review. Engagement objectives should reflect the results of this assessment.

2210.A2 - The internal auditor should consider the probability of significant errors, irregularities,
noncompliance, and other exposures when developing the engagement objectives.

2210.C1 - Consulting engagement objectives should address risks, controls, and governance
processes to the extent agreed upon with the client.

2220 - Engagement Scope

The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 - The scope of the engagement should include consideration of relevant systems, records,
personnel, and physical properties, including those under the control of third parties.

2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific

written understanding as to the objectives, scope, respective responsibilities and other expectations
should be reached and the results of the consulting engagement communicated in accordance with
consulting standards.

2220.C1 - In performing consulting engagements, internal auditors should ensure that the scope of
the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop
reservations about the scope during the engagement, these reservations should be discussed with
the client to determine whether to continue with the engagement.

2230 - Engagement Resource Allocation

Internal auditors should determine appropriate resources to achieve engagement objectives.
Staffing should be based on an evaluation of the nature and complexity of each engagement, time
constraints, and available resources.

2240 - Engagement Work Program

Internal auditors should develop work programs that achieve the engagement objectives. These
work programs should be recorded.

2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating,
and recording information during the engagement. The work program should be approved prior to
its implementation, and any adjustments approved promptly.

8 of 13
2240.C1 - Work programs for consulting engagements may vary in form and content depending
upon the nature of the engagement.

2300 - Performing the Engagement

Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the
engagement's objectives.

2310 - Identifying Information

Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the
engagement's objectives.

2320 - Analysis and Evaluation

Internal auditors should base conclusions and engagement results on appropriate analyses and
evaluations.

2330 - Recording Information

Internal auditors should record relevant information to support the conclusions and engagement
results.

2330.A1 - The chief audit executive should control access to engagement records. The chief audit
executive should obtain the approval of senior management and/or legal counsel prior to releasing
such records to external parties, as appropriate.

2330.A2 - The chief audit executive should develop retention requirements for engagement
records. These retention requirements should be consistent with the organization's guidelines and
any pertinent regulatory or other requirements.

2330.C1 - The chief audit executive should develop policies governing the custody and retention of
engagement records, as well as their release to internal and external parties. These policies should
be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

2340 - Engagement Supervision

Engagements should be properly supervised to ensure objectives are achieved, quality is assured,
and staff is developed.

2400 - Communicating Results

Internal auditors should communicate the engagement results.

2410 - Criteria for Communicating

Communications should include the engagement's objectives and scope as well as applicable
conclusions, recommendations, and action plans.

2410.A1 - Final communication of engagement results should, where appropriate, contain the
internal auditor's overall opinion and or conclusions.

2410.A2 - Internal auditors are encouraged to acknowledge satisfactory performance in

engagement communications.

2410.A3 - When releasing engagement results to parties outside the organization, the
communication should include limitations on distribution and use of the results.

9 of 13
 2410.C1 - Communication of the progress and results of consulting engagements will vary in form
and content depending upon the nature of the engagement and the needs of the client.

2420 - Quality of Communications

Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

2421 - Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive should
communicate corrected information to all parties who received the original communication.

2430 - Engagement Disclosure of Noncompliance with the Standards

When noncompliance with the Standards impacts a specific engagement, communication of the
results should disclose the:

• Standard(s) with which full compliance was not achieved,

• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.

2440 - Disseminating Results

The chief audit executive should communicate results to the appropriate parties.

2440.A1 - The chief audit executive is responsible for communicating the final results to parties
who can ensure that the results are given due consideration.

2440.A2 - If not otherwise mandated by legal, statutory or regulatory requirements, prior to

releasing results to parties outside the organization, the chief audit executive should:

• Assess the potential risk to the organization.

• Consult with senior management and/or legal counsel as appropriate
• Control dissemination by restricting the use of the results.

2440.C1 - The chief audit executive is responsible for communicating the final results of consulting
engagements to clients.

2440.C2 - During consulting engagements, risk management, control, and governance issues may
be identified. Whenever these issues are significant to the organization, they should be
communicated to senior management and the board.

2500 - Monitoring Progress

The chief audit executive should establish and maintain a system to monitor the disposition of
results communicated to management.

2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure
that management actions have been effectively implemented or that senior management has
accepted the risk of not taking action.

2500.C1 - The internal audit activity should monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.

2600 - Resolution of Management's Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of residual

10 of 13
risk that may be unacceptable to the organization, the chief audit executive should discuss the
matter with senior management. If the decision regarding residual risk is not resolved, the chief
audit executive and senior management should report the matter to the board for resolution.

Glossary
Add Value - Value is provided by improving opportunities to achieve organizational objectives,
identifying operational improvement, and/or reducing risk exposure through both assurance and
consulting services.

Adequate Control - Present if management has planned and organized (designed) in a manner
that provides reasonable assurance that the organization's risks have been managed effectively and
that the organization's goals and objectives will be achieved efficiently and economically.

Assurance Services - An objective examination of evidence for the purpose of providing an

independent assessment on risk management, control, or governance processes for the
organization. Examples may include financial, performance, compliance, system security, and due
diligence engagements.

Board - A board is an organization's governing body, such as a board of directors, supervisory

board, head of an agency or legislative body, board of governors or trustees of a non profit
organization, or any other designated body of the organization, including the audit committee, to
whom the chief audit executive may functionally report.

Charter - The charter of the internal audit activity is a formal written document that defines the
activity's purpose, authority, and responsibility. The charter should (a) establish the internal audit
activity's position within the organization; (b) authorize access to records, personnel, and physical
properties relevant to the performance of engagements; and (c) define the scope of internal audit
activities.

Chief Audit Executive - Top position within the organization responsible for internal audit
activities. Normally, this would be the internal audit director. In the case where internal audit
activities are obtained from outside service providers, the chief audit executive is the person
responsible for overseeing the service contract and the overall quality assurance of these activities,
reporting to senior management and the board regarding internal audit activities, and follow-up of
engagement results. The term also includes such titles as general auditor, chief internal auditor,
and inspector general.

Code of Ethics - The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles
relevant to the profession and practice of internal auditing, and Rules of Conduct that describe
behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that
provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in
the global profession of internal auditing.

Compliance - Conformity and adherence to policies, plans, procedures, laws, regulations,

contracts, or other requirements.

Conflict of Interest - Any relationship that is or appears to be not in the best interest of the
organization. A conflict of interest would prejudice an individual's ability to perform his or her
duties and responsibilities objectively.

11 of 13
 Consulting Services - Advisory and related client service activities, the nature and scope of which
are agreed with the client and which are intended to add value and improve an organization's
governance, risk management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation and training.

Control - Any action taken by management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved. Management plans,
organizes, and directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.

Control Environment - The attitude and actions of the board and management regarding the
significance of control within the organization. The control environment provides the discipline and
structure for the achievement of the primary objectives of the system of internal control. The
control environment includes the following elements:

• Integrity and ethical values.

• Management's philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

Control Processes - The policies, procedures, and activities that are part of a control framework,
designed to ensure that risks are contained within the risk tolerances established by the risk
management process.

Engagement - A specific internal audit assignment, task, or review activity, such as an internal
audit, Control Self-Assessment review, fraud examination, or consultancy. An engagement may
include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives - Broad statements developed by internal auditors that define intended
engagement accomplishments.

Engagement Work Program - A document that lists the procedures to be followed during an
engagement, designed to achieve the engagement plan.

External Service Provider - A person or firm, outside of the organization, who has special
knowledge, skill, and experience in a particular discipline.

Fraud - Any illegal acts characterized by deceit, concealment or violation of trust. These acts are
not dependent upon the application of threat of violence or of physical force. Frauds are
perpetrated by parties and organizations to obtain money, property or services; to avoid payment
or loss of services; or to secure personal or business advantage.

Governance - The combination of processes and structures implemented by the board in order to
inform, direct, manage and monitor the activities of the organization toward the achievement of its
objectives.

Impairments - Impairments to individual objectivity and organizational independence may include

personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).

12 of 13
Independence - The freedom from conditions that threaten objectivity or the appearance of
objectivity. Such threats to objectivity must be managed at the individual auditor, engagement,
functional and organizational levels.

Internal Audit Activity - A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to add value and
improve an organization's operations. The internal audit activity helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.

Objectivity - An unbiased mental attitude that allows internal auditors to perform engagements in
such a manner that they have an honest belief in their work product and that no significant quality
compromises are made. Objectivity requires internal auditors not to subordinate their judgment on
audit matters to that of others.

Residual Risks - The risk remaining after management takes action to reduce the impact and
likelihood of an adverse event, including control activities in responding to a risk.

Risk - The possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.

Risk Management - A process to identify, assess, manage, and control potential events or
situations, to provide reasonable assurance regarding the achievement of the organization's
objectives.

Should - The use of the word "should" in the Standards represents a mandatory obligation.

Standard - A professional pronouncement promulgated by the Internal Auditing Standards Board

that delineates the requirements for performing a broad range of internal audit activities, and for
evaluating internal audit performance.

13 of 13