The differencess between

IPPF (2017) and IPPF (2004)

Azzahra Dita, Elisabeth Maha,
Farah Widia & Vilia Putri
Elements of IPPF:
The Mission of Internal Auditor
1000 - Purpose, Authority, and Responsibility
2004 2017 Implication

“The purpose, authority, and “The purpose, authority, and responsibility Revise the internal audit charter
responsibility of the ointernal audit of the internal audit activity must be by considering the mission of
formally defined in an internal audit
activity must be formally defined in internal audit and the core
charter, consistent with the mission of
an internal audit charter, consistent internal audit and the mandatory principles for the professional of
with the standards, and approved by elements of International Professional internal auditing.
the board of directors. Separate Practices Framework (the core principles
implementation standards here for the professional of internal auditing,
state that internal auditing the code of ethics, the standards, and the
assurance and consulting services definition of internal auditing). The Chief
audit executive must perodically review
must be defined in the internal audit the internal audit charter and present it to
charter” senior management and the board for
approval”
1000.A1 - Purpose, Authority, and Responsibility
2004 2017 Implication

“The nature of assurance services Revise the internal audit charter

provided to the organization must by considering the mission of
be defined in the internal audit internal audit and the core
charter. If assurances are to be principles for the professional of
provided to parties outside the internal auditing.
organization, the nature of these
There is no explanation assurances must also be defined in
the internal audit charter.”
1000.C1 - Purpose, Authority, and Responsibility
2004 2017 Implication

“The nature of consulting services There is an explanation for nature

must be defined in the internal audit of consulting services in the
charter.” internal audit charter.

There is no explanation
1010 - Recognizing mandatory guidance in the internal audit carther

2004 2017 Implication

“the mandatory nature of the core Revise the internal audit charter
principles for the professional by considering the mission of
practice of internal auditing, the internal audit and the core
code of ethics, the standards, and principles for the professional of
the definition of internal auditing internal auditing.
must be recognized in the internal
There is no explanation audit charter. The chief audit
executive should discuss the mission
of internal audit and the mandatory
elements of the IPPF with senior
management and the board.”
1110.A1 - Organizational independence

2004 2017 Implication

“The internal audit activity must be If there is any interference, the

free from interference in CAE must dicslose such
determining the scope of internal interference to the board and
auditing, performing work, and discuss the implication of
communicating results. The chief interference.
audit executive must disclose such
There is no explanation interference to the board and
discuss the implications”
1111 - Direct intraction with the board

2004 2017 Implication

“The chief audit executive must CAE must make a good

communicate and interact directly communication and interaction
with the board.” with the board directly to do an
internal auditing.

There is no explanation
1112- CAE roles beyond internal auditing

2004 2017 Implication

“where the chief audit executive has Safeguars like statement in

or is expected to have a roles and/or organization policy and code of
responsibilities that fall outside of ethic, audit committee charter,
internal auditing, safeguards must mission of internal audit, internal
be in place to limit impairments to audit charter must be made if
independence or objectivity.” CAE have a roles and/or
There is no explanation responsibilities beyond internal
auditing.
1130.A2 - Impairment to independence or objectivity

2004 2017 Implication

“Assurance engagements for An external party of internal audit

functions over which the chief audit activity must oversee an
executive has responsibility must be assurance engagement which the
overseen by a party outside the CAE has responsibility for the
internal audit activity.“ activity previously.

There is no explanation
1130.A3 - Impairment to independence or objectivity

2004 2017 Implication

“The internal audit activity may If there is no impairment to

provide assurance services where it independence or objectivity, the
had previously performed consulting internal audit activity may provide
services, provided the nature of the assurance services for the
consulting did not impair objectivity previous consulting services.
and provided individual objectivity is
There is no explanation managed when assigning resources
to the engagement.”
1130.C1 - Impairment to independence or objectivity

2004 2017 Implication

“Internal auditors may provide Internal auditor can provide a

consulting services relating to consulting service for the activity
operations for which they had which they had responsibilities
previous responsibilities.” previously.

There is no explanation
1130.C2 - Impairment to independence or objectivity

2004 2017 Implication

“If internal auditors have potential A potential impairments to

impairments to independence or independence and objectivity
objectivity relating to proposed must be diclosed before
consulting services, disclosure must accepting the engagement.
be made to the engagement client
prior to accepting the engagement.”
There is no explanation
 1210-Proficiency
2004 2017 Implication

There is no explanation Internal auditors must To perfom engagement,

possess the knowledge, internal auditor must have
skills, and other the knowledge, skills, and
competencies needed to other competencies.
perform their individual
responsibilities. The internal
audit activity collectively
must possess or obtain the
knowledge, skills, and other
competencies needed to
perform its responsibilities

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

1210.C1 - Proficiency
2004 2017 Implications

There is no explanation The chief audit executive Consulting engagement

must decline the must be perform with
consulting engagement or Internal Auditor’s knowledge,
obtain competent advice skills, or other competencies
and assistance if the needed.
internal auditors lack the CAE must decline or obtain
knowledge, skills, or other competent advice if Internal
competencies needed to Auditor lack of it.
perform all or part of the
engagement.

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

1220.C1 Due Professional Care
2004 2017 Implications

There is no explanation Internal auditors must exercise During a consulting engagement,

due professional care during a Internal Auditor must exercise due
consulting engagement by profesionalcare by considering
considering the: needs and expectations clients,
● Needs and expectations of complexity and extent of work,
clients, including the nature, and cost of the consulting .
timing, and communication
of engagement results.
● Relative complexity and
extent of work needed to
achieve the engagement’s
objectives.
● Cost of the consulting
engagement in relation to
potential

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

1320 – Reporting on the Quality Assurance and Improvement Program
2004 2017 Implications
There is no explanations “The chief audit executive must “Internal Audit must communicate
communicate the results of the the quality assurance and
quality assurance and improvement program to Senior
improvement program to senior Management and the Board.
management and the board. Disclosures must include:
Disclosure should include: ● The scope and frequency of
● The scope and frequency of both internal assessment and
the internal and external external assessment
assessments. ● Qualifications and
● The qualifications and independence of assessors
independence of the assessor(s) or assessment teams,
or assessment team, including including potential conflicts
potential conflicts of interest. of interest
● Conclusions of assessors. ● Assessor's conclusions
● Corrective action plans.” ● Corrective follow-up plans.”

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

1320 - Reporting on quality assurance and improvement program

2004 2017 Implication

“The chief audit executive must CAE have to communicate the

communicate the results of the quality results of the quality assurance
assurance and improvement program and improvement program
to senior management and the board. include:
Disclosure should include: ● The scope and frequency of both the
● The scope and frequency of both the internal and external assessments
internal and external assessments ● The qualifications and independence
There is no explanation ● The qualifications and independence of the assessor(s) or assessment
of the assessor(s) or assessment team, including potential conflicts of
team, including potential conflicts of interest
interest ● Conclusions of assessors
● Conclusions of assessors ● Corrective action plans
● Corrective action plans.”
1322-Disclosure of Nonconformance
2004 2017 Implication

“When nonconformance with the CAE discloses the

Code of Ethics or the Standards nonconformance and the impact
impacts the overall scope or to senior management and the
operation of the internal audit board
activity, the chief audit
There is no explanation executive must disclose the
nonconformance and the
impact to senior management
and the board.”
2000 - Managing the internal audit activity
2004 2017 Implication

“The CAE must effectively manage the internal The internal auditors are
audit activity to ensure it adds value to the
expected to have sufficient
organization.
Interpretation: analytical and research skills. The
•It achieves the purpose and responsibility internal audit activity must be
included in the internal audit charter integrated with organizational’s
“The CAE must effectively manage •It conforms with the standards strategies and objectives. The
•Its individual members conform with the
the internal audit activity to ensure code of ethics and the standards
internal auditors are expect to
it adds value to the enterprise” •It considers trends and emerging issues that play more roles in providing
could impact the organization consulting service.
The internal audit activity adds value to the
organization and its stakeholders when it
considers strategies, objectives, and risks;
strives to offer ways to enhance governance,
risk management, and control processes; and
objectively provides relevant assurance.”
2010.A1- Planning
2004 2017 Implication

“The internal audit activity’s Engagement planning

plan of engagements must be documentation must be based on
based on a documented risk assessment, which is
risk assessment, undertaken at undertaken at least annualy
least annually. The input of
There is no explanation senior management and the
board must be considered in this
process”
2010.A2- Planning
2004 2017 Implication

“The chief audit executive must Expectation of senior, the board,

identify and consider the and other stakeholders for
expectations of senior internal audit opinions and other
management, the board, and conclusions must be identified by
other stakeholders for internal CAE
There is no explanation audit opinions and other
conclusions”
2010.C1 - Planning
2004 2017 Implication

“The chief audit executive should Acceptance of proposed

consider accepting proposed consulting engagements by CAE
consulting engagements based based on the engagements’s
on the engagement’s potential to potential to improve management
improve management of risks, of risks, add value, and improve
There is no explanation add value, and improve the the organization’s operations and
organization’s operations. must be included in the plan.
Accepted engagements must be
included in the plan.”
2020 - Communication and Approval
2004 2017 Implication

“The chief audit executive must there is a must communication

communicate the internal audit done by the CAE, about
activity’s plans and resource activity’s plans and resource
requirements, including requirements, including
significant interim changes, to significant interim changes, to
There is no explanation senior management and the senior management and the
board for review and approval. board for review and approval,
The chief audit executive must following with the impact of
also communicate the impact of resource limitations
resource limitations”
2030 - Resource Management
2004 2017 Implication

“The chief audit executive must ensure Internal audit resources must be
that internal audit resources are ensured by the CAE that are
appropriate, sufficient, and effectively
appropriate, sufficient, and
deployed to achieve the approved
plan” effectively deployed.
Appropriate refers to mix of
There is no explanation Interpretation: knowledge, skills, and other
competencies
Appropriate refers to the mix of Sufficient refers to the quantity of
knowledge, skills, and other resources needed to accomplish
competencies needed to perform the the plan
plan. Sufficient refers to the quantity of
resources needed to accomplish the
Deployed refers to optimalization
plan. Resources are effectively of using resources in a way to
deployed when they are used in a way achieve the plan
that optimizes the achievement of the
approved plan
2050 - Coordination and Reliance
2004 2017 Implication

There is no explaination “The chief audit executive Information must be

should share information, shared,
coordinate activities, and CAE in coordinate
consider relying upon the activities may rely on the
work of other internal and work of assurance and
external assurance and consulting services.
consulting service providers
to ensure proper coverage
and minimize duplication
of efforts.”

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

 2060 - Reporting to Senior Management and the Board
2004 2017 Implication

“The chief audit “The chief audit executive CAE in reporting and
executive should report must report periodically to communication to senior
senior management and management and the
periodically to the board
the board on the internal board must include:”
and senior management audit activity’s purpose, ● "The audit charter.
on the internal audit authority, responsibility, and ● Independence of the
activity’s purpose, performance relative to its internal audit activity.
authority, responsibility, plan and on its ● The audit plan and
and performance conformance with the progress against the
Code of Ethics and the plan.
relative to its plan.”
Standards.” ● Resource
requirements…”
Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016
 2060 - Reporting to Senior Management and the Board
2004 2017 Implication

“Reporting must also “Reporting must also ● “Results of audit activities.

include include significant risk and ● Conformance with the
significant risk exposures control issues, including Code of Ethics and the
and control issues, fraud risks, governance Standards, and action
issues, and other matters plans to address any
corporate governance
that require the attention significant conformance
issues, and other of senior management issues.
matters needed or and/or the board.” ● Management’s response to
requested by the board risk that, in the chief audit
and senior management.” executive’s judgment, may
be unacceptable to the
organization...”
Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016
2060 - Reporting to Senior Management and the Board
2004 2017 Implication

“The chief audit executive’s reporting “... and conformance with

and communication to senior the Code of Ethics and the
management and the board must include Standards.”
information about:
● The audit charter.
● Independence of the internal audit
activity.
● The audit plan and progress against
the plan.
● Resource requirements...”

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

2060 - Reporting to Senior Management and the Board

2004 2017 Implication

“...
● Results of audit activities.
● Conformance with the Code of
Ethics and the Standards, and action
plans to address any significant
conformance issues.
● Management’s response to risk that,
in the chief audit executive’s
judgment, may be unacceptable to
the organization.”

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

2070 - External Service Provider and Organizational Responsibility for
Internal Auditing
2004 2017 Implication

There is no explanation “When an external service External sevice for internal

provider serves as the internal audit must have awareness
audit activity, the provider that the organization has
must make the organization the responsibility for
aware that the organization
maintaining an effective
has the responsibility for
maintaining an effective internal audit activity
internal audit activity.”

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

2070 - External Service Provider and Organizational Responsibility for
Internal Auditing
2004 2017 Implication

There is no explanation “When an external service External sevice for internal

provider serves as the internal audit must have awareness
audit activity, the provider that the organization has
must make the organization the responsibility for
aware that the organization
maintaining an effective
has the responsibility for
maintaining an effective internal audit activity
internal audit activity.”

Sources: Moeller, 2016 Sources: The Institute of Internal Auditor, 2016

2100 - Nature of Work
2004 2017 Implication

“Internal audit activity “The internal audit activity Internal audit

includes evaluations and must evaluate and contribute 1. Internal auditors in their
contributions to the to the improvement of the assignments emphasize
improvement of risk organization’s governance, more on using a risk-based
management, control, and risk management, and control
approach
governance systems using “a processes using a systematic,
systematic and disciplined disciplined, and risk-based 2. Internal auditors are
approach.” approach. Internal audit emphasized to be more
credibility and value are proactive and insightful
enhanced when auditors are
proactive and their
evaluations offer new
insights and consider future
Sources: Moeller, 2016
impact.” Sources: The Institute of Internal
Auditor, 2016
2110- Governance
2004 2017 Implication

“... “The internal audit activity Internal audit

● Promoting appropriate must assess and make ● Internal auditors are
ethics and values within appropriate recommendations expected to have
the enterprise; to improve the organization’s strategic
● Ensuring effective governance processes for:
● operational knowledge
organizational ● Making strategic and
performance management operational decisions. of the organization to
and accountability; ● Overseeing risk become a strategic
● Communicating risk and management and partner of the
control information to control. organization.
appropriate areas of the ● Promoting appropriate
enterprise; and ethics and values within
the organization.
Sources: The Institute of Internal
Sources: Moeller, 2016 Auditor, 2016
2110- Governance
2004 2017 Implication

● Ensuring effective
● Coordinating the activities organizational performance
of and communicating management and
information among the accountability.
board, external and ● Communicating risk and
internal auditors, and control information to
appropriate areas of the
management.”
organization.
● Coordinating the activities
of, and communicating
information among, the
board, external and internal
auditors, other assurance
providers, and management.
Sources: Moeller, 2016
2130 - Control
2004 2017 Implication

“The internal audit activity Internal audit activity

must assist the must assist the
organization in organization in
maintaining effective maintaining effective
There is no explanation
controls by evaluating controls by evaluating
their effectiveness and their effectiveness and
efficiency and by efficiency and showing
promoting continuous continuous improvement.
improvement”
2200 - Engagement Planning
2004 2017 Implication

“Internal auditors must “Internal auditors must

develop and record a plan develop and document a Internal Auditors must
for plan for each documenting the planning
each engagement, engagement, including of the assignment by
including the scope, the engagement’s considering the
objectives, timing, and objectives, scope, timing, organization's strategy,
resource allocations” and resource allocations. objectives and risks
The plan must consider relevant to the
the organization’s assignment.
strategies, objectives,
and risks relevant to the
engagement.”
2201 - Planning Consideartions
2004 2017 Implication

“In planning an audit “... Internal auditors are

engagement, internal auditors ● The strategies and expected to have
should consider: objectives of the activity
● The objectives of the
organizational strategic
being reviewed and the
activity being reviewed and knowledge
means by which the
the means by which the
activity controls its
activity controls its
performance.
performance.
● The significant risks to the ● The significant risks to the
activity, its objectives, activity’s objectives,
resources, and operations, resources, and operations
and the means by which the and the means by which
potential impact of risk is the potential impact of risk
kept to an acceptable is kept to an acceptable
level. level.
2201 - Planning Considerations
2004 2017 Implication

● “The adequacy and ● “The adequacy and No implication

effectiveness of the effectiveness of the
activity’s risk management activity’s governance,
and internal control risk management, and
processes compared to a control processes
relevant control framework compared to a relevant
or model. framework or model.
● The opportunities for ● The opportunities for
making significant making significant
improvements to the improvements to the
activity’s risk management activity’s governance,
and control processes. risk management, and
control processes.

●
2210.A3 - Engagement Objectives
2004 2017 Implication

“Adequate criteria are needed to evaluate “Adequate criteria are needed to evaluate
governance, risk management, and governance, risk management, and
Additional interpretations
controls. Internal auditors must ascertain controls. Internal auditors must ascertain of the types of criteria:
the extent to which management and/or the extent to which management and/or
the board the board has established adequate internal, external, and
has established adequate criteria to criteria to determine whether objectives recommended practices
determine whether objectives and goals and goals have been accomplished. If
have been adequate, internal auditors must use such
accomplished. If adequate, internal criteria in their evaluation. If inadequate,
auditors must use such criteria in their internal auditors must identify appropriate
evaluation. If inadequate, internal auditors evaluation criteria through discussion with
must identify appropriate evaluation criteria management and/or the board.”
through discussion with management
and/or the board.” Interpretation:
Types of criteria may include:
Internal (e.g., policies and procedures of
the organization). External (e.g., laws and
regulations imposed by statutory bodies).
Leading practices (e.g., industry and
professional guidance).
2230 - Engagement Resource Allocation
2004 2017 Implication

“ Internal auditors must determine “Internal auditors must determine Additional interpretations
the appropriate resources appropriate and sufficient accordingly refer to a combination
necessary to achieve the audit resources to achieve of knowledge, skills, and other
engagement objectives. Staffing engagement objectives based on competencies.
must be based on an evaluation an evaluation of the nature and
of the nature and complexity of complexity of each engagement,
each engagement, time time constraints, and available
constraints, and available resources.”
resources.”
Interpretation:

Appropriate refers to the mix of

knowledge, skills, and other
competencies needed to perform the
engagement. Sufficient refers to the
quantity of resources needed to
accomplish the engagement with
due professional care.
2330 - Documenting Information

2004 2017 Implication

“ Internal auditors must record “Internal auditors must Internal auditors must explain
relevant information to support document sufficient, reliable, reliability and adequacy of
the conclusions and engagement relevant, and useful informations that support the
results. “ information to support the conclusion in the working paper
engagement results and
conclusions.”
2410 - Criteria of Communicating

2004 2017 Implication

“ Internal auditors must “Communications must include No implication, just simplification

communicate their engagement the engagement’s objectives, of words
results, including the audit’s scope, and results.”
objectives and scope as well as
applicable conclusions,
recommendations, action plans,
and the internal auditor’s overall
opinion and/or conclusions.”
2410.A1 - Criteria of Communicating

2004 2017 Implication

“ Final communication of “Final communication of engagement Internal auditors are more

results must include applicable
engagement results must, where emphasized to improve the
conclusions, as well as applicable
appropriate, contain the internal recommendations and/or action plans. mindset of consultation in provide
auditor’s overall opinion and/or Where appropriate, the internal recommendation so the
conclusions” auditors’ opinion should be provided. recommendation can be applied.
An opinion must take into account the
expectations of senior management, the
board, and other stakeholders and must
be supported by sufficient, reliable,
relevant, and useful information.”
Interpretations: Opinions at the
engagement level may be ratings,
conclusions, or other descriptions of the
results. Such an engagement may be in
relation to controls around a specific
process, risk, or business unit. The
formulation of such opinions requires
consideration of the engagement results
and their significance
2430 - Use of “Conducted in Conformance with the International Standards for the Professional Practice
of Internal Auditing”
2004 2017 Implication

“ Internal auditors are “Indicating that engagements are No implication, just a change of
encouraged to report that their conducted in conformance with words.
engagements are “conducted in the International Standards for
conformance with the the Professional Practice of
International Standards for the Internal Auditing” is appropriate
Professional Practice of Internal only if supported by the results of
Auditing.” However, internal the quality assurance and
auditors may use the statement improvement program.”
only if the results of the quality
assurance and improvement
program demonstrate that the
internal audit activity conforms to
the Standards
2431 - Engagement Disclosure of Nonconformance

2004 2017 Implication

“ When noncompliance with the “When nonconformance with Nonconformance only with the
Standards impacts a specific the Code of Ethics or the Code of Ethics or Standards only.
engagement, communication of Standards impacts a specific
the results must disclose the: engagement, communication of
■ Principle or rule of conduct of the results must disclose the:
the Code of Ethics or Standard(s) ● Principle(s) or rule(s) of
with which full conformance was conduct of the Code of Ethics
not made; or the Standard(s) with which
■ Reason(s) for noncompliance; full conformance was not
and achieved.
■ Impact of noncompliance on the ● Reason(s) for
engagement. nonconformance.
● Impact of nonconformance on
the engagement and the
communicated engagement
results.”
2450 - Overall Opinions

2004 2017 Implication

“When an overall opinion Internal auditor must take

is issued, it must take into account the
into account the strategies, objectives, and
strategies, objectives, risks of the organization;
There is no explanation and risks of the and the expectations of
organization; and the senior management, the
expectations of senior board when issuing an
management, the board, opinion.
and other.”
2130.A1 - Control
2004 2017 Implication

“The internal audit activity must evaluate Internal auditor must evaluate
the adequacy and effectiveness of the adequacy and effectiveness
controls in responding to risks within the of controls in responding to risks
organization’s governance, operations, within organization’s governance,
and information systems regarding the: operations, and information
systems.
There is no - Achievement of the organization’s
explanation strategic objectives
- Reliability and integrity of financial
and operational information
- Effectiveness and efficiency of
operations and programs
- Safeguarding of assets
- Compliance with laws, regulations,
policies, procedures, and
contracts.”
2130.C1 - Control
2004 2017 Implication

Internal auditor must

“Internal auditors must
incorporate knowledge of
incorporate knowledge of control that gainde form
controls gained from consulting engagements
There is no consulting engagements into into evaluation of the
explanation evaluation of the organization’s control
organization’s control processes
processes.”
2210.C2 - Engagements Objectives
2004 2017 Implication

In order to conduct
“Consulting engagement
consulting engagement
objectives must be consistent objectives, it must
with the organization's consistent with the
There is no values, strategies, and organization’s values,
explanation objectives.” startegis, and objectives.
2240.A1 - Engagement Work Program
2004 2017 Implication

Internal auditor must

“Work programs must include
conduct work programs
the procedures for identifying, which include the
analyzing, evaluating, and procedures for identifying,
There is no documenting information analyzing, evaluating and
explanation during the engagement. The documenting information
work program must be during the engagement.
approved prior to its Work programs must be
approved before
implementation, and any
implementation and any
adjustments approved adjustments approved
promptly.” promptly.
2240.C1 - Engagement Work Program
2004 2017 Implication

Internal auditor must

“Work programs for
know the nature of
consulting engagements engagement in order to
may vary in form and conduct work programs
There is no content depending upon the for consulting
explanation nature of the engagement.” engagements.
2050 - Coordination and Reliance
2004 2017 Implication

CAE should share

“The chief audit executive
information, coordinate
should share information, activities, and consider
coordinate activities, and relying upon the work of
There is no consider relying upon the the other internal and
explanation work of other internal and external assurance and
external assurance and consulting service
consulting service providers providers to ensure
proper coverage and
to ensure proper coverage
minimize duplication of
and minimize duplication of efforts.
efforts.”
● Moeller, Robert R. 2016. Brink’s Modern
Internal Auditing : A Common Body of
Knowledge - Eighth Edition. New Jersey :
John Wiley & Sons, Inc.
● Prahasto, Abdiansyah. 2017. IPPF dan
Standar IIA Terbaru serta Implikasinya
terhadap Aktivitas Internal Audit. Retrieved
from
https://www.slideshare.net/AbdiansyahP
rahasto/ippf-dan-standar-iia-terbaru-201
7-serta-implikasinya-terhadap-aktivitas-i
Refererences
nternal-audit
● The Institute of Internal Audit. 2017.
International Standards For The
Professional Practice Of Internal Auditing
(Standards). Retrieved from
https://na.theiia.org/standards-guidance/
Public%20Documents/IPPF-Standards-20
17.pdf