With the guidance of the original legislation, as interpreted by Senator Harmer, and the International Standards for the Professional Practice of Internal Auditing (Institute of Internal Auditors), A&AS uses a variety of audit techniques in its review of campus programs/resources. These audit techniques are commonly referred to as:
California Government Code Section 1236 (July 1983) requires all state agencies that have their own internal auditors to:
... utilize the general and specified standards of internal auditing prescribed by the Institute of Internal Auditors (IIA).
In January 2009, the IIA issued the International Professional Practices Framework (IPPF) with two categories of guidance: Mandatory and Strongly Recommended. The three mandatory elements are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The three strongly recommended elements are Position Papers, Practice Advisories, and Practice Guides.
The definition of internal auditing states the fundamental purpose, nature, and scope as follows:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.
The Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards consist of statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance; and interpretations, which clarify terms or concepts within the statements.
Section 2100 of the Standards outlines the nature of work of A&AS and states that the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. This includes:
2110 Governance – The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities; and assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
2120 Risk Management – The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2130 Control – The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the: