Principle 3 Demonstrate Competency

Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.

Demonstrating competency requires developing and applying the knowledge, skills, and abilities to provide internal audit services. Because internal auditors provide a diverse array of services, the competencies needed by each internal auditor vary. In addition to possessing or obtaining the competencies needed to perform services, internal auditors improve the effectiveness and quality of services by pursuing professional development. 

Standard 3.1 Competency

Requirements

Internal auditors must possess or obtain the competencies to perform their responsibilities successfully. The required competencies include the knowledge, skills, and abilities suitable for one’s job position and responsibilities commensurate with their level of experience. Internal auditors must possess or develop knowledge of The IIA’s Global Internal Audit Standards.

Internal auditors must engage only in those services for which they have or can attain the necessary competencies.

Each internal auditor is responsible for continually developing and applying the competencies necessary to fulfill their professional responsibilities. Additionally, the chief audit executive must ensure that the internal audit function collectively possesses the competencies to perform the internal audit services described in the internal audit charter or must obtain the necessary competencies. (See also Standards 7.2 Chief Audit Executive Qualifications and 10.2 Human Resources Management.)

Considerations for Implementation 

Internal auditors should develop competencies related to:

• Communication and collaboration.
• Governance, risk management, and control processes.
• Business functions, such as financial management and information technology.
• Pervasive risks, such as fraud.
• Tools and techniques for gathering, analyzing, and evaluating data.
• The risks and potential impacts of various economic, environmental, legal, political, and social conditions.
• Laws, regulations, and practices relevant to the organization, sector, and industry.
• Trends and emerging issues relevant to the organization and internal auditing.
• Supervision and leadership.

To develop and demonstrate competencies, internal auditors may:

• Obtain appropriate professional credentials, such as the Certified Internal Auditor® designation and other certifications and credentials.
• Identify opportunities for improvement and competencies that need development, based on feedback provided by stakeholders, peers, and supervisors.
• Seek relevant training not only in internal audit methodologies but also on business activities relevant to the organization. Training opportunities may include enrolling in courses, working with a mentor, or being assigned new tasks under supervision during an engagement.

While internal auditors are responsible for ensuring their individual professional development and may assess their own skills and opportunities for development, the chief audit executive should support the professional development of internal auditors. The chief audit executive may establish minimum expectations for professional development and should encourage the pursuit of professional qualifications. The chief audit executive should include funding for training and professional development in the internal audit budget and provide opportunities internally as well as externally, through continuing professional education, training, and conferences. (See also Standards 10.1 Financial Resource Management and 10.2 Human Resources Management.)

To ensure the internal audit function collectively possesses the competencies to perform the internal audit services, the chief audit executive should:

• Maintain knowledge of internal auditors’ competencies to be used when assigning work, identifying training needs, and recruiting internal auditors to fill open positions.
• Participate in the performance reviews of individual internal auditors.
• Identify areas in which the competencies of the internal audit function should be improved.
• Encourage internal auditors’ intellectual curiosity and invest in training and other opportunities to improve internal audit performance.
• Understand the competencies of other providers of assurance and advisory services and consider relying upon those providers as a source of additional or specialty competencies not available within the internal audit function.
• Consider contracting with an independent, external service provider when the internal audit function collectively does not possess the competencies to perform requested services.
• Effectively implement a quality assurance and improvement program.

Examples of Evidence of Conformance

• Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors.
• Internal auditors’ self-assessments of their competencies and plans for professional development.
• Documentation of internal auditors’ completion of continuing professional education, such as courses, conference sessions, workshops, and seminars.
• Documented performance reviews of internal auditors.
• Documented supervisory reviews of engagements, post-engagement surveys completed by internal audit stakeholders, and other forms of feedback indicating competencies exhibited by individual internal auditors and the internal audit function.
• The results of internal and external quality assessments.
• Documentation of relevant competencies necessary to fulfill the internal audit plan, an analysis of resource gaps, and the identification of the training and budget necessary to fill the gaps.
• Documentation such as an assurance map that indicates the competencies of other providers of assurance and advisory services upon which the internal audit function may rely.

Standard 3.2 Continuing Professional Development

Requirements

Internal auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services. Internal auditors must pursue continuing professional development including education and training. Practicing internal auditors who have attained professional internal audit certifications must follow the continuing professional education policies and fulfill the requirements applicable to their certifications.

Considerations for Implementation

Continuing professional development may include self-study, on-the-job training, opportunities to learn new skills on special assignments (such as rotational programs), mentorship, supervisory feedback, and free and paid education. To improve the quality of performing internal audit services, internal auditors should seek opportunities to learn about trends and best practices as well as emerging topics, risks, trends, and changes that may affect the organizations for which they work and the internal audit profession.

Internal auditors are responsible for developing their competencies and should seek opportunities to learn.  However, the chief audit executive is responsible for the competencies of the internal audit function and should budget and plan for opportunities to train and educate internal audit staff. For example, internal auditors can develop new knowledge when properly supervised and assigned to engagements involving processes or areas with which they have had limited experience. Internal auditors should seek and welcome opportunities for supervision and mentorship through which they can receive robust feedback, guidance, and insight.

Many professional credentials require a minimum number of hours of continuing professional education within specific periods, such as annually. The chief audit executive should consider implementing a plan that requires internal auditors to obtain specific types and quantities of continuing professional education.

Internal auditors possessing credentials, such as the Certified Internal Auditor® designation, should be aware of the specific requirements of the certifying body’s policy for maintaining their credentials. Failing to fulfill such requirements may result in consequences, including jeopardizing internal auditors’ permission to use the credentials. All internal auditors should develop a plan and schedule for ongoing training and education. As part of the required continuing professional education, The IIA requires holders of its certifications to complete ethics training. While this requirement is linked specifically to IIA certifications, all internal audit professionals should obtain ethics-focused continuing professional education or training regularly.

News service subscriptions, webinars, and professional events provide internal auditors with opportunities to stay abreast of current developments in the internal audit profession and industries relevant to the organizations for which they work. Training may be used to introduce new technology or changes in internal audit practices.

Professional development initiatives should include a regular review and assessment of internal auditors’ career paths and needs for professional development. The chief audit executive should ensure plans and budgets for training reflect a balance between investing in developing the competencies of the internal audit function as a whole and providing internal auditors with opportunities to achieve their individual goals to grow professionally.

Examples of Evidence of Conformance

• Documented plans for attending training events, professional conferences, and other continuing professional education.
• Records of internal auditors’ completed continuing professional education and credentials obtained.
• Internal auditors’ performance reviews and/or plans for professional development.
• Evidence of active involvement in The IIA and other relevant professional organizations, such as volunteer service.

SIAAB Requirements

SIAAB requires that all internal auditors must complete a minimum of 80 hours of CPE that directly enhances the auditor’s professional proficiency to perform audits or attestation engagements.  At least 24 of the 80 hours of CPE should be in subjects directly related to government auditing, the government environment or the specific or unique environment in which the audited entity operates.  At least 20 hours of the 80 hours required should be completed in any one year of the two-year period.  At least 4 of the 80 hours of CPE should be in subjects related to ethics.

The 80 hours of CPE, 24 hours of government CPE, and 4 hours of ethics CPE must be satisfied during two successive (non-rolling) calendar years.  Internal auditors hired after the beginning of an audit organization’s two year CPE period should complete a prorated number of CPE hours based on the number of full six-month intervals remaining in the CPE period (SIAAB Bylaws - Article II Section V – CPE).

Internal auditors employed on a part-time of temporary basis may be exempt from the CPE requirements, as long as they are under the supervision of another auditor who is conformant with the CPE requirements.

Auditors required to take the 80 total hours of CPE should complete at least 20 hours of CPE in each year of the two-year period.  The 20-hour minimum for each CPE year would not apply when a prorated number of hours are being used to cover a partial two-year CPE period.

When an auditor becomes nonconformant with CPE requirements, the auditor has a grace period of two months to make up the deficiency.  If the auditor fails to make up the deficiency within two months (i.e., prior to March 1), they should either work under the supervision of another auditor who is conformant or disclose the nonconformance in their audit reports.  Any CPE hours completed toward a deficiency in one period should be documented in the CPE records and should not be counted toward the requirements for the next two-year period.

The chief internal auditor is responsible for establishing and implementing a program to ensure that staff auditors meet the CPE requirements.  In cases where a portion of the internal audit activity is contracted out, the chief internal auditor must ensure that individuals assigned to such internal audit services have obtained the appropriate continuing professional education.

Chief internal auditors are responsible for maintaining documentation of the CPE hours completed by each auditor subject to CPE requirements. The audit organization’s records, which may be kept electronically as appropriate, should include the following information for each CPE program or activity attended or completed by an auditor:

1. The name of the organization providing the CPE;
2. The title of the training program, including the subject matter or field of study;
3. The dates attended for group programs or dates completed for individual study programs;
4. The number of CPE hours earned toward the 80 hours and 24 hours requirements;
5. Any reasons for specific exceptions granted to the CPE requirement; and
6. Evidence of completion of CPE, such as a certificate or other evidence of completion from the CPE provider for group and individual-study programs, if provided; documentation of CPE courses presented or copies of course materials developed by or for speakers, instructors, or discussion leaders, along with a written statement supporting the number of CPE hours claimed; or a copy of the published book, article, or other material that name the writer as author or contributor, or a written statement from the writer supporting the number of CPE hours claimed.

The chief internal auditor is required to maintain the CPE records for at least six years.

Copyright 2024 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission.

Please close this window to return to Ability LMS and take the quiz.