FROM THE MINISTRY OF FINANCE INTERNAL AUDIT COORDINATION BOARD:
(Official Gazette: 22.02.2017 / 29987)
PUBLIC INTERNAL AUDIT STANDARDS
In Article 64 of Law No. 5018 on Public Financial Management and Control, it is stipulated that "internal auditors shall perform their duties in accordance with the control and audit standards recognized internationally and determined by the Internal Audit Coordination Board."
The Public Internal Audit Standards (Standards) determined by the Internal Audit Coordination Board (Board) with Decision No. 14 dated 8.7.2011 have been updated by the Board's Decision No. 10 dated 29.12.2016. According to Law No. 5018 and the Regulation on the Working Procedures and Principles of Internal Auditors, internal audit unit heads and internal auditors are required to comply with these Standards.
The International Institute of Internal Auditors (IIA) "International Professional Practices Framework" served as the basis for these Standards. The Standards define the fundamental principles of internal audit application, provide a framework for implementation, establish criteria needed to evaluate the quality of internal audit, and aim to enhance the added value of internal audit by supporting the development of institutional transactions and processes.
To ensure the acceptance of the quality of internal audit within the administration and externally, it is of great importance that internal auditors have a good understanding of these Standards and adhere to them in the execution of audit activities.
In cases not covered by the Standards, it is recommended to follow the Practice Advisories set by the International Institute of Internal Auditors (IIA).
The Standards consist of Qualitative Standards and Operational Standards. Qualitative and Performance Standards showing the requirements applicable to assurance/audit (A) and consulting (C) activities have been prepared to be applied to the entirety of internal audit activities within an institution.
The expression "top-level manager" used in the Standards should be understood as the highest authority in the units indicated in the organization laws of the administrations (such as main service, auxiliary service, advisory, and audit units).
QUALITATIVE STANDARDS
1000 - Purpose, Authority, and Responsibilities
The purpose, authority, and responsibilities of the internal audit activity must be determined for each public administration in accordance with the Internal Audit Definition, Professional Ethics Rules, and Public Internal Audit Standards (Standards), and approved by the top manager. The internal audit unit head is required to periodically review and present the internal audit directive to the top manager for approval.
1000.G1 - The nature of the assurance services provided to the administration must be specified in the internal audit directive. If assurance services are to be provided to external parties, the nature of these services must also be explained in the directive.
1000.D1 - The nature of the consulting services must be specified in the internal audit directive.
1010 - Inclusion of the Internal Audit Definition, Professional Ethics, and Standards in the Internal Audit Directive
The internal audit directive must include compliance with the Internal Audit Definition, Professional Ethics, and Standards. The internal audit unit head must explain the Internal Audit Definition, Professional Ethics, and Public Internal Audit Standards to the top manager and top management.
1100 - Independence and Objectivity
The internal audit activity must be independent and internal auditors must be objective in performing their duties.
1110 - Organizational Independence
The internal audit unit head is required to report directly to the top manager.
1110.G1 - The internal audit activity must be free from any intervention concerning the determination, conduct, and disclosure of the scope and results of internal audit. In such a case, the internal audit unit head must inform the top manager and explain its effects.
1111 - Direct Interaction with the Top Manager
The internal audit unit head must interact directly with the top manager.
1112 - Additional Responsibilities of the Internal Audit Unit Head Beyond Internal Audit
In cases where the internal audit unit head has or is expected to have responsibilities and/or duties beyond internal audit, measures must be taken to ensure that independence or objectivity is preserved.
1120 - Individual Objectivity
Internal auditors must act impartially and without bias and avoid all conflicts of interest.
1130 - Impairment to Independence or Objectivity
When independence or objectivity is impaired or appears to be impaired, the situation must be disclosed to the relevant parties. The scope of this disclosure depends on the nature of the impairing factor.
1130.G1 - Internal auditors are assumed to avoid performing audit work on activities they were previously responsible for. It is assumed that an internal auditor's expertise in carrying out the audit work regarding an administrative activity for which they were previously responsible would compromise their objectivity.
1130.G2 - The internal audit activity can provide assurance services to locations where it previously performed consulting services, but it is essential to ensure objectivity during the engagement and that the quality of consulting services provided does not compromise objectivity.
1130.D1 - Internal auditors can provide consulting services for administrative activities for which they were previously responsible.
1130.D2 - Internal auditors must disclose any factors that could impair their independence and objectivity to the requester of consulting services before accepting the engagement if such factors exist.
1200 - Competence, Due Professional Care, and Attention
Duties must be carried out by competent individuals with due professional care and attention.
1210 - Proficiency
Internal auditors must have the knowledge, skills, and other qualities required to fulfill their personal responsibilities. The internal audit activity must have the knowledge, skills, and other qualities required to fulfill institutional responsibilities or acquire them.
1210.G1 - Internal auditors are required to seek competent advice and assistance from within or outside the administration to ensure that the audit objectives are met when they do not have all the necessary knowledge, skills, or other qualities to perform the entire engagement.
1210.G2 - Internal auditors must have sufficient knowledge about the risks associated with information technology and the associated controls and technology-based audit techniques to assess these risks and their management. However, all internal auditors are not expected to have the expertise of auditors whose primary responsibility is information technology audit.
1210.D1 - In cases where internal auditors do not have the knowledge, skills, or other qualities required to partially or completely carry out the engagement, the internal audit unit head must either refuse the consulting engagement or seek and provide adequate advice and assistance.
1220 - Due Professional Care and Attention
Internal auditors must be cautious and proficient and exhibit the maximum due professional care and attention within reasonable limits. The maximum professional care and attention does not mean no mistakes will be made.
1220.G1 - When exhibiting maximum professional care and attention, internal auditors must consider the following:
• The extent of the work required to achieve the objectives of the engagement.
• The relative complexity, necessity, or significance of the subjects to which assurance procedures are applied.
• The effectiveness and sufficiency of corporate governance, risk management, and control processes.
• The possibility of significant errors, irregularities, or violations.
• The cost of assurance compared to potential benefits.
1220.G2 - While demonstrating maximum professional care and attention, internal auditors should consider the use of technology-assisted audit and other data analysis techniques.
1220.G3 - Internal auditors must exercise caution against significant risks that could affect the objectives, activities, or resources. However, the exercise of assurance activities with maximum professional care and attention does not guarantee that all significant risks can be identified.
1220.D1 - During a consulting engagement, internal auditors must exhibit maximum professional care and attention while considering:
• The nature, timing, and reporting of the engagement results, including the needs and expectations of the requestors of consulting services.
• The extent and relative complexity of the work required to achieve the objectives of the engagement.
• The cost of the consulting engagement compared to potential benefits.
1230 - Continuing Professional Development
Internal auditors must continually enhance and strengthen their existing knowledge, skills, and other qualifications through continuous professional development.
1300 - Quality Assurance and Improvement Program
The internal audit unit head is required to prepare and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
1310 - Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.
1311 - Internal Assessments
Internal assessments must include:
• Continuous monitoring of the performance of the internal audit activity. • Periodic reviews conducted by persons with sufficient knowledge of internal audit practices either through self-assessment or within the organization.
1312 - External Assessments
External assessments must be conducted by a qualified and independent review expert or team from outside the organization, as determined by the Internal Audit Coordination Board (Board), at least once every five years.
The Chief of the internal audit unit must discuss the following points with the senior management and the Board:
• The need for increased frequency of external assessments. • Independence of the external review expert or team, considering the possibility of conflicts of interest.
1320 - Reporting on the Quality Assurance and Improvement Program
The Chief of the internal audit unit must report the results of the quality assurance and improvement program to the senior management and the Board. This report should include:
• The scope and frequency of both internal and external assessments.
• Qualifications and independence of the assessors, taking into account potential conflicts of interest.
• Findings of the assessors.
• Action plans. Additionally, the Chief of the internal audit unit must present the results of external assessments to ministries and subordinate agencies.
1321 - Use of the Statement "Conforms with Public Internal Audit Standards"
The Chief of the internal audit unit can state in reports that the internal audit activities conform to Public Internal Audit Standards, provided that the quality assurance and improvement program's results, which encompass internal and external quality assessments, support this claim.
1322 - Reporting of Discrepancies
In the event that discrepancies contrary to the Definition of Internal Auditing, the Code of Ethics, or the Standards are identified based on internal quality assessments, the Chief of the internal audit unit must report such discrepancies and their effects to the senior management and the Board.
WORKİNG STANDARDS
2000 - Managing the Internal Audit Activity
The Chief of the internal audit unit is responsible for effectively managing the internal audit activity to ensure it adds value to the organization.
2010 - Planning
The Chief of the internal audit unit must make risk-based plans that prioritize internal audit activities in alignment with the organization's objectives.
2010.G1 - The internal audit plan must be based on a written risk assessment conducted at least annually. Input from senior management and top-level executives must be obtained as part of this process.
2010.G2 - The Chief of the internal audit unit must consider the views and expectations of top-level executives and involve them in the preparation of the internal audit plan. Additionally, the organization's Strategic Plan and the Public Internal Audit Strategy Document must be considered when preparing the internal audit plan.
2010.D1 - The Chief of the internal audit unit should consider accepting requested consulting engagements by evaluating their potential to enhance risk management, create value, and improve activities. Accepted engagements must be included in the internal audit plan.
2020 - Communication and Approval
The Chief of the internal audit unit must communicate to the senior management, including significant changes, the plans and resource requirements of internal audit activities for review and approval. The Chief of the internal audit unit must also inform the senior management of the impacts of resource limitations.
2030 - Resource Management
The Chief of the internal audit unit is responsible for ensuring that internal audit resources are adequate and effectively utilized to implement the approved plan.
2040 - Policies and Procedures
The Chief of the internal audit unit is responsible for establishing policies and procedures to guide the internal audit activity.
2050 - Coordination
To minimize unnecessary duplication of efforts and to define the work's scope optimally, the Chief of the internal audit unit must share necessary information with the external audit and carry out activities in a coordinated manner.
2060 - Reporting to Senior Management and the Minister
The Chief of the internal audit unit must periodically report the purpose, duties, authority, and the results of implementing the internal audit plan to senior management and to ministries and subordinate agencies.
These reports must include significant risks and control issues, including the possibility of misuse of resources, corporate governance issues, and other issues that senior management and the minister may need or request.
2100 - Nature of Work
The internal audit activity must assess and contribute to the improvement of corporate governance, risk management, and control processes systematically, discipline, and with a risk-based approach. The reliability and value of the internal audit activity increase when internal auditors are proactive, provide new perspectives during their tasks, and consider future impacts.
2110 - Corporate Governance
The internal audit activity must assess and make necessary recommendations to improve the corporate governance process to achieve the following objectives:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Developing the necessary ethical values within the organization.
• Ensuring effective corporate performance management and accountability.
• Conveying risk and control information to the relevant areas of the organization.
• Promoting cooperation between senior management, top-level management, internal and external auditors, and sharing the necessary information among them.
2110.D1 - The internal audit activity must assess the design, implementation, and effectiveness of the organization's goals, programs, and activities related to ethics.
2110.D2 - The internal audit activity must assess whether the management of information technology supports the organization's strategy and objectives.
2120 - Risk Management
The internal audit activity must assess the effectiveness of risk management processes and contribute to their improvement.
2120.G1 - The internal audit activity must evaluate the organization's management processes, activities, and information systems with respect to the following risks:
• The reliability and accuracy of financial and operational information.
• The effectiveness and efficiency of programs and activities.
• The safeguarding of assets.
• Compliance with legislation, policies, and procedures, and contracts.
2120.G2 - The internal audit activity must assess the likelihood of misappropriation and how the organization manages the risk of misappropriation.
2120.D1 - Internal auditors must assess and be cautious about risks associated with the purpose of the task and other significant risks during consulting engagements.
2120.D2 - Internal auditors must use risk information obtained from consulting engagements to evaluate the organization's risk management processes.
2120.D3 - Internal auditors must avoid assuming management responsibilities for actively managing risks when providing advisory services on establishing or improving risk management processes.
2130 - Control
The internal audit activity must assess the effectiveness and efficiency of controls and encourage their continuous improvement to assist the organization in having effective controls.
2130.G1 - The internal audit activity must assess the adequacy and effectiveness of the organization's current controls against risks related to the following:
• The reliability and accuracy of financial and operational information.
• The effectiveness and efficiency of programs and activities.
• The safeguarding of assets.
• Compliance with legislation, policies, and procedures, and contracts.
2130.D1 - Internal auditors must use control information obtained from consulting engagements to evaluate the organization's control processes.
2220 - Scope of Work
The scope of the engagement must be sufficient to achieve the objectives of the engagement.
2220.G1 - The scope of the engagement must include the consideration of relevant systems, records, personnel, and tangible assets (including those owned by third parties).
2220.G2 - In the event of significant consulting opportunities arising during an assurance engagement, a written agreement regarding the objectives, scope, mutual responsibilities, and other expectations of the engagement must be prepared, and the results of the consulting engagement must be reported in accordance with consulting standards.
2220.D1 - When conducting consulting engagements, internal auditors must ensure that the scope of the engagement is consistent with the agreed-upon objectives. If there are concerns about the scope during the engagement, they must be discussed with the relevant manager to determine whether the engagement should continue.
2220.D2 - During consulting engagements, internal auditors must be cautious about significant controls and control weaknesses that are consistent with the objectives of the engagement.
2230 - Assignment Resource Allocation
Internal auditors must identify appropriate and adequate resources to achieve the objectives of the engagement, taking into account the nature, complexity, time constraints, and available resources of the engagement.
2240 - Engagement Work Program
Internal auditors must prepare and document work programs that will enable them to achieve the objectives of the engagement.
2240.G1 - Work programs must include procedures for information gathering, analysis, evaluation, and documentation that will be applied during the engagement. Work programs must be approved before fieldwork begins and must be promptly approved for any changes made to the program.
2240.D1 - The form and content of work programs prepared for consulting engagements may vary depending on the nature of the engagement.
2300 - Performing the Engagement
Internal auditors must gather, analyze, evaluate, and document sufficient information to achieve the objectives of the engagement.
2310 - Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the objectives of the engagement.
2320 - Analysis and Evaluation
Internal auditors must base their conclusions and engagement results on appropriate analysis and evaluation.
2330 - Recording Information
Internal auditors must document sufficient, relevant, reliable, and useful information to support the findings and engagement results.
2330.G1 - The chief of the internal audit unit must control access to engagement records. Before releasing these records to external parties, the chief of the internal audit unit must obtain the approval of senior management and/or legal counsel, if necessary.
2330.G2 - The chief of the internal audit unit must establish policies regarding the retention of engagement records, regardless of the medium in which the records are stored. These policies must be in accordance with the organization's core principles and relevant regulations.
2330.D1 - The chief of the internal audit unit must establish policies regarding the maintenance, storage, and provision of consulting engagement records. These policies must be in accordance with the organization's regulations and relevant legislation.
2340 - Engagement Supervision
Engagements must be supervised in a manner that ensures the achievement of engagement objectives, the assurance of quality, and the professional development of internal auditors.
2400 - Reporting the Results
Internal auditors must report the results of the engagement.
2410 - Reporting Criteria
Reports must include the results obtained, applicable recommendations and action plans, as well as the objectives and scope of the engagement.
2410.G1 - Reports showing the results of the engagement must also include the opinions and conclusions of the internal auditor. These opinions and conclusions must take into account the expectations of senior management and top-level executives and must be supported by useful, relevant, adequate, and reliable information.
2410.G2 - Internal auditors are encouraged to include best practices and successful performance related to the audited activity in audit reports.
2410.G3 - When reporting the results of the engagement to external parties, the notification must also include limitations on the distribution and use of the results.
2410.D1 - The form and content of reporting the results of consulting engagements may vary depending on the nature of the engagement and the needs of the relevant manager.
2420 - Report Quality
Reports must be accurate, objective, clear, concise, constructive, and complete and must be submitted in a timely manner.
2421 - Errors and Omissions
If an engagement report contains a significant error or omission, the chief of the internal audit unit must provide corrected information to all parties who received the report.
2430 - Use of the Term "Conducted in Compliance with Public Internal Audit Standards"
Internal auditors may include a statement in their reports that the engagements were "Conducted in Compliance with Public Internal Audit Standards," provided that this is supported by the results of a Quality Assurance and Improvement Program that covers both internal and external quality assessments.
2431 - Disclosing Nonconformities
When a nonconformity with the Definition of Internal Auditing, the Code of Ethics, or the Standards affects a specific engagement, the engagement results must include a special explanation as follows:
• The specific Standard and/or Code of Ethics with which full compliance was not achieved.
• The reasons for the nonconformity.
• The impact of the nonconformity on the engagement and the reporting of engagement results.
2440 - Dissemination of Results
The chief of the internal audit unit must disseminate the results of engagements to relevant parties.
2440.G1 - The chief of the internal audit unit is responsible for reporting engagement results to the managers responsible for implementing audit recommendations.
2440.G2 - The chief of the internal audit unit must meet the following conditions before transmitting the results of the engagement to external parties unless otherwise legally regulated:
• Assess potential risks for the organization.
• Consult with the senior executive and/or legal counsel as appropriate.
• Control the distribution of results by limiting their use.
2440.D1 - The chief of the internal audit unit is responsible for reporting the results of consulting engagements to relevant managers.
2440.D2 - During consulting engagements, issues related to corporate governance, risk management, and control may be identified. These issues must be reported to senior management and top-level executives when they become important for the organization.
2450 - Overall Opinions
If an overall opinion is to be expressed, the organization's strategies, objectives, and risks must be considered, and the opinion must be supported by useful, relevant, adequate, and reliable information, taking into account the expectations of senior management and top-level executives.
2500 - Monitoring Progress
The chief of the internal audit unit must establish and implement a system to monitor the implementation status of the results reported to management.
2500.G1 - The chief of the internal audit unit must establish a follow-up process aimed at ensuring that the actions taken by senior management are effectively implemented, or they must be willing to assume the risk of senior management not taking the necessary actions and monitor developments.
2500.D1 - The chief of the internal audit unit must, to the extent agreed upon with relevant managers, monitor the results of consulting engagements.
2600 - Management's Acceptance of Residual Risks
If the chief of the internal audit unit concludes that senior management is accepting an unacceptable level of residual risk for the organization, they must discuss the matter with senior management. If an agreement cannot be reached regarding residual risk, the chief of the internal audit unit must report the matter to top management for resolution.
This summarizes the key points from the sections you provided on the "International Standards for the Professional Practice of Internal Auditing." If you need further information or have specific questions about any of these sections, please feel free to ask.