IIA Approves Revised Standards

By Anne Rosivach

The Institute of Internal Auditors (IIA) has issued revisions to the International Standards for the Professional Practice of Internal Auditing (Standards) that will go into effect January 1, 2013. The standards are mandatory under the IIA's International Professional Practices Framework (IPPF).
The proposed standards were exposed for comment in February. After reviewing comments and input from stakeholders, the International Internal Audit Standards Board (IIASB) approved the final revisions for issuance in October.
"The changes will help internal audit focus on timely risks, stay aligned with exemplary practices, and maintain the appropriate stature," said Andy Dahle, chairman IIASB. "The standards are principles based, and global, something that is very exciting for our profession." 
Dahle and Warren Hersh, vice chairman IIASB and auditor general New Jersey Transit, presented the revisions and recommended best practices for implementation during a recent IIA webcast. Throughout the webcast, Dahle and Hersh referred to slides that showed a mock-up of the revisions and the percentages of positive and negative comments received for each change.
The IIASB is required to review the standards every three years to enable them to remain current, relevant, and timely for the profession, but "In reality, we are always reviewing the standards." Hersh said.  
Most of the eighteen revisions to the standards "clarify the responsibilities of the chief audit executive (CAE) or clarify some other issues that have come up over the years," Hersh said.
The revisions:
  • Clarify responsibilities for conforming with the standards. 
  • Increase the focus on quality assurance and improvement 
  • Clarify the CAE's role to communicate unacceptable risk 
  • Explicitly require timely audit plan adjustments 
  • Emphasize coverage of risks to strategic objectives 
  • Make changes to glossary terms 
The following wording was added to the Introduction of the Standards
The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities. Chief audit executives are accountable for overall conformance with the Standards.
Recommended best practices for Standard 1110 - Organizational Independence include: 
  • Board or audit committee approve the risk assessment and related audit plans 
  • Private meetings with the CAE and audit committee / board chair 
  • Frequent interactions with board outside formal board meetings
Standard 1312 - External Assessments now reads: 
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
  • The form and frequency of external assessments; and
  • The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
"An external assessment reinforces the value of your department," Hersh said. "The CAEs must be an advocate for this."
Standard 2010 - Planning now reads: "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."
The interpretation of Standard 2010 provided by IIA says, in part, "The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls."
The revised standards clarify and enhance the role of internal audit in evaluating strategic risk and communicating management's acceptance of risk.
The revisions added language [in italics below] to Standard 2120 - Risk Management - to include responsibility to assess strategic risk: "The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the achievement of the organization's strategic objectives.
While internal audit cannot make decisions regarding strategic planning, they are allowed to serve as catalysts, both Dahle and Hersh said. Best practices in this area would include internal audit having "a seat at the table," addressing the organization's key strategic risks, and serving on IT development teams. 
The language of Statement 2600 - Communicating the Acceptance of Risks (formerly "Resolution of Senior Management's Acceptance of Risks)" - has been changed to read:
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
The CAE makes an assessment of residual risk and communicates that assessment; however, the presenters emphasized that the CAE does not own that risk.
Related articles:

You may like these other stories...

IRS must take oath on Lerner emails: judgeMackenzie Weinger of Politico reported on Thursday that a federal judge ordered the IRS to explain under oath how it lost emails connected to Lois Lerner, the ex-IRS official at the...
Credit Suisse says pension assets at risk unless court delays sentencingJohn Letzing of the Wall Street Journal reported on Wednesday that Credit Suisse Group AG says its management of billions of dollars in assets for...
The prospect of International Financial Reporting Standards (IFRS) being fully adopted in the United States in the near future are growing less likely, as the Financial Accounting Standards Board (FASB) and the International...

Upcoming CPE Webinars

Jul 16
Hand off work to others with finesse and success. Kristen Rampe, CPA will share how to ensure delegated work is properly handled from start to finish in this content-rich one hour webinar.
Jul 17
This webcast will cover the preparation of the statement of cash flows and focus on accounting and disclosure policies for other important issues described below.
Jul 23
We can’t deny a great divide exists between the expectations and workplace needs of Baby Boomers and Millennials. To create thriving organizational performance, we need to shift the way in which we groom future leaders.
Jul 24
In this presentation Excel expert David Ringstrom, CPA revisits the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both boost the integrity of your spreadsheets, but reduce maintenance as well.