By Anne Rosivach
The Institute of Internal Auditors (IIA) has issued revisions to the International Standards for the Professional Practice of Internal Auditing (Standards) that will go into effect January 1, 2013. The standards are mandatory under the IIA's International Professional Practices Framework (IPPF).
The proposed standards were exposed for comment in February. After reviewing comments and input from stakeholders, the International Internal Audit Standards Board (IIASB) approved the final revisions for issuance in October.
"The changes will help internal audit focus on timely risks, stay aligned with exemplary practices, and maintain the appropriate stature," said Andy Dahle, chairman of the IIASB. "The standards are principles based, and global, something that is very exciting for our profession."
Dahle and Warren Hersh, vice chairman of the IIASB and auditor general of New Jersey Transit, presented the revisions and recommended best practices for implementation during a recent IIA webcast. Throughout the webcast, Dahle and Hersh referred to slides that showed a mock-up of the revisions and the percentages of positive and negative comments received for each change.
The IIASB is required to review the standards every three years to enable them to remain current, relevant, and timely for the profession, but "in reality, we are always reviewing the standards," Hersh said.
Most of the eighteen revisions to the standards "clarify the responsibilities of the chief audit executive (CAE) or clarify some other issues that have come up over the years," Hersh said.
- Clarify responsibilities for conforming with the standards
- Increase the focus on quality assurance and improvement
- Clarify the CAE's role to communicate unacceptable risk
- Explicitly require timely audit plan adjustments
- Emphasize coverage of risks to strategic objectives
- Make changes to glossary terms
The following wording was added to the Introduction of the Standards:
The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities. Chief audit executives are accountable for overall conformance with the Standards.
Recommended best practices for Standard 1110 - Organizational Independence include:
- Board or audit committee approve the risk assessment and related audit plans
- Private meetings with the CAE and audit committee / board chair
- Frequent interactions with board outside formal board meetings
Standard 1312 - External Assessments now reads:
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
- The form and frequency of external assessments; and
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
"An external assessment reinforces the value of your department," Hersh said. "The CAEs must be an advocate for this."
Standard 2010 - Planning now reads: "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."
The interpretation of Standard 2010 provided by the IIA says, in part, "The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls."
The revised standards clarify and enhance the role of internal audit in evaluating strategic risk and communicating management's acceptance of risk.
The revisions added language [in italics below] to Standard 2120 - Risk Management - to include responsibility to assess strategic risk: "The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the achievement of the organization's strategic objectives."
While internal audit cannot make decisions regarding strategic planning, they are allowed to serve as catalysts, both Dahle and Hersh said. Best practices in this area would include internal audit having "a seat at the table," addressing the organization's key strategic risks, and serving on IT development teams.
The language of Statement 2600 - Communicating the Acceptance of Risks (formerly "Resolution of Senior Management's Acceptance of Risks") - has been changed to read:
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
The CAE makes an assessment of residual risk and communicates that assessment; however, the presenters emphasized that the CAE does not own that risk.