TECHNICAL MESSAGES OF THE IIA – UK AND IRELAND

International Standards for the Professional Practice of Internal Auditing
Proposed changes by topic – February 2010
Introduction
The Internal Audit Standards Board of the global Institute of Internal Auditors is responsible for
reviewing the International Standards for the Professional Practice of Internal Auditing and for
proposing changes and additions that keep them relevant to internal auditing and its stakeholders.
On 15 February 2010, the Standards Board is releasing proposed changes for a 90-day exposure
period. Internal auditors and stakeholders are invited to vote on the proposals and to send
comments to the Standards Board.
This document sets out the proposed changes by topic, providing the reasons for the changes. At
the end of the document, the reader will find information on how to comment.
Value of internal auditing
The Definition of Internal Auditing uses the phrase, “to add value”. While no-one argues that
internal auditing should be valuable to its organisations, there is controversy about this phrase.
Some people take it to mean that value comes only from the improving part of the internal auditor’s
work: from cost savings or improvements to operational effectiveness. The existing definition in the
glossary of “Add value” seems to promote this view. On the other hand, many internal auditors
promote the value of internal auditing around the function of assurance and, in the UK and Ireland,
we have various surveys which support the idea that board directors and others responsible for
governance believe that the greatest value internal auditors provide is objective assurance on the
effectiveness of governance and the management of risk.
Therefore, the Standards Board is proposing a change to the definition of “Add Value”. This would
be a change to the glossary entry of that name and also the Standards Board is proposing to add
the definition to the interpretation of Performance Standard 2000. The proposed new definition is:
“The internal audit activity adds value to the organization when it provides objective and
relevant assurance, and contributes to the effectiveness and efficiency of governance, risk
management and control processes.”
Providing opinions
Around the world, more and more internal auditors are providing opinions, both at engagement and
at an overall level. Other internal auditors want to do this. The existing Standards permit internal
auditors to give opinions.
Given the variety in governance structures and other aspects that influence the context of internal
auditors’ work, the Standards Board does not believe it is appropriate to require all internal auditors
to provide opinions all the time. However, the Standards Board wants to provide guidance to
ensure that stakeholders can rely on an internal auditor’s opinion, if it is given.
The Standards Board is proposing additional standards and adding extra wording in this area.
Firstly, given the variety of structures and, therefore, the needs of the board and senior
management, internal auditors must establish during their planning the expectations of these
groups. There is a proposed new standard in the 2000 Managing the Internal Audit Activity section:
“Implementation Standard 2010.A2
“The chief audit executive must determine stakeholder expectations for internal audit
opinions and other conclusions, including the levels of assurance required, by discussion
with senior management and the board.”
The Institute of Internal Auditors – UK and Ireland Ltd
15 February 2010
Page 1
2010 Exposure Standards By Topic
Secondly, changes to the 2400 Communicating Results section set out the requirements for the
work internal auditors must do if they wish to provide either an engagement-level or an overall
opinion. The wording of Performance Standard 2400 has been changed slightly to indicate that this
section is not just about communicating results engagement by engagement.
“Performance Standard 2400 Communicating Results
“Internal auditors must communicate the results of engagements.”
Then, the Standards Board is proposing additional requirements for Implementation Standard
2410.A1. This includes an interpretation, contrary to the International Professional Practices
Framework, which set out that interpretations would exist only for Attribute or Performance
Standards.
“Implementation Standard 2410.A1
“Final communication of engagement results must, where appropriate, contain internal
auditors’ opinion and/or conclusions. When an opinion and/or conclusion is issued it must
address the expectations as agreed with the board, senior management and other
stakeholders and must be supported by sufficient, reliable, relevant and useful information.
“Interpretation:
“Opinions at the engagement level may be ratings, conclusions or other descriptions of the
results. Such an engagement may be in relation to controls around a specific process, risk
or business unit. The formulation of such opinions requires consideration of the engagement
results and their significance.”
In addition, the Standards Board is proposing a new standard setting out the requirements for
overall opinions.
“Performance Standard 2450 Overall Opinions
“When an overall opinion is issued, it must cover an appropriate time period and it must
address the expectations as agreed with the board, senior management and other
stakeholders and must be supported by sufficient, reliable, relevant and useful information.
“Interpretation:
“The communication will identify:
• The scope including the time period to which the opinion pertains
• Scope limitations.
• Consideration of all related projects including the reliance on other assurance
providers.
• The risk or control framework or other criteria used as a basis for the overall opinion.
• The overall opinion, judgment or conclusion reached.
“The overall opinion may be unqualified, qualified or adverse. When you have a qualified or
adverse opinion, the cause of the qualification or adverse opinion must be stated”
Chief Audit Executive (CAE)
In the 2008 exposure, the Standards Board proposed an interpretation of the term “Chief Audit
Executive”. Respondents voted against that interpretation.
The role of CAE is very important to the professional practice of internal auditing. It is the person in
this role who is accountable for the performance of internal auditing. Therefore, the Institute
believes that we need a clear definition of the term. The Standards Board has reviewed the existing
definition and gathered evidence from CAEs and service providers through a survey and interviews
before discussing the issues involved. As a result of this work, the Standards Board is now
proposing a change to the existing definition of the CAE.
New definition of CAE (goes in the glossary)
“Chief Audit Executive
“Chief audit executive describes a person in a senior position responsible for effectively
managing the internal audit activity in accordance with the internal audit charter and the
Definition, the Code of Ethics and the Standards. Normally, the chief audit executive would
be a Certified Internal Auditor or have Certified Internal Auditors reporting to them. The
specific job title of the chief audit executive may vary across organizations.”
Organisational independence of the internal audit activity
This proposal is related to the changes to the definition of the chief audit executive but it also has
wider implications for the independence of the whole internal audit activity.
Attribute Standard 1110 currently requires that “the chief audit executive must report to a level
within the organisation that allows the internal audit activity to fulfil its responsibilities.” The
Standards Board is proposing an interpretation of this standard, which states that functional
reporting to the board is the right level. In addition, the Standards Board is proposing a change to
the interpretation to Attribute Standard 1000 to show that the internal audit charter includes
information on this functional reporting relationship with the board.
Attribute Standard 1110 Organisational Independence
The Standards Board proposes a new interpretation of this standard to emphasise the importance of
the relationship between the CAE and the board:
“Interpretation
“Organizational independence is effectively achieved when the chief audit executive reports
functionally to the board. Examples of functional reporting to the board involve the board:
• approving the internal audit charter,
• approving the risk based internal audit plan,
• receiving communications from the chief audit executive on the internal audit activity’s
performance relative to its plan and other matters,
• approving decisions regarding the appointment and removal of the chief audit
executive, and
• making appropriate inquiries of management and the chief audit executive to
determine whether there are inappropriate scope or resource limitations.”
Attribute Standard 1000 Purpose, Authority and Responsibility
The Standards Board proposes an addition to the interpretation of the internal audit charter. The
resulting interpretation will be:
“The internal audit charter is a formal document that defines the internal audit activity's
purpose, authority and responsibility. The internal audit charter establishes the internal audit
activity's position within the organisation, including the nature of the chief audit executive’s
functional reporting relationship with the board; authorises access to records, personnel and
physical properties relevant to the performance of engagements; and defines the scope of
internal audit activities. Final approval of the internal audit charter resides with the board.”
External service providers
There has been a great deal of discussion between service providers and the Institute about the
role of external service providers and the challenges they face in conforming with Standards. One
of the topics discussed was the extent to which an external service provider can be responsible for
an organisation’s internal auditing.
The generally accepted position related to outsourcing any activity is that an organisation can
outsource an activity but cannot outsource the responsibility for that activity. If that is the general
case, then it holds true that the organisation must retain the responsibility for internal auditing, even
if it outsources the whole function.
The Standards Board provides standards for internal auditors, not for organisations’ management
or boards. Therefore, the Standards Board is proposing a new standard for the external provider of
internal audit services. The external provider cannot force management to take responsibility but it
can make the organisation aware of its responsibilities. This is the gist of the new standard, which
reads:
“Performance Standard 2070 External Service Provider and Organisational
Responsibility for Internal Audit
“When an external service provider performs the internal audit activity, the provider must
make the organisation aware that it has the responsibility for maintaining an effective
internal audit activity.
“Interpretation
“This responsibility is demonstrated through the quality assessment and improvement
programme which assesses conformance with the Definition of Internal Auditing, the Code
of Ethics, and the International Standards.”
Internal auditing’s role in evaluating risk management
The Nature of Work section expands on the Definition of Internal Auditing to explain what the
internal audit activity must do in relation to the organisation’s risk management processes: the
“internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes” (Performance Standard 2120 Risk Management).
The Standards Board has received information that some regulators or other stakeholders have
interpreted this to mean that internal auditors will be able to complete this evaluation as part of a
single engagement. Given the scope of the work involved, this is highly unlikely. Therefore, the
Standards Board wishes to clarify that the evaluation of the management of risk may include the
results of many pieces of work, pulled together and providing a cumulative view.
The Standards Board is proposing to add a penultimate paragraph to the interpretation of
Performance Standard 2120 Risk Management, as follows:
“The internal audit activity gathers the information to support this assessment during multiple
engagements. The results of these engagements, when viewed together, provide an
understanding of the organisation’s risk management and its effectiveness.”
Quality assurance and improvement programmes
During the 2008 exposure process, Institute members asked for additional guidance on two of the
standards in the 1300 area.
The more significant point relates to more guidance on what is meant by the phrases “conforms
with International Standards for the Professional Practice of Internal Auditing” and “if the results of
the quality assurance and improvement programme support this statement” in Attribute Standard
1321. The Standards Board is proposing to add an interpretation covering these points.
In addition, members found the first paragraph of the interpretation to Attribute Standard 1312
difficult to understand. The Standards Board has attempted to simplify the language without in
any way changing the intention.
Attribute Standard 1321
The standard currently states:
“The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of the quality
assurance and improvement programme support this statement.”
The Standards Board is proposing to add the following interpretation to the standard:
“Interpretation:
“The internal audit activity conforms with the International Standards when it achieves the
outcomes described in the Definition of Internal Auditing, Code of Ethics and International
Standards.
“The results of the quality assurance and improvement programme include the results of
both internal and external assessments. All internal audit activities will have the results of
internal assessments. Internal audit activities in existence for at least five years will also
have the results of external assessments.”
The first paragraph reinforces the idea that the mandatory elements of the International
Professional Practices Framework set out principles of professional internal auditing. They apply to
internal auditors in all countries and all industries and sectors. It is the professional responsibility of
internal auditors to understand the required outcomes and to decide how to apply these principles
in their organisation.
The second paragraph makes clear that the “results” discussed in this standard are the same ones
that are included in Attribute Standard 1320. The external assessment has hogged the limelight to
a certain extent; but the internal assessment is just as important, and may be more important in
terms of continuous improvement. In order to say that the internal audit activity is conforming with
international professional standards, the chief audit executive must ensure there is a QA
programme and that the results show that the activity is conforming with those standards.
The Standards Board believes that external assessments are extremely useful – even for a new
department – in setting benchmarks and encourages internal audit activities to commission them as
often as possible. However, the requirement for an external assessment is only once every five
years so, as long as the internal audit activity is not in breach of that requirement AND the internal
assessments show good results, the Standards Board believes that the internal audit activity should
have the right to state that they are conforming with international standards.
Attribute Standard 1312 External Assessments
The standard requires that reviewers or review teams be qualified. The first paragraph of the
existing interpretation provides guidance on what “qualified” means in this context. There are
several factors to consider:
• Two areas of knowledge are important: the professional practice of internal auditing and the
external assessment process.
• There are two ways of demonstrating competence: formal learning and experience.
• Experience is more valuable when it occurred in similar organisations – similar in size,
complexity, sector or industry, technical issues etc.
• If you are considering a review team, you have the luxury that it is the team as a whole that
has to be competent so not every member of the team has to demonstrate every competence.
• Given all these factors that are taken into account when assessing whether a reviewer is
qualified, it is a matter of professional judgment. It is the chief audit executive who has the
professional responsibility to consider all of these factors and to assess whether the proposed
reviewer or review team demonstrates all the competencies that are necessary.
Explaining all of these elements in a simple manner is not easy. The Standards Board proposes
the following new wording, which should be accepted only if members and stakeholders agree that
it is clearer:
“A qualified reviewer or review team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process. Competence
can be demonstrated through a mixture of experience and of theoretical learning.
Experience gained in organizations of similar size, complexity, sector or industry, and of
similar technical issues, is more valuable than less relevant experience. In the case of a
review team, not all members of the team need to have all the competencies; it is the team
as a whole that is qualified. The chief audit executive uses professional judgment when
assessing whether a reviewer or review team demonstrates sufficient competence to be
qualified.”
Operating programmes and goals
Within the Nature of Work section, there are two implementation standards that talk about operating
programmes and goals but that use the “should” form: 2130.A2 and 2130.A3. The Standards Board
believes that the importance of programmes should be recognised for all internal audit activities.
Therefore, the Standards Board proposes to add “and programmes” to both 2120.A1 and 2130.A1
and, if that is approved, to delete 2130.A2 and 2130.A3 because they will then be duplicating the
overall requirement.
Smaller points of consistency or simplification of wording
Definition of independence
The January 2009 changes introduced an interpretation of “independence” to Attribute Standard
1100. In reading that through again, the Standards Board noted that the interpretation uses the
phrase “or the chief audit executive” even though the standard deals with the independence of the
activity only, not that of the CAE. The Standards Board, therefore, proposes removing the reference
to the CAE in the interpretation.
In addition, the glossary definition of “independence” was left unchanged and was, therefore,
inconsistent. The Standards Board is proposing to change the glossary definition to be consistent
with the interpretation part of Attribute Standard 1100. However, it is not completely consistent
since the proposed wording is a half-way house between the old glossary and the interpretation.
The glossary entry will now read:
“Independence
“The freedom from conditions that threaten objectivity (sic) of the internal audit activity or the
chief audit executive to carry out internal audit responsibilities in an unbiased manner. Such
threats to independence must be managed at the individual auditor, engagement, functional
and organisational levels.”
Definition of objectivity
The January 2009 changes introduced an interpretation of “objectivity” to Attribute Standard 1100
and made the glossary definition of “objectivity” consistent with the interpretation. These definitions
stated that “objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made”. The Standards Board proposes to change the Glossary entry to:
“Objectivity is an unbiased point of view that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made.” Et seq
Nature of Work section
The Standards Board and other guidance committees of the Institute are currently developing
substantive guidance to assist internal auditors in evaluating and helping to improve their
organisation’s governance process. In the interim, during the initial review of the existing standards
in the 2110 area and in the rest of the Nature of Work section, the Standards Board identified some
places where the standards were inconsistent or unclear. The Standards Board is proposing
corrections as part of this exposure.
IT governance
In both 2110.A2, where the Standards introduce the requirement to assess IT governance,
and in the glossary definition of IT governance, the existing wording includes the phrase
“sustains and supports the organisation’s strategies and objectives”. The Standards Board
believes that having both verbs in the phrase duplicates rather than adds to the meaning
and is, therefore, proposing removing “sustains and” in both locations.
Implementation Standards that should move to 2200
There are two implementation standards that appear to fit better within the section of the
Performance Standards related to engagement planning. These are 2110.C1, which is
about consulting engagements and their consistency with the organisation’s objectives, and
2130.C1, which is about the need for internal auditors to consider control issues not only
when conducting assurance engagements but also when conducting consulting
engagements. The Standards Board is proposing moving 2110.C1 to 2210.C2 and 2130.C1
to 2220.C1. If the latter move is approved, the existing 2130.C2 will change its number to
2130.C1.
Glossary
As part of an ongoing review of the glossary, the Standards Board proposes the following changes:
1. Remove the entry “Adequate Control” because that phrase is not used in the Standards.
2. In the first sentence of the definition of “Control Environment”, change the word
“significance”, which now has a specific technical meaning in those jurisdictions affected by
the Sarbanes-Oxley Act, to “importance”.
How to comment – deadline is 14 May 2010
The IIA – UK and Ireland will be compiling and issuing a collective comment to the Standards
Board. This will seek to form a consensus based on views of members and volunteers of the
Institute. To provide input to that response, go to the IIA – UK and Ireland web site
http://www.iia.org.uk/en/Knowledge_Centre/global_professional_guidance/international-standards/
Or, send an email to technical@iia.org.uk with 2010 Standards Exposure in the subject line.
If you have strong views on any of the proposed changes, you might wish to register them directly
with the Standards Board. The Standards Board is collecting views via an on-line survey and each
vote will carry weight with the Board.
Hints on the Global survey
As with all on-line surveys, you must click through to the end of the survey and click on “Submit” to
register your views.
The voting options are “yes”, “no” and “no opinion”. If you have any reservations about the content
or wording of a standard, vote “no” and provide an explanation.
You do not have to respond to every question but it will be more useful to the Board if you can –
even if you vote “no opinion”.
For the survey, go to:
http://www.theiia.org/guidance/standards-and-guidance/2010-Standards-Exposure/