The International Standards for the Professional Practice of Internal Auditing (Standards) have been revised effective from January 01, 2017. This is a summary of the main changes.
The International Professional Practice Framework (IPPF), last revised in 2015, was introduced with a new Mission of Internal Audit, and its Mandatory Guidance section was introduced with 10 Core Principles for the Professional Practice of Internal Auditing. Further, the roles and responsibilities of Chief Audit Executives (CAEs) keep changing with business requirements, and CAEs are also entrusted with many responsibilities beyond internal auditing, such as compliance, risk management, etc.
These Standards were amended after considering the revision to IPPF and also considering the additional roles and responsibilities of the CAEs so that the independence is not compromised and the Internal Audit Department adds value to the entity.
The revisions to the Standards have occurred under many headings. These are broadly covered in the following two categories:
Amendments to Attribute Standards:
The amendments to this section and their possible effects are covered below:
1000 – Purpose, Authority and Responsibility: The purpose, authority and responsibility of the Internal Audit Department must be defined in the Internal Audit Charter and be consistent with the Mission of Internal Audit and the mandatory elements of IPPF consisting of Core Principles as introduced in the revised IPPF. Thus, the Internal Audit Charter must be revised to incorporate the Mission of Internal Audit and the Core Principles.
1110.A1: Organizational Independence – Generally, the Internal Audit Department must be free from any interference in determining the scope of internal auditing, performing work and communicating results. Where an interference exists, the CAE is empowered to disclose such interferences to the board and discuss its implications.
1112 – CAE Roles Beyond Internal Auditing: This new standard emphasizes the need to have appropriate safeguards in place when the CAE’s responsibilities extend beyond Internal Auditing. These safeguards are necessary to limit impairments to independence or objectivity. The external assessors will have to ensure that Audit Committee Members are monitoring the independence of the CAE and obtaining assurance (from functions other than Internal Audit) on the areas of responsibility beyond internal audit.
Interpretation: This new interpretation states that where the CAE is requested to take on additional roles and responsibilities beyond internal auditing, such as compliance, risk management, etc., and assuming such roles and responsibilities might impair the independence of the internal audit activity or the objectivity of the internal auditor, safeguards should be in place to limit such impairments. The Board will have the additional responsibility of having appropriate safeguards in place by undertaking oversight activities that address potential impairments arising from the additional roles taken on by the CAE. The Board can further conduct periodic evaluations of reporting lines and responsibilities and develop alternative processes for obtaining assurance on the areas of such additional responsibilities.
1130.A3: This is a new sub-standard under Standard 1130 (Impairment to Independence and Objectivity). It states that the internal audit department can provide assurance services where it previously performed consulting services. This is possible provided that the consulting service provided earlier did not impair objectivity and that individual objectivity is duly managed while assigning resources to the engagement. Thus, the CAE has to ensure that objectivity is not compromised under such circumstances.
1210 – Proficiency: The Interpretation here is amended by rewording “Professional Proficiency” to “Proficiency”. The definition here is enriched by including consideration of current activities, trends and emerging issues for providing relevant advice and recommendations apart from the existing competencies needed to remain proficient.
1300 – Quality Assurance and Improvement Program: The Interpretation is amended to state that a quality assurance and improvement program should be designed to enable an evaluation of whether the Internal Audit Department conforms with the Standards only and whether internal auditors apply the Code of Ethics. The CAE is further entrusted with encouraging the Board’s oversight of this quality assurance and improvement program.
1312 – External Assessments: The Interpretation is amended to state that a full external assessment or a self-assessment with independent external validation are the modes of accomplishing external assessments. The external assessor is made responsible for concluding the external assessment by stating whether the internal audit department has / has not conformed with the Code of Ethics and the Standards, and to support that, the external assessor’s report can include operational or strategic comments. The CAE is entrusted with the responsibility of encouraging the Board’s oversight of the external assessment, thereby reducing the possibility of a perceived or potential conflict of interest.
1320 – Reporting on the Quality Assurance and Improvement Program: The CAE is entrusted with the responsibility of making specific disclosures when reporting on the quality assurance and improvement program. These are:
- Scope and frequency of internal and external assessments,
- Qualifications and independence of assessor(s) and assessment team, including potential conflict of interest,
- Assessor’s conclusions,
- Corrective action plans.
Amendments to Performance Standards:
The amendments to this section and their possible effects are covered below:
2000 – Managing the Internal Audit Activity: The CAE is responsible for effectively managing the Internal Audit Department by always considering the trends and other emerging issues impacting the organization, thereby adding value to the organization and its stakeholders. The Internal Audit Department adds value to the organization and its stakeholders when it considers the Company’s strategies, objectives and risks, strives to offer ways to enhance governance, risk management and control processes, and objectively provides relevant assurance.
2010 – Planning: The Interpretation is partially amended, placing responsibility on the CAE to consult with senior management and the board, rather than to use his / her own judgement, in understanding the organization’s strategies, key business objectives, associated risks and risk management processes in order to develop a risk-based plan. The CAE’s role as a Consultant is required only when no risk management framework exists within the entity.
2050 – Coordination and Reliance: The word “Reliance” is added to the Standard’s title. The CAE is entrusted with the responsibility of sharing information, coordinating activities and considering reliance upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of effort.
The Interpretation is a new addition. It mentions that where engagement activities require coordination from other assurance and consulting service providers, the CAE can do so, provided a consistent approach for reliance is followed and the competencies, objectivity and due professional care of these service providers are considered. The CAE is expected to have clear understanding of the scope, objectives and results of work performed by such providers. The CAE still remains accountable and responsible even if the reliance is placed on work of others for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
2060 – Reporting to Senior Management and the Board: The CAE is assigned the additional responsibility of periodically reporting to Senior Management and the Board on the Internal Audit Department’s conformance with the Code of Ethics and the Standards, in addition to the department’s purpose, authority, responsibility and performance relative to its plan.
The Interpretation is amended and states that the frequency of reporting to Senior Management and the Board is determined in collaboration among, and not merely through discussion by, Senior Management, the Board and the CAE. Thus, the CAE is empowered to collaborate with Senior Management and the Board in deciding the frequency and content of the reporting. The CAE is entrusted with the responsibility of reporting and communicating to Senior Management and the Board, which must include information about:
- The audit charter,
- Independence of the internal audit activity,
- The audit plan and progress against the plan,
- Resource requirements,
- Results of audit activities,
- Conformance with the Code of Ethics and the Standards and action plans to address any significant conformance issues,
- Management’s response to risk that, in the CAE’s judgment, may be unacceptable to the organization.
“The demands on internal audit are evolving rapidly, and The IIA is working diligently to make sure the Standards and IPPF reflect that evolution” – IIA President and CEO Richard Chambers¹
2100 – Nature of Work: The Internal Audit Department is entrusted with the responsibility of evaluating and contributing to the improvement of the organization’s governance, risk management and control processes using a systematic, disciplined and risk-based approach. The value and credibility of the department are enhanced when the team is proactive and its evaluation offers better insight and forecasts future impact. Thus, the Internal Audit Department is made more responsible for providing value-adding insights to the entity and improving the organization’s governance, risk management and control processes.
2110 – Governance: The Internal Audit Department is entrusted with additional responsibilities for improving the organization’s governance process by assessing and making appropriate recommendations on strategic and operational decisions and on the oversight of risk management and controls.
2200 – Engagement Planning: The standard is revised to state that internal auditors have to be well aware of the organization’s strategies, objectives and relevant risks and must consider them while planning any engagement.
2201 – Planning Considerations: In planning an engagement, internal auditors must consider the organization’s strategies and the significant risks to the objectives of the activity under review.
2210.A3 – This is a sub-standard under Standard 2210 (Engagement Objectives). The amendment is that where the criteria to evaluate governance, risk management and controls are inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and the board, instead of working with management and / or the board to develop appropriate evaluation criteria as per the previous standards. Thus, internal auditors are supposed to use their consulting skills and identify appropriate evaluation criteria through due discussion with management and / or the board, rather than working with management / the board to develop suitable criteria.
A new Interpretation is added stating there are three types of criteria being 1) Internal, 2) External and 3) Leading Practices.
2410 – Criteria for Communicating: The amended standard states that communication must include the engagement’s objectives, scope and results.
2410.A1: The amendment is that the final communication of engagement results must include applicable conclusions, as well as applicable recommendations and / or action plans. The internal auditor’s opinion should be provided only where appropriate. Previously, the internal auditor’s opinion and / or conclusions were to be provided only where appropriate. Further, only the opinion (and not the conclusion, as in the previous standards) must take account of the expectations of senior management, the board and other stakeholders.
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”: The internal auditors can indicate that engagements are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing if the results of the quality assurance and improvement program support this. Thus, the emphasis is on indication rather than on reporting on the conformance.
2450 – Overall Opinions: The internal auditors have an added responsibility of taking into consideration the organization’s strategies, objectives and also risks when framing an overall opinion. Further, the Interpretation states that a summary of relevant information supporting such opinion must be included in addition to the earlier requirements.