Institute of Internal Auditors - Revised Standards 2017
The Institute of Internal Auditors (IIA Global) has developed standards and guidance for the practice of internal audit.
These are collectively known in the UK as the International Professional Practices Framework (“IPPF”). The IPPF includes mandatory guidance, comprised of the Core Principles, Definition, Code of Ethics and Standards, as well as supplemental recommended guidance.
Whilst observance of the Standards is mandatory on all member of the IIA, ICAS members who work in internal audit and who are not also IIA members will find them of considerable interest. The current edition was revised in October 2016 and is effective from 1 January 2017.
What do the Internal Auditing Standards consist of?
The Standards can be found on the IIA website and are described there as:
“A set of principles-based, mandatory requirements consisting of:
- Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
- Interpretations clarifying terms or concepts within the Standards.”
The Standards consist of two categories, attribute standards and performance standards, which both apply to all internal audit services. Most of the standards are quite short in length.
(a) Attribute Standards
Cover the attributes of organisations and individuals carrying out internal auditing and comprise:
No. | IIA Standard No. | Title |
|---|---|---|
1 | 1000 | Purpose, Authority, and Responsibility |
2 | 1010 | Recognizing Mandatory Guidance in the Internal Audit Charter |
3 | 1100 | Independence and Objectivity |
4 | 1110 | Organisational Independence |
5 | 1111 | Direct Interaction with the Board |
6 | 1112 | Chief Executive Roles Beyond Internal Auditing |
7 | 1120 | Individual Objectivity |
8 | 1130 | Impairment to Independence or Objectivity |
9 | 1200 | Proficiency and Due Professional Care |
10 | 1210 | Proficiency |
11 | 1220 | Due Professional Care |
12 | 1230 | Continuing Professional Development |
13 | 1300 | Quality Assurance and Improvement Program |
14 | 1310 | Requirements of the Quality Assurance and Improvement Program |
15 | 1311 | Internal Assessments |
16 | 1312 | External Assessments |
17 | 1320 | Reporting on the Quality Assurance and Improvement Program |
18 | 1321 | Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” |
19 | 1322 | Disclosure of Non-conformance |
(b) Performance Standards
These cover the nature of internal auditing and provide quality control criteria against which the performance of these services can be measured and are as follows:
No. | IIA Standard No. | Title |
|---|---|---|
1 | 2000 | Managing the Internal Audit Activity |
2 | 2020 | Communication and Approval |
3 | 2030 | Resource Management |
4 | 2040 | Policies and Procedures |
5 | 2050 | Coordination and Reliance |
6 | 2060 | Reporting to Senior Management and the Board |
7 | 2070 | External Service Provider and Organizational Responsibility for Internal Auditing |
8 | 2100 | Nature of Work |
9 | 2110 | Governance |
10 | 2120 | Risk Management |
11 | 2130 | Control |
12 | 2200 | Engagement Planning |
13 | 2201 | Planning Considerations |
14 | 2210 | Engagement Objectives |
15 | 2220 | Engagement Scope |
16 | 2230 | Engagement Resource Allocation |
17 | 2240 | Engagement Work Program |
18 | 2300 | Performing the Engagement |
19 | 2310 | Identifying Information |
20 | 2320 | Analysis and Evaluation |
21 | 2330 | Documenting Information |
22 | 2340 | Engagement Supervision |
23 | 2400 | Communicating Results |
24 | 2410 | Criteria for Communicating |
25 | 2420 | Quality of Communications |
26 | 2421 | Errors and Omissions |
27 | 2430 | Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing” |
28 | 2431 | Engagement Disclosure of Non-conformance |
29 | 2440 | Disseminating Results |
30 | 2450 | Overall Opinions |
31 | 2500 | Monitoring Progress |
32 | 2600 | Communicating the Acceptance of Risks |
What has changed in the Standards?
The changes to the Standards are twofold
(a) Two new Standards have been issued (listed below), both of which deal with the evolving role of internal audit and in particular, of the Chief Audit Executive / Head of Internal Audit. These new standards set expectations for how additional responsibilities should be managed within the internal audit function.
- No. 1112 addresses the common situation where heads of internal audit (called here “chief audit executives”) are asked by management to take on roles beyond the remit of internal audit (such as venturing into compliance or risk management work.). This new Standard says that “Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.”
It describes these as “Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility.”
- No. 1130.A3 addresses the potential threat to objectivity where internal audit performs an assurance engagement after previously carrying out consultancy work in that area. This says that “The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.”
(b) General updates have also been made to the previously issued Standards.
