Institute of Internal Auditors - Revised Standards 2017
The Institute of Internal Auditors (IIA Global) has developed standards and guidance for the practice of internal audit.
These are collectively known in the UK as the International Professional Practices Framework (“IPPF”). The IPPF includes mandatory guidance, comprised of the Core Principles, Definition, Code of Ethics and Standards, as well as supplemental recommended guidance.
Whilst observance of the Standards is mandatory on all member of the IIA, ICAS members who work in internal audit and who are not also IIA members will find them of considerable interest. The current edition was revised in October 2016 and is effective from 1 January 2017.
What do the Internal Auditing Standards consist of?
The Standards can be found on the IIA website and are described there as:
“A set of principles-based, mandatory requirements consisting of:
- Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
- Interpretations clarifying terms or concepts within the Standards.”
The Standards consist of two categories, attribute standards and performance standards, which both apply to all internal audit services. Most of the standards are quite short in length.
(a) Attribute Standards
Cover the attributes of organisations and individuals carrying out internal auditing and comprise:
IIA Standard No.
Purpose, Authority, and Responsibility
Recognizing Mandatory Guidance in the Internal Audit Charter
Independence and Objectivity
Direct Interaction with the Board
Chief Executive Roles Beyond Internal Auditing
Impairment to Independence or Objectivity
Proficiency and Due Professional Care
Due Professional Care
Continuing Professional Development
Quality Assurance and Improvement Program
Requirements of the Quality Assurance and Improvement Program
Reporting on the Quality Assurance and Improvement Program
Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
Disclosure of Non-conformance
(b) Performance Standards
These cover the nature of internal auditing and provide quality control criteria against which the performance of these services can be measured and are as follows:
IIA Standard No.
Managing the Internal Audit Activity
Communication and Approval
Policies and Procedures
Coordination and Reliance
Reporting to Senior Management and the Board
External Service Provider and Organizational Responsibility for Internal Auditing
Nature of Work
Engagement Resource Allocation
Engagement Work Program
Performing the Engagement
Analysis and Evaluation
Criteria for Communicating
Quality of Communications
Errors and Omissions
Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
Engagement Disclosure of Non-conformance
Communicating the Acceptance of Risks
What has changed in the Standards?
The changes to the Standards are twofold
(a) Two new Standards have been issued (listed below), both of which deal with the evolving role of internal audit and in particular, of the Chief Audit Executive / Head of Internal Audit. These new standards set expectations for how additional responsibilities should be managed within the internal audit function.
- No. 1112 addresses the common situation where heads of internal audit (called here “chief audit executives”) are asked by management to take on roles beyond the remit of internal audit (such as venturing into compliance or risk management work.). This new Standard says that “Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.”
It describes these as “Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility.”
- No. 1130.A3 addresses the potential threat to objectivity where internal audit performs an assurance engagement after previously carrying out consultancy work in that area. This says that “The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.”
(b) General updates have also been made to the previously issued Standards.