The global IIA announced new standards on 1 October to be applied from 1 January 2017. So, as a CAE member of the UK and Global IIA, I will have to comply (even though my local standards, the Public Sector Internal Audit Standards, applicable to the practice of internal auditing in the UK Government, will not be updated quite yet).
So let’s have a look at the changes shall we? 2017 Standards (marked up changes)
The first interesting change is that internal audit is for organisations, not within as previously. This recognises that for many organisations IA is provided externally. Now I have a view that IA is less successful when delivered this way, but even I must recognise that some organisations are small and struggle to maintain a high quality in house service. So this is a sensible change as long as it is not the thin end of the wedge, making IA no longer part of a standard organisation’s control and assurance infrastructure.
The next changes promote the primacy of the Standards over any other standards. This will be interesting in terms of seeing how other local standard setters and bodies react to this. I think the Standards are well established now, so I’m happy with this.
The idea of establishing principles based standards is sensible, losing the mix of compliance and principles as previously. I am a great fan and believe that the best internal audit services mould to their organisations, subject to some unchanging principles, so I am keen on this change.
Updated references to the professional practices frameworks are sensible too. I think the whole package makes sense now, so having the pieces independent of each other no longer does. So this is a sensible change too.
Of particular interest is the IIA’s response to the consultation, saying some respondents misunderstood objectivity and independence. Interesting. It’s worth looking at the glossary for the definitions of each. So for objectivity:
‘An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.’
Let’s compare this to independence:
‘The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.’
So objectivity is the requirement to form our own view, and independence is / are the conditions that allow us to form our own view. This ties into the edit on page two, that removes independent from opinions and leaves it for the auditor. So the auditor is independent but does not form independent opinions, but rather forms objective opinions. That’s quite an interesting nomenclature change and one that is more than just semantics in my view. I welcome it, for objectivity is a mental attitude, not some organisational or structural comment. Indeed being paid by and working for an organisation as an internal audit function does promote far greater objectivity than being paid for as an external contractor.
There’s an interesting nod at the bottom of page two for us CAEs. We don’t only have to comply for our audit work, but also for the work of the IA services we lead. This is not new, but this ‘additional’ responsibility, now spelled out, is notable.
So – to the attribute standards. 1000 spells out that the mission and all elements of the international professional practices framework must be complied with and included in the IA charter. This will need me to review mine (which is due a refresh anyway), so I would suggest you familiarise yourselves with the mission in particular. Standard 1010 requires that you have this chat with your board, so I would suggest a paper to your next audit committee.
1110.A1 requires us CAEs to report any scope interference to the board. Presumably not every last little intervention, but any significant limitation or change to scopes. I’ve written lots of times about scoping, and I don’t see it as contracting, so reporting adverse interference is fine with me, though I would consider it unlikely to ever come to that.
Standard 1112 – Here’s the great change in my view. This standard recognises that IA can and does do a number of governance activities (because we are best placed and skilled to) outside of just internal auditing. I’ve written about the nonsense paper from the UK IIA prohibiting whistleblowing (Whistleblowing – another thing internal audit cannot do?). This puts this nonsense to bed in the standards. For this is all fair game, as long as independence and objectivity are safeguarded and suitable assurance over the performance of this activity is put in place (as the board requires a five year assurance over assurance). Well done Global IIA!
1130.A3 – Another sensible step. If we review something or consult on it, we can audit it subsequently. As long as IA did not get intimately involved in risk treatment decisions in doing the original consultancy and as long as you use another part of the audit team to do it. Another triumph for common sense – well done!
1210 – Another sensible change requiring competency to include currency. This means we need to be current in our knowledge and research for our assignments. This underpins a long-held belief of mine that CPD is continuous. Of course this is obvious, but making it clear in the standards is a great thing in my view.
1300 – A requirement to engage the board and audit committee in continuous improvement of internal audit. I think a good CAE does this anyway, encouraging support, input and transparency of performance monitoring to the audit committee. Indeed I’ve been really lucky to have extremely high quality audit committee chairs to support and cajole me to perform. As an audit committee member myself I take this element of my role seriously too; IA risks being unloved and this can risk under-resourcing of and lack of seriousness given to it by the management team.
1312 – Requiring an audit opinion on the audit of the internal auditors seems sensible to me. We as a profession put such store by opinions, so we should be subject to them too. I welcomed mine (Generally conforms?). Board oversight of this is really important. Both to give the exercise credibility and to allow the Board to engage with the outcome.
2000 – Well done on the Standards picking up that IA is only successful when it is up to date and relevant. This means really understanding the challenges an organisation faces now and in the future.
2050 – Now this is interesting. So we can formally rely on others’ work, and I think that is sensible, but there are two interesting caveats. First the reliance is not blind faith, it’s done with a full knowledge of what scope and quality the assurance is. Second the CAE remains fully accountable for their opinion and cannot pass blame on others. A sensible set of changes as IA is too small to do all assurance (The one percent).
2060 – Reporting to the Board – a small but important change here – we should report when the Board needs it, not when they request it. This is a sensible change as IA should push the Board when it needs it, we are and should be more than bystanders when something major goes wrong. I am not a fan of the list of things it must include. This seems odd. Most Boards don’t need all of this information, and most of these data are reported to the audit committee of the board in any case. I would have this as a list of suggestions.
2100 – Another slightly strange addition saying we’re most effective as internal auditors when we are proactive, offer new insights and are forward-looking. Well yes, but does this need to be in the Standards? No. Not really.
2010.A3 – Another not needed list of the obvious. It’s interpretive, but not really needed in the Standards – another edit to remove in my view.
2410.A1 – This is another opportunity missed, leaving assignment work as having to provide conclusions, but not an opinion. The interesting thing here is that assignments must include ‘applicable recommendations and/or action plans’. This is a blow to those auditors who no longer provide any suggestions or recommendations. One to check for some services, otherwise they will no longer comply with the Standards.
2450 – We should support our overall opinions with a summary of the information supporting them. No short opinion with little backup. A number of the professional services firms will need to review their annual report formats in my view. Is this the end of exception reporting? Perhaps, or the promotion of a more extreme version of it?
Glossary – The definition of the Board is interesting, particularly with the list of data we are required to present to them – the Audit Committee is also the Board, so perhaps the detailed list of reporting I am critical of would make sense where the Board apparently includes just its sub committees too. This is a bit odd and I think needs to be tidied up in the next version of the Standards. If you mean Board, mean it, don’t then widen its definition in the glossary.
So overall, a sensible set of changes to the Standards, which the professional should welcome and not have too much difficulty in applying if they are doing a good job. There’s a few too many lists in here for me that seem odd and out of context for the Standards, but I’ll take those for the other changes, which on balance are positive. So when are you writing your briefing paper for your audit committee?