Please provide comments on the IIA Standards
I strongly support this initiative and ask that you provide your comments.
I have been strongly critical of the last edition of the Standards, without any success. The last version included changing the word “should” to “must”, as the standards are mandatory. However, in the process a serious flaw was introduced.
In several places, the Standards now mandate audit activities regardless of whether they are high risk. While each of these activities is important, what the Standards should mandate is their consideration in the risk assessment. They should not say, as they do now, that the annual plan must include them.
As they are now, the Standards mandate practices that are not consistent with risk-based auditing – where only activities that represent risks of significance are included in the audit plan. Here are a few examples.
2110 Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization;
- Ensuring effective organizational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organization; and
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
2110.A2 The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
2120 Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
If you, as I, want to contribute to the success of the profession of internal auditing, I ask that you provide your comments. In addition to completing the survey, you can submit comments to iia-exposure@theiia.org.
One of my concerns is that the Standards remain principle-based, and not start down the path of extensive rules. One key principle should be that audits are based on a risk-based plan.
Norman, I agree the use of mandates without consideration of risk is a bad idea. Also, there may be other reasons why an internal auditing (IA) organization may not feel it appropriate to perform certain “mandated” reviews. For example, an area may indeed be high risk, but it is not the right time for IA to perform a review as management is aware of deficiencies and is working to address them. We could of course insert ourselves into the area just to comply with Standards, but it may not add any value during remediation.
Good work and excellent article! Cheers.