Please provide comments on the IIA Standards

February 20, 2010
The IIA has asked for input on the International Standards for the Professional Practice of Internal Auditing. You can access information at http://www.theiia.org/guidance/standards-and-guidance/2010-standards-exposure/.

I strongly support this initiative and ask that you provide your comments.

I have been strongly critical of the last edition of the Standards, without any success. The last version included changing the word “should” to “must”, as the standards are mandatory. However, in the process a serious flaw was introduced.

In several places, the Standards now mandate audit activities regardless of whether they are high risk. While each of these is important, what the Standards should mandate is consideration of them in its risk assessment. They should not say, as they do, that the annual plan must include them.

As they are now, the Standards mandate practices that are not consistent with risk-based auditing – where only activities that represent risks of significance are included in the audit plan. Here are a few examples.

2110 Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization;
  • Ensuring effective organizational performance management and accountability;
  • Communicating risk and control information to appropriate areas of the organization; and
  • Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

2110.A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110.A2 The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

2120 Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

If you, as I, want to contribute to the success of the profession of internal auditing, I ask that you provide your comments. In addition to completing the survey, you can submit comments to iia-exposure@theiia.org.

  1. nmarks
    February 22, 2010 at 7:52 AM

    One of my concerns is that the Standards remain principle-based, and not start down the path of extensive rules. One key principle should be that audits are based on a risk-based plan.

  2. February 22, 2010 at 10:37 AM

    Norman, I agree the use of mandates without consideration of risk is a bad idea. Also, there may be other reasons why an internal auditing (IA) organization may not feel it appropriate to perform certain “mandated” reviews. For example, an area may indeed be high risk, but it is not the right time for IA to perform a review as management is aware of deficiencies and is working to address them. We could of course insert ourselves into the area just to comply with Standards, but it may not add any value during remediation.

  3. March 6, 2010 at 1:19 AM

    Good work and excellent article! Cheers.
