Time (again and still) for the IIA Standards to be corrected

This might get me in trouble with IIA leadership (again), but it is important if internal audit is to get promoted from the children’s table of providing assurance on mundane issues that don’t really matter to leaders of the organization to the head table alongside those leaders.

The first part of this piece is on fraud, but it then considers the larger picture.


A read of the latest Position Paper from the Institute of Internal Auditors highlighted a set of problems for me. Fraud and Internal Audit: Assurance over Fraud Controls Fundamental to Success (2019) correctly quotes a couple of IIA Standards (1210.A2 and 2120.A2) but, in my opinion, provides faulty advice.

The paper gets this right:

  • Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls. [Note: I will come back to the last part of the sentence.]
  • The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situation. This should include digital data.
  • Internal auditors should not investigate fraud unless they have the specific experience and expertise required to do so.

But it is wrong, as I will explain in a moment, when it says:

  • The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls.
  • The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically.

There is much more content along these lines.

The IIA is currently a strong supporter of the so-called three lines of defense. In the paper, it (correctly) says that:

It is not internal audit’s direct responsibility to prevent fraud happening within the business. This is the responsibility of management as the first line of defense.

Not only is it management’s responsibility to have appropriate controls to deter, prevent, and detect fraud but it should also be responsible for assessing the risk of fraud.

In other words, internal audit should NOT be automatically held responsible for assessing the risk of fraud – just as it is not responsible for assessing the risks of credit default, an economic downturn, the failure of a new product, or the loss of key employees.

Risk assessment when it comes to fraud should, as it is for all sources of risk to the objectives of the enterprise, be the responsibility of management.

Internal audit can assist management by facilitating a fraud risk assessment. Management should make the decision both on the level of risk and whether it is acceptable. Internal audit can provide their opinion and advice on both.

In an ideal world, management (perhaps through its risk function) will assess the risk of fraud. In that case, the CAE and team should obtain assurance that management’s risk assessment is adequate.

  • If it is adequate, and contrary to this guidance from the IIA, the CAE should place reliance on management’s assessment rather than duplicating it unnecessarily.
  • If it is not adequate, the CAE reports that to top management and the board and provides advice and insight to help management upgrade its risk assessment processes. Internal audit can then (as it does for all enterprise risks) perform its own assessment for the purpose of developing the audit plan.

I have yet to live in an ideal world. Except for when I was both CRO and CAE, there was no risk function and no enterprise risk assessment other than that my team performed. We completed a fraud risk assessment, but it was on behalf of management – consistent with the three lines of defense.

Once the fraud risk assessment has been completed, internal audit has to determine how to consider the risk of fraud in its audit planning.

Contrary to the IIA guidance, attention to fraud risk should not be automatic. Fraud does not have to be included in the audit plan or included in the scope of one or more audits. It should only be addressed when the level of risk justifies it.

If you prioritized all enterprise risks and fraud came in at #20 but you could only perform 15 audits, I would not expect you to include the risk of fraud in an audit. The exception would be when the board requests that you perform such an audit despite the relatively low level of risk (relative to other sources of risk).

I would also not expect you (except when directed by the audit committee) to automatically evaluate the anti-fraud controls in every business unit, as dictated by the IIA guidance. That leads you to auditing what might be a risk to the business unit but is not a risk to the enterprise as a whole.

Audit what happens at a business unit that is a source of risk to the enterprise as a whole.


That brings us to the continuing failure of the IIA Standards to promote an enterprise-level risk-based audit plan.

The Standards are right here, the Interpretation of Standard 2010 – Planning:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

But wrong here (note the highlighted words), in Standard 2201 – Planning Considerations:

In planning the engagement, internal auditors must consider:

  • The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
  • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
  • The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
  • The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

This is also wrong, in Standard 2210 – Engagement Objectives:

2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Internal audit’s job is to provide the board and top management with assurance, advice, and insight on the achievement of enterprise objectives through the provision of controls over the more significant risks to those objectives.

Have a second look at Standard 2010. It talks, as it should, about the organization, not individual activities (i.e., business units and such) within the organization.

Standards 2201 and 2210 need to be changed.

Otherwise, auditors will continue to follow the traditional processes of:

  • Risk-prioritize the audit universe, a list of auditable entities and processes.
  • Build the audit plan to include activities within the entities that rise to the top.
  • Assess the risks to each activity as you define the scope of each audit of an entity.

This leads to providing assurance on what matters to middle management, the people running each individual entity.

It does not provide assurance on enterprise-level risks, what matters to the board and top management.

The better approach is to:

  • Prioritize a risk universe (and discard the audit universe as obsolete).
  • Identify which activities at which entities and in which processes are sources of enterprise-level risks. (For example, if the theft of intellectual property is an enterprise risk of significance, where are the activities and related controls that need to be audited to provide assurance on the enterprise risk?)
  • Build the audit plan with an appropriate combination of entity-level (e.g., corporate) and business unit/process-level audits to provide the assurance, advice, and insight management needs.

I talk about this extensively in Auditing that matters, my seminal book on internal auditing. For example, I discuss the enterprise-level risks of significance to each of my former companies and how they were different from the traditional areas of internal audit attention – but led to internal audit being even more than the trusted advisor suggested by Richard Chambers. I also talk about how to staff the internal audit function to provide advice and insight that matters and how to communicate what matters when it matters to leaders.

I welcome your comments.

  1. May 27, 2019 at 2:38 AM

    Norman, I certainly agree with your comments on the standards and their approach to fraud. I also agree with your comments about planning, but would see the approach as:

    Assess the management’s risk framework to ensure it has determined the organisation’s objectives; identified the opportunities benefiting those objectives and risks threatening those objectives; put in place controls to manage opportunities and risks to a level acceptable to management.

    If the risk framework is not adequate, report this to management and the audit committee. Work with management to improve it. If the risk framework is adequate use management’s assessment of opportunities and risks to build an audit plan which can deliver an opinion as to whether the organisation’s objectives will be achieved, based on the management of opportunities and risks.

    In other words, drive the audit plan out of the objectives/risks/controls database which organisations should have in order to fulfill their statutory commitments. IA should not be setting up their own database (audit universe). My site at http://www.internalaudit.biz provides practical examples of what I would call ‘Objective focused internal auditing’.

  2. Daniel Paul Kalwiji
    May 27, 2019 at 6:10 PM


  3. May 27, 2019 at 10:34 PM

    In the Netherlands, there has been a thorough discussion about the role of the external auditor regarding fraud. So I can imagine that in case the external auditor also relies on the work of the internal auditor, the internal auditor makes his own assessment – independent from management – of the risk of fraud.

  4. May 28, 2019 at 9:33 AM

    Norman Marks, I think your points are great and are definitely important for assurance functions to ponder in their programs and for their value proposition vis-à-vis fraud risks. However, I am often worried that the “better” the standards are the more impractical they become, and I wonder if the IIA may be seeking to balance that perspective too. I don’t know the workings of their decision making. I do know that this is where maturity models may come in to be somewhat handy, but even those have their limitations. My view is that irrespective of where these standards fall, auditor objectivity, functional independence and “adding value” should remain the drivers for the role audit functions play in any area. At the end of the day the role of internal audit is a negotiated position that a Chief Audit Executive and the Audit Committee should be able to credibly defend.

  5. Anonymous
    May 31, 2019 at 8:16 PM

    I think it is simply a matter of context: “The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls.” … can simply mean to have a process that ensures fraud risk potential is considered in each engagement as appropriate – even to say “N/A – because …..”. IA knows they are an assurance service – and not an operationally responsible management group.

    Also, fraud is a very broad term that can even mean intentionally excluding important monitoring data from escalation reports to mislead others about performance. We often cannot guess what an auditor’s next scope will be, and IA is really great at flexing assessment approaches as appropriate to the circumstance.

    It is also important to let the auditor consider fraud risk and coordinate as appropriate with the others who provide monitoring and assurance. There is also nothing precluding the IA group from assessing the overall risk program and balancing efforts between enterprise-wide versus project-level reviews.

    The problem is this: Ask anyone outside of auditing what the minimum expectation they would expect an auditor to be looking for, and they will say “Fraud”. So the intention of the standard is to ensure fraud risk programs are never easily forgotten for assessment when they really matter. HOW appropriate assurance is accomplished, happens many different ways. There are no wise 1-size-fits-all fraud approaches.

  6. June 2, 2019 at 6:53 PM

    The IIA standards are correct with regard to fraud. They reinforce the fundamental purpose, nature and scope of internal auditing as contained in the definition of internal auditing. The second sentence of that definition is the relevant one as it is the one that addresses exactly and concisely what the definition sets out to state.

    Simply put, any practice contrary to the nature and scope of internal auditing is not an internal audit practice. The detection and investigation of fraud by internal auditors is such a practice. It assumes a management responsibility and does not address the scope of internal auditing. One is NOT operating as an internal auditor when one indulges in those practices.

    Your target is, therefore, not IIA Standards in general but the definition of internal auditing itself, which needs no correction other than expunging the first sentence and adding adequacy to the attributes of internal control to be focused on.

    As a consequence of the 2015 and 2017 revisions which undermined the definition of internal auditing, King 4, having adopted the Three Lines of Defence (3LoD) in King 3, has abandoned it. King 4, having recommended Tim Leech’s Five Lines of Assurance (5LoA) as a replacement of 3LoD, in the end also dumped them. King 4, having added the IIA’s Code of Ethics to the Standards as guidance that organisations must adhere to regarding internal auditing in King 3, now does not refer to any IIA guidance at all.

    Our Public Finance Management Act (PFMA) in South Africa has got it right by allocating the individual responsibility to establish an adequate and effective system of internal control to the executive head of an organisation (and NOT extending it to the finance executive as SOX does) and an individual responsibility to each official (employee) to implement the established system of internal control in his/her area of responsibility.

    The unit of an internal audit engagement is, therefore, the area of responsibility of each employee, from top to bottom, and not organisational risks per se. That ensures that the enterprise-wide focus is automatically addressed.

    Your perspective of enterprise-wide focus encourages abrogation of individual responsibility by all concerned – music to executive heads (where the buck should stop) who want to escape individual responsibility like you did regarding the 2015 and 2017 revisions.

    Lastly, prioritising risks is bad practice. You NEVER prioritise risks! ALL significant risks MUST be addressed! And they can be!
