How should the IIA change its Standards and other Guidance?

The IIA’s Internal Audit Foundation is asking for practitioner member input. You can find the survey here on their web site. It is available through the end of August.

They say:

2021: Research Focus: Assessing Internal Audit Practices

The Foundation has selected this topic to gather perspectives and insights of importance in understanding the global practice of the profession and to understand the current relevance and potential improvements of the International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (Standards).

Overall Study Objectives:

  • Assess internal audit practices at the internal audit activity and practitioner levels.
  • Understand the value and relevance of the IPPF and Standards toward ensuring internal audit effectiveness.
  • Ensure continued applicability and effectiveness of the IPPF and Standards.

I started the survey, but when I indicated that I was retired they threw me off because they only want the survey completed by “current practitioners”.

Of course, that will not prevent me from sharing my views – which I shall in this post.

I haven’t seen the questions, so I am making some general rather than specific points.

  • The Standards and other guidance require a “risk-based plan” (Standard 2010 – Planning), which I support. However, the Standards lead you away from identifying risks to the enterprise as a whole and towards risks to individual processes, business units, etc.

This is because Standard 2201 – Planning Considerations asks that the auditor consider “The significant risks to the activity’s objectives, resources, and operations”.

Standard 2210 – Engagement Objectives dictates: “Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment”.

The auditor needs to focus on the risks that matter to the enterprise as a whole, and not risks to individual activities within the enterprise. The auditor should strive to audit processes and related controls at an activity that could lead to a failure to achieve enterprise objectives.

  • In a previous iteration of the Standards, the word “should” was globally replaced with “must”. As a result, certain aspects of the organization. For example, Standard 2110 – Governance states:

The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:

    • Making strategic and operational decisions.
    • Overseeing risk management and control.
    • Promoting appropriate ethics and values within the organization.
    • Ensuring effective organizational performance management and accountability.
    • Communicating risk and control information to appropriate areas of the organization.
    • Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

While each of these may be high risk, mandating them flies in the face of the risk-based approach.

The correct approach is to require auditors to consider these matters in their risk assessment and audit planning activities, including related projects in the plan when and where justified based on enterprise risk.

  • Several standards mandate work that is neither necessary nor of value. The IIA Standards Board should take a pencil in hand and delete them. We need every internal auditor to be agile, responding promptly to changes in business conditions and risks, and auditing at speed. Excessive bureaucratic red tape does not help you run fast.

For example, Standard 2200 – Engagement Planning states:

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

In my many years as CAE, I cannot think of a single audit where all of this was needed. I want my auditors to audit, not write a lot of documents.

Standard 2240 – Engagement Work Program is far too onerous. 2240.A1:

Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.

Why document all of this? I see little value in most cases. Let the auditors go!

  • The approach to risk management needs an overhaul and update, reflecting leading thinking on what constitutes effective risk management. Frankly, this is an area where IIA seems to lag.

For example, the definition of risk management in the Glossary needs to go further. It defines it as:

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

What is missing is the link to decision-making. Risk management enables the informed and intelligent decisions necessary to achieve enterprise objectives.

  • I would like to see more guidance, including standards, that leads practitioners to limit their scope to what matters, audit at speed, and then communicate effectively and promptly.
  • A number of excellent Practice Guides and Advisories were developed in the past but are no longer available. That is unfortunate since the guidance was very good.
  • Recent GTAGs have been less than satisfactory. They should have never been issued. See previous posts on this blog for details.

I will leave it there. I am, however, open to discussing these and related questions with IIA leaders.

Please share your thoughts as well – with the IIA in their survey and here, as comments to this post.

  1. Bill Spoehr
    August 11, 2021 at 8:56 AM

    As expected, the IIA survey didn’t allow for comments or for any input as to what the standards should focus on, only “agreement” as to whether or not you believed the standards applied to your function and if you followed them.

    But, were we surprised by that? I didn’t think so.

    The IIA continues to lag the “real” world by at least a decade or 2 in considering the speed of business and the skills required to function effectively as an IA department today.

    • Norman Marks
      August 11, 2021 at 9:50 AM

      Bill, it sounds like you would be a valuable addition to the Standards Board!

      • Bill Spoehr
        August 11, 2021 at 10:19 AM

        Norman, you and I would be thrown out of the first meeting as heretics. 🙂

        • August 11, 2021 at 10:20 AM

          Can I come?

        • Norman Marks
          August 11, 2021 at 10:44 AM

          You would be surprised! I was a committee member for many years, including a long stint on the Professional Issues Committee that wrote the Practice Advisories and Guides.

          You and David, in fact all heretics, should apply.

    • August 11, 2021 at 10:05 AM

      Bill, I made a separate submission because of the limitations of the survey. You can send any additional comments to foundation@theiia.org.

