Please Provide Comments on the IIA Standards

The IIA has asked for input on the International Standards for the Professional Practice of Internal Auditing (Standards). You can access information here. I strongly support this initiative and ask that you provide your comments.

I have been strongly critical of the last edition of the Standards, without any success. The last version included changing the word “should” to “must,” as the standards are mandatory. However, in the process a serious flaw was introduced.

In several places, the Standards now mandate audit activities regardless of whether they represent high risk. While each of these activities is important, what the Standards should mandate is that the internal audit activity consider them in its risk assessment. They should not say, as they now do, that the annual plan must include them.

As they stand, the Standards mandate practices that are inconsistent with risk-based auditing, in which only activities that represent risks of significance are included in the audit plan. Here are a few examples.

2110 Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization;

  • Ensuring effective organizational performance management and accountability;

  • Communicating risk and control information to appropriate areas of the organization; and

  • Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

2110.A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110.A2 The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

2120 Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

If you want to contribute to the success of the profession of internal auditing, I ask that you provide your comments. In addition to completing the survey, you can submit comments to


Posted on Feb 20, 2010 by Norman Marks


  Norman:

    I have not yet read the standards well, but am just trying to address your point above, and overall I would concur with you: the standards should not say that the annual plan must include them, but should mandate consideration of them in its risk assessment. You leave it broad because there are many considerations.

    Here are some of them.

    I am assuming that there is one comprehensive risk assessment document generated by the company that will be used by management, the internal auditors, the external auditors and all other relevant stakeholders.

    Something could have a high risk (let's use the term worst credible risk and not inherent risk) but currently have strong mitigation in place to yield a much lower risk (residual risk). You could audit this or not audit this.

    You could have very high financial risk in certain key areas, but why necessarily bother if you know that this will be a major focus of the external auditors?

    You could have a very low risk item but may wish to audit this as well, right? What if the folks putting this together made some major errors and it should be higher.

    And the above assumes that the company is working off only one risk assessment. What if there is more than one risk assessment?

    Arnold Schanfield

  Norman,

    I believe there is progress in proposed revisions to the Standards. However I still believe the changes to 2120 Risk Management are not enough. There is still confusion as to what it means. Below is a copy of my comments on the matter. 

    I have a problem with this entire standard. It comes off as a reaction to the past and does nothing to set auditors up to be successful in valuing risk management. It needs wholesale help. First, where is the definition of risk? Second, how do we define good management? Both of those are needed before we can meaningfully evaluate "risk management." I would move more dramatically towards the following:
    2120 - Risk Management
    Risk is the effect of uncertainty on business objectives (ISO 31000). Management is the function of ensuring that objectives are implemented with accountability in an efficient and effective way. Valuing risk management is not black and white; it requires an understanding of the strength and maturity of good management: the people, processes and technology put in place to achieve objectives. Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
    Good Management
    -Organizational objectives support and align with the organization's mission
    -Accountability for achieving organizational objectives is clear
    -Management response to objectives for which they are accountable has resulted in the efficient and effective deployment of people, processes and technology
    Risk Consideration
    -In the deployment of processes to meet objectives management has identified and assessed significant risks
    -Appropriate risk responses were selected to align with the organization's risk appetite and incorporated into the deployment of business processes.
    -Relevant risk information is captured and communicated timely across the organization, enabling staff, management, and the board to carry out their responsibilities.
    The internal audit activity gathers this information during risk assessments, audits, consulting projects and other activities. The results of these engagements, when viewed together provide an understanding of the strengths and vulnerabilities across the organization with regard to the maturity of management and the adequacy of their risk considerations. Strengthening and monitoring risk management activities on an ongoing basis is the accountability of management, supported by internal audit engagement reporting.

    Dan Clayton
