Please Provide Comments on the IIA Standards
The IIA has asked for input on the International Standards for the Professional Practice of Internal Auditing (Standards). You can access information here. I strongly support this initiative and ask that you provide your comments.
I have been strongly critical of the last edition of the Standards, without any success. The last version included changing the word “should” to “must,” because the Standards are mandatory. However, in the process a serious flaw was introduced.
In several places, the Standards now mandate audit activities regardless of whether they are high risk. While each of these activities is important, what the Standards should mandate is that internal audit consider them in its risk assessment. They should not say, as they now do, that the annual plan must include them.
As they stand, the Standards mandate practices that are not consistent with risk-based auditing, in which only activities that represent risks of significance are included in the audit plan. Here are a few examples.
2110 Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
2110.A2 The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
2120 Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
If you want to contribute to the success of the profession of internal auditing, I ask that you provide your comments. In addition to completing the survey, you can submit comments to iia-exposure@theiia.org.
Posted on Feb 20, 2010 by Norman Marks
Norman:
I have not yet read the standards well but am just trying to address your point above, and overall I would concur with you: the standards should not say that the annual plan must include them but should mandate consideration of them in its risk assessment. You leave it broad because there are many considerations.
Here are some of them.
I am assuming that there is one comprehensive risk assessment document generated by the company that will be used by management, the internal auditors, the external auditors and all other relevant stakeholders.
Something could have a high risk (let's use the term “worst credible risk” and not “inherent risk”) but currently have strong mitigation in place to yield a much lower risk (residual risk). You could audit this or not audit this.
You could have very high financial risk in certain key areas, but why necessarily bother if you know that this will be a major focus of the external auditors?
You could have a very low risk item but may wish to audit this as well, right? What if the folks putting this together made some major errors and it should be higher?
And the above assumes that the company is working off only one risk assessment. What if there is more than one risk assessment?
Arnold Schanfield