2010 IIA Standards Update Andrew J. Dahle, CIA, CPA, CISA, CFE

Presentation transcript:

2010 IIA Standards Update. Andrew J. Dahle, CIA, CPA, CISA, CFE, Chair – IIA Internal Audit Standards Board. Warren Hersh, CIA, CPA, CISA, CFE, Member – IIA Internal Audit Standards Board. October 26, 2010.

Session Overview: Why the Standards Matter; Understanding the International Professional Practices Framework (IPPF); What’s New – IIA 2010 Standards Revisions; Questions.

Why the Standards Matter

Standards are Critical: Delineate basic principles that represent the practice of internal auditing; Framework for performing and promoting a broad range of value-added internal auditing; Establish the basis for the evaluation of internal audit performance; Foster improved organizational processes and operations.

Two Questions: Are you just now receiving your first exposure to the Standards? Would you say that your organization has implemented most or all of the Standards?

Understanding the IPPF: International Professional Practices Framework, issued January 2009.

Authoritative Guidance. Diagram labels: Mandatory; Non mandatory; Strongly recommended. A very critical aspect of the change between the PPF and the IPPF is the limitation of the scope of the IPPF to AUTHORITATIVE GUIDANCE only, whereas before the PPF included everything published or issued by the IIA. Authoritative guidance has been developed following strict due process by globally composed technical committees of the IIA under the oversight of the Professional Practices Council Chair. Technical committees are those committees and boards reporting to the Professional Practices Council (Internal Auditing Standards Board, Professional Issues Committee, Advanced Technology Committee, Board of Regents, Committee on Quality, and the Ethics Committee). Authoritative guidance comprises: Mandatory guidance - Compliance is required and the guidance is developed following due process, which includes public exposure. Compliance with the principles set forth in mandatory guidance is essential for the professional practice of internal auditing. Strongly Recommended guidance - Compliance is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process. It describes practices to implement effectively the Code of Ethics and Standards.

Overview of the IIA Standards. Attribute Standards: Purpose, Authority and Responsibility (1000); Independence and Objectivity (1100); Proficiency and Due Professional Care (1200); Quality Assurance and Compliance (1300). Performance Standards: Managing the Internal Auditing Activity (2000); Nature of Work (2100); Engagement Planning (2200); Performing the Engagement (2300); Communicating Results (2400); Monitoring Progress (2500); Resolution of Management’s Acceptance of Risks (2600).

What’s New? IIA Standards Revisions Effective January 1, 2011

Why Change? The Standards must remain current, relevant, and timely for the profession. The IPPF process requires that all guidance be reviewed at least once every three years. Ongoing changes are a key component of the continued development of the IPPF issued in January 2009.

Standards Exposure Process: The 90-day public exposure period: February 15 to May 14, 2010. 1,350 responses globally from individuals and 29 from organizations. The Internal Audit Standards Board (IASB) analyzed the results of the exposure and determined the disposition of comments. The IASB approved the final release of new/revised Standards at the June 2010 meetings. The Ethics Committee reviewed the final Standards to ensure their consistency with the Code of Ethics. The new/revised Standards were released October 19, 2010. The new/revised Standards will be effective January 1, 2011. Term not used in Standards

Summary of Changes: 3 new Standards; 15 changes to existing Standards; 2 deletions of the existing Standards; 6 changes to existing Glossary terms; 26 changes in total. 3 new standards – 2 about engagement opinions and 1 about responsibilities when internal audit activity is provided by an external service provider.

Summary of Changes – Topics: Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110); Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321); Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450); Clarify Risk Management Coverage by Internal Audit (2120); Revise Definition of “Add Value” (2000 and Glossary); Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070); Enhance and Clarify Other Standards and Glossary Terms (throughout).

Standard 1000 – Change Interpretation. 1000 – Purpose, Authority, and Responsibility. Interpretation: The Internal Audit Charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and, defines the scope of internal audit activities. Final approval of the Internal Audit Charter resides with the board. Rationale: Increase the clarity of best practices for functional reporting, i.e., to the board (or audit committee) in most organizations. Enhances the clarity in the internal audit charter. The definition of “board” is included in the Glossary. Exposure Results: Yes: 93.1%, No: 4.8%, No Opinion: 2.1%. Standards Board Decision: Adopt the exposed change.

Standard 1100 – New Interpretation. 1110 – Organizational Independence. Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board: Approving the internal audit charter; Approving the risk based internal audit plan; Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters; Approving decisions regarding the appointment and removal of the chief audit executive; and, Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations. Rationale: The description and examples of the nature of functional reporting help clarify and implement the intent of the change made to Standard 1000, Purpose, Authority, and Responsibility. While this guidance has been in The IIA’s Practice Advisories in the past, raising it to Standards level enhances the clarity of the relationship of internal audit and the board as well as the board's role with regard to internal audit. Exposure Results: Yes: 88.7%, No: 8.3%, No Opinion: 3.0%. Standards Board Decision: Adopt the exposed change.

Standard 1312 – Change Interpretation. 1312 – External Assessments. Interpretation: A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge. A qualified reviewer or review team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of a review team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether a reviewer or review team demonstrates sufficient competence to be qualified. An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. Rationale: The change is in response to comments received during the 2008 exposure process that wording in the Interpretation was not clear, particularly related to qualifications of the overall review team as opposed to qualifications of the individual review team members. Exposure Results: Yes: 84.1%, No: 9.3%, No Opinion: 6.6%. Standards Board Decision: Modify the exposed change.

Standard 1321 – New Interpretation. 1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”. Interpretation: The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments. Rationale: Clarify two phrases in the Standard: “conforms with” and “the results of the QAIP.” Specifically, it clarifies that it is the results of the whole quality assurance and improvement program — ongoing monitoring and periodic reviews as well as external assessments — that must be taken into account. If the internal audit activity is not yet required to have had an external assessment, it will use the results of internal assessments — ongoing monitoring and periodic review. Exposure Results: Yes: 72.1%, No: 15.4%, No Opinion: 12.5%. Standards Board Decision: Adopt the exposed change.

Standard 2000 – Change Interpretation. 2000 – Managing the Internal Audit Activity. Interpretation: The internal audit activity is effectively managed when: The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter; The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards. The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Rationale: The new addition to the Interpretation emphasizes the importance of and defines adding value to the organizations. Exposure Results: Yes: 87.6%, No: 9.5%, No Opinion: 2.9%. Standards Board Decision: Adopt the exposed change.

NEW Standard 2010.A2. 2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions. Rationale: Emphasizes the importance for the CAE to understand key stakeholders' expectations for opinions at the planning stage. Standard further modified to address exposure comments relative to impairment of independence. Exposure Results: Yes: 72.0%, No: 21.0%, No Opinion: 6.9%. Standards Board Decision: Modify the exposed change.

NEW Standard 2070. 2070 – External Service Provider and Organizational Responsibility for Internal Auditing. When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity. Interpretation: This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Rationale: Many discussions about external service providers and the extent to which they can be responsible for an internal audit function. Standards Board believes that the activity can be outsourced, but not the responsibility. IIA provides Standards for internal audit, not management. The modification reflects exposure draft comments to clarify the wording, i.e., what is meant by “it”. Exposure Results: Yes: 73.0%, No: 15.7%, No Opinion: 11.2%. Standards Board Decision: Modify the exposed change.

Change Standard 2110.C1. 2110.C1 2210.C2 – Consulting engagement objectives must be consistent with the overall organization's values, strategies, and objectives goals of the organization. 2210.C2 – Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives. Rationale: Scope and objectives of the organization should be evaluated together during an audit’s planning stages. Addition of an “organization’s values, strategies, and objectives” addresses more specifics than just the stated goals, which could be interpreted in a limited manner. Exposure Results: Yes: 91.0%, No: 3.6%, No Opinion: 5.4%. Standards Board Decision: Adopt the exposed change.

Standard 2120 – Change Interpretation. 2120 – Risk Management. Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that: Organizational objectives support and align with the organization’s mission; Significant risks are identified and assessed; Appropriate risk responses are selected that align risks with the organization’s risk appetite; and Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Rationale: Wording added to provide practitioners with additional information to use in evaluating the risk management processes. Standards Board wanted to clarify that more than one engagement may be performed in support of internal audit’s coverage of risk management of the organization. Exposure Results: Yes: 86.4%, No: 8.9%, No Opinion: 4.7%. Standards Board Decision: Modify the exposed change.

Change Standard 2120.A1. 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations and programs; Safeguarding of assets; and Compliance with laws, regulations, policies, procedures, and contracts. Rationale: Combining two Standards increases consistency and simplicity. Exposure Results: Yes: 91.4%, No: 5.9%, No Opinion: 2.6%. Standards Board Decision: Adopt the exposed change.

Change Standard 2130.A1. 2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations and programs; Safeguarding of assets; and Compliance with laws, regulations, policies, procedures, and contracts. Rationale: Combining two Standards increases consistency and simplicity. Exposure Results: Yes: 91.8%, No: 5.5%, No Opinion: 2.6%. Standards Board Decision: Adopt the exposed change.

Delete Standard 2130.A2. 2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization. [Now in Standards 2120.A1 and 2130.A1.] Due to proposed additional wording to Standards 2120.A1 and 2130.A1, there will be duplication on overall requirement. Exposure Results: Yes: 89.9%, No: 5.4%, No Opinion: 4.7%. Standards Board Decision: Adopt the exposed change.

Delete Standard 2130.A3. 2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended. [Now in Standards 2120.A1 and 2130.A1.] Due to proposed additional wording to Standards 2120.A1 and 2130.A1, there will be duplication on overall requirement. Exposure Results: Yes: 90.2%, No: 5.4%, No Opinion: 4.4%. Standards Board Decision: Adopt the exposed change.

Change Standard 2410.A1. 2410.A1 – Final communication of engagement results must, where appropriate, contain the internal auditors’ overall opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. Interpretation: Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance. Rationale: New Standard on overall opinions does not mandate overall opinions; it just provides requirements when one is issued. Regarded by many as a critical issue for the internal audit profession. Standards Board believes that it needs to be addressed in the Standards. Standard further modified to address exposure comments relative to impairment of independence. Exposure Results: Yes: 81.4%, No: 13.6%, No Opinion: 5.0%. Standards Board Decision: Modify the exposed change.

NEW Standard 2450. 2450 – Overall Opinions. When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. Interpretation: The communication will identify: The scope, including the time period to which the opinion pertains; Scope limitations; Consideration of all related projects including the reliance on other assurance providers; The risk or control framework or other criteria used as a basis for the overall opinion; and The overall opinion, judgment, or conclusion reached. The reasons for an unfavorable overall opinion must be stated. Rationale: New Standard on overall opinions does not mandate overall opinions; it just provides requirements when one is issued. Regarded by many as a critical issue for the internal audit profession. Standards Board believes that it needs to be addressed in the Standards. Exposure Results: Yes: 74.9%, No: 19.9%, No Opinion: 5.1%. Standards Board Decision: Modify the exposed change.

Change Definition - Add Value. Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services. The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Rationale: Correct wording to make consistent with the Standard 2000 Interpretation. Exposure Results: Yes: 86.2%, No: 11.0%, No Opinion: 2.8%. Standards Board Decision: Modify the exposed change.

Change Definition - Chief Audit Executive. Chief audit executive is a senior position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from external service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes titles such as general auditor, head of internal audit, chief internal auditor, and inspector general. Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations. Rationale: The revised definition, combined with Standard 2070, better articulates the roles that: - can and cannot be provided by the external service provider; and, - the responsibility of the organization regardless of whether an external service provider is used. Emphasizes the importance of appropriate certifications and qualifications. Avoided having an incomplete, despite long, list of examples of the CAE's title. Exposure Results: Yes: 67.5%, No: 29.0%, No Opinion: 3.5%. Standards Board Decision: Modify the exposed change.

Change Definition - Independence. The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Rationale: Aligns the Glossary with the Standard. Exposure Results: Yes: 84.0%, No: 12.6%, No Opinion: 3.5%. Standards Board Decision: Modify the exposed change.

Other Changes: 1100 – Independence and Objectivity; 2110.A2; 2130.C1: Renumbered as 2220.C2; 2130.C2: Renumbered as 2130.C1; 2400 – Communicating Results; Control Environment; Information Technology Governance; Objectivity.

Summary of Changes – Topics: Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110); Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321); Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450); Clarify Risk Management Coverage by Internal Audit (2120); Revise Definition of “Add Value” (2000 and Glossary); Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070); Enhance and Clarify Other Standards and Glossary Terms (throughout).

Get the Standards - www.theiia.org/standards. International Standards for the Professional Practice of Internal Auditing (Standards).

Conformance with the Standards is required and essential for the professional practice of internal auditing.

QUESTIONS: Guidance@theiia.org