The international standards for internal auditors are changing. Jackie Cain from the IIA explains the proposed changes, and how you can help shape their final form
Since 2000, the Professional Practices Framework (PPF) has been the conceptual structure used to classify and organise all the guidance developed or endorsed by the Institute of Internal Auditors (IIA). During 2006, a working party reviewed this structure, the content of the guidance, and the processes used to develop new guidance. The outcome of this review was the creation of a new International Professional Practices Framework (IPPF), which the IIA adopted last year.
The IPPF emphasises the global nature of the profession and brings all of its authoritative guidance under one umbrella. It also sets out who can initiate new guidance and who can approve it. It makes the elements of the framework clearer and improves the transparency, timeliness, rigour and accountability of the processes used to develop and approve new guidance.
The implementation of this new framework involves some important changes. Some of the existing International Standards for the Professional Practice of Internal Auditing are going to be revised and updated. The aim is to clarify some points in the standards, not to change their requirements.
However, the IIA is also proposing to use this exposure period as an opportunity to make more substantive changes to the standards in some areas. The IIA has published an exposure draft of the revised standards to give members around the world an opportunity to comment on the proposed changes.
Clarity
One clear finding of the review of the PPF was that there was confusion about what the different parts of the framework were for and, in particular, what was the status of documents such as position papers, which were outside the scope of the original framework. The new IPPF includes six types of material, starting with the definition of internal auditing and ending with practice guides. This represents a reduction in scope from the PPF.
Each type of material is defined so that it should always be clear whether a particular document belongs within the IPPF as a recognised element or not. Furthermore, it is hoped that the new definitions will make the purposes of the different elements clearer and make it easier to distinguish between them.
As before, the definition of internal auditing, the code of ethics and the International Standards for the Professional Practice of Internal Auditing are designated as mandatory. The remaining three elements – position papers, practice advisories and practice guides – are strongly recommended as they are seen to provide authoritative guidance on how to implement the mandatory elements.
Transparency
Until recently, the processes used to develop and approve guidance were not widely understood beyond the volunteer committees and IIA staff who were involved. The new processes will provide transparency and greater accountability.
Firstly, the development processes and the plans of the various guidance-setting groups will be publicly available through the global IIA’s website. The committees and boards that are authorised to approve different elements of the IPPF are clearly identified, as are the voting rules that are used for the approval process and the opportunities for appeal and review. All the mandatory elements are subject to a 90-day public exposure period before final approval.
Secondly, maintenance and review cycles have been identified for each element of the IPPF. This is intended to ensure that guidance is timely and responsive to developments in the wider commercial and governance environment.
Thirdly, in common with other guidance-setting organisations around the world, the global IIA has decided to establish an oversight body to review the rigour and due process followed for setting the international standards in particular.
The Internal Audit Standards Oversight Board (IASOB) will include selected members of the global IIA board of directors and other individuals representing major global organisations or regulators external to the IIA but who represent key stakeholders of internal auditing.
National guidance
Previously, the global procedures did not take into account the guidance that is issued by the national institutes. The new IPPF has remedied that.
Local institutes do not have the right to issue mandatory guidance such as amendments to the definition of internal auditing, the code of ethics and the international standards. This is not a change; it merely codifies the existing situation.
Local institutes are able to develop local guidance that is strongly recommended – such as practice advisories, position papers, and practice guides – and the new procedures ensure that the efforts of volunteers and staff around the world can be properly recognised by the global profession.
The global IIA will review local plans for developing guidance to identify opportunities to coordinate efforts and the potential for new international guidance. Once the guidance is drafted, the local institute will submit it to be reviewed by the relevant technical committee to ensure that it is consistent with the IPPF. After this, the local institute can publish the guidance locally and it will be considered authoritative in the institute’s area of activity.
Such guidance may subsequently be adopted as part of the IPPF, as long as any relevant exposure periods and the usual approval processes are satisfied.
IPPF schedule
The global IIA plans to publish the final version of the IPPF in January 2009. The definition and the code of ethics will not be changed. Existing guidance – such as practice advisories and position papers – will be reviewed to decide where they fit into the framework and whether they need to be re-written. Any that are changed will be subject to the new review and approval processes, including to ensure that they are consistent with the international standards and code of ethics.
The IPPF also provides for the international standards to be enhanced by “interpretations”, which clarify terms or concepts. The Internal Audit Standards Board (IASB) has reviewed all the standards and identified opportunities where an interpretation is likely to be helpful.
All interpretations are considered mandatory guidance and are integrated into each relevant standard. It is necessary to consider both the international standards and their interpretations to understand and apply them correctly. The IASB does not intend that the new interpretations in any way change the existing underlying requirements – they simply clarify existing requirements.
One example is that Attribute Standard 1000 – “Purpose, Authority, and Responsibility” – lays down the requirement that the purpose, authority, and responsibility of the internal audit activity must be formally defined in a charter. The IASB is proposing to add an interpretation of what an internal audit charter is. This states that a charter is: “a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organisation; authorises access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.”
Big changes?
While the introduction of the new IPPF is not meant to change the substance of the international standards, there are areas where members reading the exposure draft might feel that important changes are being made nonetheless. There are three main reasons for this.
Firstly, as is often the case, extra clarification may make clearer a requirement in a way that was not understood in the past and with which practitioners may not agree. The IASB welcomes hearing from reviewers about any instance where this is the case and whether the reviewers agree or disagree with the change.
Secondly, the IASB has been working over the last few years on changes to the standards as part of its mandate – the ongoing review and discussion of the international standards and basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance.
While waiting for the approval of the new IPPF structure and process in 2007, additions and revisions to the standards were put on hold. Some of these changes have now been approved by the IASB and are included in the exposure draft for comment.
Thirdly, to identify the need for interpretations, the IASB took a fresh look at all the standards. This identified some ambiguities and inconsistencies. Where resulting changes were considered self-evident and useful by the IASB, these have been proposed during this exposure. The discussion about other areas was more complicated with a range of views and so they have been added to the IASB’s work program for the future.
For example, the IASB has been reviewing ways to strengthen internal audit’s independence by providing more opportunities to report directly to the board. This is balanced by the recognition that internal audit must also serve management, so the words “senior management” have been added in several places where internal audit previously interacted only with the board.
The IASB has made several amendments to the 1300 series of standards, those related to quality assurance and improvement programs (QAIP) with the intention of clarifying the requirements.
There are now references to show that the QAIP should assess whether the internal audit function fulfils the requirements of both the definition of internal auditing and the code of ethics, not just of the international standards. The wording has been changed to make it clear that the assessments that form part of the QAIP are of the quality of the activity, not of the QAIP, and to use one consistent phraseology for “conformance with standards”.
The head of internal audit is now requested to report the results of the whole of the QAIP to senior management and the board, not just the results of one part of it, the external quality assessment.
The IASB has also been considering the extent to which the risk of fraud and internal audit’s role in this area should be reflected in the standards.
As a result, changes have been proposed in the following standards: 1210.A1, 1220.A2, 2060 and 2120.A2. In addition, the glossary has been modified to include definitions for risk appetite, significance, and several definitions related to information technology.
The proposed changes to the international standards – including changes to the statements, interpretations and glossary – are nearing the end a 90-day exposure period starting from January 2008. See below for methods to respond.
Jackie Cain is the IIA’s technical director
How to respond to the exposure draft: www.iia.org.uk/en/Knowledge_Centre/Professional_Guidance/Professional_standards/2008_standards_exposure.cfm
A copy of the existing standards: www.iia.org.uk/en/Knowledge_Centre/Professional_Guidance/Professional_standards/
Progress of the IPPF project: www.theiia.org/guidance/standards-and-practices/professional-practicesframework/ippf-project/
For other information email the technical team at: technical@iia.org.uk
This article first appeared in the February edition of Internal Auditing & Business Risk
News