Internal Auditor Standards
Many of us in the accounting profession are familiar with and required to comply with accounting standards developed, issued, and enforced by the American Institute of Certified Public Accountants (AICPA). Did you know the internal audit profession is also governed by standards established by The Institute of Internal Auditors (IIA)? The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) provide internal auditors with a roadmap for planning and performing the internal audit function for their organization. They also provide the Board of Directors and Audit Committee with a method to evaluate the internal audit function.
The Standards include two categories: Attribute and Performance standards. The Attribute standards relate to the characteristics of the organization and the persons performing the internal audit function. The Performance standards address the nature of internal auditing and the criteria to evaluate the performance of the internal audit function. The Standards and Code of Ethics, both set by the IIA, include the mandatory requirements of the International Professional Practices Framework. All IIA members and Certified Internal Auditors are required to conform to the Standards and Code of Ethics.
Is your bank required to comply with the Standards? The Interagency Policy Statement on the Internal Audit Function and its Outsourcing suggests the Board of Directors consider whether their bank’s internal audit activities are completed in accordance with professional standards, such as the Standards. In addition, the Internal and External Audits handbook issued by the OCC does state internal audit activities should be conducted according to existing professional standards and guidance. The handbook refers to the Standards as an example of professional standards and indicates internal auditors should be familiar with these or similar standards.
Often a bank’s internal audit charter will define the internal audit standards to be followed, whether that be the IIA Standards or some other standards. Management, the Board of Directors, and the Audit Committee are responsible for ensuring the internal audit function does comply with the Standards, if they have been adopted or are required, even if the internal audit function is outsourced.
Compliance With the Standards
So why should you comply with the Standards? Just as the accounting standards provide CPAs with the requirements to comply with accounting rules and professional conduct, the IIA Standards provide internal auditors with the tools and expectations for conducting internal audits. Compliance with the Standards ensures that your internal audit function is effective, the quality of the function is consistent, and the internal audit function is providing value to your bank. When the Standards are not followed, risks may not be identified, and therefore controls may not be put in place and tested. The internal audit function provides assurance to your Board of Directors, Audit Committee, and other stakeholders that risks are controlled and the controls are operating as intended. Complying with the Standards could lessen the risk of audit failure or of using audit resources inefficiently. Overall, the Standards provide the profession with credibility.
Changes to the Standards
Did you know the Standards changed in 2017? The International Internal Audit Standards Board (IIASB) issued revised Standards effective January 1, 2017. The changes included two new standards relating to the Chief Audit Executive’s (CAE’s) role, alignment of the Standards to the Core Principles, and updates to existing standards relating to communications and reporting on the quality assurance and improvement program.
The new standards relating to the CAE include the following:
- On occasion, internal auditors and CAEs receive a request to assist with a project outside of internal auditing. Standard 1112 states, “Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.” The CAE is required to understand the Code of Ethics and independence and objectivity concepts. The CAE may be requested to perform responsibilities relating to risk management, development of policies and procedures, or assistance with implementing compliance procedures. When these requests occur, the CAE should discuss the role and any independence or objectivity issues with senior management and the Board. The IIA Standards regarding independence and objectivity should be considered and any risks which could impair independence should be discussed, along with any safeguards that could be implemented to mitigate the risks.
- Internal auditors often provide consulting services to an organization, such as providing advice, facilitating, or training, where the internal auditor does not perform any management responsibilities. Standard 1130 covers impairment to independence or objectivity, and 1130.A3 was added to address the situation where an internal auditor may consult in an area and then perform assurance services for the area. Standard 1130.A3 states, “The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.” The CAE should take a careful look when planning internal audits to ensure the situation could not be perceived as an impairment of independence or objectivity.
The Standards were also updated to reflect language relating to two Core Principles. The IIA has established ten Core Principles, which are listed below:
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
These Core Principles should be in place in an effective internal audit department. The two Core Principles reflected in the updated Standards are those relating to alignment with the strategies, objectives, and risks of the organization and to being insightful, proactive, and future-focused.
In addition, Standard 2060 – Reporting to Senior Management and the Board was updated to include specific information on what the CAE must provide to senior management and the Board in reports and communication. The information required to be provided includes:
- The audit charter.
- Independence of the internal audit activity.
- The audit plan and progress against the plan.
- Resource requirements.
- Results of audit activities.
- Conformance with the Code of Ethics and the Standards, and action plans to address any significant conformance issues.
- Management’s response to risk that, in the chief audit executive’s judgment, may be unacceptable to the organization.
Standard 1320 – Reporting on the Quality Assurance and Improvement Program (QAIP) has been enhanced to define the items the CAE must communicate regarding the results of the QAIP. The CAE must provide the scope and frequency of internal and external assessments, qualifications and independence of the individual(s) performing the assessment and any conflicts of interest, conclusions of the assessors, and corrective action plans.
How do you know your internal audit function is in compliance with the IIA Standards, and how do you provide assurance to your Board and Audit Committee regarding the level of compliance? Standard 1300 – Quality Assurance and Improvement Program requires the CAE to develop and maintain a QAIP that covers all aspects of the internal audit function. As part of the QAIP requirements, both internal and external assessments must be performed.
Internal assessments include ongoing monitoring and periodic self-assessments to evaluate compliance with the Standards. Ongoing monitoring addresses the activities of the internal audit function which would include planning and supervision, work practice standards, procedures for workpapers, review of workpapers and reports, and the process for identifying areas for improvement and how they will be addressed. A periodic self-assessment is a validation that ongoing monitoring is taking place and is effective. The self-assessment also provides an evaluation of the internal audit’s compliance with the Standards and the Code of Ethics.
External assessments are required to be completed at least once every five years by an independent party from outside the organization. Conformance with the Standards is validated through the completion of an external assessment and provides the Board, Audit Committee, and other stakeholders with assurance the internal audit function is on the correct path.
The IIA Standards provide the roadmap for internal auditors to follow. Internal and external assessments allow the Board of Directors and/or Audit Committee to be confident the roadmap has been followed.
Where can you go if you have additional questions on internal audit standards or need an internal or external assessment completed? Wipfli offers internal audit consulting and quality assurance assessments for organizations of different types and sizes. Please contact us if you would like more information on the benefits of ensuring your internal audit function is on the correct path.