Norman D. Marks, CPA, CRMA
Congratulations to the IIA’s Standards Board for the substantial upgrade to the draft they released last year. It can never be perfect (and still has flaws that I consider important), but it is 1,000% better and now merits our careful attention. You can find GIAS here on the IIA Global website.
Hal Garyn has shared with us an excellent approach. My only addition would be to consider not only what standards should be adopted as they stand, which should be tailored to our specific needs, and which are not relevant, but also what is missing.
I am not going to write today about the purpose statement, the principles and standards I like, or those that I think do not meet my test of:
No. I am neither here to bury nor to praise the document.
I want to share below a 6-page version that contains only the Purpose Statement, the Principles, and the main part of each Standard. The IIA has released a “Condensed version” of “only” 60+ pages. You can find my more condensed version of less than half that length (it is not an authorized version, but I have not added a single word) here.
I requested permission to create a concise version from two members of the IIA staff. They have neither prohibited me from doing so, nor given me permission. But, I am taking the risk. At the same time, I am giving them permission to use the following.
I hope it is useful.
===================================================================
Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
Internal auditing enhances the organization’s:
Internal auditing is most effective when:
===================================================================
Principle 1: Internal auditors demonstrate integrity in their work and behavior.
Standard 1.1: Internal auditors must perform their work with honesty and professional courage.
Standard 1.2: Internal auditors must understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and must be able to recognize conduct that is contrary to those expectations.
Standard 1.3: Internal auditors must not engage in or be a party to any activity that is illegal or discreditable to the organization or the profession of internal auditing or that may harm the organization or its employees.
Principle 2: Internal auditors maintain an impartial and unbiased attitude when performing internal audit services and making decisions.
Standard 2.1: Internal auditors must maintain professional objectivity when performing all aspects of internal audit services. Professional objectivity requires internal auditors to apply an impartial and unbiased mindset and make judgments based on balanced assessments of all relevant circumstances.
Standard 2.2: Internal auditors must recognize and avoid or mitigate actual, potential, and perceived impairments to objectivity.
Standard 2.3: If objectivity is impaired in fact or appearance, the details of the impairment must be disclosed promptly to the appropriate parties.
Principle 3: Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.
Standard 3.1: Internal auditors must possess or obtain the competencies to perform their responsibilities successfully.
Standard 3.2: Internal auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services.
Principle 4: Internal auditors apply due professional care in planning and performing internal audit services.
Standard 4.1: Internal auditors must plan and perform internal audit services in accordance with the Global Internal Audit Standards.
Standard 4.2: Internal auditors must exercise due professional care by assessing the nature, circumstances, and requirements of the services to be provided.
Standard 4.3: Internal auditors must exercise professional skepticism when planning and performing internal audit services.
Principle 5: Internal auditors use and protect information appropriately.
Standard 5.1: Internal auditors must follow the relevant policies, procedures, laws, and regulations when using information. The information must not be used for personal gain or in a manner contrary or detrimental to the organization’s legitimate and ethical objectives.
Standard 5.2: Internal auditors must be aware of their responsibilities for protecting information and demonstrate respect for the confidentiality, privacy, and ownership of information acquired when performing internal audit services or as the result of professional relationships.
Principle 6: The board establishes, approves, and supports the mandate of the internal audit function.
Standard 6.1: The chief audit executive must provide the board and senior management with the information necessary to establish the internal audit mandate.
Standard 6.2: The chief audit executive must develop and maintain an internal audit charter that specifies, at a minimum, the internal audit function’s:
Standard 6.3: The chief audit executive must provide the board and senior management with the information needed to support and promote recognition of the internal audit function throughout the organization.
Principle 7: The board establishes and protects the internal audit function’s independence and qualifications.
Standard 7.1: The chief audit executive must confirm to the board the organizational independence of the internal audit function at least annually.
Standard 7.2: The chief audit executive must help the board understand the qualifications and competencies of a chief audit executive that are necessary to manage the internal audit function. The chief audit executive facilitates this understanding by providing information and examples of common and leading qualifications and competencies.
The chief audit executive must maintain and enhance the qualifications and competencies necessary to fulfill the roles and responsibilities expected by the board. (See also Principle 3 Demonstrate Competency and its standards.)
Standard 8.1: The chief audit executive must provide the board with the information needed to conduct its oversight responsibilities. This information may be specifically requested by the board or may be, in the judgment of the chief audit executive, valuable for the board to exercise its oversight responsibilities.
Standard 8.2: The chief audit executive must evaluate whether internal audit resources are sufficient to fulfill the internal audit mandate and achieve the internal audit plan. If not, the chief audit executive must develop a strategy to obtain sufficient resources and inform the board about the impact of insufficient resources and how any resource shortfalls will be addressed.
Standard 8.3: The chief audit executive must develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function.
Standard 8.4: The chief audit executive must develop a plan for an external quality assessment and discuss the plan with the board.
Principle 9: The chief audit executive plans strategically to position the internal audit function to fulfill its mandate and achieve long-term success.
Standard 9.1: To develop an effective internal audit strategy and plan, the chief audit executive must understand the organization’s governance, risk management, and control processes.
Standard 9.2: The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.
Standard 9.3: The chief audit executive must establish methodologies to guide the internal audit function in a systematic and disciplined manner to implement the internal audit strategy, develop the internal audit plan, and conform with the Standards.
Standard 9.4: The chief audit executive must create an internal audit plan that supports the achievement of the organization’s objectives.
Standard 9.5: The chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work.
Principle 10: The chief audit executive manages resources to implement the internal audit function’s strategy and achieve its plan and mandate.
Standard 10.1: The chief audit executive must manage the internal audit function’s financial resources.
Standard 10.2: The chief audit executive must establish an approach to recruit, develop, and retain internal auditors who are qualified to successfully implement the internal audit strategy and achieve the internal audit plan.
Standard 10.3: The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process.
Principle 11: The chief audit executive guides the internal audit function to communicate effectively with its stakeholders.
Standard 11.1: The chief audit executive must develop an approach for the internal audit function to build relationships and trust with key stakeholders, including the board, senior management, operational management, regulators, and internal and external assurance providers and other consultants.
Standard 11.2: The chief audit executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications.
Standard 11.3: The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate.
Standard 11.4: If a final engagement communication contains a significant error or omission, the chief audit executive must communicate corrected information promptly to all parties who received the original communication.
Standard 11.5: The chief audit executive must communicate unacceptable levels of risk.
Principle 12: The chief audit executive is responsible for the internal audit function’s conformance with the Global Internal Audit Standards and continuous performance improvement.
Standard 12.1: The chief audit executive must develop and conduct internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards and progress toward performance objectives.
Standard 12.2: The chief audit executive must develop objectives to evaluate the internal audit function’s performance. The chief audit executive must consider the input and expectations of the board and senior management when developing the performance objectives.
Standard 12.3: The chief audit executive must establish and implement methodologies for engagement supervision, quality assurance, and the development of competencies.
Principle 13: Internal auditors plan each engagement using a systematic, disciplined approach.
Standard 13.1: Internal auditors must communicate effectively throughout the engagement. (See also Principle 11 Communicate Effectively and its related standards and Standard 15.1 Final Engagement Communication.)
Standard 13.2: Internal auditors must develop an understanding of the activity under review to assess the relevant risks. For advisory services, a formal, documented risk assessment may not be necessary, depending on the agreement with relevant stakeholders.
Standard 13.3: Internal auditors must establish and document the objectives and scope for each engagement.
Standard 13.4: Internal auditors must identify the most relevant criteria to be used to evaluate the aspects of the activity under review defined in the engagement objectives and scope. For advisory services, the identification of evaluation criteria may not be necessary, depending on the agreement with relevant stakeholders.
Standard 13.5: When planning an engagement, internal auditors must identify the types and quantity of resources necessary to achieve the engagement objectives.
Standard 13.6: Internal auditors must develop and document an engagement work program to achieve the engagement objectives.
Principle 14: Internal auditors implement the engagement work program to achieve the engagement objectives.
Standard 14.1: To perform analyses and evaluations, internal auditors must gather information that is:
Standard 14.2: Internal auditors must analyze relevant, reliable, and sufficient information to develop potential engagement findings. For advisory services, gathering evidence to develop findings may not be necessary, depending on the agreement with relevant stakeholders.
Standard 14.3: Internal auditors must evaluate each potential engagement finding to determine its significance. When evaluating potential engagement findings, internal auditors must collaborate with management to identify the root causes when possible, determine the potential effects, and evaluate the significance of the issue.
Standard 14.4: Internal auditors must determine whether to develop recommendations, request action plans from management, or collaborate with management to agree on actions to:
Standard 14.5: Internal auditors must develop an engagement conclusion that summarizes the engagement results relative to the engagement objectives and management’s objectives. The engagement conclusion must summarize the internal auditors’ professional judgment about the overall significance of the aggregated engagement findings.
Standard 14.6: Internal auditors must document information and evidence to support the engagement results.
Principle 15: Internal auditors communicate the engagement results to the appropriate parties and monitor management’s progress toward the implementation of recommendations or action plans.
Standard 15.1: For each engagement, internal auditors must develop a final communication that includes the engagement’s objectives, scope, recommendations and/or action plans if applicable, and conclusions.
Standard 15.2: Internal auditors must confirm that management has implemented internal auditors’ recommendations or management’s action plans following an established methodology.