International Standards for the Professional Practice of Internal Auditing
ACCA is pleased to comment on The Institute of Internal Auditors' Professional Practices Framework (PPF) consultation on the International Standards for the Professional Practice of Internal Auditing (Standards).
We set out below our general comments and end with an appendix that contains our detailed responses to the proposed changes, including the Interpretations. We acknowledge that our interpretations of what is being proposed may not be entirely accurate and we apologise for any errors we have made.
'Principle focused' Standards
In our response to your earlier Document [i] we commended The IIA's intention that the Standards should remain 'principle focused'. While this has generally been achieved within the proposed revised Standards, there is an increase in the number of instances where the proposed Standards are prescriptive of detailed methods (rules) to be used to apply auditing principles, for instance:
Brought forward from the existing Standards:
- The 'one-year' rule within Standard 1130-A1
- The requirement to document within Standard 2201-C1
- The 'one-year' rule within Standard 2010-A1
Added in these proposed Standards:
- The requirement to document within Standard 2200. This standard is also prescriptive as to what must be documented.
- The requirement to document within Standard 2010-A1
While we question the necessity of the above prescriptive rules (and consider the annual interval to be arbitrary for internal audit, though not of course for external audit), there is no doubt that the Standards remain 'principle focused' and we commend this.
Mandatory interpretive content to the proposed Standards; and 'Should' v. 'Must'
ACCA welcomes the inclusion of Interpretations in the interest of clarity. We note that these are not intended to alter the mandatory nature of the Standards to which they relate, and we are content that these Interpretations should themselves be regarded as mandatory.
Replacing most of the instances of 'should' by 'must' is welcomed as it is a plainer use of English. We believe, however, that it is inconsistent with practice within accounting and external auditing Standards. We are not convinced that it is no longer necessary to define 'should' and 'must' within the glossary (see below).
Our concern here is the apparent inconsistency of IASB. IASB states that the word 'must' within the proposed Standards represents an 'unconditional requirement'. [ii] But then IASB allows that the auditor is to follow such requirements 'unless other procedures, which can be documented as sufficient and appropriate, could also satisfy the nature and intent of the Standards'. Therefore the so-called 'unconditional requirement' need not be followed if it can be met in 'spirit' using other procedures. This raises the question to us as to whether the 'must' requirements are truly mandatory. It does not appear to us that there is clear blue water between 'must' and 'should', the latter being defined by IASB as 'engagement procedures that are usually expected to be undertaken. The auditor is required to consider them as a professional internal auditor but may determine that they are inappropriate in the auditor's knowledge and professional judgement'.
Our conclusion is that the distinctive character between 'must' and 'should' needs to be tightened up and clear guidance on their respective meanings needs to be given within the Standards Framework - most probably either in the Introduction to the Standards or in the Glossary.
Assurance and consulting
ACCA considers that proposed changes to the Standards finally remove the discretion to provide an internal audit service that is limited to the assurance role only, albeit with constructive recommendations for improvements arising from the internal auditor's assurance work. We are aware that many people have reservations as to why The IIA seeks to define consulting work as within the authentic internal audit role and different from the assurance work that internal auditors undertake.
Commencing in 2000/01 with the 'new' definition of internal auditing and the 'new' Standards, the IIA sought to develop the internal auditor's role to include that of being a consultant. That was towards the end of the time when the importance of the internal auditor's assurance role was being underplayed. Many would say that internal auditors have enough to do in the assurance field nowadays.
Some within The IIA have interpreted the IIA's definition of internal auditing as giving 'consulting services' equal precedence to 'assurance services' [iii] and that it is mandatory for internal auditors to provide consulting services in addition to assurance services.
To date it has just about been possible for internal auditors to interpret the Standards to provide legitimacy to an internal audit role which embraced assurance services only. This has been possible as it has not been entirely clear whether the definition of internal auditing within the preamble of the Standards and the definition of 'Internal Audit Activity' in the Glossary have had the mandatory force equivalent to Standards themselves. To date, the only reference we have found within the Standards framework to suggest that internal auditors must provide consulting services is to be found within one of the non-mandatory Practice Advisories:
'The Chief Audit Executive (CAE) is responsible for establishing an internal audit activity whose scope of work includes all the activities in the Standards and in [The Institute of Internal Auditors'] definition of internal auditing.' [iv]
A number of changes within the proposed new Standards do, we believe, remove any discretion that internal auditors may have had not to offer consulting services, by stressing that the Definition of Internal Auditing, which includes consulting services, is mandatory:
- Proposed Standard 1010 refers to the mandatory nature of the Definition of Internal Auditing.
- The Interpretation of proposed Standard 1300 states that the quality assurance and improvement program is designed to evaluate the internal audit activity's conformance with the Definition of Internal Auditing [etc]; and proposed Standard 1311 repeats this for internal assessments.
- Standard 1322 requires the CAE to disclose non-conformance with the Definition of Internal Auditing [etc].
- The Interpretation of Standard 2000 explains that an internal audit activity is effectively managed if, inter alia, it conforms to the Definition of Internal Auditing [etc].
ACCA considers that internal auditors should continue to have the option of carrying out assurance work only and not carrying out consulting work. We therefore invite The IIA to consider whether to incorporate into the Standards an 'opt out' from consulting services as a separate and distinct mandatory role for internal auditors.
IIA's policy on outsourcing internal audit
We support The IIA's policy that the CAE should be the holder of a senior position within the establishment being audited. We have a reservation, however, about how this might operate in practice, particularly in a smaller organisation where the internal audit function has been outsourced, and about how that difficulty might be addressed.
If an in-house CAE (when internal audit is outsourced) combines his/her CAE responsibilities with other executive responsibilities, he/she could be too closely aligned with management to represent to the audit committee the results of internal audit work (done by the external service provider). We would wish to avoid a situation where some senior person, probably within the finance function, is titular CAE but almost fully engaged upon other duties, and yet the audit committee depends upon him/her to report about internal audit and about internal audit results to the audit committee.
If such a situation did occur, a sensible audit committee might wish to receive direct reports from the person responsible for providing the outsourced internal audit service, and sometimes meet alone with that person. In this way the audit committee can get needed assurance that the external provider is content that the plan of audit engagements is appropriate, that reports to the audit committee of audit results are objective, and that internal audit is not experiencing any scope restrictions, etc. The audit committee would also wish to receive reports from the in-house CAE - not least to get a rain check on whether this titular CAE is really on top of things.
The important thing is that the organisation must retain ownership and accountability for the internal audit function and afford the audit committee the opportunity to be assured further, if necessary, about any potential conflict of interest, or concern about competence that might arise with a titular CAE.
Governance in the Standards
We strongly welcome these two new far-reaching Standards:
2110-A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
2110-A2 - The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
We are concerned that, even after the proposed revisions to the Standards, the 'governance' focus in the Standards is almost exclusively on the internal governance processes, important though they are. These internal governance processes overlap substantially with risk management and internal control - which are covered elsewhere within the Standards. There is much more to governance than the internal governance processes. In addition there is the performance of the board itself. Beyond that, there is the accountability of the board to the stakeholders (e.g. the shareholders) and how they exercise external control. A key issue is how boards (especially their non-executive directors) can get adequate assurance that board policies are being implemented effectively by management and that there are no 'banana skins' round the corner, unknown to the board but over which the organisation is likely to slip at some point in the future. In the past, the internal audit profession has been successful at transforming its role on several occasions so as to provide enhanced services that organisations have come to need. The internal audit profession badly needs to redefine its governance role beyond the audit of internal governance processes to cover whether and how we can serve the other emerging governance assurance needs of the organisation, as set out briefly above. The Standards are largely silent on these matters. We are missing an opportunity and risking that others will move in to fill the vacuum.
Expansion of the Standards
The length of IIA Standards has been increasing over the years. If adopted, these latest proposed changes represent the largest percentage increase (60%) since the introduction of the 'new' Standards in June 2001; the Standards are now more than twice the length of those 2001 Standards. Nevertheless, we consider the Standards not to be excessive in length (especially when compared with accounting and external auditing standards) and that the additional interpretive material to be found within the proposed new Standards is helpful and constructive.
Paucity of Standard content on performing audit engagements
We reiterate our concern about the relative lack of guidance on the professional minimum essentials when performing an audit engagement, which we addressed in our response to The IIA's earlier exposure document on its International Professional Practices Framework whose exposure period ended on April 30, 2007. In our earlier response we said, by way of example, that the Standards insufficiently enunciate the principles that should underpin the determination as to whether adequate audit testing has been undertaken. We consider this is still the case.
Our above Table indicates that the word count on 'Performing an engagement' has risen from 199 to 334 words - or from 6.3% to only 6.7% of the Standards. Compare this, for instance, with the relative emphasis on performing the audit engagement within external auditing standards. Of course, word count alone is a crude indicator of coverage.
Classification between 'Attribute' and 'Performance' Standards
In response to The IIA's earlier document, ACCA raised concerns about what appears to ACCA to be a lack of clarity in classifying particular standards within either the 1000 or the 2000 series. [v] We note that no Standard has been moved between the 1000 and the 2000 series so, in our view, this problem remains.
Some Introduction content to become mandatory
ACCA responded to your earlier Document saying that p4 of that Document stated an intention that certain interpretive material (i.e. (a) the Glossary to the Standards, (b) interpretive content from existing Practice Advisories and (c) 'a portion of the current introduction [to the Standards]') would in future all be regarded as interpretative of the Standards in a mandatory way. While we have no problem identifying the content of (a) and (b), it is not clear to us which portion(s) of the current Introduction to the Standards is to become interpretive of the Standards in a mandatory way. We did not notice any part of the current Introduction to the Standards as having been moved into the proposed new Standards on which we are being invited to comment, and The IIA's exposure text does not show what the Introduction to the new Standards will contain.
Preamble to the Standards
The IIA has not yet exposed the Preamble to the Standards. We suggest that the Preamble should make it clear that the Standards are intended to be applicable to all sectors (i.e. including the public and not-for-profit sectors). The Preamble might also explain the benefits to the client of internal audit being carried out in accordance with the Standards and commend the Standards for the attention and approval of boards.
Fraud and technology risks
Fraud and technology risks are highlighted by these Standards as areas of knowledge to be possessed by the internal auditor (Proposed Standards 1210.A2, 1210.A3, 1220.A1 and 1220.A2). Fraud risk has been added into a number of the Standards. Without playing down these two areas of risk, the risk profile of any organisation is complex and has many constituent parts. IT and fraud risks may well not be the most significant or potentially catastrophic risks to a particular business. We would have thought that the Standards would do better to highlight that internal auditors should have the requisite knowledge to identify those risks relevant to the industry in which they work and the appropriate forms of risk mitigation available to the business. They should also possess the skills necessary to test the risk mitigation processes. It might be appropriate to develop a series of practice guides to include fraud and IT. Others could be business continuity and disaster recovery, financial instruments, procurement risks, outsourcing risks, liquidity risk, market risk, etc.
While there is much more stress on 'fraud' within these proposed revised Standards, we do not believe that they tackle head on the issue of when internal audit is responsible for detecting and investigating fraud, and we consider they should. Many internal audit departments have been given that responsibility. The Standards should explain:
- the circumstances in which the internal audit department may accept responsibility for detecting and investigating fraud;
- how it should be determined whether an internal audit department has the responsibility for detecting and investigating fraud (presumably this should be set out within its Charter, etc);
- how this work is coordinated with others;
- if the department has been given that responsibility, what the implications are, for instance:
  - the competencies the internal audit department needs,
  - how it approaches its fraud detection and investigation work,
  - managing conflicts with its other responsibilities,
  - etc.
Use of 'encouraged' within a Standard
In our earlier response we drew attention to the unsatisfactory use of the word 'encouraged' within the Standards. The word 'may' has rather similar connotations. Ideally, Standards should set out mandatory requirements only. We are pleased that the word 'encouraged' is no longer within proposed Standard 1321 (new Standard 1330), but only because the word 'encouraged' has been transferred into Standard 2430. The word also remains within Standard 2410.A2. In our detailed, specific responses we propose revised wording as follows:
- For Proposed Standard 2430: 'Internal auditors must consider reporting that their engagements ...'
- For Standard 2410-A2: 'Internal auditors must consider acknowledging satisfactory performance in engagement communications.'
Glossary
We have already suggested that the respective meanings of 'Must' and 'Should' need to be defined either in the Introduction to the Standards or in the Glossary and that the meanings currently being attributed to these terms by IASB need to be tightened up. Perhaps 'May' should also be defined. However, the definition of 'Should' will be different from the previous definition of 'Should' that has been removed.
[i] IIA International Professional Practices Framework - Exposure Document; early 2007.
[ii] p1 (end) of IIA Exposure Draft Instructions, Version 2.0, 12/3/2007.
[iii] e.g. Christina Brune, editor of AuditWire, in AuditWire article 'Consulting: Friend or foe' [Vol. 25, No. 1, January - February 2003]:
'The IIA's definition of internal auditing affirms that it's internal auditors' duty to help the organization accomplish its objectives by evaluating and improving the effectiveness of risk management, control, and governance processes. Moreover, the definition gives equal consideration to both assurance and consulting activities.'
[iv] Practice Advisory 1300-1, 'Quality Assurance and Improvement Program', §1.
[v] ACCA's response to The IIA's earlier consultation said [using existing Standard numbers]:
'The grouping of the Standards into 'Attribute' and 'Performance' Standards is not a robust categorisation. The Introduction to the Standards states that:
'The Attribute Standards address the characteristics of organizations and parties performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated.'
'It can be argued that the dictionary meaning of the word 'attributes' is to do with 'nature' - a word The IIA uses confusingly to describe their 'Performance' Standards. Furthermore, some of the existing 'Attribute' Standards are to do with 'performance' - e.g. Standards 1200, 1220, 1320, 1330 and 1340. Some of the existing 'Performance' Standards are to do with 'Attributes' - e.g. 2040, and everything between 2100 and 2130.C1.'