New and Expanded Internal Audit Standards
By Janet L. Colbert
In Brief
Updated Standards Leave Less Room for Guesswork
The Institute of Internal Auditors (IIA) recently adopted a Professional Practices Framework (PPF) that updates and expands previous IIA guidance for internal auditors. The internal audit activity is part of a system of internal control, and contributes significantly to the overall governance structure of a corporation. Management, directors, investors, and external auditors will be affected by the new framework.
The Institute of Internal Auditors (IIA) recently adopted a Professional Practices Framework (PPF) that includes both new and updated internal audit standards. This framework provides a context for internal audit activities to mesh with other mechanisms of corporate governance. Two Statements on Auditng Standards (SAS) refer directly to internal audit activity:
The PPF includes a definition of internal auditing as well as the IIA Code of Ethics, Standards for the Professional Practice of Internal Auditing, practice advisories, and development and practice aids (see Exhibit 1).
The IIA’s definition of internal auditing reflects the broad duties of internal auditors in their organizations. The definition’s encompassing nature allows for future development of the role of the internal audit. The new definition is as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The IIA adds consulting activities to the more traditional assurance services in characterizing the work that internal auditors perform. In addition, the definition emphasizes the concept that internal auditing should add value to the organization. Finally, besides the familiar topic of internal control, two additional areas, risk management and governance, are specifically mentioned.
The IIA Code of Ethics has two components: “principles” and “rules of conduct.” The four principles are: integrity, objectivity, confidentiality, and competency. The rules of conduct amplify the principles and detail specific internal audit behaviors that are either mandated or prohibited. The code applies to all IIA members, IIA certificate holders and candidates, and those who provide internal audit services. Both individual internal auditors and entities that carry out internal audit activities must abide by the code.
The Standards for the Professional Practice of Internal Auditing (SPPIA) consist of three sets of standards, all of which are mandatory:
The internal auditor applies attribute, performance, and implementation standards when performing both assurance and consulting work. In an assurance engagement, the internal auditor is providing an independent assessment of one or more aspects of risk management, control, or corporate governance. When planning a consulting engagement, an agreement is made with the client as to the nature and scope of the work to be performed, again, related to risk management, control, or corporate governance. The results of assurance and consulting services help management achieve its objectives. Exhibit 3 shows the IIA’s explanation of both.
Practice advisories (PAs) provide internal auditors with guidance that is endorsed by the IIA but not mandatory. The PAs describe best practices that may aid the internal auditor in operationalizing the SPPIAs. Some PAs interpret the SPPIAs and may apply to all internal audit engagements. Other PAs provide specific advice for particular industries, topics, geographic regions, or specialties.
Development and practice aids constitute the largest element of the PPF. The aids offer training and education to internal auditors through continuing education courses, research reports, and other products and services. They are especially useful for addressing new and evolving areas and suggesting best practices. The aids are either developed or endorsed by the IIA.
Impact on External Audit Work
In considering the impact of internal audit on their work, external auditors should clearly differentiate between assurance and consulting engagements. They also need to understand the distinctions between internal audit engagements covering control, risk management, or corporate governance. They should also consider the requirements of SAS 65 as it relates to the understanding of internal auditing as a part of internal control, to the use of the internal auditors’ work or as assistants, and to quality reviews.
Assurance vs. consulting. When performing assurance engagements, the internal auditors independently design and execute the work. Because assurance service engagements yield an objective examination by the internal auditors, they receive more attention from external auditors, management, and board members than consulting services. Consulting services include an agreement between the internal auditor and the client as to the nature and scope of the work to be performed and are intended to directly aid managers in meeting their goals. Advisory services, training, or process design, which are normally relevant to improved operational activities, are examples of work that internal auditors may perform as part of a consulting engagement.
Control, risk management, and corporate governance. Whether an engagement involves assurance or consulting, internal audit work falls into one of three categories: control, risk management, or corporate governance. The IIA defines control as “any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved.” Management uses controls to provide reasonable assurance that the goals and objectives of the entity are achieved.
Risk management involves directing the organization’s activities while at the same time regulating the likelihood and consequences of the entity’s risks, or exposures. The IIA defines risk as “the uncertainty of an event occurring that could have an impact on the achievement of objectives.”
Corporate governance is related to both controls and risk management. The governance process is composed of “the procedures utilized by the representatives of the organization’s stakeholders (e.g., shareholders, etc.) to provide oversight of risk and control processes administered by management.”
Of the three categories of work performed by internal auditors, internal audit assessment of controls over financial reporting is most likely to draw the attention of the external auditor and others responsible for public disclosures, while work addressing operational controls would be less so. Governance and risk management work could also prove beneficial to those representing the interests of the public, particularly if there are concerns about compliance or security issues.
SAS 55 and 65 Requirements
The PPF relates directly to several of SAS 55 and SAS 65’s specific requirements for external auditors. Some guidance applies to understanding how internal audit interacts with two of the five components of internal control. Other requirements are relevant if the work of internal auditors is incorporated into the external audit or if internal auditors are being used as assistants to the external auditor.
SAS 55 requires that the external auditor gain an understanding of the client’s system of internal control. The system is made up of five components: the control environment, risk assessment, control activities, information and communication, and monitoring. Internal auditors play a role in two of these: the control environment and monitoring.
To fully understand the control environment and monitoring aspects of internal control, the external auditor should inquire into the existence and function of the internal audit activity. Because of the standard’s recent issuance, external auditors should be especially careful to ensure that the PPF is being used, not the outdated Statements on Internal Auditing Standards (SIAS).
While SAS 55 mentions internal auditors briefly in its discussion of internal control, SAS 65 is devoted to guidance with respect to internal auditors. SAS 65 directs the external auditor to make inquiries concerning several aspects of the internal audit work.
The external auditor should ask about the level in the organization to which the internal audit activity reports. To encourage organizational independence, the internal auditor should report to a level high enough to accomplish its responsibilities, which typically means the audit committee. In addition, the internal auditor’s regular attendance and participation in audit committee meetings, as well as private conferences with the body, promote communication and help ensure the internal auditor’s independence.
The external auditor should also inquire about the charter for the internal
audit activity. Such a document should exist and should define the purpose,
authority, and responsibilities of the internal audit function. The auditor
should have obtained approval of the charter from senior-level management
and the board of directors.
Besides making inquiries about the organizational status of the internal audit
activity, the external auditor should also ask about both internal audit plans
and the scope of the internal audit work. Questions about plans should encompass
the nature, timing, and extent of work, while questions about the scope of
work should focus on access to records and limits placed on the internal audit
activities.
Internal Audit Work or Assistance
Besides becoming familiar with the internal audit activity as part of understanding internal control, the external auditor may elect to give the function further consideration. If the work of the internal auditors is relevant to the financial statement audit or if the internal auditors can supply direct assistance in the external engagement, the external auditors should seek additional knowledge about the internal audit activity. SAS 65 notes that, when using internal audit work or when the internal auditors provide direct assistance, the external auditor should evaluate the competence and objectivity of the internal auditors and study the independence of the internal audit activity within the entity. The external auditor should also consider the results of external quality reviews of the internal audit activity.
In discussing competence, the PPF encompasses the individual professionals as well as the entire activity. Individually, internal auditors should be adept at applying internal audit standards and methodology. They should also have good communication skills. Policies should be in place for appropriate continuing education and experience. Depending upon the nature of the work performed, an appreciation of accounting, management, information technology, economics, law, finance, or quantitative methods may be necessary. Finally, collectively, the internal auditors should possess the knowledge, skills, and other competencies needed to perform the engagement.
Competency as an entire internal audit activity is recognized when each individual employs the due professional care and skill of a reasonably prudent and competent internal auditor. To further this goal, the PPF recommends that internal auditors establish their proficiency by becoming certified and staying current through continuing professional development classes and programs.
The concept of independence applies to both the internal audit activity and individual internal auditors. Appropriate organizational status ensures the activity’s independence. Individual independence, however, depends on the objectivity of each internal auditor. An impartial, unbiased attitude is to be maintained on all engagements, and conflicts of interest should be avoided. Rotation of the internal auditors across engagements and prohibition against the acceptance of gifts or fees from employees or associated parties also promotes objectivity. Finally, the review of internal audit work before its release aids in assuring that the procedures are performed objectively and that appropriate conclusions are drawn.
Impairments to independence, both in fact and in appearance, should be disclosed
so work can be reassigned if appropriate. Besides possible conflicts of interest
or bias, scope limitations may also threaten independence. Such restrictions
should be communicated to the audit committee, along with their possible effect.
Quality Reviews
Besides considering competence, objectivity, and independence, concerned parties should also study the results of external quality reviews of the internal audit activity. The PPF promotes such external assessments as one component of the internal audit activity’s overall quality program.
Qualified individuals that are independent of the entity, such as external
auditors, outside consultants, or internal auditors from other organizations,
should perform external assessments at least once every five years. A formal
report, expressing an opinion regarding the internal audit activity’s
adherence to applicable standards, should be issued at the conclusion of the
assessment. The report can include statements regarding the activity’s
compliance with its charter and recommendations for improvement. Such reports
are useful not only to the external auditors, but also to the internal auditor,
senior management, and the board of directors.
Janet L. Colbert, PhD, CIA, CPA, is the James R. Meany Professor of Accounting in the department of accounting at the Gordon Ford College of Business, Western Kentucky University Bowling Green, Ky.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2002 CPA Journal. Legal
Notices
Visit the new cpajournal.com.
){kind=link}
){kind=link}
){kind=link}