To some, the idea of tackling conformance with the International Standards for the Professional Practice of Internal Auditing may seem like a steep, uphill climb. The phrase “conformance with the Standards” can sound authoritative and overwhelming, suggesting a complex, resource-intensive effort. But conformance is actually much easier to achieve than many chief audit executives (CAEs) may think. In fact, numerous activities performed by practitioners likely conform with the Standards already.
Composed of principles-based, core requirements, the Standards provide a framework for performing and promoting internal audit services and are essential in meeting the responsibilities of internal auditors and the internal audit activity. Conformance with The IIA’s cornerstone of Mandatory Guidance begins with an awareness of the Standards and of how they provide a blueprint for the internal audit activity to evaluate and contribute to the improvement of organizational governance, risk management, and control processes. The Standards consist of two main categories:
- Attribute Standards (series 1000–1322) address the attributes of organizations and individuals performing internal auditing.
- Performance Standards (series 2000–2600) describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
A close examination of these areas reveals a relatively simple path to conformance, and one that many practitioners may already have begun to take. While not intended to provide confirmation of conformance, thinking about the Standards as advised can help internal auditors better navigate the requirements and streamline their approach.
Attribute Standards help establish the internal audit activity’s position within the organization. Performance Standards, by contrast, involve the performance of internal audit responsibilities such as planning engagements, performing engagements, and communicating results. The majority of internal audit activities likely expend most of their effort focusing on Performance Standards, which may explain why some of the most common areas of nonconformance have fallen within the Attribute Standards (see “Top Areas of Nonconformance” at right).
Conformance with the Attribute Standards can be assessed by breaking them down into simple concepts: 1) reviewing the internal audit charter; 2) determining the independence of the internal audit activity and objectivity of the internal auditors; 3) evaluating the proficiency and due professional care with which engagements are performed; and 4) confirming the completion, maintenance, and communication of the quality assurance and improvement program (QAIP). “Attributes Standards Overview,” at the bottom of this page, provides a detailed breakdown along each of these areas.
For existing internal audit activities, these concepts should already be established. Evidence of conformance can be demonstrated by ensuring that all elements of the Attribute Standards are formally documented — or by reviewing existing documentation and updating it as necessary. Newly formed (or forming) internal audit activities should determine how they are going to apply the Attribute Standards, and then implement and document them, as they help set the stage for why the internal audit activity exists and how it will function.
The easiest way to determine the level at which an internal audit activity conforms with the Standards is through an internal assessment. QAIPs require an internal assessment, which, per Standard 1311: Internal Assessments, includes:
- Ongoing performance monitoring, using processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards.
- Periodic assessments to evaluate conformance with the Code of Ethics and the Standards performed by someone in internal audit or within the organization with sufficient knowledge of internal audit practices. The individual must possess at least an understanding of all elements of the International Professional Practices Framework (IPPF).
Such steps may already be incorporated into the routine policies and practices currently used to manage the internal audit activity. If the activity is already performing ongoing monitoring and periodic assessments as described, then it may be in conformance with Standard 1311.
The internal audit activity must also conduct an external assessment every five years, at minimum, to conform with the 1300 series. Ensuring this assessment is completed may demonstrate conformance with Standard 1312: External Assessments.
Performance Standards consist of steps internal auditors perform on a regular basis. According to IIA Quality Assurance data, four of the 10 standards with the lowest conformance rates were Performance Standards. As with the Attribute Standards, conformance with the Performance Standards can be broken down into simple concepts.
The 2000 series requires all internal audit activities to be managed effectively, with policies and procedures that ensure value is added to the organization. The process includes establishing, communicating, and obtaining approval of a risk-based plan that can be carried out with appropriate and sufficient resources. Most internal audit activities likely follow these principles and therefore may conform to this series.
The 2100 series pertains to the nature of audit work and requires internal audit activities to evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes by using a systematic, disciplined, and risk-based approach. Conformance with this series of standards requires the internal audit activity to devise an appropriate strategy to evaluate the organization, which involves:
- Obtaining an understanding of how the organization makes decisions, manages and communicates risk, promotes ethics and values, and ensures effective performance and accountability (Standard 2100: Governance).
- Evaluating risk exposures and assessing the adequacy and effectiveness of controls in responding to risks relating to governance, operations, and information systems regarding the achievement of strategic objectives, reliability and integrity of financial and operational information, effectiveness and efficiency of programs and operations, safeguarding of assets, and compliance with internal and external requirements. The evaluation should also include examining the potential for the occurrence of fraud and how fraud risk is managed (Standard 2120: Risk Management and Standard 2130: Control).
Performance Standards series 2200 through 2400 describe the audit engagement process. All internal audit activities should follow the basic engagement process, which consists of three parts:
- 2200 Series: Engagement Planning — determining objectives and scope, assessing timing considerations, and allocating resources to create and document a work program that considers the relevant strategies, objectives, and risks of the organization.
- 2300 Series: Performing the Engagement — conducting fieldwork, which includes identifying, analyzing, evaluating, and documenting appropriate information to support the engagement results, as well as supervising the engagement effectively.
- 2400 Series: Communicating Results — providing timely, quality results to the appropriate recipients that include the engagement’s objectives, scope, results (applicable conclusions, recommendations, and/or action plans), and applicable disclosures.
Most internal audit activities likely conform to these standards in principle — in other words, they conform with the essence of the requirement.
Internal audit activities that maintain a monitoring process to follow up on the disposition of outstanding audit engagement results most likely also conform to Standard 2500: Monitoring Progress. Conformance can be evidenced by a routinely updated exception tracking system, which may be a spreadsheet, database, or other tool.
Lastly, Standard 2600: Communicating the Acceptance of Risks requires the CAE to use judgment to determine whether management has accepted a level of risk that may be unacceptable to the organization. This standard obligates the CAE to attain an understanding of the organization’s risk tolerance and risk acceptance process (if one exists). If the CAE concludes that an unacceptable level of risk has been accepted, the matter must be discussed with the organization’s senior management; if it is not resolved, the matter must be brought to the board’s attention.
Easier Than It Seems
Internal auditors need to remember that conformance does not hinge on following a set of prescribed rules. Instead, conformance is about understanding and achieving the principles behind the Standards. Demonstrating conformance is as simple as identifying current processes in place related to each standard and then documenting sufficient evidence (see “Work Program,” above, for an example of a straightforward assessment).
The effort does not have to be daunting or consume an inordinate amount of resources. By reading and understanding the IPPF, including the new Implementation Guides and related Supplemental Guidance, and documenting their work, practitioners can easily align themselves with professional standards and enhance their value to the organization.