The IIA has asked for input on the International Standards for the Professional Practice of Internal Auditing (Standards). You can access information here. I strongly support this initiative and ask that you provide your comments.
I have been strongly critical of the last edition of the Standards, without any success. The last version included changing the word "should" to "must," as the standards are mandatory. However, in the process a serious flaw was introduced.
In several places, the Standards now mandate audit activities regardless of whether they are high risk. While each of these is important, what the Standards should mandate is consideration of them in the risk assessment. They should not say, as they do, that the annual plan must include them.
As they are now, the Standards mandate practices that are not consistent with risk-based auditing — where only activities that represent risks of significance are included in the audit plan. Here are a few examples.
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
2110.A2 The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
2120 Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
If you want to contribute to the success of the profession of internal auditing, I ask that you provide your comments.