www.theiia.org

2010 IIA Standards Update

Andrew J. Dahle, CIA, CPA, CISA, CFE
Chair – IIA Internal Audit Standards Board

Warren Hersh, CIA, CPA, CISA, CFE
Member – IIA Internal Audit Standards Board

October 26, 2010


Session Overview

• Why The Standards Matter

• Understanding the International Professional Practices Framework (IPPF)

• What’s New – IIA 2010 Standards Revisions

• Questions


Why the Standards Matter


Standards are Critical

• Delineate basic principles that represent the practice of internal auditing

• Framework for performing and promoting a broad range of value-added internal auditing

• Establish the basis for the evaluation of internal audit performance

• Foster improved organizational processes and operations


Two Questions

Are you just now receiving your first exposure to the Standards?


Would you say that your organization has implemented most or all of the Standards?


Understanding the IPPF

International Professional Practices Framework

Issued January 2009


AUTHORITATIVE Guidance

Authoritative =

• Mandatory

• Non-mandatory, strongly recommended


Overview of the IIA Standards

Attribute Standards:

• 1000 – Purpose, Authority and Responsibility

• 1100 – Independence and Objectivity

• 1200 – Proficiency and Due Professional Care

• 1300 – Quality Assurance and Compliance

Performance Standards:

• 2000 – Managing the Internal Auditing Activity

• 2100 – Nature of Work

• 2200 – Engagement Planning

• 2300 – Performing the Engagement

• 2400 – Communicating Results

• 2500 – Monitoring Progress

• 2600 – Resolution of Management’s Acceptance of Risks


What’s New? IIA Standards Revisions

Effective January 1, 2011


Why Change?

• The Standards must remain current, relevant, and timely for the profession

• The IPPF process requires that all guidance be reviewed at least once every three years

• Ongoing changes are a key component of the continued development of the IPPF issued in January 2009


Standards Exposure Process

• The 90-day public exposure period:

  • February 15 to May 14, 2010

  • 1,350 responses globally from individuals and 29 from organizations

• The Internal Audit Standards Board (IASB) analyzed the results of the exposure and determined the disposition of comments.

• The IASB approved the final release of new/revised Standards at the June 2010 meetings.

• The Ethics Committee reviewed the final Standards to ensure their consistency with the Code of Ethics.

• The new/revised Standards were released October 19, 2010.

• The new/revised Standards will be effective January 1, 2011.


Summary of Changes

• 3 new Standards

• 15 changes to existing Standards

• 2 deletions of the existing Standards

• 6 changes to existing Glossary terms

26 changes in total


Summary of Changes – Topics

• Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110)

• Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321)

• Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450)

• Clarify Risk Management Coverage by Internal Audit (2120)

• Revise Definition of “Add Value” (2000 and Glossary)

• Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070)

• Enhance and Clarify Other Standards and Glossary Terms (throughout)


1000 – Purpose, Authority, and Responsibility

Interpretation:

The Internal Audit Charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and, defines the scope of internal audit activities. Final approval of the Internal Audit Charter resides with the board.

Standard 1000 – Change Interpretation

Exposure Results: Yes: 93.1%, No: 4.8%, No Opinion: 2.1%

Standards Board Decision: Adopt the exposed change

1110 – Organizational Independence

Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

• Approving the internal audit charter;

• Approving the risk based internal audit plan;

• Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;

• Approving decisions regarding the appointment and removal of the chief audit executive; and,

• Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

Standard 1100 – New Interpretation

Exposure Results: Yes: 88.7%, No: 8.3%, No Opinion: 3.0%

Standards Board Decision: Adopt the exposed change

1312 – External Assessments

Interpretation: A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge.

A qualified reviewer or review team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of a review team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether a reviewer or review team demonstrates sufficient competence to be qualified.

An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.

Standard 1312 – Change Interpretation

Exposure Results: Yes: 84.1%, No: 9.3%, No Opinion: 6.6%

Standards Board Decision: Modify the exposed change

1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

Interpretation: The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards.

The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.

Standard 1321 – New Interpretation

Exposure Results: Yes: 72.1%, No: 15.4%, No Opinion: 12.5%

Standards Board Decision: Adopt the exposed change

2000 – Managing the Internal Audit Activity

Interpretation: The internal audit activity is effectively managed when:

• The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter;

• The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and

• The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

Standard 2000 – Change Interpretation

Exposure Results: Yes: 87.6%, No: 9.5%, No Opinion: 2.9%

Standards Board Decision: Adopt the exposed change

NEW Standard 2010.A2

2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

Exposure Results: Yes: 72.0%, No: 21.0%, No Opinion: 6.9%

Standards Board Decision: Modify the exposed change


NEW Standard 2070

2070 – External Service Provider and Organizational Responsibility for Internal Auditing

When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.

Interpretation: This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Exposure Results: Yes: 73.0%, No: 15.7%, No Opinion: 11.2%

Standards Board Decision: Modify the exposed change

Change Standard 2110.C1

2110.C1 2210.C2 – Consulting engagement objectives must be consistent with the overall organization's values, strategies, and objectives goals of the organization.

2210.C2 – Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.

Exposure Results: Yes: 91.0%, No: 3.6%, No Opinion: 5.4%

Standards Board Decision: Adopt the exposed change

Standard 2120 – Change Interpretation

2120 – Risk Management

Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

• Organizational objectives support and align with the organization’s mission;

• Significant risks are identified and assessed;

• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and

• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.

Exposure Results: Yes: 86.4%, No: 8.9%, No Opinion: 4.7%

Standards Board Decision: Modify the exposed change

Change Standard 2120.A1

2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures, and contracts.

Exposure Results: Yes: 91.4%, No: 5.9%, No Opinion: 2.6%

Standards Board Decision: Adopt the exposed change

Change Standard 2130.A1

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures, and contracts.

Exposure Results: Yes: 91.8%, No: 5.5%, No Opinion: 2.6%

Standards Board Decision: Adopt the exposed change

Delete Standard 2130.A2

2130.A2

Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

[Now in Standards 2120.A1 and 2130.A1.]

Exposure Results: Yes: 89.9%, No: 5.4%, No Opinion: 4.7%

Standards Board Decision: Adopt the exposed change

Delete Standard 2130.A3

2130.A3

Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

[Now in Standards 2120.A1 and 2130.A1.]

Exposure Results: Yes: 90.2%, No: 5.4%, No Opinion: 4.4%

Standards Board Decision: Adopt the exposed change

Change Standard 2410.A1

2410.A1 - Final communication of engagement results must, where appropriate, contain the internal auditors’ overall opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Interpretation: Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.

Exposure Results: Yes: 81.4%, No: 13.6%, No Opinion: 5.0%

Standards Board Decision: Modify the exposed change

NEW Standard 2450

2450 – Overall Opinions

When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Interpretation: The communication will identify:

• The scope, including the time period to which the opinion pertains;

• Scope limitations;

• Consideration of all related projects including the reliance on other assurance providers;

• The risk or control framework or other criteria used as a basis for the overall opinion; and

• The overall opinion, judgment, or conclusion reached.

The reasons for an unfavorable overall opinion must be stated.

Exposure Results: Yes: 74.9%, No: 19.9%, No Opinion: 5.1%

Standards Board Decision: Modify the exposed change

Change Definition - Add Value

Add Value

Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.

The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

Exposure Results: Yes: 86.2%, No: 11.0%, No Opinion: 2.8%

Standards Board Decision: Modify the exposed change

Change Definition - Chief Audit Executive

Chief Audit Executive

Chief audit executive is a senior position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from external service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes titles such as general auditor, head of internal audit, chief internal auditor, and inspector general.

Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations.

Exposure Results: Yes: 67.5%, No: 29.0%, No Opinion: 3.5%

Standards Board Decision: Modify the exposed change

Change Definition - Independence

Exposure Results: Yes: 84.0%, No: 12.6%, No Opinion: 3.5%

Standards Board Decision: Modify the exposed change

Independence

The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.


Other Changes

• 1100 – Independence and Objectivity

• 2110.A2

• 2130.C1: Renumbered as 2220.C2

• 2130.C2: Renumbered as 2130.C1

• 2400 – Communicating Results

• Control Environment

• Information Technology Governance

• Objectivity


Get the Standards - www.theiia.org/standards

International Standards for the Professional Practice of Internal Auditing (Standards)


Conformance with the Standards is required and essential for the professional practice of internal auditing.


QUESTIONS
