2008 Standards exposure
In January 2008, the Internal Audit Standards Board proposed changes to the International Standards for the Professional Practice of Internal Auditing. The changes fell into two main categories: firstly, those related to the new International Professional Practices Framework (IPPF) approved by the Board of Directors of The Institute of Internal Auditors (The global IIA) in July 2007; and secondly, revisions and updates designed to respond to recent developments in internal auditing.
The exposure period ended at the end of March 2008. The IIA - UK and Ireland completed a formal response on behalf of the membership. A copy of the response can be found here.
International Standards 2008 Exposure UK and Ireland response
The Standards Board considered the feedback from the profession worldwide and approved the final version of the standards at its meeting in July 2008. The International Standards for the Professional Practice of Internal Auditing will be formally released together with the whole of the IPPF in January 2009. To allow professionals to prepare to implement the new standards, the Standards Board authorised the release of a preview version in October 2008. This can be found on the Professional Guidance home page of this web site.
The proposed changes
The rest of this web page provides information about the exposure draft of the Standards.
The attached document shows all the proposed changes to the existing standards.
There are three main types of changes, corresponding to the three parts of the International Standards:
The following notes provide a summary of the types of changes. We also analysed the Standards by the type of change and presented it in a table in the following document.
Interpretations
Under the IPPF, Interpretations are a new element of the International Standards. They are intended to clarify terms or concepts and they are mandatory, just like the statements that they clarify. However, in developing these initial Interpretations, the Standards Board did not intend to change existing requirements, just to clarify them.
The interpretations should be read in the context of the rest of the standard. However, to assist reviewers during the exposure period, we put together a document showing all proposed interpretations, together with the source of the wording - eg an existing glossary entry or standard - where that source is from the standards. Here is the document.
Glossary
New definitions have been added to the Glossary for risk appetite, significance, and several definitions related to information technology. In addition, several existing definitions have been changed to improve consistency and clarity.
Statements
This exposure draft also included any new and revised Statements that the Standards Board identified over the preceding two years as part of its mandate – the ongoing review and discussion of the Standards and basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. They were:
Should and must
The International Standards currently use the word ‘should’, which is defined in the Glossary as representing a mandatory obligation. The Standards Board has decided that it would be better to use the word ‘must’ to represent unconditional requirements, which are essential to the proper conduct of engagements. The auditor must follow these requirements unless other procedures, which can be documented as sufficient and appropriate, could also satisfy the nature and intent of the International Standards.
The International Standards continue to use the word ‘should’ to indicate engagement procedures that are usually expected to be undertaken. The auditor is required to consider them as a professional internal auditor but may determine that they are inappropriate in the auditor’s knowledge and professional judgment.
The Board and senior management
In recognising the importance of corporate governance to the role of internal audit, the Standards Board has introduced a number of changes to reflect more direct linkages with the Board. At the same time, it is important to reinforce internal audit’s role as providing a service to management so that the wording ‘senior management’ has been added to several Standards, previously referring to the Chief Audit executive’s (CAE) interaction with the board only.
Quality assurance and improvement programmes
The Standards Board is proposing several changes to the 1300 series to clarify the requirements; to refer to the Definition of Internal Auditing and to the Code of Ethics; to make it clear that the assessments are assessment of the quality of the activity, not of the Quality Assurance Improvement Program; to use one consistent phraseology for conformance with Standards; and to ensure that CAEs report the results of the whole of the Quality Assurance Improvement Program to senior management and the board.
Fraud risk
The Standards Board wishes to reflect the internal auditor’s role in relation to the risk of fraud by proposing changes to the following areas 1210.A1, 1220.A2, 2060, 2120.A2.
Mandatory requirements for the professional practice of internal auditing
The Standards Board is proposing to recognise the full extent of mandatory requirements by referring consistently both to the Definition of Internal Auditing and to the Code of Ethics, as well as to the International Standards.
Renumbering and reordering
Some of the Standards have been renumbered/moved to place them in a more appropriate position or category. In particular, the order of Standard 2100 – Nature of Work has been changed from risk management, control, and governance to governance, risk management, and control. The Standards Board believes that this better represents the flow of these processes within an organisation.
