1
A Message from the Standards Board
The New IPPF and Mandatory Guidance
October 2015
In July 2015, The IIA released a new International Professional Practices Framework (IPPF) to better support internal audit practitioners in fulfilling the profession’s evolving role with an insightful, proactive, and future-focused perspective.
As part of the mandatory guidance of the new IPPF, a set of ten Core Principles for the Professional Practice of Internal Auditing (Core Principles) was added, accompanying the existing mandatory components—the Definition of Internal Auditing, the Code of Ethics (COE), and the International Standards for the Professional Practice of Internal Auditing (Standards). The Core Principles comprise the fundamentals essential to the effective practice of internal auditing. They are the foundational underpinnings of the COE and the Standards, reflecting the primary requirements for the professional practice of internal auditing now and in the future. The Core Principles can be used as a benchmark against which to gauge the effectiveness of an internal audit activity. Thus, the Core Principles should be well expressed throughout the COE and the Standards.
Assessment of New Mandatory Guidance
The IIA’s International Internal Audit Standards Board (IIASB) reviewed the existing COE and the Standards in the context of the new Core Principles to assess the impact of adding the Core Principles and whether the Core Principles are adequately represented. Broadly, alignment was found between the elements, and no contradictions appeared. However, one core principle appeared to be only partially represented in the COE and the Standards, and a few other core principles would be better embodied by changing the wording of certain standards. Therefore, the IIASB will recommend changes to the Standards to better reflect the Core Principles. The ultimate goal is to have a framework where conformance with the Code of Ethics and the Standards achieves conformance with the Core Principles.
Exposure of Recommended Changes to the Standards
This document aims to inform members about the IIASB’s assessment of how well the newly issued Core Principles are evidenced in the COE and the Standards and to encourage members to become informed about proposed changes to the Standards in preparation to respond to an upcoming formal exposure.
The IIASB is expected to release an exposure document describing its recommended changes in early 2016. The exposure document and survey will be available online for a 90-day public comment period. All comments received are diligently considered.
2
Results of the IIASB’s Assessment and General Recommendations for Changes
The chart below summarizes the IIASB’s assessment of how well the Core Principles are evidenced in the COE and the Standards. The COE and the Standards were compared with the Core Principles, and conclusions were drawn from that comparison.
Core Principles
IIASB Analysis
IIASB Conclusions
1
Demonstrates integrity.
This core principle is embodied in Code of Ethics Principle and Rules of Conduct: Integrity.
Several standards reinforce the expectation of integrity. For example, integrity is required in maintaining objectivity (1120: Individual Objectivity) and in communicating errors or omissions (2421: Errors and Omissions).
The existing COE and Standards are considered sufficient relevant to this core principle.
2
Demonstrates competence and due professional care.
This core principle is embodied in Code of Ethics Principle and Rules of Conduct: Competency.
Competence and due care are required by several standards; for example, 1200: Proficiency and Due Care, 1210: Proficiency, 1220: Due Professional Care, and 1300: Quality Assurance and Improvement Program.
This core principle is evidenced in the COE and the Standards. However, changes can be made to some standards to better demonstrate the relationship.
3
Is objective and free from undue influence (independent).
This core principle is embodied in Code of Ethics Principle/Rules of Conduct: Objectivity.
Several standards require objectivity and independence. These include 1100: Independence and Objectivity, 1110: Organizational Independence, 1120: Individual Objectivity, and 1130: Impairment to Independence or Objectivity.
Furthermore, an internal audit charter codifies reporting relationships, organizational independence, authority, and access to information, as described in Standard 1000 (Purpose, Authority and Responsibility).
This core principle is evidenced in the COE and the Standards. However, changes can be made to some standards to better demonstrate the relationship.
4
Aligns with the strategies, objectives, and risks of the organization.
The consideration of organizational strategies, objectives, and risks when planning, executing, and reporting on engagements is evident in many current standards.
Examples include 2010: Planning, 2100: Nature of Work, 2110: Governance, 2120: Risk Management, 2130: Control, 2201: Planning Considerations, and 2000: Managing the Internal Audit Activity.
This core principle is evidenced in the Standards. However, changes can be made to some standards to better demonstrate the relationship.
5
Is appropriately positioned and adequately resourced.
The importance of internal audit’s organizational placement and sufficient and appropriate resources, is addressed in several standards.
These include 1000: Purpose, Authority, and Responsibility; 1110: Organizational Independence; 1111: Direct Interaction with the Board; and 2030: Resource Management
The Standards are considered sufficient relevant to this core principle.
6
Demonstrates quality and continuous improvement.
This core principle is embodied in Code of Ethics Principle/Rules of Conduct: Competency.
In addition, several standards specify requirements associated with demonstrating quality and continuous improvement, including the 1300 series of standards related to quality assurance and improvement programs and 1230: Continuing Professional Development. Other standards, such as 2040: Policies and Procedures and 2340: Engagement Supervision, help create an internal audit environment to deliver quality services.
This core principle is evidenced in the COE and the Standards. However, changes can be made to some standards to better demonstrate the relationship.
3
7
Communicates effectively.
This core principle is evident in several standards addressing chief audit executive communications with the board and management, as well as communications from the internal audit activity.
Examples include 2020: Communication and Approval, 2060: Reporting to Senior Management and the Board, and the 2400 series related to communicating results of engagements.
This core principle is evidenced in the Standards. However, changes can be made to some standards to better demonstrate the relationship.
8
Provides risk-based assurance
Several existing standards require internal audit work to be based on an assessment of risk, both at the overall program and the individual engagement levels.
Also, the importance of this core principle, providing risk-based assurance management and the board, is highlighted in several standards, including 2010: Planning, 2201: Planning Considerations, 2060: Reporting to Senior Management and the Board, and 2600: Communicating the Acceptance of Risks.
This core principle is evidenced in the Standards. However, changes can be made to some standards to better demonstrate the relationship.
9
Is insightful, proactive and future-focused.
Although implied by several standards, the existing COE and Standards do not completely address this Core Principle.
Several performance standards reflect the result of insightful, proactive, and future-focused activities. Examples include 2010: Planning, 2120: Risk Management, and 2060: Reporting to Senior Management and the Board.
However, this core principle is not fully recognized in the attribute standards.
The COE and Standards evidence this core principle partially but not sufficiently. Changes to some standards are recommended.
10
Promotes organizational improvement.
The responsibility for internal audit to contribute to and promote organizational improvement is embedded in several standards, including 2000: Managing the Internal Audit Activity, 2050: Coordination, 2100: Nature of Work, and 2500: Monitoring Progress
The 1300 series of standards related to a quality assurance and improvement programs also promotes organizational improvement within the internal audit activity.
This core principle is evidenced in the Standards. However, changes can be made to some standards to better demonstrate the relationship.
IIASB Recommendations About What Should Not Change
In the short term, the IIASB does not intend to make structural changes to the Standards. The organization of the Standards by attributes pervasive to all internal audit activities and performance requirements that relate to the life cycle of audit activities is in frequent use, and the time-tested construct has proven useful for internal audit practitioners. The IIASB also believes that modifying the structure or numbering process at this time is not cost beneficial to IIA members and would create unnecessary confusion.
Looking Forward
The mandatory elements in the new IPPF complement each other and help bring the IPPF to a new level of usefulness for internal audit practitioners. With relatively minor updates to the existing Standards, The IIA will have a guidance framework that is cohesive and consistent throughout. The concepts embodied in the ten Core Principles will guide future modifications to the Standards and help ensure internal consistency between the Standards and the Core Principles that are fundamental to the delivery of effective, quality internal audit services.