IIA Standards revised

Internal Auditor, Feb, 2004 by J. Whitley

FOLLOWING AN EXPOSURE draft issued last year, The IIA's Internal Auditing Standards Board (IASB) significantly revised its International Standards for the Professional Practice of Internal Auditing (Standards). Incorporating numerous comments on issues received through the exposure process, the board approved the Standards for January 2004 implementation.

The revisions are intended to recognize that internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. Although many of the changes are expected to clarify some long-standing issues, the Standards are intended to be broad enough in scope and definition for global application. This includes a basic assumption that chief audit executives (CAEs) and internal auditors will exercise good judgment in applying concepts such as references to appropriate parties, acceptable level, and as appropriate.

One of the most prominent revisions is the overall inclusion of the word should in many of the individual standards. This change signifies a mandatory obligation for compliance.

During the exposure process, The IIA received many comments regarding the applicability of the Standards to government auditors and to those who may be impacted by legal or regulatory issues. The IASB has changed the introduction to clarify this position: "If internal auditors are prohibited by laws or regulations from complying with certain parts of the Standards, they should comply with all other parts of the Standards and make appropriate disclosures." Assurance and consulting services are also further defined in the introduction to offer an understanding of these distinctive activities.

Key provisions introduced in the Standards include requirements that internal auditors:

* Have knowledge of key information technology risks, controls, and available technology-based audit techniques to perform their assigned work.

* Consider the use of computer-assisted audit tools and other data analysis techniques.

* Include periodic internal and external quality assessments and ongoing internal monitoring as part of their quality assurance and improvement program.

* Provide final communication of engagement results and, when appropriate, include the internal auditor's overall opinion and/or conclusions.

In addition, the Standards indicate that the internal audit activity should assess the governance process and make appropriate recommendations for improvements by promoting ethics and values within the organization. This should include an evaluation of the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

The Standards also address consulting opportunities, as well as releasing engagement results to parties outside the organization.

The Standards can be found on The IIA's Web site, www.theiia.org, under "Guidance." The Institute recognizes that the development and issuance of the Standards is an ongoing process and encourages sending suggestions or comments regarding the Standards via e-mail to The IIA's Global Practices Center, standards@theiia.org.