Standards for the Professional Practice of Internal Auditing
Comments from ACCA
May 2003
Executive Summary
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to provide comments to the Institute of Internal Auditors (IIA) on the proposed revision to the Standards for the Professional Practice of Internal Auditing (the exposure draft). These comments have been prepared in consultation with members of ACCA's Internal Audit Committee.
Although we have made a number of minor comments, mostly concerning possible misinterpretation of the Standards, we are generally in agreement with the proposed changes.
We believe, however, that the exposure draft over-extends the scope of internal audit. The Standards should ensure that the core role of internal audit, reviewing the adequacy of risks and controls, is not neglected at the expense of other possible aspects of internal audit work.
The suggested changes to the definitions are largely helpful, although we consider that further thought should be given to the definition of the 'Board' and that the different aspects of audit reporting should be more clearly explained.
Detailed Response
NEW AND REPLACEMENT STANDARDS
Standard 1210.A3 - The last sentence of this paragraph should be phrased more positively as it is currently too defensive. For example, the Standard should state that the Chief Audit Executive should ensure that the internal audit function has access to suitable expertise in information technology; this will enable the organisation's information and communication technology processes and the associated risks and controls to be adequately understood. This may be achieved through the use of specialist information and communication technology auditors.
Standard 1220.A1 - Computer-assisted audit tools and techniques are more useful for auditing transactions than auditing controls. This means that they are generally of limited value for internal audit. The bullet point referring to such tools should, therefore, be omitted or placed later in the list - for example, third from the end. The current prominence given to such tools risks encouraging the further use of substantive testing, which has limited validity for internal auditors.
Standard 2130 - The proposed Standard may over-extend the scope of internal audit. The Standards should ensure that the core role of internal audit, to review risks and controls, is not neglected at the expense of other possible aspects of internal audit work. Thus, internal audit should ensure that controls over the organisation's governance processes are sound, rather than internal audit itself directly promoting good governance.
The use of the word 'design' in the reworded Standard 2130.A1 is ambiguous and may cause problems in interpretation. 'Design' may be a verb (referring to a process) or it may be a noun (referring to a specification). The Standard should clearly state whether the process of design, or the specification which results from applying that process, or both fall within the remit of internal audit.
Standard 2200.A1 - In many cases, this paragraph will encourage too detailed an approach to engagement or assignment planning. At this stage, internal audit can only hope broadly to understand the activities under review and to identify the main risks and controls which may impact the achievement of the activities' objectives.
Standard 2201.A1 - This paragraph lacks clarity. As it stands, the nature of the 'clients' referred to is not defined. It is not clear whether these are partner organisations, out-sourced activities and/or other internal audit activities.
Standard 2201.A2 - This paragraph should be made more explicit; it should specify why internal auditors should consider how the results of their work may be used by others. If the issue is one of the confidentiality of the information, internal auditors should consider the risks of possible breaches of confidentiality. This paragraph should also be revised to avoid any suggestion that internal audit might avoid undertaking an assurance engagement, or might exclude some aspects of such an engagement, if such work risked uncovering matters relating to a wrongdoing which it would be embarrassing to disclose to a third party such as a regulator.
Standard 2410 - ACCA agrees with the proposed changes.
Standard 2440 - The word 'report' is now being used in the context of communicating audit engagement results, whereas, to date, its use in the Standards has been restricted to summary reporting (for instance to the board) and reporting by the Chief Audit Executive on internal audit performance. ACCA prefers the phrase 'communicating audit results' to 'report' as it is less confrontational and authoritarian in tone.
Standard 2220.A2 - This paragraph over-emphasises the importance and likelihood of consulting opportunities arising within an assurance engagement. This should be avoided by replacing the first word 'when' with the word 'if'.
INTRODUCTION TO THE STANDARDS
We agree with the proposed changes to the Introduction to the Standards.
EDITORIAL CHANGES AND GLOSSARY TERMS
We agree with the proposed editorial changes to the Standards and the additions to the Glossary Terms, except for the points made below.
The definition of 'Added Value' is an improvement on the longer current definition. The definition should, however, be tightened further. This should be by indicating that internal auditors add value by satisfying their management and board needs specifically in the area of effectively managing risks to the achievement of the organisation's agreed objectives through improved controls and governance processes.
The definition of the 'Board' should be improved by placing more emphasis on the Board being the most senior management body for the organisation and less emphasis on it being the body to which the Chief Audit Executive may report. In practice, the Chief Audit Executive may not report functionally to the board, although where this is the case, the internal audit charter should be agreed by the Board. The phrase 'agency or legislative body' may produce some confusion. Internal audit should not report to a legislative body. It should report to the most senior manager of the administrative function of the body.
The Glossary definition of 'Board' states that internal audit 'may' report functionally to this governing body. 'Functional reporting' is explained in Practice Advisory 1110-2, which deals with 'Chief Audit Executive reporting lines'. This Practice Advisory makes the distinction between functional and administrative reporting. We consider that this could be extended so that the Standards define the following three aspects of internal audit reporting:
Functional reporting - to ensure that the professional service of the internal audit function is effective in meeting the entity's needs;
Administrative reporting - for 'pay and rations', to ensure economic and efficient utilisation of internal audit resources; and
Task reporting - to communicate the results of audit engagements.
The Chief Audit Executive should report functionally to the audit committee and administratively to the Chief Executive Officer. Internal audit should also report each engagement or task to the executive manager who is head of the relevant department.
The definition of the phrase 'Conflict of Interest' would be improved if the words 'as a whole and the achievement of its agreed objectives' were to be inserted after the word 'organisation'. In addition, the use of the term 'loyalty' within this revised definition is probably unwise. The IIA's Code of Ethics scrupulously avoids the use of this emotive word, preferring terms such as integrity, objectivity, confidentiality and competency.
The wording of the definition of 'External Service Provider' has been amended and is now deficient, as there is no suggestion within the revised definition that the outside party is one which is providing, or willing to provide, a service to the organisation.
The exposure draft has some useful changes and additions to Glossary definitions on aspects of control and risk. It is still not entirely clear, however, whether 'control' is to be considered part of 'risk management' or vice versa. Early indications from the COSO team developing the new Enterprise Risk Management guidance suggest that it considers control to be part of risk management. This would seem to be the line taken by The IIA in its new Glossary definition of 'Risk Management'. This point could, however, be made with greater clarity.