top stories

Comments from ACCA
April 2007

ACCA (the Association of Chartered Certified Accountants) is the largest and fastest-growing international accountancy body with 296,000 students and 115,000 members in 170 countries. ACCA works to achieve and promote the highest professional, ethical and governance standards and advance the public interest.

As you know, ACCA has adopted The Institute of Internal Auditors' Professional Practices Framework as applicable to ACCA members engaged in internal auditing. ACCA therefore has a strong interest in these proposals. We welcome the dynamism and commitment to continuous improvement that The IIA is displaying.

Our response to your Exposure Document has been prepared from comments made by our Internal Audit Members' Network Panel and from Prof. Andrew Chambers, whom you know and who used to chair that Panel and now chairs our Corporate Governance and Risk Management Committee. We recognise that we do not address all the issues upon which you have invited comment: we are restricting ourselves to the issues we consider should be reconsidered, or over which we consider our particular endorsement might be useful and also to other matters upon which we think our comments might be constructive.

The development process

We are concerned about the plethora of IIA committees engaged in developing this IPPF and believe this will inevitably lead to inconsistencies within the IPPF. We are concerned that the IASB is not supreme in determining the Standards in that the IASB is answerable to two levels of committee above IASB. We are further concerned that the profession of internal auditing, unlike other professional bodies, continues to keep standard setting within the profession and without a majority of external (non-auditor) members of the IASB and certain other IIA committees. Compare, for instance, with PCAOB in the US or APB in the UK.

When we tried to map the process for development and approval it became rather confusing. We were unclear as to what the overall role of each committee is supposed to be. It would be clearer if final approval of everything went through one channel and, because of the nature of this product, we consider that channel should be the IASB. For example, some 'guidance' has to be approved by the Ethics committee - in order to ensure compliance with the Code of Ethics - while some does not have to be - which seemed to us to be an anomaly.

We were unclear as to the minimum voting requirements at each committee, in order to approve developments.

We suggest that the IIA should specify a maximum period after which each element of the IPPF should be reviewed.

We consider this project provides an opportunity for The IIA to develop policy with regard to the involvement in the development of the IPPF of other bodies, such as ACCA, who have adopted the IPPF.

The important international dimension and the principles-based approach

The international character of internal auditing and the international reach of The IIA are to be cherished. We approve of the proposed new title (IPPF) which stresses the 'International' aspect. We approve of the acknowledgement that country-specific guidance may be developed at the levels below the mandatory levels of IPPF.

We welcome the inclusion within your 'Proposed Description' that: 'The Standards are principle focused...' and consider The IIA must be vigilant to hold onto this. We note that the revised mandatory Standards are intended to be expanded by inclusion of a proportion of the current Introduction and also the parts of the current non-mandatory Practice Advisories that interpret the Standards. Clearly there is a risk that expanding the content of the Standards will result in them becoming more rules-based in that they may tend to prescribe in mandatory form what the Institute regards as acceptable ways of applying the principles.

It is hard for us to comment on this as we have not seen the consequential extent to which the Standards will thereby be expanded. Our approval of this planned expansion is conditional upon the Standards increasing only modestly in length. We strongly support the intention that the expansions should be explanatory (interpretative) of principles within the Standards and we consider they must strictly eschew being prescriptive of the method(s) to be used to apply those principles. This will be particularly important if the new Standards are to be acceptable outside the US: their international acceptability and practical adoption depends upon this in considerable measure.

The authority of The Code of Ethics

We note your Proposed Description of the Code of Ethics, viz: 'A statement of the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. A description of the minimum requirements for conduct. The Code describes behavioral expectations rather than specific activities.'

This description excludes any requirement for members of The IIA, holders and candidates for its certifications, to be governed by this Code of Ethics in any work activities outside 'the conduct of internal auditing'. We would draw your attention to our discussion (see Annex below) of a recent CIA examination question, by way of challenging whether this is a correct interpretation of IIA rules.

Clarity

As with the IAASB's current 'clarity project' we consider this is an opportunity for The IIA to improve the clarity of their PPF. In general terms this will be a matter of ensuring consistent use of terminology and clarity of writing style. We also consider there are a number of specific, confusing classification and terminological issues which need to be resolved in the interests of clarity, as follows:

1. The grouping of the Standards into 'Attribute' and 'Performance' Standards is not a robust categorisation. The Introduction to the Standards states that: 'The Attribute Standards address the characteristics of organizations and parties performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated.'

   It can be argued that the dictionary meaning of the word 'attributes' is to do with 'nature' - a word The IIA uses confusingly to describe their 'Performance' Standards. Furthermore, some of the existing 'Attribute' Standards are to do with 'performance' - e.g. Standards 1200, 1220, 1320, 1330 and 1340. Some of the existing 'Performance' Standards are to do with 'Attributes' - e.g. 2040, and everything between 2100 and 2130.C1.

2. In the Exposure Document it is stated within the 'Proposed Description' of the Standards that: 'Implementation Standards relate to major audit activities only (currently Assurance and Consulting) and not to type of engagement.'

   But the present Standards and Practice Advisories very frequently refer to 'assurance engagements' and 'consulting engagements' as being types of audit engagement. See, for instance, Standard 1220.C1, 2201.C1 etc.

3. We consider there could be some confusion between 'Practice Advisories' and 'Practice Guides'. Both have 'practical guidance' included in their definitions.
4. We consider that Standards using the phrase 'internal auditors are encouraged...' are inconsistent with your intention that Standards are mandatory, and are unlikely to be expressing a point of principle (1330 and 2410.A2).

We consider that one of the strong points of the present Standards, in terms of logic and clarity, is the hierarchical decimal numbering system that is used. We trust that this will be preserved if the Standards are expanded to include, in particular, some material from the Introduction and from the existing Practice Advisories.

Paucity of coverage

Notwithstanding our earlier remarks, we do consider there is scope to expand certain parts of the Standards while limiting the Standards to the principles-based approach which is to be commended. For instance, we note that currently there are 500 words in the Standards on engagement planning (Standards 2200 to 2240.C1) but only 200 on performing the engagement (Standards 2300 to 2340). The principles involved in satisfactorily performing an engagement are insufficiently addressed within the space of these 200 words. For instance, the latter Standards insufficiently enunciate the principles which should underpin the determination as to whether adequate audit testing has been undertaken.

Implementation Standards

The IAA appears to believe that there will be no further sets of Implementation Standards other than the two sets on 'assurance' and 'consulting'. We have not been convinced that the present 'principles focused' Standards have to date needed the two existing sets of Implementation Standards. But as the Standards are to be expanded to include interpretations, the inclusion of these two sets of implementation Standards will become more acceptable. This is because the underlying principles sometimes have to be interpreted differently in the context of consulting work, as compared to assurance work.

We agree that the Definition's bipolar division of the internal auditing role between 'assurance' and 'consulting' is different in kind from categorising internal audit work according to the work subject - e.g. you mention 'environmental auditing'. Others might be financial auditing, operational auditing, control self assessment, IT auditing, governmental auditing, fraud investigations, auditing in financial institutions, and so on. We do not consider it inconceivable that there may need to be mandatory Implementation Standards that interpret general and fundamental internal auditing principles to these and other specialised forms of audit work. So we do not agree that the possibility of developing future sets of Implementation Standards should be excluded.

Quality Assurance and Improvement Guidance

Finally, we are comfortable about placing the detailed practical guidance on meeting the requirements of Standard 1300 (Quality Assurance and Improvement Guidance) within the non-mandatory part of the proposed IPPF.

Annex

Is The IIA Code of Ethics only binding on IIA members and CIAs in the conduct of their work as internal auditors?

In 1998 when the international Institute of Internal Auditors adopted a policy of non-disclosure of their professional examinations questions so as to build a database of multi-choice questions which could be used again and again especially when online examining is introduced, they instituted a practice of publishing a Model Exam for the benefit of Certified Internal Auditor (CIA) candidates and instructors. Both the 1998 Model exam and also the next (2000) update included one interesting sample question within the Part I (Internal Audit Process) model paper. We reproduce it here:

'A CIA, working as the director of purchasing, signs a contract to procure a large order from the supplier with the best price, quality, and performance. Shortly after signing the contract, the supplier presents the CIA with a gift of significant monetary value. Which of the following statements regarding the acceptance of the gift is correct?

1. Acceptance of the gift would be prohibited only if it were non-customary.
2. Acceptance of the gift would violate The IIA's Code of Ethics and would be prohibited for a CIA.
3. Since the CIA is not acting as an internal auditor, acceptance of the gift would be governed only by the organization's code of conduct.
4. Since the contract was signed before the gift was offered, acceptance of the gift would not violate either The IIA's Code of Ethics or the organization's code of conduct.'

Many would be likely to opt for 'c.' but The Institute gives 'b.' as the correct answer. Their expanded answer in their Model Exam put it like this:

'Solution: b

1. Incorrect. Acceptance of the gift could easily be presumed to have impaired independence and thus would not be acceptable.
2. Correct. As long as an individual is a Certified Internal Auditor, he or she should be guided by the profession's Code of Ethics in addition to the organization's code of conduct. Article V of the Code of Ethics would preclude such a gift because it could be presumed to have influenced the individual's decision.
3. Incorrect. See response 'b.'
4. Incorrect. See response 'b.' Further, there is not sufficient information given to judge possible violations of the organization's code of conduct. However, the action could easily be perceived as a kickback.'

The same question and answer also appeared again in the 2004 Model Exam with just the reference to 'Article V' of the old Code of Ethics being replaced by 'Rule of Conduct 2.2' to refer to the updated Code of Ethics. Article V of the pre-2000 Code of Ethics read:

'Members and CIAs shall not accept anything of value from an employee, client, customer, supplier, or business associate of their organization which would impair or be presumed to impair their professional judgment.'

We have not checked whether this question appeared more recently than 2004.

Notwithstanding that the Practice Advisories acknowledge that some audit engagements may be a hybrid of assurance and consulting.

Q64 in the 1998 and 2000 Part I Model Exams.

Back to top