THE IIA’s GLOBAL INTERNAL AUDIT STANDARDS; EVOLUTION OR REGRESSION?

Transitioning from the International Standards for Professional Practice of Internal Auditors (ISPPIA) to the newly issued Global Internal Audit Standards (GIAS), it’s time we rethink the needs fulfilled or vacuum filled by these standards, understand the best approach to them and ascertain if GIAS represent an evolution or a regression!

Generally, following is what standards aim to achieve:

1. Setting a performance bar
2. Raising the quality of service
3. Consistency
4. Benchmarking
5. Reliability
6. Building confidence and trust
7. Encouraging Conformance
8. Attesting Conformance
9. Developing competencies of the practitioners

All that’s mentioned above is true for internal auditing. For businesses to understand and have confidence in the value provided by internal auditing, they need their internal audit functions to at least conform to some established best practices, so that the service could be compared and improved in furtherance of the business objectives.

In the absence of internal audit standards, even the purpose of internal auditing would become difficult to comprehend and experience since it could not be identified if the service provided was conducted competently and diligently against the objectives it was conceived to achieve. Moreover, even the engagement objectives cannot be fully and accurately identified in the absence of standards governing the service.

Having established the significance of standards, let’s now focus on what’s the best approach to these; rules-based or principles-based. Rules-based standards institute a rigid regimen to be followed and are suited in situations where creativity and innovation are discouraged. They are also required to be followed when only a singular interpretation is desired to be made.

In contrast, the principles-based standards, spell out the broader principles only, encouraging their adoption in varied circumstances while remaining within the confines of the principle only. There are no hard and fast rules to adhere to; diversity and difference in opinion is encouraged to inspire innovation.

Thankfully, both the ISPPIA and GIAS were and are principles-based standards since internal auditing services cannot be subjected to rigid governance. Let’s now look at some key areas of the new GIAS and determine if these are a step forward or backward.

First, some words about the standard setting body itself.

STANDARD SETTER’S REPUTE AND AUTHORITY:

• Authority stems from independence. International Internal Audit Standards Board (IIASB), the body responsible for setting and issuing internal audit standards is not independent; it’s operated, managed and financed by the Institute of Internal Auditors (IIA).
• IIA is also a certification body issuing exam-based competencies / certification programs and a membership-based organization, keeping everything internal audit indigenous.
• The standards desire that the Internal Audit function be independently positioned, however the IIASB remains dependent on the IIA.
• The issuance of standards does not make the IIA more authoritative on internal auditing.
• International Accounting and Assurance Standards Board (IAASB) responsible for issuing International Standards on Auditing (ISAs) governing the profession of external audit is an excellent example. It is an entirely independent Board.

AMBIGUOUS STRUCTURE:

• Under the new GIAS, we have International Professional Practices Framework, then we have Global Internal Audit Standards, followed by Topical Requirements and Global Guidance. We also have domains categorizing the standards comprising of principles again followed by requirements under each standard!
• The preface does not specify the structure in which the standards have been laid out.
• In contrast, the 2017 standards were more well-structured and easier to comprehend as these were simply based on statements of requirements and their interpretations. Standards were of two types: Attribute (attributes of organizations and individuals) and Performance Standards (nature of internal auditing services)

DOMAIN-II: ETHICS & PROFESSIONALISM:

• A standalone Code of ethics now been done away with.
• Instead, we now have 8 Standards (1.1 to 3.2) under 3 Principles that deal with Ethics and Professionalism (concepts of Integrity, Objectivity and Competence)
• Standards require, demonstration and allow deviation or more appropriately adjustment when needed.
• Similarly, deviation and adjustment are now also a possibility in ethics and professionalism.
• No membership-based bodies have code of ethics being part of some international standards, one could seek a departure from if needed.

DOMAIN-III: GOVERNING THE INTERNAL AUDIT FUNCTION:

• This domain spells out essential requirements from Board and Senior Management, which are unenforceable since standards are meant for internal auditors.
• Standards within the domain require extensive discussion with Board and Management to finalize internal audit governance and mandate, rather than the audit function or CAE proposing these.
• The mandate and charter need to come from Chief Audit Executive (CAE) and be reviewed and finalized with management and board; it cannot start with discussions with the Board and Management!

DOMAIN-IV: MANAGING THE INTERNAL AUDIT FUNCTION:

• Principle 9 requires the Internal Audit Function’s (IAF) position be strategically planned to fulfill its mandate and achieve long term success. For doing so it suggests CAE to understand the Governance Risk Management and Control (GRC) processes. It does not suggest anywhere to first understand the business, which is first and foremost in developing alignment of the IAF with the business needs.
• The methodologies helping manage the IAF cannot be capped or standardized by way of their specification in the standards, therefore, the methodologies specified under Standard 9.3 need to be referred to as minimum desired.

DOMAIN-V: PERFORMING INTERNAL AUDIT SERVICES:

• Standards 14.2 (Analyses and Potential Engagement Findings), 14.3 (Evaluation of Findings) encroach upon the free-thinking ability of the CAE by specifying how the work should be performed and findings extracted.
• Furthermore, it has been suggested that gathering evidence for advisory services might not be required since it is an advisory service, which is a wrong approach since it precludes an auditor from finding deficiencies or sub-optimal approach that need to be improved in case of advisory engagements as well.
• Standard 15.1 (Final Engagement Communication) does not specify that internal audit findings that need to be communicated should be prioritized in accordance with their materiality ascertained from an objective and approved rating framework.
• Standard 15.1 also requires Recognition of positive aspects identified during audit engagement, which should not be done. The principle for reporting should be exception reporting only in both the assurance and advisory findings, since recognition of areas where no deficiencies have been reported might confuse the users and might be perceived as absolute assurance giving absolute confidence about future as well.
• There’s nothing on specifying management’s responsibility of provision of evidence, the limitations of evidence and that an internal audit engagement does not provide absolute assurance, in the final engagement communication.

This analysis of the IIA’s GIAS is still not an elaborate account of all changes made and it will take some time to examine and practically experience all the new standards. However, the analysis above is incredibly significant and thought provoking for the internal audit profession. Unfortunately, therefore the GIAS do not seem to be a step forward!

Examples of evidence of conformance are however a welcome addition! So, cheers there.