EXPOSURE DRAFT SURVEY QUESTIONS


1. MISSION OF INTERNAL AUDITING

1.1 To what extent do you support the addition of a Mission of Internal Auditing to the IPPF?

Very useful in selling IA to the wider community.

1.2 To what extent do you agree that the proposed Mission of Internal Auditing captures what internal audit strives and/or aspires to accomplish in organizations?

In addition to capturing what internal audit strives and/or aspires to accomplish, a good mission statement should also encapsulate:
- Why IA is essential to stakeholders
- Why IA is not like other functions such as external audit and risk management.

I don't think it achieves these aims because it does not clearly highlight those aims which only IA has. This may arise because the mission statement has been based on the final paragraph of the interpretation to the Standards paragraph.

What is different about IA that should be included in the mission statement?
- IA assesses all risk management processes by objective testing
- IA provides an opinion on the effectiveness of these processes
- IA provides this opinion without fear or favour. It is independent.

I'd like to concentrate on the word 'assurance' and distinguish it from 'opinion'. Take an illustration: the organisation is in a hole. To provide assurance IA says, 'Don't worry; we'll soon have you out of there'. To provide value IA says:
- 'Our tests have shown the hole is 6 foot deep and is in danger of collapsing' (objective, reliable opinion)
- 'Here's a spade to help you dig yourself out' (advice)
- 'You're in a hole, stop digging downwards' (insight)

While I can appreciate that the ultimate mission is for IA to be able to say, 'Don't worry', I think the mission statement has to be realistic and relevant. Hence I would replace the word 'assurance' with 'opinion', which is used in Standard 2410.A1: 'Final communication of engagement results must, where appropriate, contain the internal auditors' opinion and/or conclusions'.

I think the word 'opinion' has the sense of positive action about it, while 'assurance' gives the impression of comforting words. Whether the word 'assurance' or 'opinion' is used, it begs the question, 'On what?' I think the answer to that question needs to be, 'on whether the responses to risks reduce their threat to below the level set by the organisation'. I've shortened this to 'adequacy of risk management'. I've also replaced the word 'reliable', which could apply to any function, with 'independent', which is an important distinguishing factor for internal audit. My suggestion for the Mission is therefore:

To enhance and protect organizational value by providing stakeholders with independent, objective opinions, advice and insight on the adequacy of all risk management.

2. CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

2.1 To what extent do you support adding Core Principles for the Professional Practice of Internal Auditing as an element of the IPPF?

Essential to define the foundations of the standards.

2.2 Do you agree with the three input-related Principles as proposed?

Please see my comments under section 7, and the e-mail sent to IIA-Exposure@theiia.org, for a full explanation. I believe the "input related" principles would be better considered as "auditor" related, while the true "input related" core principles are actually the risks of the organisation, since the mission statement refers to 'risk based'. I have replaced "input" with "planning" since it is more meaningful. Thus my suggestions are:

Auditors
1 Auditors have all the necessary personal qualities, skills and independence to obtain and analyse data in order to present objective, reliable opinions (1,2,3,11,12)
2 Auditors communicate with stakeholders during all audit processes to understand their expectations (9)
3 All available resources are used and managed to report opinions when required (8)
(Numbers in brackets refer to the RTF core principles, where they exist)

Planning
4 IA is aligned strategically with the aims and goals of the organisation (5)
5 IA verifies that the organisation has a complete list of risks which is constantly updated
6 Audit work is planned using a complete list of the organisation's objectives and risks

2.3 Do you agree with the six process-related Principles as proposed?

Please see my comments under section 7, and the e-mail sent to IIA-Exposure@theiia.org, for a full explanation. I have replaced "process related" with "verification".

Verification
7 IA has the authority to obtain any data which is required to support an opinion (4)
8 IA has the resources necessary to carry out the agreed plan (6)
9 All audit work and opinions comply with appropriate standards
10 Audit work is subject to quality control checks to ensure it complies with standards. These include feedback from stakeholders (7)

2.4 Do you agree with the three output-related Principles as proposed?

Please see my comments under section 7, and the e-mail sent to IIA-Exposure@theiia.org, for a full explanation. I have replaced "output" with "reporting".

Reporting
11 Opinions are concise, understandable and supported by appropriate data (10)
12 Opinions are addressed to those responsible for implementing the responses

13 Opinions (or a summary) are sent to stakeholders, who will ensure appropriate responses are put in place and report externally, as required
14 Follow-up work is carried out to ensure responses to risks have been implemented

2.5 Do you agree with the order of the 12 Principles as proposed?

Please see my comments under section 7, and the e-mail sent to IIA-Exposure@theiia.org, for a full explanation.

2.6 To what extent do you agree with the view that all Principles must be present and operating effectively for an internal audit function to be considered effective?

None

2.7 Do you agree that the Principles, if adopted, would require guidance to help demonstrate to practitioners what the Principles might look like in practice?

Definitely not. The Standards should provide the practical guidance.

3. IMPLEMENTATION GUIDANCE & SUPPLEMENTAL GUIDANCE

3.1 To what extent do you support the restructure of guidance elements from Practice Advisories to a more comprehensive layer entitled Implementation Guidance as part of the framework?

None

3.2 To what extent do you support the restructure of guidance elements from Practice Guides to Supplemental Guidance as part of the framework?

None

4. ADDRESSING EMERGING ISSUES

4.1 To what extent do you support the introduction of a new IPPF element to address emerging issues?

None

4.2 To what extent do you agree that Emerging Issues Guidance, due to its quicker development process, should be less authoritative than Supplemental Guidance as part of the framework?

None.

5. POSITION PAPERS

5.1 To what extent do you support the deletion of Position Papers as an element of the IPPF?

None

6. REQUIRED AND RECOMMENDED

6.1 To what extent do you support revision of the words Mandatory and Strongly Recommended to Required and Recommended, respectively?

None

7. SUMMARY OF THE ELEMENTS OF THE PROPOSED REVISED IPPF

7.1 Overall, to what extent do you support the changes regarding the IPPF as detailed on the previous page?

I support the introduction of a mission statement and principles. However, I do not consider the wording of these sufficiently distinguishes internal auditing from similar functions like Risk Management or Compliance and have made suggestions to emphasise the differences.

I believe that there has been a fundamental weakness in the way that the changes have been made to the IPPF. The usual method of defining standards is to decide on an objective (mission statement), set down a framework within which the objective is to be achieved (core principles) and define the tasks necessary to deliver the objective (standards). However, the decision by the RTF to retain the standards without any changes means that this process is turned on its head, which compromises the mission statement and principles, which have to be consistent with the standards.

There is also a need to distinguish internal auditing as a tool from internal auditing as a function/department within an organisation. The tool (for example a saw) remains the same, whereas the function will change depending on the requirements of the organisation (for example, the saw can be used to cut firewood or cut the frame for a house). However, some of the core principles relate to the internal audit function, not the tool of internal auditing (for example principle 7). There is also no 'audit trail' showing how the principles were derived from the mission statement.

So I considered how best to check that the principles were complete, and came to the conclusion that principles are similar to high level internal controls in that they are intended to ensure delivery of the objective (mission statement). So what are the risks to the objective that give rise to these internal controls? I believe the risks in the table below are those threatening the objective. The required responses to those risks can then be used as the basis for core principles. In drawing up these risks and responses I used:
1. The RTF principles
2. The PwC report, '2014 state of the internal audit profession'
3. 'Mind the gap' article by Anton van Wyk on the Ia online website (

Risks, impact and responses (principles), with RTF references

Risk 1: The opinions provided by IA are incomplete
Impact: If the audit plan is not based on all risks threatening the organisation's objectives, the opinions expressed from the audits will be incomplete and therefore not 'enhance and protect organizational value'

Risk 2: Data obtained to verify whether the response to the risk is adequate is wrong or insufficient
Impact: The opinion will be incomplete or incorrect

Risk 3: The data is correct but the opinion is not properly based on it, for example, making unjustifiable assumptions or not highlighting all the implications of the data found
Impact: The opinion will not be supported by the data, or will be incomplete

Risk 4: The opinion is delivered at an inappropriate time
Impact: No time to implement suitable responses and prevent possible losses

Risk 5: The opinion is not understood
Impact: Management do not initiate appropriate responses

Risk 6: The opinion does not result in appropriate responses
Impact: The responses required to bring those risks found to be above the risk appetite are not implemented promptly

Risk 7: The opinion is based on procedures which do not follow organisational, professional, national or international standards
Impact: Possible action by regulators. Poor quality of work.

Risk 8: Responses to risks are inadequate
Impact: Losses occur because management have not identified all risks above their risk appetite and taken appropriate responses

Responses (Principles)
1 IA is aligned strategically with the aims and goals of the organisation (tool - planning)
2 IA verifies that the organisation has a complete list of risks (tool - planning)
3 IA has the authority to verify that the responses to all these risks are adequate (tool - verification)
4 Audit work is planned using a complete list of the organisation's objectives and the risks which threaten them (tool - planning)
5 Audit work planned is fully discussed with stakeholders (tool - planning)
6 The organisation continually watches for new risks and changing priorities and audit plans are changed where necessary (tool - planning)
7 Use auditors who have all the necessary personal qualities and skills to obtain data which will support a reliable opinion (auditors)
8 Give necessary authority to auditors to obtain data which will support an opinion (tool - verification)
9 Obtain comprehensive data, including that from outside the organisation, and use modern technology and data interpretation techniques (tool - verification)
10 Use auditors who have all the necessary personal qualities and skills to draw objective conclusions based on all the data (auditors)
11 Use auditors who are not susceptible to demands that opinions are changed so that they do not properly reflect the data from the audit (auditors)
12 Employ adequate resources (tool - verification) RTF ,2,
13 Use resources efficiently (tool - verification) RTF 6
14 Opinions are written in clear jargon-free language (tool - reporting) RTF 9
15 Opinions are discussed fully with those directly responsible for implementing responses (auditors) RTF 9
16 Opinions are addressed to those directly responsible for implementing the responses (tool - reporting) RTF 10
17 Opinions (or a summary) are sent to stakeholders, who will ensure appropriate responses are put in place (tool - reporting)
18 Follow-up work is carried out to ensure responses to risks have been implemented (tool - reporting)
19 All audit work and opinions comply with appropriate standards (tool - verification)
20 Audit work is subject to quality control checks to ensure it complies with standards. These include feedback from stakeholders (tool - verification)
21 Summarised audit opinions sent to those responsible for governance, giving an overall conclusion on the adequacy of responses to risks (tool - reporting)

The responses above naturally fall into two categories:
1. Principles relating to internal audit as a tool. These can be sub-divided into planning, verification and reporting, which I believe to be more relevant than input, processing and output as used by the RTF. These principles are expanded by the Standards.
2. Principles relating to those using the tool, who I have referred to as 'auditors'. They will include permanent members of the internal audit function, including the CAE, plus others from the organisation, or external firms, brought in to use their specialist expertise. These principles are expanded by the Code of Conduct.

Taking the principles above, I have merged some and matched them with the RTF core principles in the table below. The numbers in brackets correspond to the numbers in the table above. The main changes are as follows:
- A separate category for the personal qualities and skills of auditors, considered by the RTF as input. While they are an input, I believe this term is confusing, since these qualities apply throughout the audit. I have included core principles 11 and 12 in this category, since they relate to the personal skills of the auditor and not the tool of internal audit.
- The need to have a risk based audit plan is included. Despite the inclusion of 'risk based' in the mission statement, only core principle 6 gives a passing mention to them. Yet risks are the real input into the audit process and my section 'Tool - planning' is based on them.
- The need for internal audits to comply with standards is included.
- Follow-up work to ensure responses to risks required by the audit is included.
- Principles relating to the opinions from audits are included under Tool - reporting. It is really only these which distinguish internal audit from risk management.

RTF principle / Proposed principle

RTF (Not included): 1. Demonstrates uncompromised integrity; 2. Displays objectivity in mindset and approach; 3. Demonstrates commitment to competence; 11. Is insightful, proactive, and future-focused; 12. Promotes positive change
Proposed, Auditors: 1 Auditors have all the necessary personal qualities, skills and independence to obtain and analyse data in order to present objective, reliable opinions (7,10,11)

RTF 9. Communicates effectively
Proposed: 2 Auditors communicate with stakeholders during all audit processes to understand their expectations (5,15)

RTF 8. Achieves efficiency and effectiveness in delivery
Proposed: 3 All available resources are used and managed to report opinions when required (13)

RTF Input 5. Aligns strategically with the aims and goals of the enterprise (is included in process but must be the basis of IA work)
Proposed, Tool - planning: 4 IA is aligned strategically with the aims and goals of the organisation (1)

RTF Process (no matching principle)
Proposed: 5 IA verifies that the organisation has a complete list of risks which is constantly updated (2,6); 6 Audit work is planned using a complete list of the organisation's objectives and risks (4)

RTF 4. Is appropriately positioned within the organization with sufficient organizational authority
Proposed, Tool - verification: 7 IA has the authority to obtain any data which is required to support an opinion (3,8)

RTF 5. (Moved to input)

RTF 6. Has adequate resources to effectively address significant risks
Proposed: 8 IA has the resources necessary to carry out the agreed plan (12)

Proposed (no matching RTF principle): 9 All audit work and opinions comply with appropriate standards (19)

RTF 7. Demonstrates quality and continuous improvement
Proposed: 10 Audit work is subject to quality control checks to ensure it complies with standards. These include feedback from stakeholders (20)

RTF 8. (Moved to Auditors)
RTF 9. (Moved to Auditors)

RTF Output 10. Provides reliable assurance to those charged with governance
Proposed, Tool - reporting: 11 Opinions are concise, understandable and supported by appropriate data (9,14)

RTF 11. (Moved to Auditors)
RTF 12. (Moved to Auditors)

Proposed (no matching RTF principle): 12 Opinions are addressed to those responsible for implementing the responses (16); 13 Opinions (or a summary) are sent to stakeholders, who will ensure appropriate responses are put in place and report externally, as required (17,21); 14 Follow-up work is carried out to ensure responses to risks have been implemented (18)

In order to ensure the core principles deliver the mission they need to be matched:

'To enhance and protect organizational value'
- 4 IA is aligned strategically with the aims and goals of the organisation
- 14 Follow-up work is carried out to ensure responses to risks have been implemented

'by providing stakeholders'
- 2 Auditors communicate with stakeholders during all audit processes to understand their expectations
- 10 Audit work is subject to quality control checks to ensure it complies with standards. These include feedback from stakeholders
- 13 Opinions (or a summary) are sent to stakeholders, who will ensure appropriate responses are put in place and report externally, as required

'with independent, objective opinions, advice and insight'
- 1 Auditors have all the necessary personal qualities, skills and independence to obtain and analyse data in order to present objective, reliable opinions
- 3 All available resources are used and managed to report opinions when required
- 7 IA has the authority to obtain any data which is required to support an opinion
- 9 All audit work and opinions comply with appropriate standards
- 11 Opinions are concise, understandable and supported by appropriate data
- 12 Opinions are addressed to those responsible for implementing the responses

'on the adequacy of all risk management'
- 5 IA verifies that the organisation has a complete list of risks which is constantly updated
- 6 Audit work is planned using a complete list of the organisation's objectives and risks
- 8 IA has the resources necessary to carry out the agreed plan

Once the core principles are defined, the Standards required to deliver the mission within these principles can then be specified. So, while I generally support the changes, I think there are serious omissions. I believe that the RTF has also failed to address the main issue, that of updating the standards for auditors and the tool of internal auditing to enable the function of internal audit to become that of 'trusted advisor'.

7.2 To what extent do you agree that the pictorial representation adequately depicts the hierarchy and interrelationships of each element of the new proposed IPPF?

4 None

7.3 To what extent do you agree that the pictorial representation of the proposed new IPPF is visually appealing?

3 None