The “internal audit” versus “external audit” in details
LTE_IIA Prof Stds 2009
1. • Background - IIA New or Changed Professional Standards
o Consequences of Non-Compliance
o New IIA Standards
o Changed IIA Standards
• ESI IA's Current Practices vs. New/Changed IIA Standards
2. Background - IIA New or Changed Professional Standards
Effective January 1, 2009, the Institute of Internal Auditors (IIA) made changes to
the Internal Standards for the Professional Practice of Internal Auditing
(Standards)
were previously part of the Practice Advisories
1 Source: 5/21/09 Protiviti Presentation, "Changes in the IIA Standards: New Requirements for Internal Audit Functions"
3. Consequences of Non-Compliance
1) Any company listed on the New York Stock Exchange (NYSE) must have an
internal audit function.
Since the IIA is the global leader for the profession (including promulgation of
guidelines and leading practices for IA functions), NYSE-listed companies that
are not in compliance with the Standards could be out of compliance with the
NYSE requirements.
2) Higher likelihood that the external auditor will discount/dismiss IA's work to
support the attestation of the year-end financial statements and financial
reporting internal controls - resulting in more time required by the external
auditor to perform the attestation and higher audit fees.
3) Less than optimal effectiveness of the IA activity - particularly in areas of fraud
risk assessment and management.
2 Source: September 2009 Protiviti, "Changes to the IIA Standards: What Board Members and Executive Management Need to Know"
4. New IIA Standards:
1010: The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards, with senior management and the board.
1111: The chief audit executive must communicate and interact directly with the board.
2110.A2: The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
2120.A2: The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2120.C3: When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
2430: Internal auditors may report that their engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing", only if the results of the quality assurance and improvement program support the statement.
5. Changed IIA Standards:
1000, 1000.A1 & 1000.C1: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
The nature of the assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.
The nature of consulting services must be defined in the internal audit charter.
1312: External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board: the need for more frequent external assessments; and the qualifications and independence of the external reviewer or review team, including any potential conflict of interest.
1320: The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
1220.A2: In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.
6. Changed IIA Standards:
2020: The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
2110.A1: The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
2330.A2: The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These record retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
1110 & 1110.A1: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.
7. ESI IA's Current Practices vs. New/Changed IIA Standards
(Initial Gaps Only):
1 | 1000 & 1010 | Purpose, Authority, and Responsibility; Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the IA Charter | While the December 2006 IA Charter mentions Code of Ethics, it does not appear to cite the IIA Standards. | Revised/included in IA Charter and approved by Audit Cmte. in 2009.
2 | 1220.A2 | Due Professional Care - Consideration of Use of Computer-Aided Audit Techniques (CAAT) | CAATs have been [...] on audits. | Step #11 added to [...]. ACL training ongoing. Long-term - consider implementation of continuous monitoring/auditing.
3 | 2120.A2 | Fraud Risk Management | At the engagement level, a fraud brainstorming memo is required to be completed. | Added inquiry of potential/actual fraud to opening meeting agenda template.
8. ESI IA's Current Practices vs. New/Changed IIA Standards
(Initial Gaps Only):
9. ESI IA's Current Practices vs. New/Changed IIA Standards
(Initial Gaps Only):