"This set of changes will help practitioners better serve their stakeholders, interpret the guidance and conform to the standards that are critical to the internal audit profession,” says Andrew J. Dahle, CIA, chair of The IIA’s Internal Audit Standards Board (IASB).
Of the revisions, three new standards were added, 15 were changed, and two were completely deleted. Six definitions in the glossary were also revised: “Add Value;” “Chief Audit Executive;” “Control Environment;” “Independence;” “Information Technology Governance;” and “Objectivity.” Among the most significant changes are those related to internal auditors expressing opinions, and the declaration of organisational responsibility when service providers are used.
The IIA recognizes that it is necessary and appropriate for organisations to obtain support from external service providers particularly when additional resources or specialty expertise is needed. However, the new Standard 2070 – External Service Provider and organisational Responsibility for Internal Auditing – explains that when an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organisation has the responsibility for maintaining an effective internal audit activity. This responsibility should be demonstrated through the organisation’s quality assurance and improvement program which assesses conformance with the standards.
“This standard was added because it is important for organisations to recognize that while they may have an external service provider perform the internal auditing, the overall responsibility for internal auditing still remains with the organisation,” explains Dahle.
The new revisions also clarify what is required if internal auditors express overall opinions on the organisation, as well as on an individual internal audit engagement. New Standards 2010.A2 and 2450, as well as revised Standard 2410.A1, along with related Interpretations, explain that opinions, conclusions or ratings must take into account the expectations of senior management, the board, and other stakeholders, and must be supported by sufficient, reliable, relevant, and useful information.
“Internal auditors must be responsive to key stakeholder expectations, and must make sure they have done sufficient work to justify any opinions and conclusions being given,” explains Dahle. “If overall opinions are being issued, it is important that internal auditors be transparent in how they reach them and what the opinion covers. This is done by providing specific information such as the time period to which the opinion pertains; audit scope limitations; considerations such as the reliance on other assurance providers; the risk or control framework or other criteria used as the basis for the opinion; and the reasons for any unfavorable opinion.”
MORE ARTICLES ON AUDITING