Transcript Slide 1

Development of internal audit standards, topics discussed in the IASB, and other current topics in internal auditing.
Thursday 17 February 2011
NIRF member meeting
by
Trygve Sørlie - Audit Director at Gjensidige
Why Performance Standards Matter
• Peace of mind for stakeholders and confidence they’re getting a quality product
• They are the bar that every auditor should comply with
• They lay the ground work, but are not the ultimate goal
• Broad perspective on what you’re supposed to be doing
• Help audit to be viewed as adding value
• Help improve the dialogue about the department
Trygve Sørlie
Maximizing IA Performance – IPPF
2
Standards are Critical
• Delineate basic principles that represent the practice of internal auditing
• Framework for performing and promoting a broad range of value-added internal auditing
• Establish the basis for the evaluation of internal audit performance
• Foster improved organizational processes and operations
www.theiia.org
3
Two Questions
Are you just now receiving
your first exposure to the Standards?
Would you say that your organization has
implemented most or all of the Standards?
4
Understanding the IPPF
International Professional Practices Framework
Issued January 2009 and updated January 2011
5
AUTHORITATIVE Guidance
Authoritative =
• Mandatory
• Strongly recommended (non mandatory)
6
IPPF Elements and Definitions
Definition: Statement of fundamental purpose, nature, and scope of internal auditing.
Code of Ethics: Statement of principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. Description of minimum requirements for conduct. Describes behavioral expectations rather than specific activities.
International Standards: Mandatory requirements consisting of:
• Statements of basic requirements for professional practice of internal auditing and for evaluating effectiveness of its performance, which are internationally applicable at organizational and individual levels. Principle-focused and provide a framework for performing and promoting internal auditing. Includes Attribute, Performance and Implementation Standards.
• Interpretations, which clarify terms or concepts within the Statements.
Consider both Statements and Interpretations to understand and apply correctly.
Position Papers: IIA statement to assist a wide range of interested parties, including those not in internal auditing profession, in understanding significant governance, risk or control issues and delineating related roles and responsibilities of internal auditing.
Practice Advisories: Address approach, methodology and considerations, but NOT detailed processes and procedures. Concise and timely guidance to assist internal auditors in applying Code of Ethics and Standards and promoting good practices. Includes practices relating to: international, country, or industry specific issues; specific types of engagements; and legal or regulatory issues.
Practice Guides: Detailed guidance for conducting internal audit activities. Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.
7
Overview of the IIA Standards
Attribute Standards:
• Purpose, Authority and Responsibility (1000)
• Independence and Objectivity (1100)
• Proficiency and Due Professional Care (1200)
• Quality Assurance and Compliance (1300)
Performance Standards:
• Managing the Internal Auditing Activity (2000)
• Nature of Work (2100)
• Engagement Planning (2200)
• Performing the Engagement (2300)
• Communicating Results (2400)
• Monitoring Progress (2500)
• Resolution of Management’s Acceptance of Risks (2600)
8
Standards
Semantic
Must and Should
• In the previous version, the Standards used “Should” throughout, with “Should” defined in the Glossary as:
  – The use of the word “Should” in the Standards represents a mandatory obligation.
• All “Should” have been replaced by “Must” except in the following five Standards:
  – Standard 1010
  – Standard 2050
  – Standard 2130.A2, 2130.A3
  – Standard 2220.A2
9
Standards
Semantic
• Must
  – The Standards use the word “Must” to specify an unconditional requirement
• Should
  – The Standards use the word “Should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation
10
Position Papers
• Two position papers
  – The role of Internal Auditing in Enterprise Risk Management
  – The role of Internal Auditing in resourcing the internal audit activity
11
Practice Advisories
(new since last IPPF)
PA 2050-2: Assurance Maps (July 2009)
PA 2050-3: Relying on the Work of Other Assurance Providers (October, 2010)
PA 2060-1: Reporting to Senior Management and the Board (May, 2010)
PA 2110-1: Governance: Definition (April, 2010)
PA 2110-2: Governance: Relationship With Risk and Control (April, 2010)
PA 2110-3: Governance: Assessments (April, 2010)
PA 2120-2: Managing the Risk of the Internal Audit Activity (April 2009)
PA 2200-2: Using a Top-down, Risk-based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement (April, 2010)
PA 2300-1: Use of Personal Information in Conducting Engagements (May, 2010)
PA 2320-1: Analytical Procedures (May, 2010)
PA 2330.A1-2: Granting Access to Engagement Records (May, 2010)
PA 2400-1: Legal Considerations in Communicating Results (May, 2010)
PA 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command (May, 2010)
PA 2440.A2-1: Communications Outside the Organization (May, 2010)
12
Practice Guides
PG title (release date):
• Assessing the Adequacy of Risk Management (Dec. 2010)
• Measuring Internal Audit Effectiveness and Efficiency (Dec. 2010)
• CAEs - Appointment, Performance Evaluation and Termination (May 2010)
• Auditing Executive Compensation and Benefits (April 2010)
• Evaluating Corporate Social Responsibility/Sustainable Development (Feb. 2010)
• Formulating and Expressing Internal Audit Opinions (April 2009)
• Auditing External Business Relationships (May 2009)
• Internal Auditing and Fraud (Dec. 2009)
13
Practice Guides
• 15 Global Technology Audit Guides (GTAGs)
• Guide to the Assessment of IT Risk (GAIT)
• Additional guides will be issued regularly
14
Practice Guides
GTAG-1: Information Technology Controls
GTAG-2: Change and Patch Management Controls: Critical for Organizational Success
GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
GTAG-4: Management of IT Auditing
GTAG-5: Managing and Auditing Privacy Risks
GTAG-6: Managing and Auditing IT Vulnerabilities
GTAG-7: Information Technology Outsourcing
GTAG-8: Auditing Application Controls
GTAG-9: Identity and Access Management
GTAG-10: Business Continuity Management
GTAG-11: Developing the IT Audit Plan
GTAG-12: Auditing IT Projects
GTAG-13: Fraud Prevention and Detection in an Automated World
GTAG-14: Auditing User-developed Applications
GTAG-15: Information Security Governance
15
What’s New?
IIA Standards Revisions
Effective January 1, 2011
16
Why Change?
• The Standards must remain current, relevant, and timely
for the profession
• The IPPF process requires that all guidance be reviewed at
least once every three years
• Ongoing changes are a key component of the continued
development of the IPPF issued in January 2009
17
The Internal Audit Standards Board
(15 of 20 members at mid-year 2010)
18
Standards Exposure Process
• The 90-day public exposure period:
  – February 15 to May 14, 2010
  – 1,350 responses globally from individuals and 29 from organizations
• The Internal Audit Standards Board (IASB) analyzed the results of the exposure and determined the disposition of comments.
• The IASB approved the final release of new/revised Standards at the June 2010 meetings.
• The Ethics Committee reviewed the final Standards to ensure their consistency with Code of Ethics.
• IPPF Oversight Council review of the process
• The new/revised Standards were released October 19, 2010.
• The new/revised Standards will be effective January 1, 2011.
19
Global Body to Oversee Development of Internal Audit Standards
November 22, 2010
The Institute of Internal Auditors (IIA) announces the formation of the IPPF Oversight Council. This new body will begin by overseeing the process for developing authoritative guidance within the International Professional Practices Framework (IPPF) for internal audit professionals around the world. The Oversight Council will evaluate and advise the IIA Global Board of Directors on the rigor of The IIA’s standard-setting processes.
“Stakeholders are demanding that standard setters are subject to oversight,” said IPPF Oversight Council Chairman and IFAC Executive Director of Professional Standards Jim Sylph. “The IIA is to be congratulated on setting up this Oversight Council. It is, indeed, an honor and a privilege to lead this body as it begins its critical role of enhancing the credibility of the IPPF standard setting processes.”
Organizations represented on the Oversight Council include the International Federation of Accountants (IFAC), the International Organization of Supreme Audit Institutions (INTOSAI), the World Bank, the Organization for Economic Cooperation and Development (OECD), and the National Association of Corporate Directors (NACD). Also serving on the Council are the chairman emeritus of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and a former chairman of The IIA Global Board of Directors.
“Guided by its collective commitment to inclusiveness, transparency, diligence, timeliness, and other principles that will generate the confidence of all internal audit stakeholders, the Council will provide ongoing assurance that The IIA’s standards are of the highest caliber and are properly responsive to the public interest,” said IIA Global Chairman of the Board Günther Meggeneder, CIA. “This ensures there’s due diligence in place for our standard-setting process, and is a major milestone for internal auditing becoming universally recognized as a profession.”
The Council’s oversight role will layer additional rigor on top of The IIA’s existing standard-setting process, which includes the active involvement of five IIA international entities: Advanced Technology Committee, Committee on Quality, Ethics Committee, Internal Audit Standards Board, and Professional Issues Committee. As such, the Council will evaluate the due-process procedures for setting standards and guidance; review the charters of The IIA committees listed above; make recommendations for process improvement to The IIA Board of Directors; and communicate in The IIA annual report on the adequacy and transparency of the due process employed for standard-setting.
“Clearly, the Council’s oversight role is not a one-time commitment,” said Sylph. “To ensure practitioners in the internal audit profession stay abreast of the most effective, efficient, and ethical ways of doing business, The IIA must continuously deliver and update timely and relevant standards.”
2
[Process diagram: Initiation, Development, Public Exposure, Review & Approval, Issuance]
21
Summary of Changes
• 3 new Standards
• 15 changes to existing Standards
• 2 deletions of the existing Standards
• 6 changes to existing Glossary terms
26 changes in total
22
Summary of Changes – Topics
• Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110)
• Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321)
• Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450)
• Clarify Risk Management Coverage by Internal Audit (2120)
• Revise Definition of “Add Value” (2000 and Glossary)
• Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070)
• Enhance and Clarify Other Standards and Glossary Terms (throughout)
23
Standard 1000 – Change Interpretation
1000 – Purpose, Authority, and Responsibility
Interpretation:
The Internal Audit Charter is a formal document that defines the internal
audit activity's purpose, authority, and responsibility. The internal audit
charter establishes the internal audit activity's position within the
organization, including the nature of the chief audit executive’s functional
reporting relationship with the board; authorizes access to records,
personnel, and physical properties relevant to the performance of
engagements; and, defines the scope of internal audit activities. Final
approval of the Internal Audit Charter resides with the board.
Exposure Results: Yes: 93.1%, No: 4.8%, No Opinion: 2.1%
Standards Board Decision: Adopt the exposed change
24
Standard 1100 – New Interpretation
1110 – Organizational Independence
Interpretation:
Organizational independence is effectively achieved when the chief audit executive
reports functionally to the board. Examples of functional reporting to the board involve
the board:
• Approving the internal audit charter;
• Approving the risk based internal audit plan;
• Receiving communications from the chief audit executive on the internal audit
activity’s performance relative to its plan and other matters;
• Approving decisions regarding the appointment and removal of the chief audit
executive; and,
• Making appropriate inquiries of management and the chief audit executive to
determine whether there are inappropriate scope or resource limitations.
Exposure Results: Yes: 88.7%, No: 8.3%, No Opinion: 3.0%
Standards Board Decision: Adopt the exposed change
25
Standard 1312 – Change Interpretation
1312 – External Assessments
Interpretation:
A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal
auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a
judgment that considers the professional internal audit experience and professional credentials of the individuals
selected to perform the review. The evaluation of qualifications also considers the size and complexity of the
organizations that the reviewers have been associated with in relation to the organization for which the internal audit
activity is being assessed, as well as the need for particular sector, industry, or technical knowledge.
A qualified reviewer or review team demonstrates competence in two areas: the professional
practice of internal auditing and the external assessment process. Competence can be
demonstrated through a mixture of experience and theoretical learning. Experience gained in
organizations of similar size, complexity, sector or industry, and technical issues is more
valuable than less relevant experience. In the case of a review team, not all members of the
team need to have all the competencies; it is the team as a whole that is qualified. The chief
audit executive uses professional judgment when assessing whether a reviewer or review team
demonstrates sufficient competence to be qualified.
An independent reviewer or review team means not having either a real or an apparent
conflict of interest and not being a part of, or under the control of, the organization to
which the internal audit activity belongs.
Exposure Results: Yes: 84.1%, No: 9.3%, No Opinion: 6.6%
Standards Board Decision: Modify the exposed change
26
Standard 1321 – New Interpretation
1321 – Use of “Conforms with the International Standards for the
Professional Practice of Internal Auditing”
Interpretation:
The internal audit activity conforms with the Standards when it achieves the
outcomes described in the Definition of Internal Auditing, Code of Ethics, and
Standards.
The results of the quality assurance and improvement program include the
results of both internal and external assessments. All internal audit activities
will have the results of internal assessments. Internal audit activities in
existence for at least five years will also have the results of external
assessments.
Exposure Results: Yes: 72.1%, No: 15.4%, No Opinion: 12.5%
Standards Board Decision: Adopt the exposed change
27
Standard 2000 – Change Interpretation
2000 – Managing the Internal Audit Activity
Interpretation:
The internal audit activity is effectively managed when:
• The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter;
• The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and
• The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.
The internal audit activity adds value to the organization (and its stakeholders) when it
provides objective and relevant assurance, and contributes to the effectiveness and
efficiency of governance, risk management, and control processes.
Exposure Results: Yes: 87.6%, No: 9.5%, No Opinion: 2.9%
Standards Board Decision: Adopt the exposed change
28
Change to the IIA Standards' definition of “Add Value” from 1 January 2010
Old definition of “Add Value”:
Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.
Previously, the focus was that value was tied to delivering improvements.
New definition of “Add Value”:
The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.
The focus now is that value is tied to providing objective and relevant assurance.
29
VALUE PROPOSITION OF INTERNAL AUDITING FOR KEY STAKEHOLDERS
Internal Auditing: Assurance ▪ Insight ▪ Objectivity
GOVERNING BODIES AND SENIOR MANAGEMENT RELY ON INTERNAL AUDITING FOR OBJECTIVE ASSURANCE AND INSIGHT ON THE EFFECTIVENESS AND EFFICIENCY OF GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROL PROCESSES.
• Assurance that the organization is operating as management intends.
• Insight for improving controls, processes, procedures, performance, and risk management; and for reducing expenses, enhancing revenues, and
• Objective assessments.
VALUE PROPOSITION OF INTERNAL AUDITING FOR KEY STAKEHOLDERS
• Internal Auditing provides assurance on the organization’s governance, risk management and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.
• Internal Auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.
• With commitment to integrity and accountability, Internal Auditing provides value to governing bodies and senior management as an independent source of objective advice.
The effect of an area's degree of maturity and how it affects internal audit's delivery
It is important that internal audit's success is not inversely proportional to how mature the area is or how good management's governance and control are.
[Figure: horizontal axis Maturity (low maturity, medium maturity, high maturity); vertical scale 0% to 100%; two curves: internal audit's contribution to improving the effectiveness and efficiency of governance, risk management and internal control, and the amount of assurance given by internal audit]
• Low maturity: no assurance, many critical issues and recommendations
• Medium maturity: some assurance, many recommendations
• High maturity: gives positive assurance, no or few recommendations
Internal audit's contribution to improving the effectiveness and efficiency of governance, risk management and internal control is inversely proportional to how mature the area being assessed is.
32
Trygve Sørlie, 17 February 2011
NEW Standard 2010.A2
2010.A2 – The chief audit executive must identify and
consider the expectations of senior management, the
board, and other stakeholders for internal audit opinions
and other conclusions.
Exposure Results: Yes: 72.0%, No: 21.0%, No Opinion: 6.9%
Standards Board Decision: Modify the exposed change
33
NEW Standard 2070
2070 – External Service Provider and Organizational
Responsibility for Internal Auditing
When an external service provider serves as the internal audit activity,
the provider must make the organization aware that the organization
has the responsibility for maintaining an effective internal audit activity.
Interpretation
This responsibility is demonstrated through the quality assurance and
improvement program which assesses conformance with the Definition
of Internal Auditing, the Code of Ethics, and the Standards.
Exposure Results: Yes: 73.0%, No: 15.7%, No Opinion: 11.2%
Standards Board Decision: Modify the exposed change
34
Change Standard 2110.C1
2110.C1 2210.C2 – Consulting engagement objectives must
be consistent with the overall organization's values,
strategies, and objectives goals of the organization.
2210.C2 – Consulting engagement objectives must be
consistent with the organization's values, strategies,
and objectives.
Exposure Results: Yes: 91.0%, No: 3.6%, No Opinion: 5.4%
Standards Board Decision: Adopt the exposed change
35
Standard 2120 – Change Interpretation
2120 – Risk Management
Interpretation:
Determining whether risk management processes are effective is a judgment resulting
from the internal auditor’s assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s
risk appetite; and
• Relevant risk information is captured and communicated in a timely manner
across the organization, enabling staff, management, and the board to carry out
their responsibilities.
The internal audit activity may gather the information to support this assessment during
multiple engagements. The results of these engagements, when viewed together, provide
an understanding of the organization’s risk management processes and their
effectiveness.
Exposure Results: Yes: 86.4%, No: 8.9%, No Opinion: 4.7%
Standards Board Decision: Modify the exposed change
36
Change Standard 2120.A1
2120.A1 – The internal audit activity must evaluate risk exposures
relating to the organization's governance, operations, and information
systems regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.
Exposure Results: Yes: 91.4%, No: 5.9%, No Opinion: 2.6%
Standards Board Decision: Adopt the exposed change
37
Change Standard 2130.A1
2130.A1 – The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the
organization’s governance, operations, and information systems
regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.
Exposure Results: Yes: 91.8%, No: 5.5%, No Opinion: 2.6%
Standards Board Decision: Adopt the exposed change
38
Delete Standard 2130.A2
2130.A2
Internal auditors should ascertain the extent to which
operating and program goals and objectives have been
established and conform to those of the organization.
[Now in Standards 2120.A1 and 2130.A1.]
Exposure Results: Yes: 89.9%, No: 5.4%, No Opinion: 4.7%
Standards Board Decision: Adopt the exposed change
39
Delete Standard 2130.A3
2130.A3
Internal auditors should review operations and programs
to ascertain the extent to which results are consistent with
established goals and objectives to determine whether
operations and programs are being implemented or
performed as intended.
[Now in Standards 2120.A1 and 2130.A1.]
Exposure Results: Yes: 90.2%, No: 5.4%, No Opinion: 4.4%
Standards Board Decision: Adopt the exposed change
40
Change Standard 2410.A1
2410.A1 - Final communication of engagement results must, where appropriate,
contain the internal auditors’ overall opinion and/or conclusions. When issued, an
opinion or conclusion must take account of the expectations of senior
management, the board, and other stakeholders and must be supported by
sufficient, reliable, relevant, and useful information.
Interpretation:
Opinions at the engagement level may be ratings, conclusions, or other
descriptions of the results. Such an engagement may be in relation to controls
around a specific process, risk, or business unit. The formulation of such
opinions requires consideration of the engagement results and their significance.
Exposure Results: Yes: 81.4%, No: 13.6%, No Opinion: 5.0%
Standards Board Decision: Modify the exposed change
41
NEW Standard 2450
2450 – Overall Opinions
When an overall opinion is issued, it must take into account the expectations of senior
management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.
Interpretation:
The communication will identify:
• The scope, including the time period to which the opinion pertains;
• Scope limitations;
• Consideration of all related projects including the reliance on other assurance
providers;
• The risk or control framework or other criteria used as a basis for the overall
opinion; and
• The overall opinion, judgment, or conclusion reached.
The reasons for an unfavorable overall opinion must be stated.
Exposure Results: Yes: 74.9%, No: 19.9%, No Opinion: 5.1%
Standards Board Decision: Modify the exposed change
42
Change Definition - Add Value
Add Value
Value is provided by improving opportunities to achieve organizational
objectives, identifying operational improvement, and/or reducing risk exposure
through both assurance and consulting services.
The internal audit activity adds value to the organization (and its stakeholders)
when it provides objective and relevant assurance, and contributes to the
effectiveness and efficiency of governance, risk management, and control
processes.
Exposure Results: Yes: 86.2%, No: 11.0%, No Opinion: 2.8%
Standards Board Decision: Modify the exposed change
43
Change Definition - Chief Audit Executive
Chief Audit Executive
Chief audit executive is a senior position within the organization responsible for internal audit activities.
Normally, this would be the internal audit director. In the case where internal audit activities are
obtained from external service providers, the chief audit executive is the person responsible for
overseeing the service contract and the overall quality assurance of these activities, reporting to senior
management and the board regarding internal audit activities, and follow-up of engagement results.
The term also includes titles such as general auditor, head of internal audit, chief internal auditor, and
inspector general.
Chief audit executive describes a person in a senior position responsible for effectively
managing the internal audit activity in accordance with the internal audit charter and the
Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit
executive or others reporting to the chief audit executive will have appropriate
professional certifications and qualifications. The specific job title of the chief audit
executive may vary across organizations.
Exposure Results: Yes: 67.5%, No: 29.0%, No Opinion: 3.5%
Standards Board Decision: Modify the exposed change
44
Change Definition - Independence
Independence
The freedom from conditions that threaten objectivity or the
appearance of objectivity. Such threats to objectivity must be
managed at the individual auditor, engagement, functional, and
organizational levels.
The freedom from conditions that threaten the ability of the internal
audit activity to carry out internal audit responsibilities in an unbiased
manner.
Exposure Results: Yes: 84.0%, No: 12.6%, No Opinion: 3.5%
Standards Board Decision: Modify the exposed change
45
Other Changes
• 1100 – Independence and Objectivity
• 2110.A2
• 2130.C1: Renumbered as 2220.C2
• 2130.C2: Renumbered as 2130.C1
• 2400 – Communicating Results
• Control Environment
• Information Technology Governance
• Objectivity
46
Summary of Changes – Topics
• Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110)
• Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321)
• Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450)
• Clarify Risk Management Coverage by Internal Audit (2120)
• Revise Definition of “Add Value” (2000 and Glossary)
• Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070)
• Enhance and Clarify Other Standards and Glossary Terms (throughout)
47
Get the Standards - www.theiia.org/standards
International Standards for the Professional Practice of Internal Auditing (Standards)
Conformance with the Standards is required and essential for the professional practice of internal auditing.
49
2010 Global Standards Survey
Total number of responses: 1338
Summary of Results
Are IIA Standards Minimal vs Aspirational (1)
– Current: Minimal 70%, Aspirational 30%
– Should be: Minimal 69%, Aspirational 31%
Observations:
– Current and Should be are very similar.
– 1300 and 2600 are seen as most Aspirational. Only 3% want each of these to be more Minimal
Rules based vs Principles based (2)
• Principles based Overall 85%, should be 85%
• Rules based Overall 15%, should be 15%
• Observations
– No significant difference
Separate Standards for Individuals
• Roughly the same number disagree (41%) as agree (44%) that there should be separate Standards that apply specifically to Individuals vs internal audit functions.
Standards Changes (4 and 5)
FREQUENCY
• 55% say Standards changes up to 1/year are currently at the appropriate frequency
• 5% say they should change more frequently
• 40% say they should change less frequently
EXPOSURE PERIOD
• 78% say exposure period is appropriate.
• 6% say too long, 16% say too short.
Where are More or Less Standards Needed? (6)
• All areas got 75% or more saying that no change is needed.
• Overall, 9% want more standards, 8% want less.
• The areas where most change is desired are:
– 1300 (13% want more, 11% want less)
– 2600 (13% want more, 6% want less)
Conformance (7)
• 70% say they generally conform. 22% partial, 3% do not, 4% don’t know
• There may be bias in the sample, in that those most focused on Standards were more likely to respond.
• The areas of lowest conformance are:
– 1300 (50%)
– 2600 (59%)
Why don’t you conform? (8)
• Compliance not supported by management or the Board: 41%
• Not perceived as adding value: 39%
• Inadequate IA staff: 33%
• Small organizations: 31%
Overall Opinions
• 46% claim to provide overall opinions already. Of those:
– 89% do on defined scopes
– 81% operational, 79% compliance, 71% financial reporting, 65% risk management, 60% governance and 47% strategic
– This does not seem to make sense
• 37% disagree on mandating overall opinions, 47% agree on mandating overall opinions
Engagement Opinions
• 67% provide opinions for engagements (positive, negative or ratings)
• Percentages by area are similar to overall opinions – not sure it makes sense
• 33% disagree with mandating engagement opinions, 54% agree with mandating engagement opinions
The development of auditing
Internal auditing is a consequence-driven discipline: what is done and how it is carried out depend on the conditions under which it is performed and what the purpose is. (Knut Løken)
• Pre-industrial period: balance-sheet-, asset- and voucher-based auditing
• Industrial period: system-based auditing
• Post-industrial period: process-based auditing, risk-based auditing and, in the future, assurance-based/purpose-based auditing?
60
The opinion/assurance continuum
[Figure: a continuum running from 0% confidence to 100% confidence, divided into Low Assurance, Medium Assurance and High Assurance. Scales: amount of comfort/confidence, and amount of uncertainty (possibility of drawing the wrong conclusion). Opinion types along the continuum: Disclaim an opinion, Negative Assurance, Positive Assurance. Marked point: 95% confidence/comfort, where the auditor draws the wrong conclusion 5 out of a hundred times.]
61
Materiality levels vary for the different levels of the organization and must be understood and communicated when an opinion/assurance is issued/given on a macro or micro level.
How high up in the organization should internal audit focus its attention?
• Macro level: high materiality level – the issue or amount has to be rather significant or high to be considered material at this level
• Medium materiality level
• Micro level: low materiality level – a relatively small issue or amount is considered material at this level
62
Does internal audit focus on “the Real Risk” when it prepares a risk-based annual plan?
Key Imperatives for the Coming Decade:
Fully Embrace a Risk-Centric Strategy
Focusing on the “Real Risks”
• Strategic & Business 60%
• Operational 20%
• Financial 15%
• Compliance 5%
From Richard F. Chambers' presentation to the Milwaukee Chapter, 7 Sept. 2010.
See page 27: http://www.nirf.org/_upl/internal_auditing_2011_trends_challenges_outlook.pdf
63
Will internal audit's focus change?
[Two diagrams, labelled NOW? and FUTURE?, each showing the same three layers:]
• Assurance related to strategy and M&A
• Assurance related to governance and risk management
• Assurance related to processes and operational management and control
64
QUESTIONS
65