650 likes | 817 Views
Utvikling av internrevisjonsstandarder , temaer som diskuteres i IASB samt andre aktuelle temaer innenfor intern revisjon. Torsdag 17. februar 2011 Medlemsmøte i NIRF av Trygve Sørlie - Revisjonsdirektør i Gjensidige av Trygve Sørlie - Revisjonsdirektør i Gjensidige.
E N D
Utvikling av internrevisjonsstandarder, temaer som diskuteres i IASB samt andre aktuelle temaer innenfor intern revisjon. Torsdag 17. februar 2011 Medlemsmøte i NIRF av Trygve Sørlie - Revisjonsdirektør i Gjensidige av Trygve Sørlie - Revisjonsdirektør i Gjensidige
Peace of mind for stakeholders and confidence they’re getting a quality product They are the bar that every auditor should comply with They lay the ground work, but are not the ultimate goal Broad perspective on what you’re supposed to be doing Help audit to be viewed as adding value Help improve the dialogue about the department Why Performance Standards Matter
Standards are Critical • Delineate basic principles that represent the practice of internal auditing • Framework for performing and promoting a broad range of value-added internal auditing • Establish the basis for the evaluation of internal audit performance • Foster improved organizational processes and operations 3
Two Questions Are you just now receiving your first exposure to the Standards? ? Would you say that your organization has implemented most or all of the Standards? ? 4
Understanding the IPPF International Professional Practices Framework Issued January 2009 and updated January 2011 5
AUTHORITATIVE Guidance Mandatory Non mandatory Strongly recommended Authoritative= 6
Elements Definition Definition Statement of fundamental purpose, nature, and scope of internal auditing. Code of Ethics Statement of principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. Description of minimum requirements for conduct. Describes behavioral expectations rather than specific activities. International Standards Mandatory requirements consisting of: • Statements of basic requirements for professional practice of internal auditing and for evaluating effectiveness of its performance, which are internationally applicable at organizational and individual levels. Principle-focused and provide a framework for performing and promoting internal auditing. Includes Attribute, Performance and Implementation Standards. • Interpretations, which clarify terms or concepts within the Statements. • Consider both Statements and Interpretations to understand and apply correctly. Position Papers IIA statement to assist a wide range of interested parties, including those not in internal auditing profession, in understanding significant governance, risk or control issues and delineating related roles and responsibilities of internal auditing. Practice Advisories Address approach, methodology and considerations, but NOT detailed processes and procedures. Concise and timely guidance to assist internal auditors in applying Code of Ethics and Standards and promoting good practices. Includes practices relating to: international, country, or industry specific issues; specific types of engagements; and legal or regulatory issues. Practice Guides Detailed guidance for conducting internal audit activities. Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables. IPPF
Overview of the IIA Standards Attribute Standards: • Purpose, Authority and Responsibility….…………….(1000) • Independence and Objectivity…………………………(1100) • Proficiency and Due Professional Care………………(1200) • Quality Assurance and Compliance…………………..(1300) Performance Standards: • Managing the Internal Auditing Activity………..…….(2000) • Nature of Work.……………………………………..….(2100) • Engagement Planning……………………………....…(2200) • Performing the Engagement………………………….(2300) • Communicating Results…………………………….....(2400) • Monitoring Progress…………………………………...(2500) • Resolution of Management’s Acceptance of Risks...(2600) 8
Standards Semantic • Must and Should • Previous version, Standards were using “Should” throughout with the definition in the Glossary of “Should” being: • The use of the word “Should” in the Standards represents a mandatory obligation. • All “Should” have been replaced by “Must” except in the following five Standards: • Standard 1010, • Standard 2050, • Standard 2130.A2, 2130.A3 • Standard 2220.A2
Standards Semantic • Must • The Standards use the word “Must” to specify an unconditional requirement • Should • The Standards use the word “Should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation
Position Papers • Two position papers • The role of Internal Auditing in Enterprise Risk Management • The role on Internal Auditing in resourcing the internal audit activity
Practice Advisories (new since last IPPF) • PA 2050-2: Assurance Maps (July 2009) • PA 2050-3 Relying on the Work of Other Assurance Providers (October, 2010) • PA 2060-1: Reporting to Senior Management and the Board (May, 2010) • PA 2110-1: Governance: Definition (April, 2010) • PA 2110-2: Governance: Relationship With Risk and Control (April, 2010) • PA 2110-3: Governance: Assessments (April, 2010) • PA 2120-2: Managing the Risk of the Internal Audit Activity (April 2009) • PA 2200-2: Using a Top-down, Risk-based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement (April, 2010) • PA 2300-1: Use of Personal Information in Conducting Engagements (May, 2010) • PA 2320-1: Analytical Procedures (May, 2010) • PA 2330.A1-2: Granting Access to Engagement Records (May, 2010) • PA 2400-1: Legal Considerations in Communicating Results (May, 2010) • PA 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command (May, 2010) • PA 2440.A2-1: Communications Outside the Organization (May, 2010)
Practice Guides • 15 Global Technology Audit Guides (GTAGs) • Guide to the Assessment of IT Risk (GAIT) • Additional guides will be issued regularly
Practice Guides GTAG-1: Information Technology Controls GTAG-2: Change and Patch Management Controls: Critical for Organizational Success GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment GTAG-4: Management of IT Auditing GTAG-5: Managing and Auditing Privacy Risks GTAG-6: Managing and Auditing IT Vulnerabilities GTAG-7: Information Technology Outsourcing GTAG-8: Auditing Application Controls GTAG-9: Identity and Access Management GTAG-10: Business Continuity Management GTAG-11: Developing the IT Audit Plan GTAG-12: Auditing IT Projects GTAG-13: Fraud Prevention and Detection in an Automated World GTAG-14: Auditing User-developed Applications GTAG-15: Information Security Governance
What’s New? IIA Standards Revisions Effective January 1, 2011 16
Why Change? The Standards must remain current, relevant, and timely for the profession The IPPF process requires that all guidance be reviewed at least once every three years Ongoing changes are a key component of the continued development of the IPPF issued in January 2009 17
The Internal Audit Standards Board(15 of 20 members at mid-year 2010) 18
The 90 days public exposure period: February 15 to May 14, 2010 1,350 responses globally from individuals and 29 from organizations The Internal Audit Standards Board (IASB) analyzed the results of the exposure and determined the disposition of comments. The IASB approved the final release of new/revised Standards at the June 2010 meetings. The Ethics Committee reviewed the final Standards to ensure their consistency with Code of Ethics. IPPF Oversight Council review of the process The new/revised Standards were released October 19, 2010. The new/revised Standards will be effective January 1, 2011. Standards Exposure Process 19
Global Body to Oversee Development of Internal Audit Standards • November 22, 2010 • The Institute of Internal Auditors (IIA) announces the formation of the IPPF Oversight Council. This new body will begin by overseeing the process for developing authoritative guidance within the International Professional Practices Framework (IPPF) for internal audit professionals around the world. The Oversight Council will evaluate and advise the IIA Global Board of Directors on the rigor of The IIA’s standard- setting processes. • “Stakeholders are demanding that standard setters are subject to oversight,” said IPPF Oversight Council Chairman and IFAC Executive Director of Professional Standards Jim Sylph. “The IIA is to be congratulated on setting up this Oversight Council. It is, indeed, an honor and a privilege to lead this body as it begins its critical role of enhancing the credibility of the IPPF standard setting processes.” • Organizations represented on the Oversight Council include the International Federation of Accountants (IFAC), the International Organization of SupremeAudit Institutions (INTOSAI), the World Bank, the Organization for Economic Cooperation and Development (OECD), and the National Association of Corporate Directors (NACD). Also serving on the Council are the chairman emeritus of the Committee of Sponsoring Organization of the Treadway Commission (COSO) and a former chairman of The IIA Global Board of Directors. • “Guided by its collective commitment to inclusiveness, transparency, diligence, timeliness, and other principles that will generate the confidence of all internal audit stakeholders, the Council will provide ongoing assurance that The IIA’s standards are of the highest caliber and are properly responsive to the public interest,” said IIA Global Chairman of the Board GüntherMeggeneder, CIA. “This ensures there’s due diligence in place for our standard-setting process, and is major milestone for internal auditing becoming universally recognized as a profession.” • The Council’s oversight role will layer additional rigor on top of The IIA’s existing standard-setting process, which includes the active involvement of five IIA international entities: Advanced Technology Committee, Committee on Quality, Ethics Committee, Internal Audit Standards Board, and Professional Issues Committee. As such, the Council will evaluate the due-process procedures for setting standards and guidance; review the charters of The IIA committees listed above; make recommendations for process improvement to The IIA Board of Directors; and communicate in The IIA annual report on the adequacy and transparency of the due process employed for standard- setting. • “Clearly, the Council’s oversight role is not a one-time commitment,” said Sylph. “To ensure practitioners in the internal audit profession stay abreast of the most effective, efficient, and ethical ways of doing business, The IIA must continuously deliver and update timely and relevant standards.”
Initiation Development Public Exposure Review & Approval 21 Issuance
Summary of Changes 3 new Standards 15 changes to existing Standards 2 deletions of the existing Standards 6 changes to existing Glossary terms 26 changes in total 22
Summary of Changes – Topics Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110) Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321) Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450) Clarify Risk Management Coverage by Internal Audit (2120) Revise Definition of “Add Value” (2000 and Glossary) Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070) Enhance and Clarify Other Standards and Glossary Terms (throughout) 23
1000 – Purpose, Authority, and Responsibility Interpretation: The Internal Audit Charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and, defines the scope of internal audit activities. Final approval of the Internal Audit Charter resides with the board. Standard 1000 – Change Interpretation Exposure Results: Yes: 93.1%, No: 4.8%, No Opinion: 2.1% Standards Board Decision: Adopt the exposed change 24
1110 – Organizational Independence Interpretation:Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board: Approving the internal audit charter; Approving the risk based internal audit plan; Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters; Approving decisions regarding the appointment and removal of the chief audit executive; and, Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations. Standard 1100 – New Interpretation Exposure Results: Yes: 88.7%, No: 8.3%, No Opinion: 3.0% Standards Board Decision: Adopt the exposed change 25
Standard 1312 – Change Interpretation 1312 – External Assessments Interpretation: A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge. • A qualified reviewer or review team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of a review team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether a reviewer or review team demonstrates sufficient competence to be qualified. An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. Exposure Results: Yes: 84.1%, No: 9.3%, No Opinion: 6.6% Standards Board Decision: Modify the exposed change 26
Standard 1321 – New Interpretation 1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” Interpretation:The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments. Exposure Results: Yes: 72.1%, No: 15.4%, No Opinion: 12.5% Standards Board Decision: Adopt the exposed change 27
Standard 2000 – Change Interpretation • 2000 – Managing the Internal Audit Activity • Interpretation: • The internal audit activity is effectively managed when: • The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter; • The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and • The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards. • The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Exposure Results: Yes: 87.6%, No: 9.5%, No Opinion: 2.9% Standards Board Decision: Adopt the exposed change 28
Endring av IIA standardens definisjon av å “tilføre merverdi/Add Value” fra 1. januar 2010 Fokus tidligere var på at verdien var knyttet til å levere forbedringer • Gammeldefinisjonav å “tilføremerverdi”: • Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services. • Merverdi skapes ved å forbedre mulighetene for at organisasjonen når sine målsetninger, identifisere driftsmessige forbedringer og/eller redusere risikoeksponering både gjennom bekreftelses- og rådgivningstjenester. Ny definisjon av å “tilføremerverdi”: The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and controlprocesses. ”Internrevisjonentilfører merverdi til organisasjonen (og dens interessenter) når den gir objektiv og relevant bekreftelse og bidrar til hensiktsmessige og effektive prosesser for governance, risikostyring og kontroll.” . Fokus nå er at verdien er knyttet til å gi objektiv og relevant bekreftelse/”assurance”
VALUE PROPOSITION OF INTERNAL AUDITING FOR KEY STAKEHOLDERS Governing bodies and senior management rely on Internal Auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management and internal control processes. Internal Auditing: Assurance ▪ Insight ▪ Objectivity Assurance that the organization is operating as management intends. Insight for improving controls, processes, procedures, performance, and risk management; and for reducing expenses, enhancing revenues, and improving profits. Objective assessments.
VALUE PROPOSITION OF INTERNAL AUDITING FOR KEY STAKEHOLDERS Internal Auditing provides assurance on the organization’s governance, risk management and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives. Internal Auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, Internal Auditing provides value to governing bodies and senior management as an independent source of objective advice.
100% Modenhet 0%Modenhet Effekten av områdets grad av modenhet og hvordan det påvirker internrevisjonens leveranse Det er viktig at det ikke er slik at internrevisjonens suksess er omvent proposjonal med hvor moden området er eller hvor god styring og kontroll ledelsen har. Høy modenhet Medium modenhet Lav modenhet Internrevisjonens bidrag til å forbedre hensiktsmessigheten og effektiviteten av virksomhetsstyringen, risikostyringen ogden interne kontrollen Mengden “assurance”/bekreftelse som gis fra internrevisjonen Gir positiv assurance – ingen eller få anbefalinger Ingen assurance - mange kritiske forhold og anbefalinger Noe assurance - mange anbefalinger Internrevisjonens bidrag til å forbedre hensiktsmessigheten og effektiviteten av virksomhetsstyringen, risikostyringen og den interne kontrollen er omvent proporsjonalt med hvor moden det området som vurderes er. Trygve Sørlie, 17. februar 2011
NEW Standard 2010.A2 2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions. Exposure Results: Yes: 72.0%, No: 21.0%, No Opinion: 6.9% Standards Board Decision: Modify the exposed change 33
NEW Standard 2070 2070 – External Service Provider and Organizational Responsibility for Internal Auditing When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity. Interpretation This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Exposure Results: Yes: 73.0%, No: 15.7%, No Opinion: 11.2% Standards Board Decision: Modify the exposed change 34
2110.C12210.C2 – Consulting engagement objectives must be consistent with the overallorganization's values, strategies, and objectives goals of the organization. Change Standard 2110.C1 • 2210.C2 – Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives. Exposure Results: Yes: 91.0%, No: 3.6%, No Opinion: 5.4% Standards Board Decision: Adopt the exposed change 35
Standard 2120 – Change Interpretation • 2120 – Risk Management Interpretation:Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that: • Organizational objectives support and align with the organization’s mission; • Significant risks are identified and assessed; • Appropriate risk responses are selected that align risks with the organization’s risk appetite; and • Relevant risk information is captured and communicated in a timely manneracross the organization, enabling staff, management, and the board to carry out their responsibilities. The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness. Exposure Results: Yes: 86.4%, No: 8.9%, No Opinion: 4.7% Standards Board Decision: Modify the exposed change 36
Change Standard 2120.A1 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations and programs; • Safeguarding of assets; and • Compliance with laws, regulations, policies, procedures, and contracts. Exposure Results: Yes: 91.4%, No: 5.9%, No Opinion: 2.6% Standards Board Decision: Adopt the exposed change 37
Change Standard 2130.A1 2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations and programs; • Safeguarding of assets; and • Compliance with laws, regulations, policies, procedures, and contracts. Exposure Results: Yes: 91.8%, No: 5.5%, No Opinion: 2.6% Standards Board Decision: Adopt the exposed change 38
Delete Standard 2130.A2 2130.A2 Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.[Now in Standards 2120.A1 and 2130.A1.] Exposure Results: Yes: 89.9%, No: 5.4%, No Opinion: 4.7% Standards Board Decision: Adopt the exposed change 39
2130.A3 Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.[Now in Standards 2120.A1 and 2130.A1.] Delete Standard 2130.A3 Exposure Results: Yes: 90.2%, No: 5.4%, No Opinion: 4.4% Standards Board Decision: Adopt the exposed change 40
Change Standard 2410.A1 2410.A1- Final communication of engagement results must, where appropriate, contain theinternal auditors’ overallopinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. Interpretation: Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance. Exposure Results: Yes: 81.4%, No: 13.6%, No Opinion: 5.0% Standards Board Decision: Modify the exposed change 41
NEW Standard 2450 2450 – Overall OpinionsWhen an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. Interpretation:The communication will identify: • The scope, including the time period to which the opinion pertains; • Scope limitations; • Consideration of all related projects including the reliance on other assurance providers; • The risk or control framework or other criteria used as a basis for the overall opinion; and • The overall opinion, judgment, or conclusion reached. The reasons for an unfavorable overall opinion must be stated. Exposure Results: Yes: 74.9%, No: 19.9%, No Opinion: 5.1% Standards Board Decision: Modify the exposed change 42
Change Definition • - Add Value Add Value Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services. The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes. Exposure Results: Yes: 86.2%, No: 11.0%, No Opinion: 2.8% Standards Board Decision: Modify the exposed change 43
Change Definition - Chief Audit Executive Chief Audit Executive Chief audit executive is a senior position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from external service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes titles such as general auditor, head of internal audit, chief internal auditor, and inspector general. Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations. Exposure Results:Yes: 67.5%, No: 29.0%, No Opinion: 3.5% Standards Board Decision: Modify the exposed change 44
Change Definition • - Independence Independence The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Exposure Results:Yes: 84.0%, No: 12.6%, No Opinion: 3.5% Standards Board Decision: Modify the exposed change 45
Other Changes 1100 – Independence and Objectivity 2110.A2 2130.C1: Renumbered as 2220.C2 2130.C2: Renumbered as 2130.C1 2400 – Communicating Results Control Environment Information Technology Governance Objectivity 46
Summary of Changes – Topics Define Functional Reporting of Internal Audit to the Board, and Clarify in the Charter (1000, 1110) Clarify when Newer Internal Audit Activities Can State They Conform with Standards (1321) Provide Requirements if Entity Level and Individual Engagement Opinions Are Issued (2010.A2, 2410.A1, 2450) Clarify Risk Management Coverage by Internal Audit (2120) Revise Definition of “Add Value” (2000 and Glossary) Revise Definition of “Chief Audit Executive” (Glossary) and Clarify Responsibilities with External Service Providers (2070) Enhance and Clarify Other Standards and Glossary Terms (throughout) 47
Get the Standards - www.theiia.org/standards International Standards for the Professional Practice of Internal Auditing (Standards) 48
Conformance with the Standards is required and essential for the professional practice of internal auditing. 49
2010 Global Standards Survey Total number of responses: 1338 Summary of Results