Home > Risk > Poll is now closed. 118 have now voted!

Poll is now closed. 118 have now voted!

May 1, 2023 Leave a comment Go to comments

The poll is closed and I will share the final results in a separate post.

As a reminder, the stated purpose of the Standards (according to the draft) is:

The Global Internal Audit Standards provide requirements and recommendations to guide the professional practice of quality internal auditing globally. The Standards also establish a basis for evaluating the performance of internal audit services.

X

Q1: Do you agree with the stated purpose of the IIA’s Standards?

ANSWER CHOICES

RESPONSES
Yes

46.15%

54
No

53.85%

63
TOTAL

117

X

Q2: The Standards should “provide requirements and recommendations to guide the professional practice of quality internal auditing globally.”  Does the draft describe quality internal auditing?

ANSWER CHOICES RESPONSES
They describe in full what is required for high quality internal auditing

5.08%

6
They describe, with minor exceptions, what is required

15.25%

18
They describe some of the requirements, but there are a few serious omissions or errors

59.32%

70
They do not describe what is needed

20.34%

24
TOTAL

118

X

Q3: Should the draft be approved?

ANSWER CHOICES RESPONSES
Yes, with perhaps a few minor changes

5.93%

7
Yes, after some edits of significance

17.80%

21
No. The issues merit significant change and a reissue of the draft

66.10%

78
No. The Standards should not be changed at this time

10.17%

12
TOTAL

118

X

Q4: What is the most significant issue of concern? Add others in the comments area.

Note that the Responses do not include the points made by those who responded with Other.

ANSWER CHOICES RESPONSES
None of the above

1.69%

2
Improved focus on risk-based auditing

6.78%

8
Less “must”. It’s too rules-based

33.05%

39
Use the Core Principles rather than those in the draft

1.69%

2
Change the Purpose statement

3.39%

4
Separate what must be done (standards) from how it should be done (framework)

24.58%

29
It’s too long

3.39%

4
Other (see below)

25.42%

30
TOTAL 118

Other comments on this question:

  • All of the above (five people)
  • All of the above – especially a focus on Enterprise Risks – risk-based auditing
  • Aside ensuring an improved focus on risk based auditing, the use of “must” in the standard especially with regards to board oversight should be reviewed. The code of ethics now ethics and professionalism should be a separate element of the global audit standards for ease of reference. Some core principles deleted/merged in the proposed standards should be maintained as they are of significant benefits to the performance of internal auditing.
  • It will not improve the value (I.e. output) of IA services in the eyes of our key stakeholders, nor move the profession forward
  • Too much must – not all IA shops are the same and ultimately need to fit in with what their stakeholders require so structuring to avoid IPP vs stakeholder conflict would be sensible; trying to overreach (IIA has no jurisdiction over the Board); too long – show the “black letter” vs the guidance more clearly
  • Separate out board / audit committee requirements beyond scope of CAE
  • It is too long to be meaningfully understood and applied consistently- even by a large mature IA function. The whole set has become too proscribed “must” vs “should” and takes away the professional judgement of the CAE for what it the best fit for their organization and culture. As currently written, the draft supports that there is o my one way to be “effective” when that is clearly not the case in current practice. It seems to ignore the 3Lines Model altogether.
  • Requirements do not distinguish between Assurance, Building and Consulting Engagements
  • The whole thing is a mess. It looks as if it’s been written by well intended amateurs and needs a wholesale review and rewrite.
  • 1) too rigid & rules-based, especially when IA are trying to be agile, risk based & provide value added advisory services. 2) for different contextual needs, maturity & culture of each organization, auditors should discern the best approach. While we employ systematic & disciplined approaches, there are many subjective & judgmental elements as well. The wisdom to know the differences & approach is important as there is no one size fits all. The standards should rise above to describe principles and what ‘good looks like’ instead of prescriptive & detailed methods. CAEs / IA Managers would have the maturity to lead & coach their junior auditors on the details, according to the different org needs. Ultimately, we want to protect our companies by partnering & collaborating with Management, as trusted advisors, without compromising our independence, objectivity, and moral courage.
  • Board mandated requirements. The IIA has no authority to impose requirements upon the Board.
  • Treatment of advisory services equal to assurance engagements reducing agility and value to be provided.
  • The Purpose Statement seems to me somewhat general (too broad) and it does not consider ethics as a part of the purpose. Besides, as a core domain how is possible that do not have a requirement and implementation section?
  • Needs more on risk-based audit, small audit function, need to cover the minimum requirements when the company is in law maturity, more investing in advisory engagements. Ethics should not be standards. weak relation between conformance and quality.
  • Cost/benefit analysis of the changes to improve the professionalism of the profession.
  • It is likely to make the profession less attractive to join / stay. With less auditors standards don’t even matter. Its also far too long and there is no requirement to innovate or modernise. More of the same will lead to less and less relevance. Are IA being consulted on AI governance or any emerging risk areas as risk management experts – No, a sign of irrelevance.
  • Audit can be a core business partner, contributing to strategy from a risk management perspective. Is this risk management? Yes, but it goes beyond that, the opportunity being risk management and strategy integration.
  • Governance bodies roles
  • 1) remove requirements over people and things IA cannot control (Board); 2) more on performance and value; 3) Advisory: a) IA should be able to initiate, and b) provide standards and guidance throughout; 4) Leverage three lines model, including reliance (or not) on 2LOD audits.
  • It sets out requirements for audit committees who are not IIA members or internal auditors
  • Too focused on big departments; unrealistic musts like an ann’l review of the charter by the Audit Committee.
  • Following rules does not establish Effectiveness of Assurance, rules are not even a proxy for effectiveness
  • Absence of how you determine the link between organisational success and failure and IA role .. weak on emphasizing the 3Lines
  • Use the Core Principles; Change the Purpose; too prescriptive
  • It’s a solution in search of a problem
  • I would choose 1, 2 and 5 and 6
  • The proposed standards will be detrimental to the charity sector, where resource is very scarce, and the emphasis on extensive box ticking and compliance to ‘musts’ is at odds with charities’ public benefit objectives.

X

Your thoughts are welcome – and please add your voice to the poll if you haven’t already.