New professional standards tell internal auditors to take measures to safeguard their independence when asked to perform work other than internal audit—and that could become incredibly important this year as companies look for help adopting new accounting standards, like revenue recognition.
The Institute of Internal Auditors took steps in 2016 to update the professional standards that guide internal auditors with changes that are taking effect in 2017. Although not enforceable by any regulatory body, IIA’s professional standards help internal auditors provide the kind of objective assurance companies need to help them remain compliant with a host of regulatory mandates, not the least of which is Sarbanes-Oxley compliance with internal control reporting.
One of the hallmarks of a sound internal audit function is that it remains independent of company management, ideally reporting directly to the audit committee to provide an objective set of eyes and ears on various operations within the company. In heavily regulated industries, like financial services, that’s a common model, says Dawnella Johnson, a partner in risk consulting at Crowe Horwath. “At the biggest banks, it’s very unlikely that the chief audit executive would play any other role,” she says.
According to the IIA’s “three lines of defense” model for managing risks, operational managers have primary responsibility in the first line of defense to guard the organization against risk, while risk management and compliance functions serve as their backstop in the second line of defense. The role of internal audit is to provide independent assurance of the organization’s risk strategy, positioning internal audit as a third line of defense.
Given internal auditors’ expertise in all things risk and control, however, it can be difficult for companies to lay off asking internal audit to help with tasks such as managing risk or designing internal controls to mitigate risk. “There’s a recognition that chief audit executives are subject matter experts in risk management,” says Mark Kultgen, national leader of internal audit and Sarbanes-Oxley services at audit firm RSM. “Married with organizational pressures to do more with less, there comes a point where chief audit executives are asked to perform duties outside of internal audit.”
That prompted the IIA to address in its professional standards how audit executives can take measures to ensure their independence and objectivity are protected, even when they are pulled in on risk management or other consulting jobs. “Our standards are staying current with where practice is evolving,” says Lisa Hirtzinger, vice president on global standards and guidance at the IIA.
The updated standards seek to address situations where audit executives are asked to perform certain risk functions, making them less objective when it comes time to perform an audit of the company’s risk assessment or risk management activities. The standards also address concerns when audit executives are asked to perform consulting roles in any number of areas, impairing their objectivity when later tasked with auditing that area. It puts the auditor in the position of auditing his or her own work, essentially.
The new guidance tells auditors if they can’t mitigate conflicts through staffing—assigning different auditors on audit work than those who provided risk or other consulting services—then they can be forthright and disclose concerns to management and the audit committee. The new guidance explains the kind of communication the chief audit executive should provide to the board of directors and senior management, and it enhances the annual requirement for chief audit executives to report on their quality assurance and improvement programs, as well as their level of conformance with standards.
“It enables auditors to embrace that role of providing objective, independent assurance, but also be a resource within the company because of the knowledge auditors have,” says Brian Christensen, executive vice president of global internal audit at consulting firm Protiviti. “It provides a great opportunity for internal auditors to step up and meet the needs of the world around us.”
The new guidance doesn’t represent a shift in the core principles of good internal audit but it provides good governance practices, says Johnson. “The best organizations are probably doing things like this already, but now the standards say overtly to think this through,” she says.
IIA STANDARDS INTRO
Below is an excerpt from the Introduction to the Standards:
Introduction to the Standards
Internal auditing is conducted in diverse legal and cultural environments; for organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.
The purpose of the Standards is to:
1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards are a set of principles-based, mandatory requirements consisting of:
• Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
• Interpretations clarifying terms or concepts within the Standards.
The Standards, together with the Code of Ethics, encompass all mandatory elements of the International Professional Practices Framework; therefore, conformance with the Code of Ethics and the Standards demonstrates conformance with all mandatory elements of the International Professional Practices Framework.
The Standards employ terms as defined specifically in the Glossary. To understand and apply the Standards correctly, it is necessary to consider the specific meanings from the Glossary.
Source: The IIA
The new guidance enables internal audit to continue to increase the value it can bring to organizations, says Frank Campagna, managing director in risk and advisory services at accounting firm CBIZ. “The value proposition for internal audit is that it’s become a real risk business,” he says. “The best companies that have included risk in decision making have averted risk disasters more than companies that have not.”
The new accounting standard on revenue recognition provides a huge and timely example of where internal auditors are likely to be drawn in to assist with designing new controls that they later might be asked to test. Companies are required to adopt the massive new accounting standard on revenue recognition in 2018, and experts have lamented for months that many companies were moving too slowly through the process of assessing how they will be affected by the standard and preparing to implement it.
Now 2017 will be crunch time for companies to alter their processes and controls to begin producing revenue numbers under the new accounting in time for the start of the 2018 reporting year. It’s likely at least some internal audit functions will play some kind of role to support revenue recognition adoption efforts in some organizations, says Christopher Cimino, a partner in advisory, risk, and compliance at KPMG.
“Revenue recognition starts with the accounting, but it flows through to people, processes, and technology, and internal audit may be participating along the way to provide that real-time point of view,” says Cimino. “Companies are really starting to get moving on revenue recognition, and internal audit often has a seat at the table. If you fast-forward to when new processes and controls are in place, you are going to want to do some evaluation.”
The new standards will not steer internal audit away from having a role in the revenue recognition adoption effort, but will help them do so in a way that will not impair their objectivity or independence. That could prove important when external auditors determine to what extent they will rely on internal audit’s work as they perform their own audit procedures.