March 31, 2008
Open Letter to the Institute of Internal Auditors on Proposed Changes to the International Standards for the Professional Practice of Internal Auditing
On behalf of the Board of Directors of the Association of College and University Auditors (ACUA), I write to express our views on the proposed changes to the International Standards for the Professional Practice of Internal Auditing (the Standards). The Association of College and University Auditors is an international association of approximately 600 internal audit departments at institutions of higher education. Our membership is comprised of a diverse mix, ranging from very large audit departments with many internal auditors on staff to small one-person departments. ACUA has always encouraged our members to comply with the Standards; thus, we welcome the opportunity to provide input into this process. Generally, the Board of Directors is supportive of the proposed changes. Overall, we see many of the proposed changes as either reflective of the natural progression of our profession or modifications that make the standards clearer (e.g., replacing “should” with “must”). Still, we do want to express some specific concerns noted by both our members and board. We have listed our comments following the proposed addition or change.
NEW 1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter - The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.
ACUA Response: ACUA believes there is no value added in requiring discussion of the definition of internal auditing, the Code of Ethics, or the Standards in the internal audit charter. We believe it is sufficient to state in the charter that the internal audit department will meet or exceed the Standards.
NEW 1111 – Direct Interaction with the Board - The chief audit executive must communicate and interact directly with the board.
ACUA Response: ACUA believes that with the diversity of our membership, there will be instances where the Board does not want the audit function reporting directly to them, making it difficult for the chief audit executive (CAE) to comply with Standard 1111. While we acknowledge that such a reporting line is best, frequently this decision will be outside of the CAE’s ability to control or influence. We believe this is a case where the Standards should read “should” rather than “must.”
NEW 1312 – External Assessments - External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:
• The need for more frequent external assessments.
• The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.
ACUA Response: ACUA supports the concept of external assessments; however, we believe The IIA should discontinue performing the “certification services” for a fee. There appears to be a conflict of interest in requiring a practice, and then providing the service that fulfills the requirement.
NEW 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
ACUA Response: ACUA believes that The IIA should provide additional guidance on implementing Standard 2120.A2, such as whether the expectation is an annual evaluation or an evaluation as part of each audit.
NEW 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
ACUA Response: ACUA believes that clarification should be provided as to those activities that the internal auditors must refrain from assuming. For example, if internal auditors provide internal control training to management or staff, are they assuming management responsibility? This standard seems overly vague in what an auditor must avoid.
NEW 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
ACUA Response: ACUA believes that many of its member organizations will not have the resources to fully comply with Standard 2110.A2.
Thank you for the opportunity to provide input into the proposed changes. We appreciate your consideration of our comments and thoughts.
Sincerely,
M. Kevin Robinson, CIA, CFE
ACUA President
