PROFESSIONAL GUIDANCE.Consulting Implementation Standards The Internal Auditing Standards Board In the United States, the Auditing Standards Board (ASB) is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attestation, and quality control statements, standards and guidance to certified public (IASB IASB See International Accounting Standards Board (IASB). ) continues to develop the Professional Practices Framework (PPF PPF Plasma protein fraction, see there ) as recommended by the Guidance Task Force. Consistent with the definition of internal auditing and the components of the PPF, Implementation Standards is consulting services Noun 1. consulting service - service provided by a professional advisor (e.g., a lawyer or doctor or CPA etc.) service - work done by one person or group that benefits another; "budget separately for goods and services" have been developed to provide guidance to internal auditors Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. when performing such engagements. The proposed Consulting Implementation Standards represent the next major expansion of the Standards for the Professional Practice of Internal Auditing (Standards) and complement the newly adopted Attribute (1) In relational database management, a field within a record. (2) In object technology, a single element of data. See instance attribute and static attribute. , Performance, and Assurance Implementation Standards. * The IASB is seeking comments on proposed Consulting Implementation Standards, one new Assurance Implementation Standard, and a revision (programming) revision - A release of a piece of software which is not a major release or a bugfix, but only introduces small changes or new features. to the definition of consulting services contained in the glossary A term used by Microsoft Word and adopted by other word processors for the list of shorthand, keyboard macros created by a particular user. See glossaries in this publication and The Computer Glossary. to the Standards. The proposed Implementation Standards and revised definition are reflected in the far right or third column of the following table. The existing Attribute, Perfor mance, and Assurance Implementation Standards, which are effective as of Jan. 1, 2002, are included for reference purposes.
Standards for the Professional Practice of
Internal Auditing
EXISTING ATTRIBUTE EXISTING IMPLEMENTATION
STANDARDS STANDARDS
1000 -- PURPOSE, AUTHORITY, AND
RESPONSIBILITY
The purpose, authority, and
responsibility of the internal
audit activity should be
formally defined in a charter,
consistent with the Standards,
and approved by the board.
1100 -- INDEPENDENCE AND
OBJECTIVITY
The internal audit activity
should be independent,
and internal auditors
should be objective in
performing their work.
1110 -- ORGANIZATIONAL 1110.A1 -- The internal audit
INDEPENDENCE activity should be free from
The chief audit executive interference in determining
should report to a level the scope of internal
within the organization auditing, performing work,
that allows the internal and communicating results.
audit activity to fulfill
its responsibilities.
1120 -- INDIVIDUAL OBJECTIVITY
Internal auditors should have an
impartial, unbiased attitude and
avoid conflicts of interest.
1130 -- IMPAIRMENTS TO 1130.A1 -- Internal auditors
INDEPENDENCE OR OBJECTIVITY should refrain from
If independence or objectivity assessing specific
is impaired in fact or operations for which they
appearance, the details of the were previously responsible.
impairment should be disclosed Objectivity is presumed
to appropriate parties. The to be impaired if an auditor
nature of the disclosure will provides assurance services
depend upon the impairment. for an activity for which the
auditor had responsibility
within the previous year.
1130.A2 -- Assurance
engagements for functions over
which the chief audit executive
has responsibility should be
overseen by a party outside
the internal audit activity.
EXISTING ATTRIBUTE PROPOSED IMPLEMENTATION
STANDARDS STANDARDS
1000 -- PURPOSE, AUTHORITY, AND 1000.A1 -- The nature of
RESPONSIBILITY assurance services provided
The purpose, authority, and to the organization and
responsibility of the internal to third parties should be
audit activity should be defined in the audit charter.
formally defined in a charter, 1000.C1 -- The nature of
consistent with the Standards, consulting services provided
and approved by the board. to the organization and to
third parties should be
defined in the audit charter.
1100 -- INDEPENDENCE AND
OBJECTIVITY
The internal audit activity
should be independent,
and internal auditors
should be objective in
performing their work.
1110 -- ORGANIZATIONAL
INDEPENDENCE
The chief audit executive
should report to a level
within the organization
that allows the internal
audit activity to fulfill
its responsibilities.
1120 -- INDIVIDUAL OBJECTIVITY
Internal auditors should have an
impartial, unbiased attitude and
avoid conflicts of interest.
1130 -- IMPAIRMENTS TO 1130.C1 -- Internal auditors
INDEPENDENCE OR OBJECTIVITY may provide consulting
If independence or objectivity services relating to operations
is impaired in fact or for which they had previous
appearance, the details of the responsibilities. However,
impairment should be disclosed internal auditors should
to appropriate parties. The maintain their objectivity
nature of the disclosure will when drawing conclusions and
depend upon the impairment. providing advice to management.
1130-C2 -- If internal auditors
have impairments to objectivity
relating to proposed consulting
services, disclosure should be
made to the engagement client
prior to accepting the
engagement.
1200 -- PROFICIENCY AND DUE
PROFESSIONAL CARE
Engagements should be
performed with proficiency
and due professional care.
1210 -- PROFICIENCY 1210.A1 -- The chief audit executive
Internal auditors should should obtain competent advice and
possess the knowledge, skills, assistance if the internal audit staff
and other competencies needed lacks the knowledge, skills, or other
to perform their individual competencies needed to perform all or
responsibilities. The internal part of the engagement.
audit activity collectively 1220.A2 -- The internal auditor should
should possess or obtain the have sufficient knowledge to identify
knowledge, skills, and other the indicators of fraud but is not
competencies needed to perform expacted to have the expertise of a
its responsibilities. person whose primary responsibility
is detecting and investigating fraud.
1220 -- DUE PROFESSIONAL CARE 1220.A1 -- The internal auditor should
Internal auditors should exercise due professional cary
apply the care and skill by considering the:
expected of a resonably * Extent of work needed to achieve the
prudent and competent internal engagement's objectives.
auditor. Due professional * Relative complexity, materiality, or
care does not imply significance of matters to which
infallibility. assurance procedures are applied.
* Adequacy and effectiveness of risk
Management, control, and
governance processes.
* Probability of significant errors,
irregularities, or noncompliance.
* Cost of assurance in the relation to
potential benefits.
1220.A2 -- The internal auditor should
be alert to the significant risks that
might - affect objectives, operations,
or resources. However, assurance
procedures alone, even when performed
with due professional care, do not
guarantee that all significant
risks will be identified.
1230 --CONTINUING NO changes.
PROFESSIONAL DEVELOPMENT
1300 -- QUALITY ASSURANCE No changes.
AND IMPROVEMENT PROGRAM
1310 -- QUALITY PROGRAM No changes.
ASSESSMENTS
1311 -- INTERNAL ASSESSMENTS No changes.
1312 -- EXTERNAL ASSESSMENTS No changes.
1320 -- REPORTING ON THE No changes.
QUALITY PROGRAM
1330 -- USE OF No changes.
"CONDUCTED IN ACCORDANCE
WITH THE STANDARDS"
1340 - DISCLOSURE OF No changes.
NONCOMPLIANCE
1200 -- PROFICIENCY AND DUE
PROFESSIONAL CARE
Engagements should be
performed with proficiency
and due professional care.
1210 -- PROFICIENCY 1210.C1 -- The chief audit exuctive
Internal auditors should should decline the consulting
possess the knowledge, skills, engagement or obtain competent
and other competencies needed advice and assistance if the
to perform their individual internal audit staff lacks the
responsibilities. The internal knowledge, skills, or other
audit activity collectively competencies needed to perform
should possess or obtain the all or part of the engagement.
knowledge, skills, and other
competencies needed to perform
its responsibilities.
1220 -- DUE PROFESSIONAL CARE 1220.C1 -- The internal auditor
Internal auditors should should exercise due professional
apply the care and skill care during a consulting
expected of a resonably engagement by considering the:
prudent and competent internal * Needs and expectations of engagement
auditor. Due professional clients, including the nature,
care does not imply timing, and communication
infallibility. of engagement results.
* Relative complexity and extent of
work needed to achieve the
engagement's objectives.
* Cost of the consulting engagement in
relation to potential benefits.
1230 --CONTINUING None.
PROFESSIONAL DEVELOPMENT
1300 -- QUALITY ASSURANCE None.
AND IMPROVEMENT PROGRAM
1310 -- QUALITY PROGRAM None.
ASSESSMENTS
1311 -- INTERNAL ASSESSMENTS None.
1312 -- EXTERNAL ASSESSMENTS None.
1320 -- REPORTING ON THE None.
QUALITY PROGRAM
1330 -- USE OF None.
"CONDUCTED IN ACCORDANCE
WITH THE STANDARDS"
1340 - DISCLOSURE OF None.
NONCOMPLIANCE
Existing Performance Standards
EXISTING ATTRIBUTE EXISTING IMPLEMENTATION
STANDARDS STANDARDS
2000 -- MANAGING THE INTERNAL
AUDIT ACTIVITY
The chief audit executive should
effectively manage the internal
audit activity to ensure it
adds value to the organization.
2010 -- PLANNING 2010.A1 -- The internal audit
The chief audit executive activity's plan of engagements
should establish risk-based should be based on a risk
plans to determine the assessment, undertaken at least
priorities of the internal audit annually. The input of senior
activity, consistent with the management and the board should
organizations's goals. be considered in this process.
EXISTING ATTRIBUTE PROPOSED IMPLEMENTATION
STANDARDS STANDARDS
2000 -- MANAGING THE INTERNAL
AUDIT ACTIVITY
The chief audit executive should
effectively manage the internal
audit activity to ensure it
adds value to the organization.
2010 -- PLANNING 2010.C1 -- The internal audit
The chief audit executive activity's plan of engagements
should establish risk-based should include anticipated
plans to determine the consulting engagements.
priorities of the internal audit 2010.C2 -- The chief audit
activity, consistent with the executive should consider
organizations's goals. proposed consulting
engagements based
on the engagement's
potential to add value,
mitigate risk, and improve
the organization's operations.
2020 - COMMUNICATION AND No changes.
APPROVAL
2030 - RESOURCE MANAGEMENT No changes.
2040 - POLICIES AND No changes.
PROCEDURES
2050 - COORDINATION No changes.
2060 - REPORTING TO THE No changes.
BOARD AND
SENIOR MANAGEMENT
2100 - NATURE OF WORK
The internal audit activity
evaluates and contributes
to the improvements of risk
management, control, and
governance systems.
2110.A1 - The internal audit
2110 - RISK MANAGEMENT should monitor and evaluate the
The internal audit activity effectiveness of the organization's
should assist the organization risk management system.
identifying and evaluating 2110.A2 - The internal audit
significant exposures to activity should evaluate risk
risk and contributing to the exposures relating to the
improvement of risk management organization' governance, operations,
and control systems. and information systems regarding the:
* Reliability and integrity of
financial and operational
information.
* Effectiveness and efficiency of
operations.
* Safeguarding of assets.
* Compliance with laws,
regulations, and contracts.
2120 - CONTROL 2120.A1 - Based on the results of the
The internal audit activity risk assessment, the internal audit
should assist the organization activity should evaluate the adequacy
in maintaining effective and effectiveness of controls
controls by evaluating their encompassing the organization's
effectiveness and efficiency goverance, operations, and information
and by promoting continuous systems. This should include:
improvement. * Reliability and integrity of
financial and operational
information.
* Effectiveness and efficiency of
operations.
* Safeguarding of assets.
* Compliance with laws, regulations,
and contracts.
2120.A2 - Internal auditors should
ascertain the extent to which operating
and program goals and objectives have
been established and conform to those of
the organization.
2120.A3 - Internal auditors should
review operations and programs to
ascertain the extent to which results
are consistent with established goals
and objectives to determine whether
operations and programs are being
implemented or performed as intended.
2120.A4 - Adequate criteria are needed
to evaluate controls. Internal auditors
should ascertain the extent to which
management has established adequate
criteria to determine whether objectives
and goals have been accomplished. If
adequate, internal auditors should use
such criteria in their evaluation. If
inadequate, internal auditors should
work with management to develop
appropriate evaluation criteria.
2130 - GOVERNANCE 2130.A1 - Internal auditors should
The internal audit activity review operations and programs to ensure
should contribute to the consistency with organizational values.
organization's governance
process by evaluating and
improving the process through
which (1) values and goals are
established and communicated,
(2) the accomplishment
of goals is monitored, (3)
accountability is ensured, and
(4) values are preserved.
2020 - COMMUNICATION AND None.
APPROVAL
2030 - RESOURCE MANAGEMENT None.
2040 - POLICIES AND None.
PROCEDURES
2050 - COORDINATION None.
2060 - REPORTING TO THE None.
BOARD AND
SENIOR MANAGEMENT
2100 - NATURE OF WORK
The internal audit activity
evaluates and contributes
to the improvements of risk
management, control, and
governance systems.
2110 - RISK MANAGEMENT 2110.C1 - Internal auditors should
The internal audit activity incorporate knowledge of risks gained
should assist the organization in consulting engagements into the
identifying and evaluating process of identifying and evaluating
significant exposures to significant risk exposures of
risk and contributing to the the organization.
improvement of risk management 2110.C2 - During consulting engagements,
and control systems. internal auditors should address risk
consistent with the engagement's
objectives and should be alert to
additional significant risks.
2120 - CONTROL 2120.C1 - Internal auditors should
The internal audit activity incorporate any knowledge of controls
should assist the organization gained in consulting engagements into
in maintaining effective their overall assessment of risk.
controls by evaluating their
effectiveness and efficiency
and by promoting continuous
improvement.
2130 - GOVERNANCE 2130.C1 - Consulting engagements should
The internal audit activity be accepted only when the engagement's
should contribute to the objectives are consistent with the
organization's governance
process by evaluating and overall values and goals of the
improving the process through organization.
which (1) values and goals are
established and communicated,
(2) the accomplishment
of goals is monitored, (3)
accountability is ensured, and
(4) values are preserved.
2200 - ENGAGEMENT PLANNING
Internal auditors should develop
and record a plan for each
engagement.
2201 - PLANNING CONSIDERATIONS
In planning the engagement,
internal auditors should consider:
* The objectives of the activity
being reviewed and the means by
which the activity controls its
performance.
* The significant risks to the
activity, its objectives,
resources,m and operations and
the means by which the potentil
Impact of risk is kept to an
acceptable level.
* The adequacy and effectiveness
of the the activity's risk
management and control systems
compared to a relevant control
framework or model.
* The opportunities for making
significant improvements to the
acitivity's risk management and
control systems
2210 - ENGAGEMENT OBJCTIVES 2210.A1 - When planning the engage-
The engagement's objectives should ment, the internal auditor should
address the risks, controls, and identify and assess risks relevant
governance processes associated to the activity under review. The
with the acitivites under review. engagement objectives should
reflect the results of the risk
assessment.
2210.A2 - The internal auditor
should consider the probability of
significant errors, irregularities,
noncompliance, and other exposures
when developing the engagement
objectives.
2220 - ENGAGEMENT SCOPE 2220.A1 - The scope of the
The established scope should be engagement shoudl include consider-
sufficient to satisfy the ation of relevant systems, records,
objectives of the engagement. personnel, and physical properties,
including those under the control
of thrid parties.
2230 - ENGAGEMENT RESOURCE
ALLOCATION
Internal auditors should determine
appropriate resources to achieve
engagement objectives. Staffing
should be based on an evaluation of
the nature and complexity of each
engagement, time constraints,
and available resources.
2240 - ENGAGEMENT WORK PROGRAM 2240.A1 - Work programs should
Internal auditors should develop wo establish the procedures for
that achieve the engagement objecti identifying, analyzing, evaluat-
These work programs should be recor ing, and recording information
during the engagement. The work
program should be approved prior to
the commencement of work, and any
adjustments approved promptly.
2300 - PERFORMING THE ENGAGEMENT
Internal auditors should identify,
analyze, evaluate, and record
sufficient information to achieve
the engagement's objectives.
2310- IDENTIFYING INFORMATION
Internal auditors should identify
sufficient, reliable, relevant, and
useful information to achieve the
engagement's objectives.
2200 - ENGAGEMENT PLANNING
Internal auditors should develop
and record a plan for each
engagement.
2201 - PLANNING CONSIDERATIONS
In planning the engagement, 2201.C1 - Internal auditors should
internal auditors should consider: establish a wirtten or oral under-
* The objectives of the activity standing with consulting engagement
being reviewed and the means by clients about objectives, scope,
which the activity controls its respective responsibilities, and
performance. other client expectations.
* The significant risks to the
activity, its objectives,
resources,m and operations and
the means by which the potentil
Impact of risk is kept to an
acceptable level.
* The adequacy and effectiveness
of the the activity's risk
management and control systems
compared to a relevant control
framework or model.
* The opportunities for making
significant improvements to the
acitivity's risk management and
control systems
2210 - ENGAGEMENT OBJCTIVES 2210.C1 - Consulting engagements
The engagement's objectives should should be planned to meet the
address the risks, controls, and agreed-upon objectives established
governance processes associated with the client.
with the acitivites under review.
2220 - ENGAGEMENT SCOPE 2220. C1 - In performing
The established scope should be consulting engagements, internal
sufficient to satisfy the auditors should ensure that
objectives of the engagement. the scope of the engagement is
sufficient to address the
agreed-upon objectives. If the
auditor has reservations about
the scope of the engagement,
these reservations should
be considered in determining
whether or not to proceed
with the engagement. If the
engagement is continued, the
reservations should be communited
to appropriate parties.
2230 - ENGAGEMENT RESOURCE
ALLOCATION
Internal auditors should determine
appropriate resources to achieve
engagement objectives. Staffing
should be based on an evaluation of
the nature and complexity of each
engagement, time constraints,
and available resources.
2240 - ENGAGEMENT WORK PROGRAM 2240.C1 - Work programs for
Internal auditors should develop wo consulting engagements should vary
that achieve the engagement objecti in form and content depending upon
These work programs should be recor the nature of the engagement.
2300 - PERFORMING THE ENGAGEMENT
Internal auditors should identify,
analyze, evaluate, and record
sufficient information to achieve
the engagement's objectives.
2310- IDENTIFYING INFORMATION
Internal auditors should identify
sufficient, reliable, relevant, and
useful information to achieve the
engagement's objectives.
2320 - ANALYSIS AND EVALUATION
Internal auditors should base
conclusions and engagement results
on appropriate analyses
and evaluations.
2330 - RECORDING INFORMATION 2330.A1 - The chief audit
Internal auditors should record executive should control access
relevant infor- to engagement records. The chief
mation to support the conclusion audit executive should obtain
and engagement results. the approval of senior management
and/or legal counsel prior
to releasing such records to
external parties, as appropriate.
2330.A2 - The chief audit
executive should develop
retention requirements require-
ments for engagement records.
These retention requirements
should be consistent
with the organization's
guidelines and any pertinent
regulatory or other requirements.
2340 - ENGAGEMENT SUPERVISION
Engagements should be properly
supervised to ensure objectives
are achieved, quality is assured,
and staff is developed.
2400 - COMMUNICATING RESULTS
Internal auditors should
communicate the engagement
results prompty.
2410 - CRITERIA FOR COMMUNICATING 2410.A1 - The final communication
Communications should include of results should,
the engagement's objectives and where appropriate,
scope as well as applicable contain the internal
conclusions, recommendations, and auditor's overall opinion.
action plans. 2410.A2 - Engagement
communications should acknowledge
satisfactory performance.
2420 - QUALITY OF COMMUNICATIONS No changes.
2421 - ERRORS AND OMISSIONS No changes.
2430 - ENGAGEMENT DISCLOSURE OF No changes.
NONCOMPLIANCE WITH THE Standards
2440 - DISSEMINATING RESULTS 2440.A1 - The chief audit executive
The chief audit executive should is responsible for communicating
disseminate results to the the final results to individuals
appropriate individuals. who can ensure that the results are
given due consideration.
2500 - MONITORING PROGRESS 2500.A1 - The chief audit
The chief audit executive should executive should establish a
establish and maintain a system follow-up process to monitor and
to monitor the disposition ensure that management actions
of results communicated to have been effectively implemented
management. or that senior management has
accepted the risk of not taking
action.
2600 - MANAGEMENT'S ACCEPTING OF No changes.
RISKS
Glossary
EXISTING DEFINITION
CONSULTING SERVICES - The range of
services, beyond internal audit's
assurance services, provided to
assist management in meeting its
objectives. The nature and scope
of work are agreed upon with the
client. Examples include
facilitation, process design,
training, and advisory services.
2320 - ANALYSIS AND EVALUATION
Internal auditors should base
conclusions and engagement results
on appropriate analyses
and evaluations.
2330 - RECORDING INFORMATION 2330.C1 - Prior to releasing
Internal auditors should record consulting engagement records
relevant infor- to other parties, the chief
mation to support the conclusion audit executive should obtain
and engagement results. the approval of the engagement
client and/or legal counsel, as
2330.C2 - The chief audit
executive should develop
retention requirements for
consulting engagement records.
These retention requirements
should be consistent with the
organization's guidelines and any
pertinent regulatory or other
requirements.
2340 - ENGAGEMENT SUPERVISION
Engagements should be properly
supervised to ensure objectives
are achieved, quality is assured,
and staff is developed.
2400 - COMMUNICATING RESULTS
Internal auditors should
communicate the engagement
results prompty.
2410 - CRITERIA FOR COMMUNICATING 2410.C1 - Communication of
Communications should include the progress and results of
the engagement's objectives and consulting engagements should be
scope as well as applicable tailored to meet the needs of
conclusions, recommendations, and engagement clients. The form
action plans. and content will vary depending
on the nature of the engagement
and the services requested.
2420 - QUALITY OF COMMUNICATIONS None.
2421 - ERRORS AND OMISSIONS None.
2430 - ENGAGEMENT DISCLOSURE OF None.
NONCOMPLIANCE WITH THE Standards
2440 - DISSEMINATING RESULTS 2440.C1 - Results of consulting
The chief audit executive should engagements should be
disseminate results to the disseminated to engagement
appropriate individuals. clients.
2440.C2 - During consulting
engagements, risk management,
control, and governance issues
may be identified. When these
issues are significant to the
organization as a whole, they
should be communicated to senior
management and the board.
2500 - MONITORING PROGRESS 2500.C1 - Dispostion of the
The chief audit executive should results of consulting engagements
establish and maintain a system should be monitored to the
to monitor the disposition extent agreed upon with the
of results communicated to client.
management.
2600 - MANAGEMENT'S ACCEPTING OF None.
RISKS
Glossary
EXISTING DEFINITION PROPOSED DEFINITION
CONSULTING SERVICES - The range of CONSULTING SERVICES - Advisory or
services, beyond internal audit's partnering activities that add
assurance services, provided to value and improve an
assist management in meeting its organization's operations, in
objectives. The nature and scope which the nature and scope
of work are agreed upon with the of services are agreed
client. Examples include upon with the client. Examples
facilitation, process design, include counsel, advice,
training, and advisory services. facilitation, process design,
and training.
|
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion