exposure draft survey questions documents/iia...pg. 1 exposure draft survey questions . 1. m. ission...

pg. 1

EXPOSURE DRAFT SURVEY QUESTIONS

1. MISSION OF INTERNAL AUDITING

1.1 To what extent do you support the addition of a Mission of Internal Auditing to the IPPF?

Completely Support Do Not Support

5 4 3 2 1

Comments :

Comment 1: IIA MEMBER: Rating <2>

The IIA’s mission is; “… to provide dynamic leadership for the global profession of internal auditing.” The IPPF is a delivery mechanism to support this mission, by providing standards and guidance on how professional IA’s should conduct their activities. Do not believe that a mission statement for IA, as part of the IPPF, is required or necessary over and above the current definition, as it (the definition) sufficiently meets our current requirements, as acknowledged by the RTF.

Comment 2: Non-Member: Rating <5>

Comment 3: Collective response : 6 IIA MEMBERS : All six rated this a 5

Support the inclusion of a mission and like the one they have come up with as think that it ties in risk and assurance well.

1.2 To what extent do you agree that the proposed Mission of Internal Audit captures what internal audit strives and / or aspires to accomplish in organizations?

Completely Agree Do Not Agree

5 4 3 2 1

Comments :


It appears to be trying to attempt to give meaning to what “add value’ is defined as and is largely a “rephrasing of the definition” and rather wordy. From this stand-point depending on the sector that an IA is operating the definition of what the expectations of IA are and how the board sees them as adding value can be very varied. From a traditional shop of compliance to a more foreword thinking unit of consulting and business improvement focus and business partner and trusted advisor. Are we considering aspirational of what an IA of today is , what is a foregone expectation of what services an IA unit provides or in the advocacy field are we needing to up our game on what skills we need to serve the future needs of businesses. Has the IA profession evolved to be what businesses need them to be? What do our stakeholders expect us as IA to deliver, are we meeting their expectations or just doing what we know? i.e. Do we assume the services we provide meet their needs or is this all they know, based on what we have told them?


No mentioning of Independent assurance is made. Would’ve been better by stating what is provided 1st and then the benefit to the organisation. e.g. Provide stakeholders independent assurance to enhance and protect organisation value.

pg. 2

Risk-based and objective and reliable isn’t needed in the mission if this is supported by the Standards and Code of Ethics. It becomes unnecessary wordy.

Comment 3: Collective response : 6 IIA MEMBERS: All six rated this a 5

Touches on all the key words

2. CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

2.1 To what extent do you support adding Core Principles for the Professional Practice of Internal Auditing as an element of the IPPF?


5 4 3 2 1

Comments :


Agree with the sentiments of the RTF.



2.2 Do you agree with the three “input-related” Principles as proposed?


5 4 3 2 1

Comments :


This is very closely aligned to the Code of Ethics and we should guard against duplication or at the very least ensure alignment. Therefore the missing component is “confidentiality” in which case suggest to include in first principle, as” Demonstrates uncompromised integrity and respectfully manages confidentiality.” If we were to introduce these, the suggestion would be leave the principles in this framework, revisit the Code of Ethics and remove same from them, which would essentially leave “Rules of Conduct”. Then we could rename this rather the “IA Code of Conduct” which would be the remaining aligned to the principles.


What about independence? This has not been covered off. If this has been left off to compensate for the many outsourced IA functions then the concept of independence has been missed. In that case the suggestion is that further guidance in the Implementation of the standards should be provided to clarify the interpretation with some commentary specific to that type of arrangement to aid practitioners.


Consider the use of the word ‘Independence’

Exposure Draft: Proposed Enhancements to the IPPF – QLD CHAPTER COUNCIL INPUT

pg. 3

2.3 Do you agree with the six “process-related” Principles as proposed?


5 4 3 2 1

Comments :


The “purpose” of the IA function and therefore the nature of assurance/consulting services provided, that the Board wish to extract from having an IA unit, has direct influence on the effectiveness of the IA function, and this has not been covered. If the IA function delivers on the Board expectations, generally confirmed in IA Charters, then the Board is likely to have the view that the IA is effective. This is supported by Standard 1000, 1110 & 1130. May need to consider providing case study examples of “common scenarios” that would not be considered appropriate within the further guidance. If so purpose comes from why the Board determines why they require an IA function and what value they derive from the function.

Don’t believe that the IA function should align strategically. The IA should know what the strategy is in terms of definition or establishing the nature and timing of the assurance work to be undertaken, so its an input to the audit plan. Where strategy comes in is really in association with Performance Audits, so maybe the implementation guidance should be expanded to highlight that the strategy or outcomes/KPI’s should be considered in assessment within these types of reviews.


IA is not a legal requirement, so appropriate positioning can be have different meanings and if not particularly defined, it is just words meaning nothing. As long as the standards and guidance helps with the interpretation of what is appropriate position or cases of what would not meet the requirements of appropriate positioning.

Strategic goals of the company may not align with IA. E.g. constant cost cutting at the cost of controls. If this is a goal of the company, IA can’t really align or the organisation has to accept that their level of risk has increased. The issue with strategy, is rather that to provide value add services the assurance work undertaken should be congruent with the outcomes being sought by the organisation at largely the strategy execution level in line with the processes under review. The audit function should deliver on their mandate as agreed with the Board, which may / may have very limited linkages to strategy e.g. largely compliance work where adequately of process is already accepted. Would remove #5 from the list, rather put in a phrase regarding

Comment 3: Collective response : 6 IIA MEMBERS: Five rated this a 5 and one a 4

Core Principle 5 possibly needs to be teased out to make it more clear

2.4 Do you agree with the three “output-related” Principles as proposed?


5 4 3 2 1

Comments :



pg. 4

In relation to principle 10, would also include “timely” Often IA is accused of being very rear-mirror focused, and it’s about providing that assurance when it matters to business outcomes such that is can influence when it matters or proactively.



Consider using the words ‘Add Value’

Principle 11 should link to risk management as well

2.5 Do you agree with the order of the 12 Principles as proposed?


5 4 3 2 1

Comments :


Do like IPO model, just “missing” feedback, for continuous improvement but if we consider feedback incorporation in Quality assessments, Quality programs, competency frameworks (under principle #7) then we could by inference declare it is “covered”.

Refer prior comments, purpose in principles 4-9, is “missing” should be covered first. Missing the audit plan in principles 4-9, would be 3rd.



Grouping into three groups is logical. However, each principle should be equally weighted/significant

Ambivalent as to the order

2.6 To what extent do you agree with the view that all Principles must be “present and operating effectively” for an internal audit function to be considered effective?


5 4 3 2 1

Comments :


We currently “declare” a unit is effective if it meets the requirements of the mandatory guidance within IPPF. On that basis, we say the 12 principles are what we espouse in essence across the current mandatory guidance, then provided there are no gaps, that would be the case.

We don’t seem to cover the scope of the audit activities. It would “appear” that it is assumed that the audit plan itself is effective. i.e. if the Board approved it, it has covered the right things. The onus is on the Board to highlight


pg. 5

if they feel that the IA has left important things out. It is a responsibility of the IA team to adequately understand the assurance map, ensure it is materially complete and taking into account various other source of information, to provide the appropriate level of coverage. Then they would need to answer do we have the right number and right skilled resources to execute the work required. Do not believe that we have sufficiently covered off having the right audit plan that would therefore focus on ensuring that nature of work is therefore what is required by entity. Then a secondary aspect would be good plan, but was it able to be executed ?

Additional comments>> As has been advised, the RTF “mapping” of the principles to the standard/s against which demonstration would be largely attested, this should have highlighted whether we have sufficient “coverage” in the standards and at the same time, that we have the means to be able to demonstrate and the vehicle through which this would be done.


The impact of change would not be known until the changes have happened, which is very often long after the face and often a subjective assessment. So what is “positive change” if it can’t always be measured and we don’t often have immediate feedback of its impact? It may be anticipated positive change. Do not see the value of this principle, as the IA team may see their contribution as positive influence, while the client sees it as an imposition.


2.7 Do you agree that the Principles, if adopted, would require guidance to help demonstrate to practitioners what the Principles might look like in practice?


5 4 3 2 1

Comments :


Refer previous commentary, the principles are umbrella to the current IPPF mandatory guidance, therefore if our standards and implementation guidance does not currently fit that brief to sufficiently give that perspective, then yes we have gaps and these need to be filled, if not then we should already have the appropriate level of guidance in place. Understanding that the profession is evolving and that there may also be options for “leading practice” in certain areas which should be leveraged for the betterment of the entire IA profession.

Comment 2: Non-Member: Rating <2> Thought this is what the current standards and advisories did.

Comment 3: Collective response : 6 IIA MEMBERS: Three rated this a 5 and three a 4

Yes, but in the sense that it should already be there so only new ones required if gaps are identified

Guidance would be beneficial to ‘developing’ or ‘new’ IA units

3. IMPLEMENTATION GUIDANCE & SUPPLEMENTAL GUIDANCE


pg. 6

3.1 To what extent do you support the restructure of guidance elements from “Practice Advisories” to a more comprehensive layer entitled “Implementation Guidance” as part of the framework?


5 4 3 2 1

Comments :


Believe that “Implementation Guidance” is more closely attuned to the intention of guidance, title of advisory, creates the impression that you could take it or leave it, as opposed to giving you guidance on how to conform and therefore meeting the intent of the standards.


Comment 3: Collective response : 6 IIA MEMBERS: Three rated this a 5 and three a 4

I think that the new title gives a clearer picture of what they’re about

3.2 To what extent do you support the restructure of guidance elements from “Practice Guides” to a “Supplemental Guidance” as part of the framework?


5 4 3 2 1

Comments :


Support the refresh and change to Supplemental Guidance…. should it be part of IPPF or should we treat it like we plan to the Position papers and have them published but as it is not prescriptive and would offer options/suggestions on practice it is largely a reference point on an issue / industry etc.


Comment 3: Collective response : 6 IIA MEMBERS: Four rated this a 5 and two a 4

Like Question 3.1 I think that the new title gives a clearer picture of what they’re about

4. ADDRESSING EMERGING ISSUES

4.1 To what extent do you support the introduction of a new IPPF element to address emerging issues?


5 4 3 2 1

Comments :


pg. 7


Strongly oppose this element as part of IPPF. Would rather see as part of implementation guidance, things to consider in planning and ongoing evaluation of the organisational assurance landscape. Tried in the late 90’s to raise emerging issues to the Audit & Risk Committee’s and it largely backfired, as it tended to create a storm in a tea-cup, unnecessary stress at the committee level on potential issues. Their view unless it had a very high probability of materialisation and the organisation was not ready from a control perspective to manage, they expected the existing processes to identify and address. The approach adopted therefore was:

Ensure that emerging issues were identified and recognised within the business risk profile Ensure that an appropriate mitigation strategy was in place to manage the risk(s), normal escalation

protocols would apply should it be outside board tolerances As part of audit planning would consider the assurance map and the current risk profile and mitigation

strategies Audit would consider special requests on emerging issues, if warranted and requested by the Board due to

exposure or perceived exposure and therefore would form part of the planned coverage. The differencehowever may be the urgency on timing and therefore execution of the review

When these things hit, not all IA know what they are and how to handle so the expectation would be more or practical advise to advise what is the issue, how will they identify it, where to look and what they could find. Then suggested approaches on how to handle manage the issues, maybe case studies etc. Believe this could be an additional value add service that the IIA could provide to practitioners, and would be welcome. In some cases once the storm has passed, these things largely become business as usual and are embedded.


If not relevant to an industry or organisation it is just another “flavour of the month” and sales pitch for external audit firms through their Risk and Advisory service functions.

Comment 3: Collective response : 6 IIA MEMBERS: Two rated this a 5, two a 4, one a 3, and one a 1

Issues are often experienced by many others in the profession, guidance on how to respond will be valuable to all and will assist in providing confidence where a response to an emerging but known issue already identified is required.

I don’t agree that this should be part of the IPPF. I do agree that the IIA should be developing and promulgating information, however, this should be done outside of the IPPF framework for a similar reason as they are removing the position papers.

4.2 To what extent do you agree that Emerging Issues Guidance, due to its quicker development process, should be less authoritative than Supplemental Guidance as part of the framework?


5 4 3 2 1

Comments :


Definitely agree it should not be authoritative but rather advisory in nature. Also concur that quicker development is necessary to facilitate quicker call to action. As mentioned would go further to say, it should not be part of IPPF.

pg. 8

May need to consider the network or method that IIA can draw on experts in the field or contributors for “war stories” that could help in these areas from a lessons learnt perspective. Access maybe by CAE’s.


Comment 3: Collective response : 6 IIA MEMBERS: Three rated this a 4, two a 3, and one a 1

5. POSITION PAPERS

5.1 To what extent do you support the deletion of “Position papers” as an element of the IPPF?


5 4 3 2 1

Comments :



Comment 3: Collective response : 6 IIA MEMBERS: Three rated this a 5, one a 4, and two a 3

6. REQUIRED AND RECOMMENDED

6.1 To what extent do you support revision of the words “Mandatory” and “Strongly Recommended” to “Required” and “Recommended”, respectively?


5 4 3 2 1

Comments :




New wording sounds less strict

7. SUMMARY OF ELEMENTS OF THE PROPOSED REVISED IPPF

7.1 Overall, to what extent do you support the changes regarding the IPPF as detailed on the previous page?


5 4 3 2 1

pg. 9

Comments :


Do not support in whole, but to the extent /exclusion based on foregone commentary. i.e.

IPPF should comprise

Definition of Internal Audit Core Principles Code of Conduct (as opposed to Ethics, as first 3 catered for in Core Principle Inputs) Implementation Guidance Supplemental Guidance (no aversion to not being included)



7.2 To what extent do you agree that that the pictorial representation adequately depicts the hierarchy and interrelationships of each element of the new proposed IPPF?


5 4 3 2 1

Comments :


In the current suggested form, it describes what is being suggested. Not In the context of answer to 7 above, incorporating feedback through directional relationship:


Comment 3: Collective response : 6 IIA MEMBERS: Three rated this a 5, one a 4, and two a 4

I don’t like it as much as the old one. The old one is very clear to understand without much explanation, however, the new one is a little less easy to understand. Personal opinion is that the mission circle may be confusing.


pg. 10

7.3 To what extent do you agree that the pictorial representation of the proposed new IPPF is visually appealing?


5 4 3 2 1

Comments :


Mission is too pronounced.


Comment 3: Collective response : 6 IIA MEMBERS: Four rated this a 4 and two a 3

Font is a bit too small to read, content is ok.

CONTRIBUTORS: 8 [ 7 IIA members & 1 practicing IA non member ]

Disclaimer: The views and opinions expressed in this commentary are personal opinions and do not necessarily reflect the official policy or position of the IIA Queensland Chapter or that of any employers (or groups within) of any of individuals /collective contributors.

exposure draft survey questions documents/iia...pg. 1 exposure draft survey questions . 1. m. ission...

Documents