IIA has revised standards on internal auditing. The revised standards become effective from January 2017. One of the new year resolution of Internal auditor should be to update their internal audit practices and procedures, including internal audit charter to reflect the changes done in in the IPPF. See here
1130.A3 – The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.
With this new additions, safeguards have been mandated for IAA assurance assignments for areas where consulting have been provided. The new standard acknowledges that:
- Some of the consulting assignment have the potential to impair objectivity.
- Impairment can happen at IAA level as well as individual level.
Objectivity impairment at Individual level:
A person loves his creation. Even the most objective person has the potential to fall in love with work of his creation.
“An assessment need to be not only just and fair but also need to be seen as just and fair”.
To avoid a potential impairment, a CAE should assign a different individual or a different team for assurance assignment. E.g. an individual / team who were involved in the designing of controls for a process should not be part of team performing assurance assignment.CAE need to also assess, whether IAA should perform assurance assignment.
CAE need to also factor in the organization maturity and management expectationswhile considering the in impairment assessment.
This is relatively easier to manage by assigning alternate resources.
Objectivity impairment at IAA level
Today average size of an IAA activity is in single digits. An analysis (here) indicates that to manage internal control and compliance you need an average 2.74 FTE.
With this information, it is easy to hypothesizes that in case of consulting assignment, the person who is involved generally happens to a CAE.
Similarly, in the pursuit of better and robust control environment, CAE/IAA undertake the responsibility of certain controls. i.e. they undertake the responsibility of first line and/ or second line of defense. Some of the reasons could be:
- Unwillingness of organization to put control on processes but expectation to minimize risks.
- Unwillingness of organization to hire proper talent.
- Unwillingness of organization to adopt best practices.
- Unwillingness of organization to accept the risk
The best way to manage such scenario would be outsourcing such assurance assignment to a third party.
References: How To Be Objective When You’re Emotionally Invested
Metric of the Month: Internal Audit Staff Size
Call for action:
Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the Article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)
