State Internal Audit Advisory Board
Internal Auditing Standards and Requirements in the State of Illinois Review Course
Based on 2017 IIA Standards

IIA Performance Standard 2000 – Managing the Internal Audit Activity

2000 – Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

Interpretation:
The internal audit activity is effectively managed when:

  • It achieves the purpose and responsibility included in the internal audit charter.
  • It conforms with the Standards.
  • Its members conform with the Code of Ethics and the Standards.
  • It considers trends and emerging issues that could impact the organization.

The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.

2010 – Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:
To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

2020 – Communication and Approval
The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

2030 – Resource Management
The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan.

2040 – Policies and Procedures
The chief audit executive must establish policies and procedures to guide the internal audit activity.

Interpretation:
The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.

2050 – Coordination and Reliance
The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.

Interpretation:
In coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers. The chief audit executive should also have a clear understanding of the scope, objective, and results of the work performed by other providers of assurance and consulting services. Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.

2060 – Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.

Interpretation:
The frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board. The frequency and content of reporting depends on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board.

The chief audit executive’s reporting and communication to senior management and the board must include information about:

  • The audit charter.
  • Independence of the internal audit activity.
  • The audit plan and progress against the plan.
  • Resource requirements.
  • Results of audit activities.
  • Conformance with the Code of Ethics and the Standards, and action plans to address any significant conformance issues.
  • Management’s response to risk that, in the chief audit executive’s judgment, may be unacceptable to the organization.

These and other chief audit executive communication requirements are referenced throughout the Standards.

2070 – External Service Provider and Organizational Responsibility for Internal Auditing
When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.

Interpretation
This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Code of Ethics and the Standards.

SIAAB Interpretation:
Pursuant to FCIAA, Section 2001(a) each designated State agency as defined in Section 1003(a) shall maintain a full-time program of internal auditing and accordingly would not be in compliance with FCIAA whenever an external service provider served as the internal audit activity.

Further, in accordance with the IIA’s International Professional Practice Framework (IPPF), the chief audit executive is responsible for developing policies and procedures. Formal administrative and technical audit manuals may not be needed by all internal audit activities. A small internal audit activity may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and memoranda that state policies and procedures to be followed. In a large internal audit activity, more formal and comprehensive policies and procedures are essential to guide the internal audit staff in the execution of the internal audit plan.

From: The IIA’s International Professional Practices Framework Copyright 2017 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission

Please close this window to return to Ability LMS to take the quiz for this lesson.