Overview

This brief provides a high-level overview of The IIA Standards, the challenges Internal Auditors and CAEs face in complying with the Standards, and how to build a robust internal audit framework that will help them overcome compliance challenges and enhance efficiency and performance.


Compliance Challenges for Internal Auditors and CAEs
In October 2010, The Institute of Internal Auditors (IIA) revised the International Standards for the Professional Practice of Internal Auditing (Standards), for implementation from January 2011. These principle-focused Standards provide a framework to establish, strengthen and evaluate internal audit performance, while promoting a broad range of value-added internal audit activities. Yet complying with the Standards is far from easy. Internal auditors and Chief Audit Executives (CAEs) have to establish a robust and efficient audit management program, perform quality assurance reviews, provide visibility to top management, and quickly adapt to changes while coping with limited resources and constrained budgets.

MetricStream provides an audit management solution that streamlines, integrates and automates end-to-end internal audit processes. Built on a single platform, the solution extends across the enterprise, enabling organizations to efficiently manage a wide range of audit programs, data and processes in compliance with The IIA Standards. Silos are broken down in favor of continuous collaboration, and audit workflows are automated for enhanced efficiency and cost-savings. Simultaneously, top-level visibility is provided for CAEs to track the status of audits and compliance with The IIA Standards.

According to The IIA, the purpose of the Standards is to:

  • Delineate basic principles that represent the practice of internal auditing.
  • Provide a framework for performing and promoting a broad range of value-added internal auditing.
  • Establish the basis for the evaluation of internal audit performance.
  • Foster improved organizational processes and operations.

Why The IIA Standards Matter
Internal auditors are no longer merely overseers of financial reporting accuracy and control effectiveness. Stakeholders and top management are relying on them to be their eyes and ears in the organization, provide assurance of compliance, deliver critical strategic advice to mitigate threats, and help prevent fraud.

To help internal auditors effectively meet these demands, The IIA Standards provide a set of principles and best practices referred to as the profession’s ‘foundation and quality benchmark’. These Standards enable internal auditors to follow a systematic and disciplined process of evaluating and improving the effectiveness of GRC processes. They also help internal auditors make valuable strategic recommendations, and strengthen organizational reputations. Businesses that are compliant with the Standards indicate to the world that they are committed to protecting their stakeholders and customers.

Recent Changes to the Standards - Effective January 1, 2011
To ensure that the Standards remain current and relevant, The IIA reviews them at least once every three years. In October 2010, 26 changes were made to the Standards.

3 new Standards were introduced, based on the principles of:

  • Taking into account the expectations of senior management and other stakeholders for internal audit opinions and other conclusions (2010.A2, 2450)
  • Holding the organization responsible for effective internal auditing (2070)
  • Supporting overall opinions with sufficient, reliable, relevant, and useful information (2450)

15 changes were made to existing Standards, including:

  • Defining the functional reporting relationship between the CAE and the Board, and clarifying the same in the audit charter (1000, 1110)
  • Determining the competence of the review team (1312)
  • Determining when the internal audit activity complies with the Standards (1321)
  • Adding value to the organization by providing objective and relevant assurance, and contributing to the effectiveness of governance, risk management and control processes (2000)
  • Ensuring that the consulting engagement objectives are consistent with the organization’s values, strategies and objectives (2210.C2)
  • Assessing the effectiveness of risk management processes from multiple engagements (2120)
  • Evaluating organizational risk exposure and effectiveness of controls (2120.A1, 2130.A1)
  • Communicating the results of various internal audit engagements (2400)
  • Taking into account the expectations of senior management, the Board and other stakeholders when communicating internal auditors’ opinions at the engagement level (2410.A1)

2 existing Standards were deleted:

  • Standard 2130.A2
  • Standard 2130.A3

6 changes were made to existing Glossary terms:

  • Add value
  • CAE
  • Independence
  • Control environment
  • Information Technology Governance
  • Objectivity

Compliance Challenges for Internal Auditors and CAEs

More complex responsibilities, fewer resources
The IIA Standards require internal auditors and CAEs to not only validate the accuracy of controls, but also perform quality assurance reviews, strengthen collaboration with top management and other assurance functions, and consistently evaluate the organization’s exposure to risk. Resources are limited, and deadlines are tight. Noncompliance could result in external auditors discounting or dismissing the work of internal auditors which, in turn, would affect the organization’s reputation.

Lack of collaboration and coordination
Most companies have multiple siloed systems to manage various audit processes such as reporting, fieldwork and documentation. This makes it difficult to manage and monitor compliance with the Standards. Redundancies and duplicate activities are likely to occur, wasting time and precious resources. Siloed systems also limit the ability of internal auditors to collaborate and coordinate activities with other assurance functions, as per Standard 2000.

Inefficient manual processes
Manual audit tools and processes can be extremely resource-intensive and prone to errors. Spreadsheets, for instance, are bulky, cumbersome, and take up a lot of time and effort to manage. Moreover, manual control testing limits the repeatability of verifications at standard intervals.

Limited visibility into internal audit processes, quality assurance programs and action plans
The success of internal auditing programs and their compliance with The IIA Standards is largely dependent on how effectively these programs are monitored. A lack of complete and real-time visibility into the audit programs could result in inconsistencies and vulnerabilities going unnoticed. It would also limit the ability of CAEs and internal auditors to provide valuable, risk-based insights to senior management that can help in directing business strategy.

Key Features of the MetricStream Solution

  • Built on the robust, flexible and scalable MetricStream GRC Platform
  • Enables fast implementation with configurable forms, information flows, notifications, alerts and escalation paths
  • Seamlessly integrates with external systems to retrieve, store and deliver audit data
  • Provides intuitive interfaces with easy access to and navigation of contextual information
  • Provides secure, Web-based access for all internal auditors with appropriate views and tabs for initiating actions, responding to events, and managing assigned tasks
  • Contains built-in, flexible reporting capabilities, risk heat maps, charts and dashboards

Overcoming Compliance Challenges with the help of the MetricStream Solution
MetricStream provides a comprehensive Audit Management Solution to streamline, strengthen and simplify compliance with The IIA Standards. Its advanced capabilities - such as built-in remediation workflows, time tracking, automatic alerts, risk assessment methodologies and offline audit functionalities - enable internal auditors and CAEs to build a robust internal audit framework aligned with The IIA Standards and best practices.

Below are the key Standards that the MetricStream solution enables compliance with:

Attribute Standards 
Standard 1100 - Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

How the MetricStream Solution Helps

  • Provides a centralized framework to clearly define reporting relationships among the CAE, internal auditors and the Board
  • Offers a resource management tool to:
    • Maintain auditor details and profiles for evaluation
    • Efficiently allocate audit assignments so as to avoid conflicts of interest
  • Provides a centralized information repository to simplify the storage, organization and management of all IA policies and procedures, as well as The IIA Standards

Standard 1200 - Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

How the MetricStream Solution Helps

  • Enables the CAE to track the competencies of internal auditors by maintaining a centralized auditor profile page with details about each auditor’s skills, qualifications, certifications, roles and responsibilities
  • Helps evaluate auditors at periodic intervals through a streamlined process of survey design, distribution and management
  • Provides an integrated framework for internal auditors to collate crucial information such as the adequacy of the organization’s GRC processes, needs and expectations, extent and complexity of work and cost of assurance, which will help in preparing the audit plan

Standard 1300 - Quality Assurance and Improvement Program
The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

How the MetricStream Solution Helps (Covered in detail in the next sections)

Performance Standards
Standard 2000 - Managing the Internal Audit Activity

The CAE must effectively manage the internal audit activity to ensure it adds value to the organization.

How the MetricStream Solution Helps

  • Helps align audits with risks and organizational goals
  • Supports both annual and ongoing audits triggered either periodically or in an ad hoc manner
  • Streamlines the complete internal audit lifecycle from risk assessment, to audit planning and scheduling, to audit execution, to reporting, to review and implementation of recommendations
  • Offers a centralized, Web-based policy management repository with integrated collaboration and workflow tools to access, create and modify these policies globally in a controlled manner
  • Transcends organizational silos, and establishes an integrated audit management framework that enables the CAE to seamlessly share information and coordinate activities with other internal and external providers of assurance and consulting services
  • Simplifies reporting to senior management by providing flexible reporting tools with drill-down capabilities that contain details of the audit program, findings, issues and other matters
  • Provides powerful dashboards with real-time information on audits, issues and risks which can be leveraged to develop business strategy

Standard 2100 - Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.

How the MetricStream Solution Helps

  • Offers a centralized information model to closely map risks to auditable entities (business units, processes, applications, and projects), controls, control tests, policies and regulations
  • Provides flexible risk assessment methodologies, algorithms and heat maps to identify risks concerning the reliability and integrity of financial information, effectiveness and efficiency of operations, safeguarding of assets, fraud, and compliance with policies and regulations
  • Supports risk scoping and ranking with advanced heat maps to identify high risk areas
  • Enables a targeted, risk-based internal audit
  • Automates control testing, and generates automatic reports, thereby saving valuable time, resources and costs

Standard 2200 - Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing and resource allocations.

How the MetricStream Solution Helps

  • Helps create a systematic audit plan with a well-defined objective and scope that is closely linked to organizational goals, as well as quality, compliance and risk management processes
  • Provides a resource management tool to identify and approve the resources required, draw up audit calendars, efficiently allocate resources, and track budgets
  • Helps define the procedures for identifying, analyzing, evaluating, and recording information during the audit engagement
  • Enables internal auditors to organize audits in a logical structure and hierarchy with detailed audit templates, work orders, evaluation criteria and tasks
  • Accelerates review and approval cycles through automated routing of information

Standard 2300 - Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.

How the MetricStream Solution Helps

  • Provides flexible and streamlined survey management capabilities to collect information and responses
  • Enables auditors to record qualitative or quantitative findings along with detailed observations and recommendations in predefined formats alongside the checklist of evaluation criteria and questions
  • Offers a unique Briefcase for internal auditors to easily enter audit findings in notebook computers or handheld devices at remote field sites without access to the corporate network, and later synchronize the data with the central repository
  • Enables the audit to be tracked and measured against milestones to ensure timely execution

Standard 2400 - Communicating Results
Internal auditors must communicate the results of engagements.

How the MetricStream Solution Helps

  • Provides flexible reporting capabilities for standard or customized reports to be prepared on the audit scope, objectives, findings, issues, conclusions, recommendations and action plans
  • Simplifies the process of reporting by automatically generating reports in predefined formats and layouts, and exporting them to standard MS Word or PDF templates

Standard 2500 - Monitoring Progress
The Chief Audit Executive must establish and maintain a system to monitor the disposition of results communicated to management.

How the MetricStream Solution Helps

  • Offers graphical dashboards with drill-down capabilities to track the implementation of corrective actions and recommendations until they are completed
  • Provides automated alerts and notifications to help ensure that tasks are performed in time, and that the process is kept on track
  • Generates periodic reports tracking the status of the action plans

Standard 2600 - Resolution of Senior Management’s Acceptance of Risks
When the Chief Audit Executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the Chief Audit Executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the Chief Audit Executive must report the matter to the board for resolution.

How the MetricStream Solution Helps

  • Supports residual risk rating to determine if the risk should be accepted or mitigated further
  • Automatically updates residual risk scores once corrective actions have been implemented

Why MetricStream

  • Integrate internal audit and quality assurance processes in compliance with The IIA Standards
  • Streamline the entire audit lifecycle across all types of audits
  • Enhance collaboration with other assurance functions and senior management
  • Save costs, time and resources by automating control testing and report generation
  • Consolidate and archive all internal audit information in a centralized repository
  • Simplify and accelerate the creation of reports
  • Track audit metrics and statuses in real time
  • Stay updated on IIA Standards, and implement industry best auditing practices

Strengthening the Value of Internal Auditing through Quality Assurance Programs
Under Standard 1300, CAEs have to establish and maintain a Quality Assurance and Improvement Program (QAIP) which enables them to determine their overall level of compliance with The IIA Standards according to the following ratings:

  • Generally conforms
  • Partially conforms
  • Does not conform

To meet this standard, CAEs can perform either a full external assessment (described in Practice Advisory 1312-1), or an internal Self-assessment with Independent Validation (SAIV) (described in Practice Advisory 1312-2). These assessments can take several weeks to complete depending on various factors such as the size of the organization and the internal audit team.

An external assessment involves an external team working onsite to perform a complete evaluation of the internal audit organization. It exposes CAEs to best practices from experts, as well as advanced IT audit procedures.

On the other hand, an SAIV involves only one validator working onsite to substantiate the findings of the self-assessment. In other words, much of the internal audit review is performed in-house. This helps save substantial time, costs and resources.

Building a Robust and Efficient Quality Assurance Program with the MetricStream Solution
The MetricStream solution provides an integrated and streamlined approach to systematically manage both internal self-assessments and external assessments. Its unique blend of software and content enables internal auditors and CAEs to embed industry best practices for quality internal auditing.

The solution also captures regulations, rules and other important regulatory information from external sources such as the IIA website, using a GRC feeds module that is based on MetricStream Infolet technology. The system provides automatic alerts when regulations are changed or updated. It also helps in mapping regulations to compliance risks to enable more effective risk monitoring.

Assessment planning
The MetricStream solution enables a systematic risk-based assessment with a consistent analysis and assessment of risks across all dimensions of the enterprise. The solution provides a clear view into the organization’s risk profile and enables managers to plan their assessment accordingly.

The solution also offers a single point of reference to draw up the assessment program, assign responsibilities, stipulate time frames, and schedule on-site meetings and interviews. For internal assessments, the solution collates the profiles of all internal auditors to help CAEs evaluate their competence, and appoint a self-assessment team leader.

Documentation
The solution’s centralized information repository provides easy access to the documentation required for the assessment, including audit work papers, internal auditor qualifications and certifications, audit manuals, annual audit plans, performance reports and status reports to the Board. It also enables internal auditors to define checklists, tasks and pass/fail criteria.

Field work
During the assessment, the solution provides a framework to record findings and conclusions, measure progress against milestones and track the time spent for optimal resource utilization. The solution also facilitates a streamlined, systematic and efficient process of survey design, distribution, implementation and response collection across the organization’s audit clients and staff.

Identification of nonconforming areas
Using the information collected, the self-assessment leader can determine areas of nonconformance, recommendations for improvement, and plans for their implementation. The solution enables these details to be entered in a predefined self-assessment draft report which can be presented to the independent validator. In the case of an external assessment, the solution supports the creation of a QAR draft report.

Reporting
Once the external assessors, self-assessment leaders or independent validators have provided their comments, the solution facilitates the creation of final reports detailing the results and subsequent action plans. It automatically routes this information for review and approval among senior leaders, while providing graphical dashboards with real-time insights on how these action plans are being implemented across the organization. The dashboards also provide trending analytics to monitor the performance of internal auditing. In addition, the solution enables Key Performance Indicators to be defined, with automatic alerts indicating when thresholds are about to be breached.
