The current International Professional Practices Framework (IPPF) IPPF Standards
The current International Professional Practices Framework (IPPF) IPPF Standards have been effective from 01 January 2017, the draft standards are under review and open for public opinion and are expected to be released and the end of 2023. The purpose of the IPPF Standards is to regulate every practising internal auditor across all industry, and fosters uniformity across the profession. The new IPPF has 15 principles, this provides detailed guidance on the work conducted by the practising internal auditors, as well as the Chief Audit Executive. The principles are detailed below are detailed below:
- Principle 1 Demonstrate Integrity
- Principle 2 Maintain Objectivity
- Principle 3 Demonstrate Competency
- Principle 4 Exercise Due Professional Care
- Principle 5 Maintain Confidentiality
- Principle 6 Authorized by the Board
- Principle 7 Positioned Independently
- Principle 8 Overseen by the Board
- Principle 9 Plans Strategically
- Principle 10 Manages Resources Principle 11 Communicates Effectively
- Principle 12 Enhances Quality
- Principle 13 Plan Engagements Effectively
- Principle 14 Conduct Engagement Work
- Principle 15 Communicate Engagement Conclusions and Monitor Action Plans
Linked to each principle is the requirements, considerations for implementation and evidence of conformance. The draft International Professional Practices Framework (IPPF) standards places a lot of emphasis on the role of the Board; principle 6 to 8 of the draft emphasises the “musts”, being mandatory practices that the Board has to play. These roles have three themes, which are
- The responsibility to authorise and set the authority of the Internal Audit Function;
- The responsibility to position the internal audit function, ensuring that it retains its objectivity and independence; and
- The responsibility to oversee the performance of the Internal Audit Function, which includes layers that ensure that quality audit work is produced.
Effectiveness of the internal audit function
The above elements are important in ensuring the independence, autonomy and effectiveness of the internal audit function, however the question remains whether the Institute of Internal Auditors (IIA) have authority to actually make prescription to the Board. This is so as the standards are applicable to internal auditors and not to the boards. Further, in cases where the board is not complying to principles, can there be any sanctions taken against the Board in that case. It is questionable whether principle 6 to 8 of the draft standards would be enforceable in the manner currently written. Actions can be taken against those practising as Internal Auditors for non-compliance, but not against any other parties.
A more solution focused approach should be adopted to address this quandary, specifically looking in the South African context. A solution that appreciates, that there are other authoritative bodies for those serving as board members or directors. We suggest gleaning from the Companies Act and the King Code of Corporate Governance as they provide guidance on the role of the board as it relates to internal audit. We would need to compare mandatory requirements of the board from existing statute and compare to the draft IPPPF standards to conclude on whether the Board can be held accountable for the fulfilment of its role as it relates to the Internal audit function.
The authoritative role of the Board over the Internal Audit function include the approval of the founding documents like the internal audit Charter, internal audit plan, internal audit budget, and resource plan on an annual basis. This is aligned to prescripts contained in the King IV Report on Corporate Governance for South Africa (King IV), which clearly indicates that the direction of the Internal Audit function must be set by the Governing Body, through approval of the IA Charter. (King Report on Corporate Governance for South Africa, 2016)
The responsibility of positioning the Internal audit function to ensure that the function remains independent and objective, is also aligned to prescripts contained in the King IV , which highlights that the governing body, through the audit committee must ensure the authority , competence, gravitas, objectivity and independence of the CAE and the Internal Audit Function. The approval of appointment, removal and remuneration of the CAE. . (King Report on Corporate Governance for South Africa, 2016)
The responsibility of overseeing the internal audit function, which is established through constant communication between the CAE and Board and ensuring that adequate capacity exist to carry out audits in the organisation, as well as overall quality of the work conducted. This is aligned to King IV on appropriate capacitation and skills for the function, and that external quality assessment is conducted every five years.
Principle 15 of the King Code give guidance on how the governing body should deal with all its assurance providers including the Internal Audit function, this is aimed at ensuring that the control environment is enabled that supports the integrity of financial information for internal decision making (King Report on Corporate Governance for South Africa, 2016). It can be noted that the guidance provided for under Principle 15 of the King Code, is aligned to the guidance in the new IPPF standards. The requirements of the IPPF are however in most cases extended and elaborate and provide for more activities that the Board must undertake, as steps to ensuring that the overall objective of fulfilling its roles and responsibilities. Although from a theme and principle, there is alignment, the “musts” that are presented by the draft IPPF standards, require the Board to elevate its understanding of its role specific to internal audit.
The Companies Act provides limited guidance on internal audit, as it just communicates the audit committee’s process for dealing with issues raised by the internal audit function. There is no denial that the role played by the Board in ensuring that the internal audit function is elevated in any organisation is significant. The clarity and expansion to include this significant role played by the board in the IPPF standards recognises that internal audit cannot exist outside of the direction of the board. In South African terms, there is support from the King Code, as to that role, thus this ensures that the standards are implementable as they can be linked to a particular Code. Perhaps a comparison can be made on how the principles above will be enforceable at a global level.
Author Bio:
Tumelo Mahusi is the Head of Risk and Internal Audit of Bagaka Group. She is responsible for all assurance projects related to internal audit. She holds a degree in Bachelor of Commerce, a Bachelor of Commerce Honours (Internal Audit), and a Masters in Business Administration. Throughout her career, Tumelo has gained extensive experience working with clients across various industries, including mining, manufacturing, financial, and services.