Certified Public Accountants
& Business Consultants

Focus On Internal Audit: Changes To International Professional Practices Framework (IPPF)

Contact Our Team

The International Professional Practices Framework (IPPF) serves as the blueprint of knowledge and guidance for the practice of internal auditing.
May 27, 2010

The International Professional Practices Framework (IPPF) serves as the blueprint of knowledge and guidance for the practice of internal auditing. It also facilitates the consistent development, interpretation, application of principles, methodologies and techniques of the internal audit function.

The IPPF has always required that the Institute of Internal Auditors (IIA) review all guidance every three years to help ensure that all guidance is current, relevant and timely.

As a result of the recent review, the IIA published its revised Standards for the Professional Practice of Internal Auditing (the IIA Standards).

The revised IIA Standards create new or update requirements around:

  • Purpose, authority, and responsibility
  • Modifications to internal audit charter
  • Communications with the board of directors
  • Organizational independence
  • Due professional care – use of technology-based audits
  • External assessments
  • Reporting on the quality assurance and improvement program
  • Communication & resource impact
  • Ethics program
  • IT governance
  • Fraud risk management
  • Prohibition from managing risk
  • Records retention
  • Conformance with the IIA standards

The IIA, with its updated standards, is properly realigning internal audit from “controls testers” to “strategic auditors.” This realignment brings the profession back to a more balanced level of responsibility and focus, similar to the profession’s role pre-Sarbanes-Oxley.

RubinBrown believes this to be a key move to make the profession more relevant and become the “eyes and ears” for the board and management. The next step is to work with management and the board to enhance perceptions of internal audit and to utilize this resource to help achieve companies’ strategic objectives.

Below, RubinBrown has summarized the changes to the standards and provided insights on how to implement them. The insights provided are not all inclusive and should be tailored to your specific organization.

Purpose, Authority, and Responsibility (Revised)
Standard 1000

(Revisions in bold)

The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the definition of internal auditing, the code of ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Modifications to the Internal Audit Charter (New)
Standard 1010

This section provides recognition of the definition of internal auditing, the code of ethics, and the standards in the internal audit charter. The chief audit executive should discuss the definition of internal auditing, the code of ethics, and the standards with senior management and the board.

How to Implement Standards 1000 & 1010:

  • Revise the internal audit charter as necessary to conform to the standards
  • Evaluate the scope of the internal audit activity ensure that it is more than just SOX assistance
  • Educate management on the definition of internal auditing
  • Expand scope of work to include more traditional internal auditing activities

Communication with the Board of Directors (Revised)
Standard 1111

(Revisions in bold)

The chief audit executive must communicate and interact directly with the board.

Organizational Independence (Revised)
Standard 1110

(Revisions in bold)

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

How to Implement Standards 1111 & 1110:

  • The overall purpose of the revisions is to properly align the internal audit activity and increase its visibility to the board
  • The CAE should hold executive meetings with the board
  • As part of the annual internal audit plan, present a communication plan
  • Perform an independence assessment and report findings to the board

Due Professional Care – Use of Technology-based Audits (Revised)
Standard 1220.A2

(Revision in bold)

In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques. How to Implement Standard 1220.A2:

  • Evaluate the nature of the transactions to be tested and determine the most effective and efficient method of testing
  • Identify IT audits to minimize transactional-based audits

External Assessments (Revised)
Standard 1312

(Revisions in bold)

External assessments must be conducted at lease once every five years by a qualified independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:

  • The need for more frequent external assessments
  • The qualifications and independence of the external reviewer or review team, including any potential conflicts of interest

Reporting on the Quality Assurance and Improvement Program (Revised)
Standard 1320

(Revisions in bold)

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board

How to Implement Standards 1312 & 1320:

  • The QAR Standard was in place since 2004, the revised standards expanded the communication requirements
  • Evaluate and communicate the need for more frequent external assessments
    • Based on prior external assessments and internal quality reviews
    • Turnover in the department
    • Change in standards
  • Qualifications and independence of external reviewer:
    • Internal audit experience, knowledge of the standards, industry expertise, QAR experience
    • Real and/or apparent conflict of interest
  • Communicate results to management and board
  • Communicate ALL QAR results, not just external assessments

Communication & Resource Impact (Revised)
Standard 2020

(Revision in bold)

The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, the senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

How to Implement Standard 2020:

  • No significant change from the old standard (changed the wording from “should” to “must”)
  • Most departments already implemented this standard as part of the annual plan presentation and approval
  • Provide updates to the board on a regular basis

Ethics Program (Revised)
Standard 2110.A1

(Revisions in bold)

The internal audit activity must evaluate the design, implementation and effectiveness of the organization’s ethics-related objectives, programs and activities.

How to Implement Standard 2110.A1:

  • Include the ethics program in the annual risk assessment
  • Update audit universe and plan accordingly<.li>
  • Perform an ethics program assessment which includes the following phases - Plan > Assess > Report:
    • Plan – work with management to determine scope of the assessment
    • Assess – understand the ethics program in place, assess and evaluate against established frameworks
    • Report – coordinate findings with Human Resources and Legal Department

IT Governance (New)
Standard 2110.A2

The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

How to Implement Standard 2110.A2:

  • Include in the annual risk assessment, and based on results of the assessment, as part of the audit universe
  • Leverage existing work (e.g., SOX IT governance assessments)
  • Evaluate and understand the framework used by the IT activity/department
  • Evaluate whether the goals and objectives of the IT activity are aligned with those of the organization

Fraud Risk Management (New)
Standard 2120.A2

The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

How to Implement Standard 2120.A2:

  • Assist management in performing an assessment or perform an independent assessment
  • Leverage existing assessments performed as part of SOX compliance (“tone at the top” control activities)
  • Include fraud in the annual risk assessment
  • High risk areas should be added to the audit universe with specific fraud coverage
  • Update audit plan with fraud procedures
  • Use third-party tools to assist in detecting fraud
  • Use specialists (CFEs) During the planning phase of each project, consider the risk of fraud

Prohibition from Managing Risk (New)
Standard 2120.C3

When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

How to Implement Standards 2120.C3:

  • As with any other activity/process, the internal audit activity should not assume management’s role/responsibility
  • Internal audit should participate in the risk management process as an advisor and/or expert
  • As part of an enterprise risk management initiative, internal audit should be part of the process to avoid silos (refer to the IIA publication – The Role of IA in ERM)
  • Role is limited to discussing risks in IA’s risk universe

Records Retention (Revised)
Standard 2330.A2

(Revisions in bold)

The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

How to Implement Standard 2330.A2:

  • Most departments are complying with this standard. The only change is to consider the impact of the ‘medium’ in which the audit workpapers are stored
  • Coordinate with legal department to ensure policy is consistent with the organization’s and regulatory requirements
  • Use paper-less auditing to minimize the risk of noncompliance

Conformance with the IIA Standards (New)
Standard 2430

Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing,” only if the results of the quality assurance and improvement program support the statement.

How to Implement Standard 2430:

  • Similar to Standard 1321 – Use of “Conforms with the International standards for the Professional Practice of Internal Auditing” must meet the quality assurance standards (Standard 1300).
  • Internal audit departments should evaluate their current practices against the standards and identify areas for improvement.

As the next internal audit planning cycle begins, chief audit executives should engage management and the board on how internal auditing is more than testing controls and how this valuable resource can be utilized to address strategic issues and objectives.


Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.

For more information, please contact: