IIA and ISO standards : discussion about their integration, similarities and differences.

16/11/2018
Isabel Haeck
Johan Lambert
Agenda

► Introduction
► WS question
► Internal Audit versus ISO Audit
► WS answer
► Integration
► Conclusion

Management of conflicts of interest within STIB


Introduction

IIABEL WS 16 November 2018 3


What is the STIB context ?
• Internal Audit Service run based on the IIA’s IPPF
and
• Strategy & Innovation / Quality & Process Management : ISO 9001
• Issues :
  • What is actually internal audit ? How ?
  • Single audit ?
  • Process owner ?
  • Reports : « + quality » ?

External factors
Why ISO or COSO ?
Manufacturing, production, quality, customer satisfaction : ISO
Finance reporting, listed companies : COSO & IIA

It looks like stakeholders and industry set the tone for the approach.

Really ? What if ….

Laws in Brussels
Ordonnance du 23 février 2006 RBC « OOBCC » → ICS, COSO based
Arrêté du 18 octobre 2007 du Gouvernement RBC → ICS detailed. Must establish an effective IA.
Projet d’arrêté du 28 avril 2016 - RBC → IIA Standards.

« Gestion de l' Audit Interne selon les normes IIA » (Management of Internal Audit according to the IIA standards)

WS question

What is the risk if an internal audit activity is run based only on one of the two approaches ?
or
What have the two approaches to bring to each other ?

Discussion
What does your CEO think about it ?


Frameworks

Audit mission ?
ISO 9000
ISO 9001
ISO 9004
ISO 19011 – definition - principles
ISO 31000
APG’s Code of Conduct and Ethics
ISO 9001 - 2015
ISO 9001 is a standard that sets out the requirements for a quality management system. It helps businesses and organizations to be more efficient and improve customer satisfaction.

Source : https://www.iso.org/iso-9001-quality-management.html

QMS 1/2
• A quality management system is a way of defining how an organization can meet the requirements of its customers and other stakeholders affected by its work.

• ISO 9001 is based on the idea of continual improvement.

• It doesn’t specify what the objectives relating to “quality” or “meeting customer needs” should be, but requires organizations to define these objectives themselves and continually improve their processes in order to reach them.

QMS 2/2
• ISO 9001 is suitable for organizations of all types, sizes and sectors.

• In fact, one of the key improvements of the newly revised ISO 9001:2015 was to make it more applicable and accessible to all types of enterprises.

• Smaller companies that do not have staff dedicated to quality can still enjoy the benefits of implementing the standard – ISO has many resources to assist them.

QMS benefits 1/2
• Assess the overall context of your organization to define who is
affected by your work and what they expect from you. This will
enable you to clearly state your objectives and identify new
business opportunities.

• Put your customers first, making sure you consistently meet their
needs and enhance their satisfaction. This can lead to repeat custom,
new clients and increased business for your organization.

QMS benefits 2/2
• Work in a more efficient way as all your processes will be aligned and
understood by everyone in the business or organization. This increases
productivity and efficiency, bringing internal costs down.

• Meet the necessary statutory and regulatory requirements.

• Expand into new markets, as some sectors and clients require ISO
9001 before doing business.

• Identify and address the risks associated with your organization.

ISO 9001 – 2015 in a nutshell

ISO 31000 - 2018
ISO 31000:2018, Risk management – Guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.
However, ISO 31000 cannot be used for certification purposes, but does provide guidance for internal or external audit programmes.

Source : https://www.iso.org/iso-31000-risk-management.html


ISO 31000 in a nutshell

« Documented information »

IPPF : 9 mandatory « documents » → risk based
ISO 9001 : 36 documented information requirements → evidence based
Document = control

ISO 9001 documented information 1/4
No.  Clause  Documented information
1  4.3  Scope QMS
2  4.4.2 b)  Processes (support), to the necessary extent
3  4.4.2 a)  Processes (execution), to the necessary extent
4  5.2.2 a)  Quality policy
5  6.2.1  Quality objectives
6  7.1.5.1  Fitness for purpose of monitoring and measurement resources
7  7.2 d)  Competence
8  7.5  Documented information
9  8.1 e) 1)  Processes carried out as planned ‐ planning
10  8.1 e) 2)  P & S conformity to requirements ‐ planning
11  8.2.3.1  Customer requirements
12  8.2.3.2 a)  P & S CR review, as applicable

ISO 9001 documented information 2/4
No.  Clause  Documented information
13  8.2.3.2 b)  P & S new CR, as applicable
14  8.2.4  P & S requirements change
15  8.3.2 f)  D & D requirements are met
16  8.3.3  D & D inputs
17  8.3.4 f)  D & D controls
18  8.3.5  D & D outputs
19  8.3.6  D & D changes
20  8.4.1  Externally provided P, P & S
21  8.5 a) 1)  P & S characteristics ‐ available
22  8.5 a) 2)  Results to be achieved ‐ available
23  8.5.2  Traceability, as applicable
24  8.5.3  Customer's property issues

ISO 9001 documented information 3/4
No.  Clause  Documented information
25  8.5.6  Control of changes
26  8.6 a)  Conformity with acceptance criteria for P & S release
27  8.6 b)  P & S release authority
28  8.7.2 a)  NC : description, authority, action taken, result
29  8.7.2 b)  NC : action taken
30  8.7.2 c)  NC : concessions
31  8.7.2 d)  NC : authority
32  9.1.1  Result of QMS performance and effectiveness evaluations
33  9.2.2 f)  Implementation of audit programme and audit results
34  9.3.3  Management review results (opportunities, change & resource needs QMS)
35  10.3 a)  NC : nature, actions
36  10.3 b)  NC : results

ISO 9001 documented information 4/4

An opportunity ?

Prices …..

Mandatory :
ISO 9000  156,64 €
ISO 9001  121,44 €
ISO 9004  156,64 €

Guidance :
ISO 19011  139,04 €
ISO 31000  77,44 €

Total : 651,2 €
Et caetera
Definition - mission

Internal Audit : Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

ISO audit : Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

Internal Audit mission : To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

ISO audit mission : ?

Principles

Code of ethics ‐ principles (IIA)
Integrity : v
Objectivity : v
Confidentiality : v
Competency : v

ISO 9001 principles
Customer focus : +/‐
Leadership : ?
Engagement of people : ?
Process approach : +/‐
Evidence‐based decision making : +/‐ ?
Relationship management : +/‐ ?

Core principles (IIA)
Demonstrates integrity : v
Demonstrates competence and due professional care : v
Is objective and free from undue influence (independent) : v
Aligns with the strategies, objectives, and risks of the organization : ?
Is appropriately positioned and adequately resourced : ?
Demonstrates quality and continuous improvement : v
Communicates effectively : v
Provides risk‐based assurance : ?
Is insightful, proactive, and future‐focused : ?
Promotes organizational improvement : ?

ISO 19011 audit principles
Ethical conduct : v
Fair presentation : +/‐
Due professional care : v
Independence : v
Evidence‐based approach : +/‐
Confidentiality : v
Internet support

https://global.theiia.org/Pages/globaliiaHome.aspx

ISO/TC176 Quality management and quality assurance : https://committee.iso.org/home/tc176sc2

ISO 9001 Auditing Practices Group : https://committee.iso.org/sites/tc176sc2/home/page/iso-9001-auditing-practices-grou.html

The Bureau for Standardisation (NBN) : https://www.nbn.be/en
About guidance

The IIA guidance documents are endorsed by The IIA through formal review and approval processes.

Lots of expensive guidance documents.

ISO/TC 176 Auditing Practices Group guidance : Disclaimer

ISO 9001 Auditing Practices Group : https://committee.iso.org/sites/tc176sc2/home/page/iso-9001-auditing-practices-grou.html

Place in the 3 Lines of Defense Model

Why should IA act as 2nd LoD ?

• New regulations
• New activities
• Reinforcement
• Efficiency

• Risks ?
Guidance : Internal Audit and the Second Line of Defense, The IIA, January 2016

Drivers of requirement

Internal Audit : Legal, industry good practices, good governance, cases
ISO audit : Customers, suppliers, regulator, legal, good practices

Auditors status

Internal Audit : Employees of the organisation, or can be an independent entity through outsourced or co-sourced arrangement. CAE appointed with board approval.
ISO audit : Employees of the organisation appointed by line management, or can be an independent entity through outsourced or co-sourced arrangement.

Independence

Internal Audit : Independent of audited activities and independent of audited management; truly independent.
ISO audit : Independent of line management activities but not of the management structure; not truly independent.

Planning

How ?
Internal Audit : Risk based, mandatory
ISO audit : Context, continuous improvement, risk-based (ISO 19011)

Who ?
Internal Audit : CAE
ISO audit : Management (ISO 19011 5.2)

Serving

Internal Audit : Serves the needs of the organisation as a whole; in particular the audit committee, chief executive officer and senior management.
ISO audit : Line management and may be senior management; generally no reporting to the audit committee.

Reporting line

Internal Audit : Audit committee functionally for operations and chief executive officer for administration.
ISO audit : Line management and senior management.

Objective

Internal Audit : Varies according to the audit; focus on evaluating controls designed to assure the accomplishment of the organisation’s goals and objectives.
ISO audit : Limited focus; whether the management system is operating as intended.

Scope

Internal Audit : Covers all organisation activities; able to respond to the needs of the audit committee, chief executive officer and senior management.
ISO audit : Limited to the management system – quality, environment, safety, legal compliance, etc. Tailoring authorized.

Focus

Internal Audit : Fact based & forward-looking.
ISO audit : Context monitoring; historical events as expressed in management system documentation.

Coverage

Internal Audit : Reviews governance, risk management, and control processes according to risk-based need.
ISO audit : Periodically reviews records supporting the management system; can be risk-based coverage.

Outcome

Internal Audit : Helps the organisation to enhance and protect organisation value and accomplish objectives.
ISO audit : Statement of adherence to management system requirements. Improved QMS.

Fraud and corruption

Internal Audit : Is directly concerned with the prevention of fraud in any activity reviewed.
ISO audit : Not concerned with prevention and detection of fraud.

Reports

Internal Audit
Mandatory : scope, objective, results
Guidance : « Audit Reports: Communicating Assurance Engagement Results » and « Formulating and Expressing Internal Audit Opinions »

ISO audit
Mandatory : results
Guidance : scope, objective, client, audit team, dates and places, criteria, findings and evidence, conclusion, statement on compliance, annexes

Organisation size

Internal Audit : 1 auditor for 800 – 1000 persons
ISO audit : Small and big firms

Reports go to

Internal Audit : Audit committee, chief executive officer and senior management.
ISO audit : Line management.

Profession

Internal Audit : Yes.
A theoretical body of knowledge.
Relative independence in decision-making in practice.
Specialised education.
A code of ethics for behaviour of its members.

ISO audit : No.
Some limited specialised education (1 – 3 days).

Continuity

Internal Audit : Permanent service run by full-time auditors.
ISO audit : Generally ad hoc missions run by quality specialists (1st party audits).

Qualifications

Internal Audit : Specialised university courses and short course training available. Certifications.
ISO audit : Diploma, certificate and short course training available; no certifications.

Risk management

Internal Audit : Explicitly risk based.
ISO audit : Shy but pervasive.
0.3.3 : Risk-based thinking
- Risks and opportunities
- To address risks to conform
- Action requested
4.1 : “issues” to achieve strategy and results, to understand the organization and its context
6.1 : Consider R&O when planning

No formal ERM required; ERM = guidance.
Cross reference ?

NSTR

Answer to the question

There are risks in using only one approach; there are opportunities to combine both.

Your answer ?

Integration

1300 QAIP ↔ ISO 9001
2000 Managing the IAA ↔ ISO 19011 ? 31000 ?
4.2 Expectations of interested parties


Conclusion 1/4

Helps us demonstrate that we do the job.
Enforces discipline.
Does not replace the IPPF.

Conclusion 2/4
IIA IPPF vs ISO 9001 – 19011 :

Do you add value?

Are you agile ?

Conclusion 3/4

Internal Audit : Risk-based
ISO audit : Evidence-based risk identification (NC)
Risk approach : Complementary

Converging in the long run ?


Conclusion 4/4

Your conclusion ?

Next topics

What’s in it for us in ISO 19011 and other audit related ISO publications ?

What can the IPPF bring to an ISO audit service ?

Questions ?
