ISSAI vs IIA Standards: Which Framework Applies to EU Auditors?

What it is: background and legal basis

When navigating the world of auditing, particularly as an EU auditor or a candidate preparing for the EPSO AD7 Auditors competition, understanding the landscape of international auditing standards is essential. This includes familiarity with both the International Standards of Supreme Audit Institutions (ISSAI) framework, primarily used by the European Court of Auditors (ECA), and the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors (IIA), used by the Commission's Internal Audit Service (IAS) and many EU agencies.

The legal basis for the ECA's audit mandate is enshrined in the Treaty on the Functioning of the European Union (TFEU). Specifically, Article 287 TFEU empowers the ECA to examine the accounts of all revenue and expenditure of the Union and to ensure sound financial management. This broad mandate allows the ECA to select its audit methodology, which, in practice, relies heavily on the ISSAI framework developed by INTOSAI.

INTOSAI, the International Organisation of Supreme Audit Institutions, operates as an autonomous, independent and non-political organisation. It provides a framework for governmental audit standards. INTOSAI's framework includes the Lima Declaration of Guidelines on Auditing Precepts (1977), forming the foundation for the ISSAI standards. These standards are not legally binding in the same way as EU regulations, but rather represent a globally recognised professional framework for public sector auditing. The ISSAI framework is hierarchical:

• ISSAI 100: Fundamental Principles of Public Sector Auditing.
• ISSAIs 200, 300, 400: General Standards, Financial Audit Standards, Performance Audit Standards, and Compliance Audit Standards, respectively.
• Implementation Guidelines: provide more specific guidance on applying the standards.

The IIA's IPPF, on the other hand, while not explicitly referenced in the Treaties, is recognized as best practice for internal audit functions globally. The IIA, a professional organization, develops and maintains the IPPF. The European Commission's IAS (Internal Audit Service), and many EU agencies, have adopted the IPPF. While the ECA focuses on external audit, the IAS and agency internal auditors provide assurance and advisory services within their respective organizations, aligning with the IIA's framework.

How it works in practice

Let's examine how these standards are applied in the EU context:

ECA and ISSAI

The European Court of Auditors (ECA) predominantly uses the ISSAI framework to conduct its audits. Understanding key ISSAI principles is crucial:

• ISSAI 100 - Fundamental Principles of Public Sector Auditing: This foundational standard outlines the core principles underpinning public sector auditing, emphasizing independence, objectivity, integrity, and confidentiality. The ECA, as the EU's independent external auditor, adheres strictly to these principles in its audits of EU finances.
• ISSAI 200 - Financial Audit Principles: These principles focus on providing assurance about the reliability of financial statements. The ECA applies ISSAI 200 when auditing the EU's consolidated accounts, assessing whether they present a true and fair view of the EU's financial position.
• ISSAI 300 - Performance Audit Principles: Performance audits examine the economy, efficiency, and effectiveness of public sector programs and activities. The ECA frequently uses ISSAI 300 to assess whether EU funds are being used efficiently and achieving their intended objectives. These audits often lead to special reports with recommendations for improvement.
• ISSAI 400 - Compliance Audit Principles: Compliance audits determine whether public sector activities are complying with applicable laws, regulations, and policies. The ECA uses ISSAI 400 to verify that EU funds are disbursed and used in accordance with the Financial Regulation and other relevant legal provisions.

Consider a specific example: When the ECA audits the Common Agricultural Policy (CAP), it will use a combination of ISSAI 200 (to verify the accuracy of expenditure declarations), ISSAI 300 (to assess the effectiveness of CAP measures in achieving their objectives), and ISSAI 400 (to ensure that CAP payments comply with EU regulations).

IAS/Agencies and IIA

The European Commission's Internal Audit Service (IAS) and many EU agencies rely on the IIA's International Professional Practices Framework (IPPF). The IPPF provides comprehensive guidance for internal audit functions:

• The IIA's Core Principles for the Professional Practice of Internal Auditing: These principles underpin the entire IPPF and emphasize integrity, objectivity, competence, and due professional care.
• The IIA's Code of Ethics: Internal auditors must adhere to a strict code of ethics, promoting ethical conduct and preventing conflicts of interest.
• The IIA's International Standards for the Professional Practice of Internal Auditing: These standards provide detailed requirements for managing the internal audit function, performing internal audit engagements, and reporting results.
• The IIA's Three Lines Model (now 'Three Lines of Defence'): This model emphasizes the roles of management, risk management and compliance functions, and internal audit in ensuring effective governance and risk management.

The Three Lines of Defence model (now the Three Lines Model) is particularly relevant. The first line of defence consists of operational management, who own and control risks. The second line consists of risk management and compliance functions, who monitor and support the first line. The third line of defence is internal audit, which provides independent assurance on the effectiveness of the first two lines.

Let's consider an example: The internal audit function of a European Agency might use the IIA standards to assess the effectiveness of the Agency's risk management framework. The internal auditors would review the Agency's risk register, test the controls in place to mitigate key risks, and report their findings to the Agency's management and audit committee.

The IIA's IPPF has been recently updated, with the *2024 IPPF* now in effect. This updated framework includes significant changes to the Standards, including an increased focus on organizational resilience, cybersecurity, and sustainability.

The following table summarizes the key differences:

The most common points of confusion

• Distinguishing between the *purpose* of external audit (ECA/ISSAI) and internal audit (IAS/IIA). The ECA provides an independent opinion on the EU's finances, while the IAS helps Commission services and agencies improve their operations.
• Understanding the *practical implications* of the Three Lines Model. Many professionals struggle to correctly identify which functions belong to each line and how they interact.
• Recognizing that while ISSAIs are *globally recognised*, they aren't legally binding in the same way as EU legislation. The ECA chooses to use them to fulfil its Treaty obligations.

Why it matters for EU auditors

Understanding both the ISSAI and IIA frameworks is crucial for any EU auditor. If you join the ECA, you'll directly apply ISSAI principles in your audits of EU spending. If you work for the Commission's IAS or an EU agency's internal audit service, you'll use the IIA's IPPF to assess the effectiveness of internal controls and risk management. Being familiar with both frameworks allows you to understand the broader audit landscape within the EU and contribute effectively to ensuring sound financial management and good governance.

Mastering this information is key to success in the EPSO AD7 Auditors competition, as questions often test your knowledge of these fundamental audit frameworks. Prep for AD7 Auditors on Prep4EU

Related guides

• European Court of Auditors Explained
• ECA DAS: EU Budget Audit