Background
Effective internal audit delivers great value to the organization and its leaders. As the Institute of Internal Auditing (IIA) describes it:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The IIA has provided guidance on the professional practice of internal auditing since 1947. Their key principles are captured in their International Standards for the Professional Practice of Internal Auditing (“Standards”), last published in 2017.
This year, the IIA decided it was time to update the Standards. On March 1st, they released a draft for public comment. Renamed the Global Internal Audit Standards, they are asking for comments to be submitted by the end of this month.
The draft has met with a host of comments, both positive and negative, with more to come before the end of the comment period.
It certainly has a lot of meat, running to 108 pages. Much of it is excellent.
The trouble is that the meat is not lean. It has content that may not be required to meet the stated objectives of the Standards:
The Global Internal Audit Standards provide requirements and recommendations to guide the professional practice of quality internal auditing globally. The Standards also establish a basis for evaluating the performance of internal audit services.
I ran a survey on my website and was surprised to find that slightly less than half of the respondents agreed that these are the right objectives for the Standards.
I believe the Standards should:
- Set out minimum requirements that an internal audit function must meet before they can be considered as providing the quality internal audit services their organization needs. (The Standards use the word “must” for these requirements.)
- Provide suggested but not mandatory guidance on how to build on those minimum standards to deliver world-class value. (The Standards use “should” and “may” for these suggestions.)
Bearing the stated objective in mind, I have challenged IIA staff and those responsible for putting the draft together to consider two questions:
- Are the requirements in the draft sufficient? If they are met, does that mean that an internal audit function is providing the quality internal audit services the organization and its leaders need?
- Are the requirements excessive? Do they mandate activities that are not necessary, where audit departments that do not meet them can and do deliver high quality audit services?
In my opinion, the draft fails both questions. That opinion was echoed in my survey, where less than a quarter of the respondents thought the draft describes (in full or with minor exceptions) what is required for high quality internal auditing.
Before explaining my reasons for that opinion, let me share some more history.
Mission or Purpose
Richard Chambers (then the President and CEO of the IIA) explained in a blog post how an IIA task force (of which I was privileged to be a member) made significant improvements to IIA guidance.
As The IIA has done periodically since the forerunner of the IPPF was first adopted in the 1970s, a global task force of internal audit’s best was charged with reviewing the framework, a process that extended over the past several months.
The task force, in the context of not only what issues the profession had tackled in the past but in what may lie ahead, concluded that there are opportunities to enhance the IPPF.
The task force determined, for example, that while the Definition of Internal Auditing does a good job of articulating what internal audit is, the IPPF does not specifically describe the mission of internal auditing. This is an important distinction, particularly when viewing how internal audit can properly serve an organization when, for instance, it might have dual reporting obligations to a board or audit committee as well as to executive management.
The task force also concluded that, if internal audit standards are principles-based, then those principles should be clearly defined and aligned directly to the relevant standards. Through much discussion and debate, the task force did just that, drafting 12 core principles that can be mapped to the existing standards. Again, with an eye to the future, some members of the task force pointed out that additional standards might be needed in the short and long term to support some of the principles.
The mission that the task force developed was:
“Enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
The statement includes several key words or phrases:
- Enhancing and protecting value
- Risk-based and objective
- Assurance, advice and insight
Traditionally, internal audit functions have focused on protecting value (managing or mitigating risks to objectives), but the task force felt that was insufficient. Attention should also be paid to whether the function is helping organizations enhance value, for example by optimizing the sales force to drive revenue or taking new products to market at the right time.
How do the mission and core principles compare to the content of the draft update?
The mission has been replaced by a purpose statement:
Internal auditing enhances the organization's success by providing the board and management with objective assurance and advice.
Let’s compare it to the task force’s mission statement:
“Enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
I like:
- The words about enhancing success. It is better than “value.”
- Clarifying who are the customers of internal audit’s assurance and advice, although I wonder whether it is necessary.
But I am very concerned about the removal of key words:
- Risk-based
- Insight
I think this is moving in the wrong direction – backwards and not forward.
I don’t mind changing from a mission to a purpose statement as long as the purpose is sufficient. I prefer:
“Enhance and protect organizational value by providing the risk-based and objective assurance, advice, and insight the organization needs.”
I have changed the task force’s language to clarify that internal audit should provide not just any assurance, advice and insight (such as what matters to middle management) but what the organization’s leaders and governing body need to achieve success. Audit what matters and provide information that matters.
Risk-Based Auditing
As Richard said, we developed Core Principles for the Effective Practice of Internal Auditing:
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives and risks of the organization
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive and future-focused
- Promotes organizational improvement
Best practice audit teams around the world have moved to a risk-based audit approach that focuses their work on the more significant risks to the enterprise as a whole.
This was emphasized in both the mission and the core principles. But it is hardly mentioned in the draft.
I ran an earlier survey in December 2022. While 42% continue the traditional (and less valuable) practice of performing “full scope audits that focus on risks to the entity being audited,” 53% said that their “audits focus on controls over risks that are important to the enterprise as a whole.”
But the IIA’s Standards have not moved with the times. The draft continues to require that engagement planning must identify risks to the process, business unit or location being audited. It says those are the risks that must be in the scope of the engagement, rather than risks to the enterprise as a whole.
Unfortunately, that leads to auditing what doesn’t matter to success, and missing what does.
I realize that is not the intent of those involved in writing the draft. They intended engagement planning to refine the scope to the risks that were identified as part of the overall audit planning process. But that is not what the Standards say. I talk about this as auditing what matters to management of the business unit, when we should be auditing what matters to the success of the enterprise and its leaders.
Missing Principles
As Richard wrote, the task force was unanimous in asserting that the Standards should be principles-based, rather than rules-based. It was good to see the draft is structured around principles.
However, the draft omits one very important core principle, namely that internal audit is “insightful, proactive and future-focused.”
Insight was a concept introduced by the task force. There was unanimous agreement by its members that in addition to the assurance (i.e., opinions on the adequacy of controls) and formal advice (actions for improvement) provided in the internal auditor’s formal communications, management obtains great (and arguably more) value from what the auditor thinks about the management of the area, its culture and more – thoughts that might not be backed by “evidence” but are the professional opinions and insights of the auditor.
Also missing is the principle that internal auditing should be proactive and forward-looking.
In other words, internal audit teams should audit the risks of today and tomorrow, not those of the past. Provide valuable assurance, advice and insight that will help the organization address its short and longer-term challenges, rather than tell them what they did wrong in the past.
I understand that the drafters might have had difficulty with this, even though it would have moved the profession forward, because there are no related Standards in the current version. But, as Richard wrote, “the task force pointed out that additional standards might be needed in the short and long term to support some of the principles.” Omitting the principle because there is no current Standard is not an adequate reason. This is far too important to omit.
Musts
Perhaps the problem of concern to most of those who have commented is that although it is “principles-based” in theory, there are so many “musts” that, in practice, it is rules-based.
As many have pointed out, this is changing from a set of principles-based standards that sets out what needs to be achieved to a framework that describes what must be done to deliver the desired results. (I am ambivalent as long as the Standards achieve their stated objective.)
However, I totally agree with the complaint that there are too many “musts.”
The draft has “musts” that are not necessary activities for quality internal auditing. In other words, internal audit services may be of high quality, even world-class, without these being done. The points in question include:
- “Internal auditors must confirm that management has implemented the agreed-upon action plans.” While this may or even (in some opinions) should be done, it is not necessary. It is not a must. My audit committee told me they expect management to follow up and ensure corrective actions are taken.
- “The chief audit executive must develop a plan for the performance of an external quality assessment and obtain the board’s approval.” The external quality assurance review typically focuses more on conformance to the Standards than the quality of internal services in the eyes of our customers. Again, we can argue whether this should or may be done. But it is clear to me that there is no justification for mandating it.
- “The internal audit function’s methodologies must be established, documented, and maintained in alignment with the Standards.” I can see that in some large internal audit departments, there may be value. But are they absolutely necessary, especially when the average internal audit function has only five members? If you don’t have them, does that mean you are not performing quality internal auditing? This is not a must. It’s a may.
- “Internal auditors must not provide assurance over an activity for which, within the past year, they provided advisory services.” This is not necessarily an impairment to objectivity, any more than performing an assurance engagement in the previous year that included an assessment and recommendations for improvement prevents the auditor from being objective.
- “Internal auditors must enhance their knowledge, skills, and abilities by completing at least 20 hours of continuing professional education annually.” While desirable (i.e., “should”), this is not always practical.
- “To conduct the engagement risk assessment, internal auditors must… identify the significant risks to the objectives of the activity under review.” This was discussed above.
There are many more, including “musts” relating to the board (see below).
The draft explains that it uses must, should and may. But there are far too many of the first and far too few of the other two.
One of the most contested issues is whether the Standards should dictate activities of the board (or other governing body). The Standards use the word “must” when they say (this is a sample):
- The board must review (and approve) the internal audit mandate at least annually.
- The board must support the internal audit function.
- The board must ensure the internal audit function has unrestricted access.
- The board must support the chief audit executive through regular, direct communications.
- The board must establish a direct reporting relationship with the chief audit executive and the internal audit function.
- The board must approve and/or participate in decisions regarding the appointment, removal, performance evaluation and remuneration of the chief audit executive.
- The board must provide the chief audit executive with opportunities to discuss significant and sensitive matters with the board, including meetings without senior management present.
- The board must ensure that the chief audit executive is positioned at a level that enables internal audit services and responsibilities to be performed without interference from any level of management and provides the organizational authority and status to bring matters directly to senior management and/or the board and to escalate matters to the board when necessary.
- The board must ensure that the internal audit function is free from interference when determining its scope, performing internal audit engagements and communicating results.
- The board must ensure the chief audit executive has the qualifications and competencies to manage the internal audit function effectively and ensure quality performance of internal audit services.
- The board must ensure the internal audit function has sufficient resources to fulfill the internal audit mandate and achieve the internal audit plan.
- The board must ensure that the chief audit executive develops, implements and maintains a quality assurance and improvement program.
- The board must ensure an external quality assessment of the internal audit function is conducted at least every five years.
I think most people would agree that most (there is not a consensus on them all) of the above should be done. But can the IIA dictate what the board must do?
Do these “musts” belong in the IIA’s Standards?
If they are not performed by the board, does that mean the internal audit function is ineffective?
The Standards should only mandate (using the word “must”) what is necessary for quality internal auditing. It should not mandate what the IIA would like to see for other purposes, such as promoting quality assurance reviews.
I have heard that the mandates of the board are included in the draft Standards so that the head of internal audit can discuss them with the board. There are far better ways of achieving this.
Overall Assessment
I asked two questions earlier. Here they are again, with my assessments:
- Are the requirements in the draft sufficient? If they are met, does that mean that an internal audit function is providing the quality internal audit services the organization and its leaders need?
The draft does not do nearly enough to emphasize the risk-based auditing of what matters to the success of the organization. In addition, it insufficiently addresses the need to update the audit plan dynamically, as the business and its risks change.
- Are the requirements excessive? Do they mandate activities that are not necessary, where audit departments that do not meet them can and do deliver high quality audit services?
It is far too long and includes requirements that, if not performed, do not indicate that internal auditing is ineffective.
I agree with the 75% of respondents to my survey: the IIA should revise the draft (after including more people in the process) and resubmit for comment.
There is far too much that needs to be changed to simply amend and publish.
In March, I sent a letter to the IIA and its leaders that may be of interest.