The Chartered Institute of Internal Auditors (the UK affiliate of the global Institute of Internal Auditors) is usually a thought leader, promoting and explaining best and leading internal auditing practices. For example, they have done excellent work on [enterprise] risk-based auditing.
But their latest publication, Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors, steps backwards from the progress made by the IIA in its Definition and Core Principles.
Here are my more significant criticisms:
1. The first and most important failure (and I mean just that) is how they define the Role and Mandate of internal audit:
“The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organization.”
The IIA’s Definition of Internal Audit is right when it says that internal audit should help the organization achieve its objectives.
Internal audit should help an organization both create and protect value.
Talking about protection and not the creation of value is a severe limitation of internal audit effectiveness. It implies that internal audit should not address whether:
- Customers are billed the full price
- The company takes full advantage of available vendor discounts
- Management bids effectively for new business
- Decision-makers are taking the right risks for success
2. While risk management practitioners are beginning to recognize that effective risk management is far more than a review of a list of the more significant risks, the Code does not:
“It does this by assessing whether all significant risks are identified and appropriately reported by management to the board and executive management.”
3. Quite disturbing is the fact that the antiquated notion of cyclical auditing is included in the guidance.
4. The Code says that internal audit reports should focus on “significant control weaknesses”. The global IIA rightly explains that internal audit provides assurance; that is not the same as the Code’s emphasis on reporting weaknesses – it’s a great deal more! Internal audit reports should inform leadership whether the more significant ‘risks’ to the objectives of the company are being effectively managed, and that should include not only harmful ‘risks’ but the optimization of performance as well. Internal audit should explain which enterprise objectives might be affected by identified control weaknesses and by how much.
I have high expectations from this UK organization. I expect to see thought leadership that moves practices forwards. This moves them backwards and is a lost opportunity.
I welcome your opinions and comments.