I was privileged to be a member of the IIA’s task force that developed the Core Principles for the Professional Practice of Internal Auditing.
I believe they were a significant step forward in guiding internal audit functions around the world.
So, I was very interested when I saw that the IIA had published a new Practice Guide (PG), Demonstrating the Core Principles for the Professional Practice of Internal Auditing.
It is worth reading and discussing among practitioners.
But, while it has some good advice, it is also flawed. Let me take it principle by principle.
1. Demonstrates integrity.
This is good:
“In simple terms, integrity means doing the right thing and providing honest, objective assurance and advice, even when doing so is uncomfortable or difficult and avoiding an issue might be easier (e.g., minimizing engagement observations or omitting observations from an engagement report).”
What is not said clearly is that internal auditors need to be brave – but not foolhardy. They need to find a way to communicate the fact that the emperor has no clothes without getting their head chopped off.
My main objection is that the Key Indicators omit the most significant factor: whether management and the rest of the organization believe in the integrity and objectivity of the internal auditors. Is IA able to set aside its biases (see my earlier post), whether favorable or adverse? Is it constructive in its advice, rather than confrontational?
2. Demonstrates competence and due professional care.
By and large, the PG is OK, but again it misses a key point.
Is the internal audit function able to perform engagements on every area of significant risk to objectives? Many struggle with this, whether it is the ability to hire IT audit expertise or to staff audits on technical accounting, marketing, or engineering issues.
A key indicator should be based on:
- the ability of the IA team to perform audits of all significant sources of risk, and
- whether owners of those areas of risk believe internal audit has the competence to perform related audits, understand the issues, assess the adequacy of risk management and internal control, provide useful and valuable constructive advice, and communicate effectively.
3. Is objective and free from undue influence.
As the PG states, this is closely linked with the first principle. But this one is more about the CAE being able to withstand any inappropriate pressure from management, whether it is in risk assessment, selecting which audits to perform, the staffing of those audits, or how the results are communicated.
While the PG includes some useful factors to consider, there are more:
- Who hires the CAE? Does the audit committee only consider candidates recommended by management?
- Who fires the CAE?
- Does the audit committee only approve the CAE’s compensation, or does it have a more active role?
- Who sets the budget for the IA function? Is the audit committee able to override any limitations by management?
- How strong is the relationship between the CAE and the executive team? How strong is the relationship with the audit committee?
- How effective and frequent are the in-person and other meetings with the members of the audit committee?
- What happens when management tries to interfere?
4. Aligns with the strategies, objectives, and risks of the organization.
The discussion in the PG is quite good.
- Internal auditors have a responsibility to add value to the organization they serve. One of the best ways to provide that value is to connect internal audit engagements to the risks that may have the greatest impact on the organization’s ability to achieve its objectives.
- … the CAE should consider the risks to achieving the organization’s strategic objectives.
- In response to changes in the organization’s business, risks, operations, programs, systems, and/or controls, the CAE must also review the plan and adjust it, even if that is necessary more often than annually.
- … internal auditors should have sufficient information to regularly update the internal audit activity’s organization wide risk assessment.
The Enablers and Key Indicators are again useful but incomplete. They omit:
- Few, if any, audits are performed where the focus is on sources of risk that are not strategic to the organization and its ability to achieve its objectives. That includes excluding from the scope of audits those sources of risk that are of concern only to middle or local management.
- The board and executive management support IA in a flexible risk assessment and audit planning process.
- Audits can be performed and the results communicated when management needs the information. That requires an agile and lean IA function that is responsive to changes in the business and its environment.
5. Is appropriately positioned and adequately resourced.
The key is in this discussion:
“Ideally, the CAE functionally reports directly to the board (i.e., the highest level of governance in the organization), which preserves independence by providing the CAE with unrestricted access to address sensitive matters, especially those involving management or senior management. Administratively, the CAE should report to the highest level of management, which is generally the CEO, or at least to a level that enables the internal audit activity to carry out its responsibilities.”
My earlier comments apply to this Principle as well, but:
- ‘Percentage of completion of internal audit plan’ is a very poor indicator of quality. A high percentage may indicate that the function is insufficiently flexible and is not adapting as conditions and risks change.
- Another key indicator in the PG is ‘Percentage of internal audit plan available for management requests.’ But every audit, including those at the request of management, should be prioritized based on enterprise risk and value. Best practice is not to allocate a percentage of the plan to management requests, but to have a flexible plan that includes such requests when justified.
- ‘Percentage of internal audit plan coverage dedicated to high-risk processes and entities’ is another key indicator in the PG, but not only should it be 100%, but every hour on every audit should be on issues that are of potential significance to enterprise objectives and success.
6. Demonstrates quality and continuous improvement.
This is clearly important and the traditional methods for measuring quality are discussed in the PG. I prefer to ask management and the board:
- Are we providing you with the information you need, when you need it, in a form that is actionable?
- Do you believe our team and our work product are as effective and valuable as they should be?
7. Communicates effectively.
The PG goes down a rabbit hole that was not envisaged by the task force. We were focused on communicating the results of our work, which should not be limited to the written report.
Meetings with management where a two-way discussion can be held, with questions asked and answered as necessary to build a common understanding of the situation, its condition, and what needs to be done, are far more important and valuable than a written report.
The written report needs to communicate:
- What the stakeholder in management or the board needs to know, rather than what IA wants to say.
- Whether there are issues of significance, defined as matters that represent an unacceptable level of risk to enterprise objectives.
- Whether senior management and/or the board need to act themselves, or at least monitor actions taken.
Anything more is potentially burying valuable information in a mountain of waste.
But the PG starts and spends most of its time on the communication of matters that may be important to some CAEs (not to me) but are not of significance to top management or the board.
8. Provides risk-based assurance.
Key here is to focus on enterprise risk, not risk to the objectives of a function or department. That is an area of the IIA’s Standards that needs to be updated.
The PG refers appropriately to the risk assessment and the maintenance of an audit plan that focuses on the risks of today and tomorrow to enterprise success.
But it fails to explain the word ‘assurance’.
Assurance should be one of the primary products of internal audit work.
Are management’s processes, systems, organization, and so on sufficient to provide reasonable assurance that the more significant risks to the success of the organization are at acceptable levels?
Saying that something is unacceptable, high risk, or low risk, is not providing the assurance stakeholders need. Provide the context and actionable information if the risk to objectives is unacceptable.
Is everything OK or not? If not, where and what needs to be done?
As noted earlier, the metric should be whether stakeholders believe IA is providing the information they need, when they need it.
I am reminded of a conversation I had with the chair of the audit committee at the first company where I was CAE. I asked him for his assessment of IA performance. His answer was:
“You help us sleep through the night.”
We gave him the assurance that he could rely on management to address the more significant sources of risk. Similarly, executives told me that we gave them that same necessary assurance, together with constructive and objective advice when any area, new or emerging, needed attention.
9. Is insightful, proactive, and future-focused.
Our focus on the task force was that internal audit should audit the risks of today and tomorrow, rather than those of history.
The organization is moving forward and reporting on the past only has value if it is relevant to decisions and actions today and tomorrow. That way of thinking is not reflected in the PG.
We included the wonderful word ‘insightful’ because we wanted internal auditors to loosen the shackles of the written report and share all their insights about the area audited with management. As noted earlier, in-person communication is an under-utilized tool.
There are insights that don’t belong in a formal report but can be shared more informally with management.
We are professionals and are entitled to share our professional insights and advice, even if the objective evidence may be lacking. All we have to say is that it’s our opinion, based on our experience and so on.
The PG goes down another rabbit hole when it links the use of analytics and other technology to being insightful, proactive, and future-focused. While they are wonderful tools that can help, the attitude of the auditor is what we are talking about – not the tools they may or may not use.
10. Promotes organizational improvement.
I agree with this:
“If the internal audit activity is implementing this core principle, management will consider the internal audit activity to be a business partner and a trusted advisor that helps it to achieve its objectives. Evidence of this relationship includes management proactively reaching out to the internal audit activity to request services. Additionally, stakeholder surveys issued by the internal audit activity may measure whether management finds value in a collaborative partnership with the internal audit activity.”
But the percentage of consulting engagements has nothing to do with quality performance. When audits identify issues, we should be working with management to agree on corrective actions that they then implement.
The PG is generally OK with its Key Enablers and Key Indicators, but I prefer seeing whether management believes we are contributing to their and the organization’s success.
Is the money spent on internal audit worth it?
The Core Principles are something that every internal auditor should understand and every CAE should assess the performance of their function against.
My guidance is in Auditing that Matters and I plan to provide more in the coming months.
I welcome your comments.