When the International Professional Practices Framework (IPPF) was updated in 2015 to include the Core Principles for the Professional Practice of Internal Auditing, it provided a significant opportunity to integrate and align these Principles into an internal audit activity's quality assurance and improvement program (QAIP). The challenge is how to do it in a practical and meaningful way that provides incremental value to the internal audit activity and its stakeholders. This is especially relevant in today's dynamic business environment, because demonstrating the effectiveness of Core Principles as a component of the QAIP supports the credibility and value of internal audit and promotes its role within the organization's governance structure.
The best way to integrate Core Principles into the internal audit activity's understanding of quality is to develop a concept and approach that is easy to understand, is adaptable to an individual organization, and provides insight into how effectively the Core Principles are being achieved. It also is important to understand how achieving Core Principles could be an integral component of the QAIP and an extension of the assessment process. Even though QAIP external assessments do not require auditors to evaluate conformance with the Core Principles, they are a mandatory element of the IPPF. As such, chief audit executives (CAEs) should have a perspective as to whether they are being achieved and a way to communicate that perspective to key stakeholders in a way that is easy to understand and can be monitored, measured, and reported over time.
Why Integrate the Core Principles?
Standard 1300: Quality Assurance and Improvement Program is designed to promote and support quality and continuous improvement in an internal audit activity. Internal and external assessment components provide a framework to ensure quality is embedded into internal audit processes and infrastructure. Communication of results to senior management and the board supports their fiduciary oversight of the internal audit activity. Achieving these Core Principles is a professional requirement. Embedding them into the QAIP is an effective way to ensure the internal audit activity is aligned with these mandatory IPPF elements or ensure that governance and oversight activities related to internal audit are consistent with successful practices and professional requirements.
How to Integrate the Principles
Quality standards require an evaluation of conformance with the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. It is assumed that if an internal audit activity is in general conformance with the Code of Ethics and the Standards, then it is achieving the Core Principles. As a result, even though Core Principles are mandatory, there is no mechanism defined to provide a CAE with a view toward whether the Core Principles are being achieved.
In fact, there are other characteristics that demonstrate whether an internal audit activity is achieving the Core Principles beyond conformance with other mandatory elements of the IPPF. The most appropriate mechanism to integrate Core Principles into the QAIP is to use a maturity framework to describe levels of maturity related to each principle. This can provide insight into achieving Core Principles efficiently using a combination of quantitative and qualitative characteristics to define maturity.
The QAIP provides quantitative characteristics to the maturity framework through its internal and external assessment requirements. Other qualitative characteristics that help describe placement on the maturity spectrum supplement the QAIP quantitative view. There are five steps that provide a roadmap for implementing a Core Principles Effectiveness Framework into a QAIP.
1. Establish a Maturity Framework
The Core Principles Effectiveness Framework (see "Core Principles Effectiveness Model" below) describes the infrastructure, process, and quality associated with differing levels of achieving effectiveness for the Core Principles. Progression along the maturity spectrum is a function of demonstrating characteristics associated with each level. Movement to a higher level of maturity assumes characteristics of all previous levels of maturity continue to be demonstrated. Placement on the maturity spectrum is a matter of professional judgment considering the "best fit" based on defined characteristics.
Effectiveness progresses from:
- An ineffective level – Infrastructure and processes supporting the internal audit activity are not well defined or operating effectively and there are many areas of partial or nonconformance with associated standards.
- A partially effective level – Infrastructure and processes supporting the internal audit activity are defined and operating effectively but there are areas of partial conformance within associated standards.
- An effective level – Infrastructure and processes supporting the internal audit activity are mature and there is general conformance with all associated standards.
- A sustainable level – Quality programs are focused on continuous improvement and general conformance with associated standards is demonstrated for at least two consecutive external assessments.
- World class – There is a drive and passion for continuous improvement using benchmark data and peer input, with external quality assessment taking place more frequently than once every five years with a focus on generating ideas for improvement.
Most organizations strive to be at an effective to sustainable level, as there are incremental costs associated with operating at a world-class level.
2. Map Core Principles With the Standards and Code of Ethics
Linking the Core Principles to associated professional guidance is the next critical step in the process. Without clear linkage, results of the QAIP, including internal and external assessment, cannot provide data for placement on the maturity spectrum. While linkage is subject to professional judgment, there are clear associations between the Core Principles and the Principles and Rules of Conduct in the Code of Ethics and the Standards. An example of linkage related to the Core Principle "demonstrates integrity" is shown in "Core Principles Mapping" below. This same linkage exercise needs to be conducted for all other Core Principles.
3. Define Characteristics of Maturity
Placement of a Core Principle onto the maturity spectrum requires that characteristics specific to that level of maturity be defined. There are three aspects to characteristics that should be defined for each level. Standards and QAIP characteristics define maturity in terms of level of conformance with the Standards and the extent to which conformance is validated through internal periodic assessment or external assessment elements of the QAIP. Infrastructure and process characteristics define maturity in terms of level of formality and sophistication within the internal audit activity. These characteristics also attempt to describe behaviors within the internal audit activity that support differing levels of maturity. The third category comprises those characteristics specific to a Core Principle and might include examples of infrastructure, process, conformance, or successful practices that are unique to that Core Principle. Characteristics build upon those described for the previous level of maturity and should provide a clear view and differentiation between the levels. When viewed in combination, these definitions provide a useful tool to facilitate the placement of a specific Core Principle onto the maturity spectrum. As with any maturity framework, placement on the spectrum is a "best fit" based on the judgment of the professional performing the assessment. "Demonstrates Integrity Characteristics," below, establishes the characteristics for the Core Principle, "demonstrates integrity." The Standards, QAIP, infrastructure, and process characteristics are the same for all Core Principles.
4. Perform Internal and External Assessment Consistent With Requirements of a QAIP
Evaluating the effectiveness of the Core Principles can only be accomplished when the results of the QAIP support placement of effectiveness within the maturity spectrum. A well-designed QAIP that includes internal and external assessment components and communication of those results provides the perfect platform for evaluation, placement, and communication of effectiveness. Ongoing monitoring of internal audit activity performance supports quality on an audit-by-audit basis. This is often supported by the definition, tracking, and reporting of key performance indicators (KPIs). The best way to monitor effectiveness is to identify Core Principles effectiveness as a KPI and report statuses related to maturity annually to senior management and the board. This further supports the board's fiduciary oversight responsibility of internal audit by providing insight into current and changing maturity levels for the Core Principles. Periodic internal assessment provides the opportunity to assess conformance with the Code of Ethics and the Standards to provide data associated with the defined characteristics, and is essential to provide insight into conformance in the periods between external assessments. An external assessment provides the perspective of an independent assessor or assessment team qualified in the practice of internal audit and external assessment related to levels of conformance. Frequency of external assessment is a factor in determining level of maturity.
5. Evaluate and Report Maturity Levels for Core Principles
Placement of maturity in the Core Principles Effectiveness Framework is a matter of professional judgment. Using a systematic and defined framework increases the likelihood that placement is appropriate and consistent with defined characteristics. A maturity framework provides the foundation and perspective to make reasoned and professional judgments regarding the levels of maturity for each Core Principle. From an organizational perspective, some principles might be more relevant than others in achieving objectives. Increasing the level of maturity and the resulting investment might be appropriate.
Aligning Internal Audit
The Core Principles established in the IPPF describe the essence of an internal audit activity. Incorporating an evaluation of Core Principles into the QAIP provides the perfect mechanism to demonstrate to stakeholders that this mandatory element of the IPPF is relevant to the practice of internal auditing in the organization and that the internal audit activity is aligned to their requirements. Using a maturity framework provides a context for this communication that is measurable and easy to understand. It also provides better insight into the activities that support the profession and can promote a deeper understanding of internal audit's role in the governance mechanism of organizations. As the Standards change, the Core Principle Effectiveness Framework is scalable and adaptable. Each Core Principle's defined characteristics can be adapted to organizations and modified over time as circumstances warrant.