It was more than 40 years ago when the first internal audit standards were introduced. Since that time, the profession has matured immensely, and the proliferation of internal audit departments around the world has been remarkable. The standards have been revised and upgraded periodically and are now a critical component of The IIA's International Professional Practices Framework.
No true profession can exist without standards to which its members are held accountable. The Merriam-Webster dictionary defines a standard as "a level of quality, achievement, etc., that is considered acceptable or desirable . . . ideas about morally correct and acceptable behavior." It is in large part because of The IIA's International Standards for the Professional Practice of Internal Auditing that internal auditing is now widely viewed around the world as a profession.
Despite the accessibility of professional internal audit standards, there is plenty of evidence that conformance falls disappointingly short. The Internal Audit Foundation's 2015 Common Body of Knowledge (CBOK) study found that less than 35 percent of chief audit executives (CAEs) fully comply with The IIA's Quality Assurance and Improvement Program standards alone. While conformance with other standards was often much higher, we must recognize that we are only as strong as our weakest link. Even more troubling, the CBOK report noted that many CAEs who do not conform to the Standards do not disclose their nonconformance to their audit committees or other governing bodies.
I conducted a quick poll on Twitter in anticipation of this blog post and found that only 57 percent of respondents asserted full conformance with the Standards.
Internal auditing's quest to be recognized as a profession is, quite frankly, imperiled by the troubling level of nonconformance to professional standards. As the CBOK report noted:
Some people believe that internal auditing will not universally be considered a true profession until internal auditors not only have mandatory professional standards, but also begin to apply and follow those standards consistently.
Beyond the lofty rhetoric about the profession, conformance with internal audit standards has a direct impact on the effectiveness and stature of every internal audit department. CAEs who don't ensure conformance to the Standards are putting themselves and their departments at risk. The CBOK report found that, "Compared to other CAEs in the CBOK study, those reporting conformance to professional standards related to internal audit quality:
- Were more likely to report functionally to a board, audit committee, or equivalent.
- Were more likely to have complete and unrestricted access to information as appropriate for the performance of audit activities.
- Worked in organizations with more highly developed risk management processes.
- Used a wider variety of resources to develop audit plans.
- Made more use of technology in internal audit processes.
- Were more likely to have documented procedures in an internal audit manual.
- Received more hours of training and were more likely to have formalized training programs.
- Were more likely to report that funding for the internal audit function was 'completely sufficient.'"
During my career, I have led scores of quality assessments of internal audit departments — from two-person government functions to Fortune 500 company audit departments with hundreds of internal auditors. I can say without equivocation that there was a direct correlation between conformance to standards and how the CAE and the department were perceived and valued by their stakeholders. Those CAEs who didn't ensure conformance typically didn't fully deliver on stakeholder expectations.
Departments that were not in conformance often generated audit results that were not risk-based, timely, or accurate. CAEs who presided over these departments were not "trusted advisors" and would acknowledge that "the phone never rings" with inquiries or requests from stakeholders.
While nonconformance or selective conformance to internal audit standards may prove expedient in the short term, it can be disastrous as a long-term strategy. Indeed, in today's volatile and dynamic economic environment, stakeholders demand the high performance associated with internal audit functions that conform to standards. Those who do not deliver are doomed to be marginalized in their organization, or worse.
My advice to CAEs who don't conform: Reform.
I welcome your thoughts.