"The intelligent have plans; the wise have principles." —Raheel Farooq
The world of internal auditing in the 21st century can be exhilarating, rewarding, nerve-wracking, exciting, and downright terrifying at times. The challenges that organizations face today make providing independent assurance to enhance organizational value anything but dull.
In looking back over more than four decades in this profession, I couldn't have imagined as a junior auditor at Trust Company of Georgia how radically the profession would change during my career. The junior auditor of today can leverage new technology to examine an enormous volume of data in minutes that once took days or weeks. She can dive into understanding and evaluating organizational culture, and wrestle with serious questions about data ethics, data privacy, and data protection. What radical changes await her over the next 40 years is impossible to say with certainty, except that they will occur.
The foundation that will enable us to navigate the changes to come is the International Professional Practices Framework generally and the Core Principles for the Professional Practice of Internal Auditing specifically. No matter what changes may impact the profession, we must stand on principles. We should never lose sight of the fundamental beliefs that drive our profession and our practitioners.
The recently published IIA Practice Guide "Demonstrating the Core Principles for the Professional Practice of Internal Auditing" provides excellent direction on embracing and demonstrating those Core Principles in all aspects of our professional lives. What's more, the guide identifies enablers and key indicators that chief audit executives (CAEs) can use to customize an approach to demonstrating the Core Principles in their audit teams.
While this blog post can't provide the depth and detail of the new practice guide, I'd like to address how the Core Principles drive home what we do. I'll look at Core Principles one through five in this post and six through 10 in a subsequent post.
Demonstrates integrity. The practice guide notes that integrity is the foundation of the other principles in The IIA's Code of Ethics, and I have often written that ethics are table stakes for great internal auditors. One sentence in the guidance captures this beautifully: "In simple terms, integrity means doing the right thing and providing honest, objective assurance and advice, even when doing so is uncomfortable or difficult and avoiding an issue might be easier." After all, as noted author Awdhesh Singh observed, "Principles are not meant so much for the easy times, as for the difficult times."
Demonstrates competence and due professional care. Internal audit's role in organizations continues to expand. The scope of work has grown far beyond simple assurance on financial reporting, which was the case when I started out. But we must remain true to the principle that requires our services be delivered with competence and due professional care.
There are two ways to approach this principle. The easy way is to view this as a mandate to never stray beyond areas where we have the necessary knowledge, skills, and experience to provide competent and effective service. Instead, we should challenge ourselves to view this as a mandate to expand our knowledge, skills, and experience commensurate to the demands of our organizations, while making sure we seek out competent advice and assistance in areas where we don't yet have that expertise.
Is objective and free from undue influence (independent). It is good to remind ourselves that objectivity and independence are not interchangeable words. The guidance provides a good definition: "Objectivity is an unbiased mental attitude that requires internal auditors not to subordinate their judgment on audit matters to others, and independence is freedom from conditions that threaten the ability of the internal audit activity to execute its responsibilities in an unbiased manner."
This principle applies to many aspects of our day-to-day work as practitioners, from who we report to administratively to how we disclose material facts when we report on engagements. The relationships we build with our boards, audit committees, CEOs, chief financial officers, chief information officers, and others also impact our ability to provide independent assurance. Ultimately, the CAE must ensure that internal audit's work is objective and independent, including any work from outside service providers that is relied upon by internal audit.
Aligns with the strategies, objectives, and risks of the organization. This principle is critical to showing how internal audit adds value to the organization. It should be obvious that internal audit's work should align with the risks that have the greatest impact on the organization. Indeed, providing "risk-based and objective assurance, advice, and insight" is part of The IIA's Mission of Internal Audit.
Is appropriately positioned and adequately resourced. This is one principle in which internal audit often focuses on only half the battle. Many CAEs are proficient at making their case for having the sufficient resources to execute the audit plan. However, too often we accept the status quo on reporting lines and other factors that can limit the effectiveness of the internal audit function. CAEs should regularly review the internal audit charter with the audit committee or full board and determine if changes in the audit function's scope of work or reporting lines are necessary to execute the organization's risk management strategy.
As I mentioned earlier, I will explore the remaining five principles — demonstrating quality and continuous improvement; communicating effectively; providing risk-based assurance; being insightful, proactive, and future-focused; and promoting organizational improvement — in my next blog post.
In the meantime, I urge you to review the new practice guide and genuinely examine how you are demonstrating those foundational beliefs and principles in your work.
As always, I look forward to your comments.