Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Rules Versus Common Sense​​

Comments Views

I always enjoy facilitating The IIA’s “Beginning Auditor Tools and Techniques” seminar. Actually, I like facilitating all The IIA’s seminars, but the new auditor seminar has an additional element of enjoyment because it gives me the opportunity to warp young minds early in their … I mean … the new auditor seminar has an additional element of enjoyment because interacting with brand new auditors is a hoot. You want to force yourself to think about what it is we internal auditors really do for a living? Get in a room with a bunch of new auditors who are not afraid to ask the tough questions.

Invariably, there is one question that comes up again and again. “What do the Standards say we have to do about [blank]?” Fill in that blank with any of the myriad things we do to get internal audit work done.

After the third or fourth time the question comes up, they will usually cut themselves off and say, “I know, I know. Nothing.” Eventually they begin to realize that the Standards don’t lay out specific policies and procedures.

(Now, if they want to have a discussion about best practices, that is another thing.)

It may well be that one of the great takeaways for seminar participants is that the Standards are not rules. The IPPF provides guidance regarding the operation of a professional internal audit operation. They are minimum (required) expectations. They are not meant to be the policies and procedures that detail the daily activity within the operation. (That is why every audit shop needs its own procedure manual.)

And I can only hope that this takeaway leads to individuals who are willing to go back and ask serious questions about the way their internal audit department operates. I know far too many internal auditors who, while their brains are fully engaged in the work of reviewing other operations, just flat turn those brains off when it comes to the policies and procedures developed within their own departments.

The preceding is meant to build on my last post where I talked about a phrase I had seen regarding internal auditors. “We don’t just follow rules. We have standards.” I pointed out a few concepts within that statement, but I also ended by indicating that the most important concept within this phrase is that it is a statement of freedom.

Internal auditors are free … often more free than they realize.

We have the freedom to accomplish our work in the most effective and efficient manner available. We have the freedom to not be tied to outdated rules. We have the freedom to refrain from adhering to antiquated policies and procedures. We have the freedom to question what has been done and to not just accept the way things are because it is the way things are.

We have the freedom to quit doing things that do not make sense.

And yet, I encounter far too many internal auditors who seem to think that their policies, practices, and procedures are etched in cement — irrevocable writ for which noncompliance will result in the requirement to complete a petty cash audit, banishment into the accounting department, or some other penalty ever-so-slightly short of death.

The concept of standards vs. rules reinforces internal audit’s freedom to do work in the way that best accomplishes the objective of that work. It reinforces the freedom to not just do the work because the rules say it must be done that way.

Or, as a friend of mine used to put it, “Do the work with our brains sitting somewhere on the desk next to us.”

However, with all that being said, we do still have those standards out there — the part of the entire equation that is not to be messed with.

And, to be honest with you, I’m not sure I agree with every single one of them.

I guess we’re just stuck with them, right?

Then again …

We’ll talk about that next time.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • CIA-June-2021-Blog-1
  • CIA-LS-June-2021-Blog-2
  • Agents-of-Change-June-2021-Blog-3