I always enjoy facilitating The IIA’s “Beginning Auditor
Tools and Techniques” seminar. Actually, I like facilitating all The IIA’s
seminars, but the new auditor seminar has an additional element of enjoyment because
it gives me the opportunity to warp young minds early in their … I mean … the new
auditor seminar has an additional element of enjoyment because interacting with
brand new auditors is a hoot. You want to force yourself to think about what it
is we internal auditors really do for a living? Get in a room with a bunch of
new auditors who are not afraid to ask the tough questions.
Invariably, there is one question that comes up again and
again. “What do the Standards say we have to do about [blank]?” Fill in that blank
with any of the myriad things we do to get internal audit work done.
After the third or fourth time the question comes up, they
will usually cut themselves off and say, “I know, I know. Nothing.” Eventually
they begin to realize that the Standards don’t lay out specific policies and
(Now, if they want to have a discussion about best practices,
that is another thing.)
It may well be that one of the great takeaways for seminar participants
is that the Standards are not rules. The IPPF provides guidance regarding the
operation of a professional internal audit operation. The Standards are minimum
(required) expectations. They are not meant to be the policies and procedures
that detail the daily activity within the operation. (That is why every audit
shop needs its own procedure manual.)
And I can only hope that this takeaway leads to individuals
who are willing to go back and ask serious questions about the way their
internal audit department operates. I know far too many internal auditors who,
while their brains are fully engaged in the work of reviewing other operations,
just flat turn those brains off when it comes to the policies and procedures
developed within their own departments.
The preceding is meant to build on my last post where I
talked about a phrase I had seen regarding internal auditors. “We don’t just
follow rules. We have standards.” I pointed out a few concepts within that
statement, but I also ended by indicating that the most important concept
within this phrase is that it is a statement of freedom.
Internal auditors are free … often more free than they
We have the freedom to accomplish our work in the most
effective and efficient manner available. We have the freedom to not be tied to
outdated rules. We have the freedom to refrain from adhering to antiquated policies
and procedures. We have the freedom to question what has been done and to not
just accept the way things are because it is the way things are.
We have the freedom to quit doing things that do not make
And yet, I encounter far too many internal auditors who seem
to think that their policies, practices, and procedures are etched in cement — irrevocable
writ for which noncompliance will result in the requirement to complete a petty
cash audit, banishment into the accounting department, or some other penalty ever-so-slightly
short of death.
The concept of standards vs. rules reinforces internal audit’s
freedom to do work in the way that best accomplishes the objective of that work.
It reinforces the freedom to not just do the work because the rules say it must
be done that way.
Or, as a friend of mine used to put it, “Do the work with
our brains sitting somewhere on the desk next to us.”
However, with all that being said, we do still have those
standards out there — the part of the entire equation that is not to be messed
And, to be honest with you, I’m not sure I agree with every
single one of them.
I guess we’re just stuck with them, right?
Then again …
We’ll talk about that next time.