Recently, The IIA sent out a tweet which included an image
with the phrase “We don’t just follow rules. We have standards.” While at first
glance a simple statement, there are a number of important thoughts/concepts buried
I think the primary point — the one that was meant to be
made by including it in the tweet — is a reminder that internal auditors are
professionals. A basic condition for any profession to be recognized as such is
the existence of agreed upon standards that establish the baseline for
professional behavior. That’s a major reason why The IIA’s IPPF exists. (That’s International Professional Practices Framework in case you didn’t know. And
with that knowledge, you now also know why most of us just call it the Red
Book or the Standards.) In other words, we don’t just follow a bunch of
helter-skelter rules; we have principles-based standards that drive our
I also think this little phrase also serves as a great
reminder to all internal auditors of the important difference between standards
and rules. The former provides guidance; the latter provides specific steps to help
ensure adherence to those standards. In other words, standards are the drivers;
rules are just how we get to those standards.
And this all leads to another important reminder. We must
keep the difference between standards and rules in mind with all aspects of our
work — both in how we do the work we do, and how we review the work others do. Standards
drive rules, not the other way around. The minute rules don’t make sense — the minute
they are serving no purpose other than ensuring they are followed, the minute
rules hinder the efficient and effective application of those standards — then the
rule(s) should be ignored/abolished/ forgotten.
All internal audit reviews should include evaluation of
rules (procedures, etc.) for relevance and how well standards (objectives,
etc.) are accomplished. This is foundational to one of the core principals in
the Standards, that internal audit should “promote organizational improvement.”
Doing nothing but ensuring rules are being followed provides limited value to
our stakeholders. (Are you listening compliance auditors?)
However, it is just as important for internal audit to
practice what it preaches and evaluate everything it does under a similar lens.
Every audit shop should take a close look at how it gets its work done —
evaluate the policies and procedures being followed by the audit department —
and ensure rules are established in furtherance of the Standards, not just to
continue doing things the way they have always been done.
However, there is one more point/aspect about the phrase “We
don’t just follow rules. We have standards.” Perhaps the most important one.
It is a statement of freedom.
What do I mean by that? I’ll explain that in my next post.