Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Standards Versus Rules

Recently, The IIA sent out a tweet which included an image with the phrase “We don’t just follow rules. We have standards.” While at first glance a simple statement, there are a number of important thoughts/concepts buried therein.

I think the primary point — the one that was meant to be made by including it in the tweet — is a reminder that internal auditors are professionals. A basic condition for any profession to be recognized as such is the existence of agreed upon standards that establish the baseline for professional behavior. That’s a major reason why The IIA’s IPPF exists. (That’s International Professional Practices Framework in case you didn’t know. And with that knowledge, you now also know why most of us just call it the Red Book or the Standards.) In other words, we don’t just follow a bunch of helter-skelter rules; we have principles-based standards that drive our professionalism.

I also think this little phrase serves as a great reminder to all internal auditors of the important difference between standards and rules. The former provides guidance; the latter provides specific steps to help ensure adherence to those standards. In other words, standards are the drivers; rules are just how we get to those standards.

And this all leads to another important reminder. We must keep the difference between standards and rules in mind with all aspects of our work — both in how we do the work we do, and how we review the work others do. Standards drive rules, not the other way around. The minute rules don’t make sense — the minute they are serving no purpose other than ensuring they are followed, the minute rules hinder the efficient and effective application of those standards — then the rule(s) should be ignored/abolished/forgotten.

All internal audit reviews should include evaluation of rules (procedures, etc.) for relevance and how well standards (objectives, etc.) are accomplished. This is foundational to one of the core principles in the Standards, that internal audit should “promote organizational improvement.” Doing nothing but ensuring rules are being followed provides limited value to our stakeholders. (Are you listening, compliance auditors?)

However, it is just as important for internal audit to practice what it preaches and evaluate everything it does under a similar lens. Every audit shop should take a close look at how it gets its work done — evaluate the policies and procedures being followed by the audit department — and ensure rules are established in furtherance of the Standards, not just to continue doing things the way they have always been done.

However, there is one more point/aspect about the phrase “We don’t just follow rules. We have standards.” Perhaps the most important one.

It is a statement of freedom.

What do I mean by that? I’ll explain that in my next post.
