We have new leadership of the IIA Standards Board. Patty Miller, former Chair of the Board of The IIA and a recently-retired internal audit services partner with Deloitte, took over as chair at the International Conference in July. She is supported by a board that is required to have at least 14 members, all of whom must have the CIA qualification and who in practice have diverse experience of the global practice of internal auditing.
Updating the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is always going to be a challenge. Perhaps the biggest question is whether the Standards should reflect current or leading practices. In other words, should they lead the profession to greater things, or codify practices only after they have become more broadly accepted?
Setting standards that are ahead of general practice is not easy. Obstacles can include obtaining sufficient votes from the Board members and positive feedback when the draft Standards are exposed for public comment.
But setting standards that lag behind generally accepted best and leading practice only encourages internal audit departments to remain laggards.
As Patty and a new Board (I assume there is some level of change among the members) consider their task, I would like to share my recommendations. In them, I will reference an excellent new guide from the Chartered Institute of Internal Auditors (CIIA, the UK affiliate of the IIA):
Effective Internal Audit in the Financial Services Sector (PDF).
This new set of recommendations is intended for organizations in the financial services sector, but is generally applicable to global organizations in any sector. I recommend the guide to every audit committee and CAE.
The composition of the IIA Standards Board should be public. Only the chair is named on the IIA website.
While the Standards should not be “bleeding edge,” they should at least follow leading edge practices such as those practiced and promoted by leaders of the profession.
The Standards should adopt the language of the CIIA in the guide mentioned above. It is acceptable for the Standards to mandate (through use of the word "must") inclusion in audit scope of certain areas such as code of ethics and IT governance. But the audit plan does not have to include everything that is in that audit scope. “Audit scope” means that it is an area subject to audit, and the CAE uses risk-based judgment to determine which areas to include in the audit plan. It is not acceptable for the Standards to mandate the assessment of specific areas (for example, see Standard 2110.A1 and A2, which mandate the assessment of code of ethics and IT governance, respectively); these may not represent high risk areas every year.
The Board should study why internal audit departments are failing to practice what is established as the role of internal auditing: evaluating and improving the effectiveness of risk management, control and governance processes (although I prefer that the order be governance, risk management, and related control processes). What are the barriers and what should be done to address them? For example, should there be a standard that says that it is the auditor’s responsibility to communicate to the board the absence of a risk management program? Should there be a clarification that, for example, a risk assessment be made of governance processes, in the same way as financial processes are assessed, before deciding which if any to include in the audit plan?
The Board should work with other IIA committees to understand why organizations that do not audit either risk management or governance processes are passing the IIA Quality Assurance Review. Is that a failure of the Standards, or is the QAR reviewer saying that these organizations comply with the Standards?
The Standards should mandate in clear language an audit plan that is designed to address the risks that matter to the achievement of objectives and creation of value by the organization as a whole. The Standards currently require a risk-based plan to identify engagements, but then a secondary risk assessment to determine areas of focus. The second assessment is not necessary if the risk-based plan includes an appropriate assessment of risks to the organization as a whole. The current Standards lead to audits of risks that are important to a location or business unit but not necessarily to the organization as a whole.
As required in the CIIA guide and by an increasing number of global standards, the IIA Standards should require “at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation’s risk profile.” This requirement is a common feature of national organizational governance codes and of regulator guidance for sectors such as financial services, and the time to mandate a professional opinion has come.
Finally, the Standards Board should perform a “gap analysis” between the recommendations in the CIIA guide (representing at least one view of leading practices) and the current set of IIA Standards. This should be one of the primary drivers of the work of the Board in coming months. The analysis should be supplemented by an assessment of the full set of Standards by the Board and Professional Issues Committee (the latter are tasked with providing enabling guidance on the Standards and leading practices). Each member should be asked to review and vote on each Standard, assigning a grade from “Current and effective — no change required” through “Out of date and needs revision/replacement.”
How would you advise the IIA Standards Board?
I welcome your comments.