"Your [internal audit] mission, should you accept it," has been clarified by The IIA. A new and generalized mission statement was included in the update of the International Professional Practices Framework published at the recent IIA International Conference in Vancouver.
It is short and to the point:
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
While the text is short, there is a huge amount of meaning behind it — that's my opinion (I was a member of the RTF that developed it, but I don't have a monopoly on how it should be interpreted).
The definition of internal auditing has not been changed and is consistent (again, in my opinion) with the mission statement.
By the way, the RTF recognized that most internal audit departments will have a mission statement that is customized for their organization and charter. But, a general mission statement that organizations can use as a basis for their own should add value and is useful in helping stakeholders and practitioners understand the professional practice of internal auditing.
Deconstructing the mission statement:
- "Enhance and protect." I think this is interesting because while most internal auditors focus on preventing harm, we should also be concerned with our organization being able to optimize results. My favorite phrase these days is "take the right level of the right risks." An organization will not optimize results if it is over-controlled, overly cautious, and unnecessarily risk-averse.
- "Organizational value" talks to all the measures by which the success of the organization is measured; it focuses on macro, enterprisewide risks to the value of the organization, rather than the more traditional, micro-risk focus of internal auditors (when they focus on risks within business processes or at locations, instead of risks to corporate objectives).
- "Risk-based" speaks to the fact that we should be focused on the risks that matter to enterprise value and the achievement of corporate objectives.
- "Objective" is a subtlety: While auditor independence is important, our objectivity (in perception as well as reality) is critical. By the way, look at the new core principle of "is objective and free from undue influence (independent)." The need for internal audit to be free from undue management influence was recently highlighted in an IIA study that said many CAEs are pressured to change their audit reports.
- "Assurance" is the first word in the list of our end-products — as it should be.
- "Advice and insight" follow. The mission statement doesn't use the word "consulting" (which remains in the definition of internal auditing), but instead uses these better terms. "Advice and insight" speak to the need for internal audit to share all its professional thoughts and considerations so that management can make the best possible decisions. Think about this within the context of the core principle: "Is insightful, proactive, and future-focused."
What do you think?
Please consider my
separate post on the core principles.