Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

A New Mission for Internal Audit

"Your [internal audit] mission, should you accept it," has been clarified by The IIA. A new and generalized mission statement was included in the update of the International Professional Practices Framework published at the recent IIA International Conference in Vancouver.

It is short and to the point:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

While the text is short, there is a huge amount of meaning behind it — that's my opinion (I was a member of the RTF that developed it, but I don't have a monopoly on how it should be interpreted).

The definition of internal auditing has not been changed and is consistent (again, in my opinion) with the mission statement.

By the way, the RTF recognized that most internal audit departments will have a mission statement that is customized for their organization and charter. But, a general mission statement that organizations can use as a basis for their own should add value and is useful in helping stakeholders and practitioners understand the professional practice of internal auditing.

Deconstructing the mission statement:

  • "Enhance and protect." I think this is interesting because while most internal auditors focus on preventing harm, we should also be concerned with our organization being able to optimize results. My favorite phrase these days is "take the right level of the right risks." An organization will not optimize results if it is over-controlled, overly cautious, and unnecessarily risk-averse.
  • "Organizational value" talks to all the measures by which the success of the organization is measured; it focuses on macro, enterprisewide risks to the value of the organization, rather than the more traditional, micro-risk focus of internal auditors (when they focus on risks within business processes or at locations, instead of risks to corporate objectives).
  • "Risk-based" speaks to the fact that we should be focused on the risks that matter to enterprise value and the achievement of corporate objectives.
  • "Objective" is a subtlety: While auditor independence is important, our objectivity (in perception as well as reality) is critical. By the way, look at the new core principle of "is objective and free from undue influence (independent)." The need for internal audit to be free from undue management influence was recently highlighted in an IIA study that said many CAEs are pressured to change their audit reports.
  • "Assurance" is the first word in the list of our end-products — as it should be.
  • "Advice and insight" follow. The mission statement doesn't use the word "consulting" (which remains in the definition of internal auditing), but instead uses these better terms. "Advice and insight" speak to the need for internal audit to share all its professional thoughts and considerations so that management can make the best possible decisions. Think about this within the context of the core principle: "Is insightful, proactive, and future-focused."

What do you think?

Please consider my separate post on the core principles.
