Nearly half of the internal auditor respondents to the Thomson Reuters Accelus State of Internal Audit Survey 2014 indicate that assessment of their organization’s culture is not an area of focus, and more than one-fourth have no involvement in the assessment of corporate governance. Additionally, they say they do not consider either whistleblowing or customer outcomes a priority. How can this be if internal auditors are knowledgeable about, and performing work in accordance with, our profession’s International Standards for the Professional Practice of Internal Auditing (Standards)?
We are all most likely focused on risk-based internal audit planning, continually assessing the risks to our organizations. In fact, according to Standard 2010: Planning, we are obligated to develop a risk-based plan — based on the risk assessment and input from senior management and the board — consistent with our organization’s goals.
To meet this standard, it would follow that we should include assessments of both governance and culture, two key drivers of the overall level of risk in our organizations, in our planning. Standard 2060: Reporting to Senior Management and the Board includes reporting on governance by the CAE. Standard 2110: Governance more specifically includes internal audit’s obligation to assess governance and make recommendations for its improvement. Part of that standard calls for internal auditors to assess whether governance accomplishes the objective of promoting appropriate ethics and values (i.e., culture) within the organization.
Two facets of Standard 2110 (A1 and A2) are particularly important when considering two risks many organizations face. A1 calls for an evaluation of the effectiveness of ethics-related objectives, programs, and activities. A compliance and ethics program can significantly mitigate regulatory compliance risk, which is important in a time of increased regulatory scrutiny.
The evaluation should include support for the program, risk assessment, policies and procedures, communication and training, and monitoring and audit procedures. The whistleblower or anonymous reporting mechanism is another important part of the overall evaluation of the program.
As a subset of the overall compliance and ethics program, internal audit should look at the compliance elements in place to protect the organization from the risks of bribery and corruption, antitrust violations, and breaches of other regulatory compliance requirements. Standard 2110.A2 calls for an assessment of whether IT governance supports the organization’s strategies and objectives. Given the significant risks organizations face related to the protection of their own and customers’ data, and to ensuring business continuity, the evaluation of IT governance should be in internal audit’s plans.
Unfortunately, although compliance with Standards 1300 through 1321 can help internal audit demonstrate compliance with the Standards as a whole, conformance with these quality program standards themselves remains the lowest of any area, according to The IIA Research Foundation’s Common Body of Knowledge study. Some audit functions have been built by individuals whose knowledge of the Standards is limited, and whose only stated objective is to assess the quality of the audit program. A lack of detailed understanding of the Standards may explain some of the gaps in areas of focus in the survey results noted previously, as well as the past overemphasis on financial controls and compliance. It is ironic that, through the process of implementing the quality standards, auditors become familiar with all of our general professional obligations under the Standards.
According to Standard 1300: Quality Assurance and Improvement Program, the CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Standard 1310: Requirements of the Quality Assurance and Improvement Program states that the program must include internal as well as external assessments. The internal assessment (Standard 1311) must include ongoing monitoring of the internal audit activity, as well as periodic self-assessment. Ongoing monitoring may include project checklists, supervisory oversight, peer reviews, and client surveys. Self-assessment may be satisfied by listing each standard and checking for compliance. Standard 1320: Reporting on the Quality Assurance and Improvement Program requires a report on the program to senior management and the board, which gives the CAE some unique opportunities. Results may be used to support the need for additional internal resources, or to demonstrate that the function is in full compliance with the Standards.
Our Standards are continuously reviewed and revised; however, they remain general enough to ensure fit regardless of size, industry, or geography. Compliance with the Standards demonstrates the commitment to integrity, quality, and professionalism we share as members of the internal audit profession.