The international IIA has thought about updating its international standards again (or is consulting to do so). See on the IIA’s website Proposed Enhancements to the Institute of Internal Auditors International Professional Practices Framework (IPPF) (4 August 2014). Or has it? The document states:
The RTF is not proposing changes to the content or ongoing relevance of the following IPPF elements: The Definition of Internal Auditing; The Code of Ethics; The International Standards for the Professional Practice of Internal Auditing (Standards); Currently existing guidance (Practice Guides/Practice Advisories/Position Papers).
So if none of this is changing – what is? Well the ‘enhancements’ include the introduction of a new mission statement for internal audit; codification of the status of advisories, guidance and position statements within a framework and nomenclature; and the setting out of core principles for the practice of internal auditing.
So let’s consider these in turn. The mission statement seems like a good place to start. The mission of internal audit is stated as:
“TO ENHANCE AND PROTECT ORGANIZATIONAL VALUE BY PROVIDING STAKEHOLDERS WITH RISK-BASED, OBJECTIVE AND RELIABLE ASSURANCE, ADVICE AND INSIGHT.”
This all seems sensible. It is intuitive, it is helpful. Is it internal audit though? What is unique to audit as opposed to, say, IT, marketing or HR? I guess the assurance and the objectivity. I think the one missing component is ‘independent’, for this marks IA out from any other professional function in any organisation. It is nice, for once, for internal audit to be defining itself in positive terms, i.e. what it can do, not what it cannot. My post Whistleblowing; Another thing internal audit cannot do? takes issue with the profession’s propensity to be defined in negative terms.
So let’s consider the principles – thank goodness that the profession has gone down a principles rather than rules based approach. So what are they? As stated in the IIA paper they are:
- Demonstrates uncompromised integrity.
- Displays objectivity in mindset and approach.
- Demonstrates commitment to competence.
- Is appropriately positioned within the organization with sufficient organizational authority.
- Aligns strategically with the aims and goals of the enterprise.
- Has adequate resources to effectively address significant risks.
- Demonstrates quality and continuous improvement.
- Achieves efficiency and effectiveness in delivery.
- Communicates effectively.
- Provides reliable assurance to those charged with governance.
- Is insightful, proactive, and future-focused.
- Promotes positive change.
Let’s take these in turn. 1) Yes, that’s fine, but integrity is not a binary, digital thing. It can be a matter of judgement. I’m not sure how you would qualify it and at a principles level it may not make sense to qualify it. I do think this will need some form of view underpinning it.
2) Yes fine. I agree with the mindset bit. This is not just about silly rules of can’t review things previously looked at or lines of reporting etc. It is about mindset and then the application of this mindset.
3) This one is problematic. Being committed to competence sounds weak. Even a poor performer can be committed to competence. Also what is competence? Context dependent or context independent knowledge of the area being audited, or the ability to audit the area, i.e. a competent auditor. I think this needs a) strengthening, to be more definitive, and b) being clearer about what competence means.
4) Yes I agree. I would change authority to be seniority or position. Otherwise there are issues of being ‘in authority’, i.e. in an executive role, which is a no-no for a CAE.
5) I sort of get what this means but am unclear what it means in detail, and whose definition of strategy. The CEO’s? The Board’s? What if their strategy is to be amoral or unethical, should the CAE align to them or be independent? Perhaps better to say support ‘work towards the enterprise’s reasonable business objectives’? Also the enterprise word is used here when organisation is used elsewhere. I would use one or the other throughout.
6) Hmm – another one that is difficult. It is difficult to define significant and adequate in this context. Again it might be one that needs thinking about at a level below principles. The principle makes sense though.
7) 8) 9) Yes fine. They all need clear definition, but as principles they make sense.
10) This one is more challenging. Does IA always provide assurance to those in charge of governance? I would argue, sometimes it is funders, or regulators or ultimately taxpayers. Perhaps this needs the addition of ‘and relevant stakeholders’?
11) Yes – sounds like a bit of a utopian comment that is difficult to argue with. Future focused could be more carefully phrased as ‘risk rather than issue focused’. This is probably the most helpful for me in my job, as the temptation is to get wrapped up in current ‘crises’.
12) Yes – as a principle it is difficult to argue with. I think this needs to be more specific though. Perhaps positive organisational change?
So, all in all, the ‘motherhood and apple pie’ principles are fine. They need some tweaking and working through at a layer below principles, but they make sense.
So this leaves the nomenclature changes for guidance and supporting advisories. Yes this makes sense. First to establish a change from mandatory and strongly recommended to required and recommended. It is either something that should be done or not. I would suggest the fewer items that fall into mandatory, the better. We can all interpret principles in a meaningful manner in our contexts and should do so if we are to make the change the principles require.
The removal of position statements from the guidance, either category, is helpful. Particularly as the IIA has a habit of getting unhelpful (read wrong) answers in these (see my recent post Whistleblowing; Another thing internal audit cannot do? about the UK IIA’s view of whistleblowing activities). The proposition is that these are aimed outside of the profession at its stakeholders. Why? What if a CAE makes a complex judgement to adopt x or y position and this reasoned professional decision is contrary to the position statement? I think all guidance should be aimed at the profession, as the profession has the right skills to adopt, amend or discount the position as shown.
As for the clarity over which guidance is mandatory or not, I welcome the retraction of mandatory to apply to the IPPF, definition and ethics only. Internal audit is not a right and wrong profession and the fewer rules that are set down, the better. It is also consistent with the principles-based approach adopted (now we have principles!).
So overall, I think the profession’s guidance and framework are much clearer following this paper, and I welcome the principles, as they firmly establish a principles-based approach. I recently disagreed with Professor Andrew Chambers over the rules versus principles issue (see Internal Audit: Where are we now?) and I think the IIA here has been supportive of my principles-based approach.
So how would I encapsulate these changes – well not much change really. A mission that is common sense; a tidied up framework for guidance; both underpinned by clearly articulated principles. Has this changed my audit world? No, not really, but at least the profession is resisting ‘pseudo scientification’ and adopting a principles based approach to life. We occupy a wide ranging, complex, and ever changing position in most organisations and I think these approaches should allow space for the profession to evolve.