GUEST BLOG
Editor’s Note: The views expressed here are the opinions of the author.
In March, the Institute of Internal Auditors released a draft version of an overhaul of its professional practice standards and framework, which is intended to guide the behavior and actions of internal auditors as they carry out their work. I encourage all internal auditors to read the newly released draft version of the Standards and provide your comments to the IIA before the exposure period ends late next month.
First, hearty and heartfelt congratulations are in order to both the IIA’s International Standards Board and the dedicated IIA staff for such a heavy lift in completely reworking the entire International Professional Practice Framework (IPPF) and for taking on the most expansive revision to the Standards that’s ever been attempted. More than two years of effort has resulted in a major re-envisioning of this important body of standards and guidance. What the IIA has labelled an “evolution” is arguably an even more aggressive change than that.
While the IIA has vigorously encouraged feedback, receiving critical reaction is not always easy to take, and digesting the volume of commentary is a daunting task. I know from first-hand experience. Participation on the Standards Board is a voluntary role, and the endless hours of discussion and debate these dedicated professionals have endured—not to mention the time and energy they will continue to expend—is a thankless task. So, on behalf of the thousands of practitioners around the world, thank you!
I come from a rather unique background to have a perspective on what we are looking at in the exposure draft of the Standards. I have not only been a chief audit executive for eight years, been on the IIA’s Global Board of Directors for two years, on IIA global volunteer committees (eight years), and been a senior member of the IIA staff (seven years), but I have also been an external service provider of outsourced and co-sourced internal audit services for two years. In addition to that, I have had direct responsibility for the IPPF as an IIA staff member and led the last round of revisions to the IPPF from a staff perspective (the IPPF Relook project). I’ve also been a member of the IIA and part of the profession for most of my 40-year career. That experience doesn’t automatically make my views and opinions right, of course, but it does allow for a rather unique perspective. It is probably also why I am so passionate about this topic. (And, in the interest of full transparency, why I may also not be completely objective.)
With this Open Letter to the IIA, my aim is, after studying the exposure document closely, to suggest some areas that the IIA rethink or reevaluate in its approach. I say rethink and reevaluate intentionally, as it is clear, knowing the deep experience of all the people who have worked on this, that much of what I raise are things that were likely already discussed and debated at great length. I would find it extremely unlikely that I am so smart or insightful as to come up with things that weren’t already considered. So, perhaps, this is a request to take a step back and reconsider these points in your deliberations with a fresh and objective perspective, in addition to the multitude of comments you will surely receive from others.
What I Like in the Draft Standards Update
First, the good. Here are some of the things that I like in the newly revised draft Standards:
- The organizing construct of using “Domains” (in the fashion of a COSO framework). This is a stellar organizing approach.
- The linking of every principle to a domain, and the linking of every standard to a principle. Doing this makes logical sense and adds much to the structure of the Standards as a whole.
- Addressing the concept of professional skepticism, and better addressing confidentiality.
- Including content on the need for an audit function, led by the CAE, to have a strategy, and a strategic plan.
- The effort to include content specific to the public sector. (While not fully robust in all places, this helps address some concerns of applicability for this important sector of members and practitioners and can only get more robust over time.)
My 10 Areas to Rethink
While this list might be taken as criticism, I hope it is instead viewed more as deliberative observation, similar to views in an opinion editorial (op-ed) in a newspaper. It is what auditors are trained to do: view what is and provide a view on how it could be better. Now, I don’t want to be prescriptive (or presumptive) by suggesting possible solutions, as those are best done in a two-way dialogue. But here are the things that I think should be rethought, and why:
1. Please rethink combining Standards and Guidance (referred to as Considerations for Conformance and what was previously Implementation Guidance) into one long document called Standards (when it is really a partial framework).
Why? – The document making up the Standards as proposed is over one hundred pages, and it includes guidance making it seem more like a framework than “Standards.” Not only is the document long, but it will create confusion as to what is “mandatory” and what is “optional” when the collective body is named “Standards,” not only for practitioners but for any outside parties looking at the Standards. The Standards should include what is mandatory to achieve conformance, and the rest should be in a separate, yet linked, document that guides how to implement the Standards. Standards should, though, include the domains, the principles, and the associated standards, as well as any other elements considered mandatory.
2. Please rethink the replacement of the Mission and Definition with solely a Purpose.
Why? – The Definition of internal audit, in its current form, has existed for more than 20 years. Absent the issue that the exact wording of this Definition has been codified into legislation and regulation around the world and there might be unintended consequences if it no longer actually exists as a formal part of the official Framework, I think most practitioners could live without the Definition. Importantly, however, the Definition is a definition of internal auditing, the verb of doing the work itself. The Mission, by contrast, was created and added to the Framework, to address the noun of why the function itself exists. Disappointingly, the proposed “Purpose” is a watered-down replacement to the Mission and the Definition and therefore is a less useful statement.
Some have suggested, and I agree, that the Purpose, as proposed, is not a robust, or even fully accurate, description of why internal audit exists. Personally, I’d prefer to tell my stakeholders what my “mission” is, rather than what my “purpose” is. And now that language would be gone, which is a major step backwards. Ideally, internal audit and internal auditing would have a Vision (what an aspirational future looks like), a Mission (how the vision would be pursued), and a Purpose (the reason for existence). I have proposed language for each of these three elements in social media and am happy to make them available for consideration. Given this is not about prescriptive solutions, I will not include that detail in this discussion.
3. Please rethink the abolishment of a separate, stand-alone Code of Ethics.
Why? – Better and more thoroughly addressing the elements of the current Code of Ethics into the Standards is a good move for many reasons. But that should not mean that a separate Code of Ethics should not still co-exist. I don’t think any internal auditor would recommend to their company that its code of ethics or code of conduct be subsumed into another much larger document such that it is no longer separately identifiable. Having members, certification holders, and certification candidates agree to, abide by, and uphold a Code of Ethics for internal audit professionals is an essential element of being a profession, and should not cease. A Code of Ethics, in my view, should be easily identifiable, succinct, clear and supported by the separate and more expansive set of Standards (as part of a larger Framework).
4. Please rethink the move to more rules-based language with the use, for example, of the words “must” and “ensure.”
Why? – The history of the Standards, absent one notable exception (the requirement for a quality assurance review (QAR) at least once every five years) has been intended to be principles-based (hence, the establishment and addition of the missing element, now expanded upon, of Principles to the Framework in 2017). Principle-based standards are desired and allow a profession to treat its constituents as professionals, introducing judgment and guidance to apply the Standards as it makes most sense in their environment.
It is why words like “must” and “ensure” were used more sparingly and intentionally to establish requirements in the currently existing Standards. In the proposed Standards, the words “must” and “ensure” have exploded in usage such that reading the entire document starts to feel much more like a rules-based set of Standards.
While the desire to raise the bar may have driven this approach, there are many unintended consequences from the overuse of these words. So, it would behoove The IIA to go back through the entire document and only use the word “must” when it is believed to be absolutely necessary. And, as well, to do the same for the word “ensure” since the act of ensuring something is not the same as taking proactive steps to provide reasonable assurance. In the current draft proposal, the word “must” is used over 300 times, and the word (or derivation of the word) “ensure” is used over 90 times, which is excessive and most likely not appropriate in many of the circumstances where it is used and hopefully not actually intended.
5. Please rethink the explicit creation of obligations for boards of directors as part of the Standards.
Why? – While the reason for doing this is fully understandable, it is outside of the IIA’s purview to create obligations for any party other than internal auditors. Guidance should create help, training should aid internal auditors, and advocacy should further the visibility of internal audit as to the role the board and audit committee need to play to have a fully functioning, viable, and independent quality internal audit function. But the IIA cannot and should not try to create obligations for the board and audit committee directly through mandatory Standards. The unintended consequences could include boards and audit committees questioning the authority of the IIA, wondering what else would be promulgated in the future without their direct input, and even some internal audit functions choosing not to try to conform to the Standards, as Principles and Standards that create obligations for the board of directors are a reach too far. Consider the converse: would the IIA believe it proper for other parties with no jurisdiction over internal audit to try to tell internal audit what it must do, however well intended that may be?
6. Please rethink trying to raise the bar so aggressively with so many new requirements.
Why? – It is very noble to try to raise the bar, so to speak, with the inclusion of a number of new requirements using “must” as part of Standards, but there comes a point where moving the bar too high will just leave too many functions behind. The unintended consequences could include many more functions not conforming to the Standards, some not bothering with QARs, and some intentionally just walking away from the Standards. Yes, raise the bar, but not so aggressively that it leaves too many behind. If the IIA still desires an aggressive move to raise the bar, create a pathway to get there or introduce gradations of acceptable maturity depending on size or complexity of the organization.
7. Please rethink creating the risk of a checklist mentality.
Why? – As I’ve talked with a number of CAEs who have thoroughly read the proposed Standards, one thing I hear often, and agree with, is that with so many things that feel more like rules (rather than principles) the consequence could be a checklist mentality. Internal audit functions may focus on all the “musts” and just create a checklist to tick off conformance with them. That would apply to performance of the work, a quality assurance and improvement program (QAIP), a readiness assessment, and a full QAR. This approach is not conducive to how a profession, with a set of principle-based Standards, should operate, and has been purposely avoided (or tried to be avoided) to date. The proposal, as it currently reads, elevates the risk of a checklist mentality to much greater heights and is not appropriate.
8. Please rethink the (inadvertent?) downplaying of the concept of “risk-based” plans and assessments.
Why? – Most practitioners have processes in place to emphasize driving their assessments, plans, and projects based on risk. Some are great at this, and for others it remains a work in progress. There are vestiges of old-school cyclical auditing and “do what was done last year” thinking, but much of that has gone away as the profession, at the macro level, continues to evolve. Yet, the goal of continuing to refine the efforts of internal audit to always focus on the highest risks of the organization and to the achievement of objectives remains a fundamental cornerstone of being able to add the most value and contribute to organizational success. So, why is the terminology about being “risk-based” much less present in the proposed mandatory elements of the Standards, as compared to the existing mandatory elements of the Framework? Perhaps it was just a drafting oversight, but being risk-based is an important cornerstone of effective internal auditing on the things that matter. Risk-based matters.
9. Please rethink certain things that are proposed as musts when they are better served as guidance (rules vs. principles).
Why? – Yes, this has been brought up a number of times in this letter already, but it is a critical point. Beyond the sheer abundance of the word “must,” there are at least a dozen easily identifiable “musts” that should not be requirements, as they are not appropriate in all circumstances. Some examples include: the use of ratings, making recommendations, and specifically making an explicit statement of conformance with the Standards in final engagement communications. These are perhaps ideas and practices that work in certain circumstances, applying the best judgment of the CAE to their environment, but they are not things that must be done.
10. Please rethink the implementation timeline.
Why? – If little to no change of notable substance results from the comments received and the Standards Board concludes to move forward with things much as has been proposed, these are significant changes, and more time may be necessary from when they are approved (late 2023) to when they are formally adopted and mandatory (2025). And, on the flip side, if the feedback and comments result in major revisions to what has been proposed, then more time will be needed to adopt and vet the changes, and a re-exposure would be likely necessary. So, regardless, the current proposed timeline might be too aggressive and might need to be reconsidered.
Fit for Purpose?
I have attempted to include many of the views I am hearing from others, as well as my own opinions and considerations, here in a call to action for the IIA and its Standards Board to rethink or reconsider a number of things. The Standards and the IPPF are critically important to the profession, and are, in most jurisdictions, standards that dedicated professionals follow and apply on a voluntary basis. Yet they are things we all take very seriously, as if they were required.
While they don’t have to be perfect, and never will be, the Standards that define the professional practice of internal auditing need to continue to evolve and always be fit for purpose. Absent reconsidering some, or all, of these points, it is my view that what we will have in the future, if the new Standards are adopted “as is,” will be less fit for purpose than what exists today.
To the IIA, to the Standards Board, and to every practitioner and governance overseer of internal audit out there, thank you for your dedication to this incredibly special profession, and for listening to this call to action.
I look forward to continued engagement on this critical evolutionary undertaking.
Hal Garyn is Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.
Excellent comments – the IIA did not really invite such a well thought out discussion and observations by focusing on a very granular and self-selected comment process. Your comments on other parties resonate particularly as a regulated entity; perhaps I am paranoid, but I would expect to see regulators interpreting much of what I think are meant as examples or best practices as requirements. I think this will have a negative impact on stakeholders and lead to excessive effort in some areas and stifle innovation in others, as there will be ‘one way’ to measure or manage a certain objective.
Thank you so much for your insight into the proposed IIA Standards. As a CAE in the public sector, I wholeheartedly agree with your assessments of the improvements that need to be made.
Thank you, Hal Garyn. Very apt. Absolutely agree with you, especially on the concept of “risk-based,” and the definition and mission of Internal Audit.
Hi Hal:
Thank you for your insightful and intelligent review of the proposed standards. You’ve captured many of my own thoughts, and I hope the IIA incorporates all of your recommendations.
Ultimately, there are many aspects of this revision that need a little more thought and refinement, particularly the inadvertent move away from auditor judgement and other potential unintended consequences, such as moving away from principles towards rote “musts.”
Thanks Hal! Your insights and leadership continue to be an important part of guiding the profession.
Tom Harris
Hal, I completely agree. I am also concerned that the draft standards are poorly written. The requirements are not uniquely identified, some requirements are considerations and some considerations are requirements. It does give the impression of having been edited.
Hal, as always a well thought through piece of work. Firstly, I want to join you in congratulating the IIA and specifically the International Standards Board on this brave move. Although not with all, I agree with most of your comments. The two statements I passionately agree with are numbers 6 and 8. More specifically in no. 6, your statement “create a pathway to get there or introduce gradations of acceptable maturity depending on size or complexity of the organization.” Like you, I have volunteered for the IIA for decades, and served two terms on the IASB. During my last term on the IASB, I wrote a white paper for the Board to consider proposing a “maturity level” of standards, basically proposing the “musts” being proportionate to the size and completion of the organisation.
Congratulations on a professional and diplomatic delivery of challenges to the draft. I admire your insight and delivery and thank you for this contribution to my own consideration for feedback to the IIA.