Professional standards are often interesting documents. Typically they offer a set of core principles that are intended to act as a beacon of light to guide behaviors and decision-making among the noble practitioners and workers who toil under the given occupation’s collective flag.
These professional standards or codes of conduct are generally well-intended, but in reality, they are almost always so over-worked by committees that they are written in a tortured language that is nearly unreadable and even harder to put into practice in daily working environments. On the other end of the spectrum, they may be too basic and “no duh” to offer any real insight. Either way, professional principles are mostly forgettable and offer very little to most professionals who must navigate difficult ethical dilemmas and workplace conundrums on a daily basis.
Many statements of professional core principles are just a list of a few nice words that sound good, but are almost meaningless in practice. Consider the American Institute of Certified Public Accountants’ “Values and Vision Statement,” which lists the principles of integrity, passion, innovation, and collaboration. Along with each is a statement that doesn’t provide much help in terms of how to live by them. Along with Innovation, for example, we get: “We are encouraged to challenge ourselves to take chances and apply creative ideas and approaches to all that we do.” I’m sure all the CPAs out there are feeling invigorated after reading that.
Multa Paucis
Professions that have done this well tend to boil down the message to a single memorable and powerful line made all the more important by being rendered in Latin. Doctors, for example, take the Hippocratic Oath of “primum non nocere,” or “first, do no harm.” Marines, Army Rangers, and other military groups use some form of, “Leave no man behind,” or in Latin, “nemo resideo.” Many police departments adopt some form of the phrase, “To protect and serve.”
My Latin is rusty and I don’t intend—nor would I ever be so bold—to offer an overarching phrase or motto that captures the essential mandate of internal audit in a few words. (Just for fun, though, if you have some ideas for one, please offer them in the comments section below! Extra points for Latin phrases.) But I do want to examine the core principles that are offered by internal audit professional associations.
IIA’s Core Principles
The Institute of Internal Auditors (IIA) offers a set of core principles in its Standards & Guidance — International Professional Practices Framework that is better than most. They are:
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives, and risks of the organization
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive, and future-focused
- Promotes organizational improvement
Still, some of these are fairly vague, redundant, or beyond the professional’s control. It’s hard to imagine, for example, an internal auditor who sets out to not communicate effectively or chooses not to be “adequately resourced.” Still, they serve as a decent set of reminders for internal auditors to behave in way that is ethical and effective and they are worth revisiting on a regular basis.
“How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission,” the IIA states in its introduction to the principles.
Interestingly, the last principle, “promotes organizational improvement,” is a watered down version of what was proposed in an earlier version of the principles, which was, “promotes positive change.” I’d argue that the earlier version was more powerful, as it evokes a bigger commitment to good than just incremental process improvement, as the resulting principle seems to suggest. It could even serve as that overarching principle that we mentioned earlier. Promote positive change, from the Latin, “ad promovere positivum mutatio.” Has a nice ring to it, right? I just hope Google Translate served me well.
An Alternative Set of Principles
My intention isn’t to criticize the IIA’s Core Principles, since as I mentioned they are better than most. And it could be worse; there could be no principles at all. As far as I know there are no core principles, for example, for compliance professionals. Michael Volkov, CEO of law firm Volkov Law Group, offers a pretty good set of stand-in principles in this article, “The Compliance Profession Needs to Adopt Professional Standards.”
I did recently come across a newly issued set of professional standards for internal auditors issued by the Institute of Chartered Accountants of India’s (ICAI) Internal Audit Standards Board. To be sure, the ICAI’s core principles borrow heavily from the IIA’s and some are identical. I do, however, think in some ways that it may be a more succinct, actionable, and a better-stated version, with clearly elaborated descriptions of what each principle means in practice. I’m not suggesting they are overall a better set of principles, just that they may offer some additional insights on the role of internal audit and the guidelines auditors should follow.
In the interest of finally fulfilling the promise made in the headline of this article, I will run thought them now, with some of the language provided by the ICAI and some of my own thoughts. First a full list, and then I will address each one.
- Independence
- Integrity and objectivity
- Due professional care
- Confidentiality
- Skills and competence
- Risk-based auditing
- System and process focus
- Avoiding participation in operation decision-making
- Sensitivity to multiple stakeholder interests
- Quality and continuous improvement
1. Independence
OK, this one is pretty straightforward, and while I prefer the IIA’s move to put integrity at the top of the list, I can certainly understand why independence might come in first in India, where corruption is high. Transparency International scores India just a 40 out of 100 on its Corruption Perception Index. Indeed, it’s often not the integrity of the internal auditors that interferes with a true assessment, but the integrity of those around the auditors trying to influence them. Retaining that independence often requires courage to stand up to others who may seek to influence audit findings. Internal auditors must also advocate for structures that help to maintain independence, such as reporting to the audit committee.
Also, with the continuing trend for internal audit providing more advisory and consulting work, independence has grown in importance. As internal audit does more work to shape risk-management, compliance, and governance structures, they must use care not to abandon independence. Internal Audit can’t compromise its ability to provide an unvarnished take on the processes and functions it audits.
As the ICAI so artfully puts it: “The internal auditor shall be free from any undue influences which force him [or her] to deviate from the truth. This independence shall be not only in mind, but also in appearance. Also, the internal auditor shall resist any undue pressure or interference in establishing the scope of the assignments or the manner in which these are conducted and reported, in case these deviate from set objectives.”
2. Integrity and Objectivity
Interestingly, the ICAI paired integrity with objectivity, rather than its more logical cousin of independence, where the IIA includes it. I think the point here is that objectivity is in the auditor’s control, while independence may not be. The idea is that acting with integrity includes bringing full objectivity to the internal audit process. That means not bowing to undue influence, avoiding conflicts of interest, and standing up to those who want auditors to look the other way—in other words, acting with integrity.
According the ICAI: “The internal auditor shall be honest, truthful, and be a person of high integrity. He [or she] shall operate in a highly professional manner and seen to be fair in all his dealings. He shall avoid all conflicts of interest and not seek to derive any undue personal benefit or advantage from his position.”