We recently sat down with Norman Marks to talk about the recently proposed updated draft of the Institute of Internal Auditors’ professional practice standards. In March, the IIA released a draft version of an overhaul of its International Standards for the Professional Practice of Internal Auditing, generally referred to as “the Standards.” The framework intends to guide the behavior and actions of internal auditors as they carry out their work.
Marks, author of the blog, Norman Marks on Governance, Risk Management, and Audit, and the author of several books on internal audit, has some strong views on the proposed standards. Overall, he doesn’t hide the fact that he has many problems with what has been proposed, even while he agrees that there are plenty of improvements. The biggest issue for Marks, he says, is that they drift too far from a focus on risk-based auditing.
“I don’t think they are simpler, and at nearly 200 pages I don’t think they are streamlined,” says Marks. “I recognize that some really good people, many of whom are friends of mine and I have great respect for, put in a lot of work. I’m just surprised such good people have given us something that has gone backwards,” says Marks.
He also says there should be a more transparent process for airing comments and revising the draft. “They need to bring more people into the process,” he says. “I hope they realize it does need significant change. They need to come up with a second draft, not a final, a second draft for comment in the next six months.” 
I agree with the assessment of this draft. It has a tone of too much confrontation with management. Using words like “courage” implies that internal auditors are in a culture that must “overcome” management. The internal audit role is to inform management of risk and provide assurance that it has been addressed to the organization’s risk tolerance level but it is still management’s prerogative to address risk as they see appropriate. The wording feels like it was written from the perspective of the external CPAs of what they “wish” internal audit looked like. My read of the draft infers that if management doesn’t address risk the way internal audit recommends it is not acceptable and must be reported. That is confrontational. I am concerned that especially with small audit shops and in private businesses, this is going to push leadership to abandon the standards and implement their own “ideas” of what internal auditors should be which pushes us back to what it was in the 1980s.
Great insight. I haven’t had a chance to review the draft yet, but I know one issue for small IA departments is that requirements for peer reviews, etc are a burden on the IA staff available time. We have a one person audit director for a $700-million school district. Board members have yet to increase staffing, but they criticize all the time taken for either continuing education, or peer reviews vs audits. What that does is increase motivations to outsource internal audit due to the visible, non-audit work. I think the standards need to give a break to small departments, especially when staffed with CIA’s with over 20 years experience.