Advancing the Practice of Internal Audit
As I mentioned earlier, I was honored to be a member of the Re-Look Task Force that has proposed changes to the IIA’s standards framework (IPPF).
One of the changes is to introduce Core Principles for the Professional Practice of Internal Auditing.
The first nine are “motherhood and apple pie” restatements of what I hope we all know are necessary attributes of internal auditing, such as our integrity, resources, and ability to communicate. They are important to restate because although they may be obviously necessary, they are not all always present in practice.
For example, I continue to meet CAEs who don’t have sufficient resources to address more than a handful of critical risks. The last has been charged with all the SOX work without being given the resources necessary to provide both his core internal audit assurance work and the consulting services necessary to manage the SOX program.
The three that I think will help advance the professional practice of internal auditing are the last three on the list (which should be the first three).
10. Provides reliable assurance to those charged with governance.
11. Is insightful, proactive, and future-focused.
12. Promotes positive change.
What is “assurance”? Our stakeholders need to know if the processes for governance, management of risk, and the related controls can be relied upon to manage critical risks at acceptable levels: whether they will enable the organization to take the right risks with confidence and achieve or surpass objectives.
They need our professional opinion.
I hope this principle will advance the practice of providing such an opinion, a formal one, to the board and top management.
A list of deficiencies is not assurance.
#11 is very interesting. Surveys continue to tell us that our stakeholders on the board and in executive management want more from us. In addition to focusing on the right risks (a deficiency in our practice according to recent PwC and KPMG surveys), they value our insight – what we can tell them about management processes and practices beyond what we might put in the audit report.
Our traditional role is to report on what has happened (and gone wrong) in the past – hindsight. We should instead help our organizations, their executive team and board, manage into the future.
This means moving from hindsight to foresight with insight into current and foreseeable conditions.
We should be proactive in looking at changes in business systems and processes, organizational structures and staffing, and more – providing consulting services to help ensure our future is one with adequate management of risk, including security and controls.
The great Canadian ice hockey player, Wayne Gretzky, was asked “what is the secret of your success?” His answer:
“I skate to where the puck is going to be”
We need to audit where the risk is going to be.
The last talks about the need to do more than make a recommendation and let management respond. We need to promote positive change. I ask that you read and comment on my article in the August issue of the Internal Auditor magazine on “The Internal Audit Evangelist”.
In another article in the same issue, the author talks about his department achieving an acceptance rate of 84% on its recommendations. Management accepted and implemented 84% of internal audit ratings.
That is a 16% failure rate!
Where is the value when management only occasionally listens to us?
How will management see us if we frequently are unable to see business risks and needs in the same light as they see them?
There is zero value in recommendations.
There is only value in positive change.
We should work with management to ensure we agree on the facts, agree on the risk to objectives (specifying which are at risk), agree on whether that risk should be accepted or treated, and then agree and help them determine the best path forward.
If the great majority of internal audit departments are able to say that:
- We provide our stakeholders with the assurance they need to manage and direct the organization with confidence
- We provide insight into current conditions and our work is focused on the risks that will face the organization as it moves forward, and
- We work with management to effect positive change
the professional practice of internal audit will be one worthy of pride.
I welcome your thoughts and comments.