
Advancing the Practice of Internal Audit

As I mentioned earlier, I was honored to be a member of the Re-Look Task Force that has proposed changes to the IIA’s standards framework (IPPF).

One of the changes is to introduce Core Principles for the Professional Practice of Internal Auditing.

The first nine are “motherhood and apple pie” restatements of what I hope we all know are necessary attributes of internal auditing, such as our integrity, resources, and ability to communicate. They are important to restate because, although they may be obviously necessary, they are not always present in practice.

For example, I continue to meet CAEs who don’t have sufficient resources to address more than a handful of critical risks. The most recent one I met has been charged with all the SOX work without being given the resources necessary to provide both his core internal audit assurance work and the consulting services necessary to manage the SOX program.

The three that I think will help advance the professional practice of internal auditing are the last three on the list (which should be the first three).

10. Provides reliable assurance to those charged with governance.

11. Is insightful, proactive, and future-focused.

12. Promotes positive change.

What is “assurance”? Our stakeholders need to know if the processes for governance, management of risk, and the related controls can be relied upon to manage critical risks at acceptable levels: whether they will enable the organization to take the right risks with confidence and achieve or surpass objectives.

They need our professional opinion.

I hope this principle will advance the practice of providing such an opinion, a formal one, to the board and top management.

A list of deficiencies is not assurance.

#11 is very interesting. Surveys continue to tell us that our stakeholders on the board and in executive management want more from us. In addition to focusing on the right risks (a deficiency in our practice according to recent PwC and KPMG surveys), they value our insight – what we can tell them about management processes and practices beyond what we might put in the audit report.

Our traditional role is to report on what has happened (and gone wrong) in the past – hindsight. We should instead help our organizations, their executive team and board, manage into the future.

This means moving from hindsight to foresight with insight into current and foreseeable conditions.

We should be proactive in looking at changes in business systems and processes, organizational structures and staffing, and more – providing consulting services to help ensure our future is one with adequate management of risk, including security and controls.

The great Canadian ice hockey player, Wayne Gretzky, was asked “What is the secret of your success?” His answer:

“I skate to where the puck is going to be.”

We need to audit where the risk is going to be.

The last principle talks about the need to do more than make a recommendation and let management respond. We need to promote positive change. I ask that you read and comment on my article in the August issue of the Internal Auditor magazine on “The Internal Audit Evangelist”.

In another article in the same issue, the author talks about his department achieving an acceptance rate of 84% on its recommendations. Management accepted and implemented 84% of internal audit recommendations.

My comment?

That is a 16% failure rate!

Where is the value when management only occasionally listens to us?

How will management see us if we frequently are unable to see business risks and needs in the same light as they see them?

There is zero value in recommendations.

There is only value in positive change.

We should work with management to ensure we agree on the facts, agree on the risk to objectives (specifying which are at risk), agree on whether that risk should be accepted or treated, and then agree and help them determine the best path forward.

If the great majority of internal audit departments are able to say that:

  1. We provide our stakeholders with the assurance they need to manage and direct the organization with confidence
  2. We provide insight into current conditions and our work is focused on the risks that will face the organization as it moves forward, and
  3. We work with management to effect positive change

the professional practice of internal audit will be one worthy of pride.

I welcome your thoughts and comments.

  1. August 9, 2014 at 8:42 AM

    Why is internal audit needed?
    – If it is required by law – but that doesn’t determine how much internal audit is required.
    – If it provides value – but that depends on the amount of value provided and to whom.

    I suspect that some management doesn’t find much value from internal audit, and might even find it intrusive. It is the board and its committees that really should benefit from internal audit. And it would help internal audit if regulators and other outside groups or organizations (proxy companies, perhaps?) started focusing some on the resources that companies are providing to internal audit – of course that might also lead to criticisms of internal audit itself.

    Initially I did not believe that the new principles were very impressive. Norman, I appreciate your comments above. I see that from internal audit’s viewpoint at least a couple of the principles are improvements and forward looking. This was a step that internal audit apparently thought it needed to make in a formal manner. But this should be just a step – the promotion of internal audit is behind the times and opportunities, and should accelerate.

    I have seen that there is a debate about just how far internal audit can go to not only audit but to also provide recommendations and improvements. Benefit added can be much greater with recommendations and improvements. It is for organizations like the IIA to determine how far internal audit can go with consulting, and making and perhaps designing recommendations and improvements, as long as internal audit isn’t auditing itself. For value added purposes internal audit should open up the opportunities for consulting, recommendations and improvements to the maximum extent that is deemed appropriate. Of course, the internal audit budget and personnel also need to be sufficient and qualified.

    Thanks Norman for all your work.

    Dave Tate, Esq. (San Francisco)

  2. Mike Corcoran
    August 9, 2014 at 7:51 PM

    Norman, I have no idea who was in this advisory group, other than, as discussed, it was chaired by the COSO Chair Bob Hirth, and the principles approach rings of COSO? You said you are one; who else? Why no disclosure in the document? Maybe I missed it.

  3. August 9, 2014 at 7:58 PM

    Need some transparency on this whole process and who is involved. I am shocked not to see who is involved described to the membership and published?

    Michael Corcoran Sent from my iPhone


    • Norman Marks
      August 9, 2014 at 8:44 PM

      Mike, the membership of the RTF was both global and impressive. The proposal was approved, I believe, by the IIA Board. Now it is time to see what the members have to say.

  4. August 9, 2014 at 8:19 PM

    Hi Norman,

    Whatever becomes reality from advancing the practice needs to include details on benchmarks for making documents an efficient reading experience. You could include this within the meaning of point 3: ‘We work with management to effect positive change.’

    • Norman Marks
      August 9, 2014 at 8:47 PM

      Ron, there are lots of training sessions on that topic. I personally don’t think we should have prescriptive standards as what will work in one environment may not work in others. In addition new ideas and technology arise all the time.

      Thanks for the comment. This would make a good Research Foundation subject.

      • August 9, 2014 at 8:51 PM

        Thanks Norman. Let me know if I can assist in that research and thank you for replying promptly.

  5. August 11, 2014 at 11:31 AM

    I work to change the actuarial fate of firms in the Information Security space. It turns out that the root causes upstream of fact-on-the-ground vulnerability fit cleanly in business process failures.

    If a transaction invites more liability than gain, a business should not want to do it faster with the aid of a computer. Is the flowing lost cash to pay for a breach the true upstream cause of a bad business process using a computer to bleed faster? If I cross check accountancy when a human goes on vacation, why do I skip cross checking computer automated accounting?

    One may say that of course the programmers checked the accountancy code on release. But post-release unplanned change to that code is a business process. First, internal projects that modified that code might normally QA that change. But did I turn the QA test interfaces off when I went into production? Did I effectively build a QA environment for an attacker on my production server? Did I then under-control the patching process of known vulnerabilities to prevent down time to production from immature change management processes?

    Is not the core reason to avoid patching vulnerabilities the risk of down time from immature change management? Is not change management a business control?

    But, why did I evade excellent change management controls? What if the IT Audit team insisted on implementing wasteful change management processes? Not that Change Management itself is wasteful, but there are wasteful forms of “How” to implement Change Management as opposed to “What” and “Why” to implement Change Management.

    Then, process waste in the “How” of Change Management, leads to reduced uses of Change Management in a form that makes an actuarial difference in the fact on the ground inventory of known InfoSec risk.

    Good IT Audit and efficient controls are essentially the upstream influence over the supply of vulnerable systems and untraced liable information flows. Changing the human controls over that process matters hugely for good or for fraud, waste and abuse.

    Now, there are other controls besides Change Management that influence the instantaneous inventory of Identifiable Vulnerability and at Risk Information Flows. But this is a single example where useful vs useless GRC makes a real difference.

    That difference matters more than a number on a scale from 1 to 5. In calibrated terms it easily influences the number of Security Incidents costing more than one million USD per incident to resolve. It can also influence the rate of successful exploitation per thousand staff.

    Effective and efficient human control processes are part of the picture; often these are upstream of the true instance of risk. Prevent the supply of vulnerable systems rather than prevent good GRC from helping. Excellent human processes without automated cross checks only tend to achieve 2 sigma standards of quality. Management should adopt 98% of your recommendations, or IT audit has a Six Sigma for Services quality control issue inside its processes.

  6. August 12, 2014 at 6:29 AM

    We really need new risk auditors to audit the risk management system based on achievement of objectives. Current auditors are traditionally trained to audit based on financial reports and do not think they have enough of a skill set to carry this new responsibility.

  7. Richard Fowler
    August 15, 2014 at 11:11 AM

    Norman, I agree with your assessment of the last three principles. As auditors, we should be able to (10) provide reliable assurance that is (11) insightful and future focused to (12) promote positive change. The only way to do this is to take the time to understand the processes we are auditing. We don’t need to be the technical experts on the process details, but we need to have a firm grasp of the business objectives for each step of the process. Only by relating an internal control issue back to the business function can we be sure of providing that positive assurance. Only by knowing how the business functions will we be able to tell how it can improve in the future. And only by discussing improvements in the business will we be able to demonstrate positive change.

  8. Ricardo Atencia
    September 11, 2014 at 3:02 PM

    These are definitely the changes (or a continuation for those who have already been making these changes) we need to advance our profession. Thanks for sharing!

  9. Oluseyi Oyedele
    June 5, 2015 at 12:54 AM

    I quite enjoy your blog. It’s insightful.
    However, I have a challenge with how we talk about risks in Internal Audit; it appears that we tend to want to be the risk manager as well as the auditor. We have a risk management function in our company and an internal audit function. Internal audit basically uses the output of risks identified by RM to plan its annual work, so that we can go where the puck is. Is this not good enough for internal audit?
    I think at times we tend to talk internal audit beyond its primary role and start laying emphasis on the consulting side. This tends to create some form of tension with RM. Our recommendations do provide positive change to the organization.

    I welcome your feedback.

    • Norman Marks
      June 5, 2015 at 7:01 AM

      Before internal audit can rely on the work performed by the risk management function, it needs to assess that function and its processes. When those are evaluated and found reliable, then the IA plan can be developed based on RM’s work. More has to be done to identify the required engagements, which may require assessing controls over selected risk sources (say, a sample of countries or locations contributing to the risk, or assessing in separate engagements the business and ITGC processes).

      I agree that IA has a valuable consulting side, but we should be careful about duplicating rather than encouraging the work of others.
