Core Principles for Effective Internal Audit

The IIA released an update to its standards (specifically, the International Professional Practices Framework, or IPPF) at its recent International Conference, in Vancouver. They now include new Core Principles for the Professional Practice of Internal Auditing, as well as a Mission of Internal Audit statement.

This is how the principles are described:

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission (see Mission of Internal Audit[1]).

  • Demonstrates integrity.
  • Demonstrates competence and due professional care.
  • Is objective and free from undue influence (independent).
  • Aligns with the strategies, objectives, and risks of the organization.
  • Is appropriately positioned and adequately resourced.
  • Demonstrates quality and continuous improvement.
  • Communicates effectively.
  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I was privileged to be a member of the task force (RTF), composed of leading internal audit practitioners from across the globe, which recommended that the IIA leave the definition of internal audit unchanged but add core principles and a mission statement. Taking the last item first, we recognize that each IA department will probably have its own mission statement, customized to its organization and charter. However, including a generalized mission statement in IIA guidance would be useful.

The RTF debated whether the IIA standards are rules-based or principles-based. We all felt that they are principles-based, so somebody asked what those principles are. After a lot of discussion, we developed ten that, after minor word changes, are the Core Principles listed above.

In August, I am joining with Paul Sobel in a free OCEG webinar to discuss World-Class Internal Auditing (based, in part, on my book of the same name). One of the questions we will each answer is which of the principles is our favorite. My choice will probably be “is insightful, proactive, and future focused”. I explained why in a post last year, Auditing Forward.

But, I might also choose “communicates effectively”. Here are a few excerpts from the book:

It is revealing that the IIA Standards do not require an audit report! Standard 2400, Communicating Results, simply says “Internal auditors must communicate the results of engagements.”

The audit report, I learned, is not a document that summarizes what we did and shares what we would like to tell management and the board.

Instead, it is a communication vehicle. It is the traditional way internal audit communicates what management and the board need to know about the results of our work.

The audit report is not for our benefit as internal auditors. It is not a way to document our work and demonstrate how thorough we were. It is for the benefit of the readers of the report, management, and (when I was CAE) the audit committee. It tells them what they need to know, which is typically whether there is anything they need to worry about.

………………….

I talked to my key stakeholders in management and on the audit committee and listened carefully so I could understand what they needed to hear after an audit was completed.

I heard them say that they wanted to know the answers to two questions:

  1. Is there anything they need to worry about?
  2. Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?

In other words, they wanted to manage by exception. They were going to trust internal audit and operating management to address routine issues; they didn’t want to waste their time (my expression; they didn’t actually use those words) on matters that didn’t merit their attention.

………………….

The traditional way to express an opinion in an audit report is through a rating scale, such as one that uses a three point scale of Satisfactory, Needs Improvement, and Unsatisfactory.

I don’t believe that a rating scale conveys to the executive reader what they need to know.

If we are tasked with assessing controls over risks, we should not only be telling management whether the risks are being managed effectively but explain, in business language, the effect on corporate objectives.

………………….

My focus is always on providing each stakeholder with the information they need to run the business, when they need it, in a clear and easy-to-consume fashion.

………………….

Which are your favorite principles?

Do you agree with my thoughts on auditing forward and effective communications?

How does your internal audit department measure up to these principles?

[1] To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

  1. July 26, 2015 at 4:12 AM

    Indeed, effectiveness matters most; that is the most important of the three (and more) E’s, including efficiency and economy. That becomes clear once we realize that we can be very efficient in ineffective (possibly stupid) pursuit. Effectiveness requires a clear purpose (i.e. strengthening Corporate Governance) and a clear perspective where it is assessed from (ideally the Board’s view). Serving two (or more) masters is one of the challenges in practice (…)

  2. B MURTHY
    July 27, 2015 at 5:42 PM

    Is there anything they need to worry about?
    Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?

    These two sentences sum up and articulate clearly the role of internal audit.

  3. Kaya Kwinana
    July 30, 2015 at 5:37 AM

    Earlier on it is said, “For an internal audit function to be considered effective, all Principles should be present and operating effectively.”

    Later, however, it says, “failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission.”

    Why not simply say “failure to achieve any of the Principles would imply that an internal audit activity was not effective” if the earlier statement is true?

  4. Thu Ly
    August 31, 2015 at 9:29 PM

    I like all principles as they are critical to IA practice. However, my concern is that we need to integrate fraud auditing into IA or an investigating unit under the CAE. This team comprises CFE, CFS or CISSP to take care of fraud investigation. If the resource is not available, it can be outsourced but not performed by the internal audit team. We need to be clear. I think that the reflection of fraud auditing into the IA will make a completeness of IA principles and the effectiveness of IA work.
