Core Principles for Effective Internal Audit
The IIA released an update to its standards (specifically, the International Professional Practices Framework, or IPPF) at its recent International Conference, in Vancouver. They now include new Core Principles for the Professional Practice of Internal Auditing, as well as a Mission of Internal Audit statement.
This is how the principles are described:
The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission (see Mission of Internal Audit).
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
I was privileged to be a member of the task force (RTF), composed of leading internal audit practitioners from across the globe, which recommended that the IIA leave the definition of internal audit unchanged but add core principles and a mission statement. Taking the last item first, we recognize that each IA department will probably have its own mission statement, customized to its organization and charter. However, including a generalized mission statement in IIA guidance would be useful.
The RTF debated whether the IIA standards are rules-based or principles-based. We all felt that they are principles-based, so somebody asked what those principles are. After a lot of discussion, we developed ten that, after minor word changes, are the Core Principles listed above.
In August, I am joining with Paul Sobel in a free OCEG webinar to discuss World-Class Internal Auditing (based, in part, on my book of the same name). One of the questions we will each answer is which of the principles is our favorite. My choice will probably be “is insightful, proactive, and future-focused”. I explained why in a post last year, Auditing Forward.
But I might also choose “communicates effectively”. Here are a few excerpts from the book:
It is revealing that the IIA Standards do not require an audit report! Standard 2400, Communicating Results, simply says “Internal auditors must communicate the results of engagements.”
The audit report, I learned, is not a document that summarizes what we did and shares what we would like to tell management and the board.
Instead, it is a communication vehicle. It is the traditional way internal audit communicates what management and the board need to know about the results of our work.
The audit report is not for our benefit as internal auditors. It is not a way to document our work and demonstrate how thorough we were. It is for the benefit of the readers of the report, management, and (when I was CAE) the audit committee. It tells them what they need to know, which is typically whether there is anything they need to worry about.
I talked to my key stakeholders in management and on the audit committee and listened carefully so I could understand what they needed to hear after an audit was completed.
I heard them say that they wanted to know the answers to two questions:
- Is there anything they need to worry about?
- Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?
In other words, they wanted to manage by exception. They were going to trust internal audit and operating management to address routine issues; they didn’t want to waste their time (my expression; they didn’t actually use those words) on matters that didn’t merit their attention.
The traditional way to express an opinion in an audit report is through a rating scale, such as one that uses a three-point scale of Satisfactory, Needs Improvement, and Unsatisfactory.
I don’t believe that a rating scale conveys to the executive reader what they need to know.
If we are tasked with assessing controls over risks, we should not only be telling management whether the risks are being managed effectively but explain, in business language, the effect on corporate objectives.
My focus is always on providing each stakeholder with the information they need to run the business, when they need it, in a clear and easy-to-consume fashion.
Which are your favorite principles?
Do you agree with my thoughts on auditing forward and effective communications?
How does your internal audit department measure up to these principles?
Mission of Internal Audit: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.