Home > Risk > A new code sets back the status and practice of internal auditing

A new code sets back the status and practice of internal auditing

January 16, 2020 Leave a comment Go to comments

The Chartered Institute of Internal Auditors (the UK affiliate of the global Institute of Internal Auditors) is usually a thought leader, promoting and explaining best and leading internal auditing practices. For example, they have done excellent work on [enterprise] risk-based auditing.

But their latest publication, Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors steps backwards from the progress made by the IIA in its Definition and Core Principles.

Here are my more significant criticisms:

  1. The first and most important failure (and I mean just that) is when they define the Role and Mandate on internal audit:

“The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organization.”

The IIA’s Definition of Internal Audit is right when it says that internal audit should help the organization achieve its objectives.

Internal audit should help an organization both create and protect value.

Talking about protection and not the creation of value is a severe limitation of internal audit effectiveness. It implies that internal audit should not address whether:

    • Customers are billed the full price
    • The company takes full advantage of available vendor discounts
    • Management bids effectively for new business
    • Decision-makers are taking the right risks for success
  1. While risk management practitioners are beginning to recognize that effective risk management is far more than a review of a list of the more significant risks, the Code does not:

“It does this by assessing whether all significant risks are identified and appropriately reported by management to the board and executive management.”

  1. Quite disturbing is the fact that the antiquated notion of cyclical auditing is included in the guidance.
  1. The Code says that internal audit reports should focus on “significant control weaknesses”. The global IIA rightly explains that internal audit provides assurance; that is not the same as the Code’s emphasis on reporting weaknesses – it’s a great deal more! Internal audit reports should inform leadership whether the more significant ‘risks’ to the objectives of the company are being effectively managed, and that should include not only harmful ‘risks’ but the optimization of performance as well. Internal audit should explain which enterprise objectives might be affected by identified control weaknesses and by how much.

I have high expectations from this UK organization. I expect to see thought leadership that moves practices forwards. This moves them backwards and is a lost opportunity.

I welcome your opinions and comments.

  1. January 16, 2020 at 12:51 PM

    Norman, couldn’t agree more. It’s a document firmly set in the 20th century. How it ‘builds’ on the IIA Standards I don’t know. I don’t see how it adds to the Standards at all. As you say, there is no recognition of IIA reporting on the likely achievement of the organisation achieving its objectives. If IA want a seat round top table they are going to have to do better than this.

  2. January 16, 2020 at 5:46 PM

    Norman – I couldn’t agree more.The difference is subtle but profound. Protecting value takes auditors into business operations. Value creation lies in strategies. Let the first line of business protect value. Audit can only add value if it goes where the value is

  3. Roger Estall
    January 16, 2020 at 7:47 PM

    Norman, well spotted. This UK outfit gives a whole new meaning to the expression ‘thought leadership’. Hitherto we have assumed this bit of management-speak jargon referred to actions to help ideas and practice to progress but, demonstrating the perils of jargon and confected expressions, it also apparently means the opposite…..as in ‘follow me into the past’. Quite an achievement to claim what they have done here as ‘thought leadership’ – especially if claimed with a straight face!
    On a separate note, I got a bit lost with the comment ‘….whether the more significant ‘risks’ to the objectives of the company are being effectively managed, and that should include not only harmful ‘risks’ but the optimization of performance as well.’ If a ‘risk’ is ‘significant’ then it is a fair bet that it isn’t ‘being managed’ otherwise it wouldn’t be significant but instead would be as intended (and therefore unremarkable) I would have thought.
    And I couldn’t quite work out how non optimisation of performance isn’t ‘harmful’. After all, it’s the main killer of companies.
    I think this all further demonstrates the notion that the creation of any compound noun by either adding an adjective to ‘risk’ or adding ‘risk’ to a noun, results in something that has no practical meaning (setting aside that there is no agreement about what ‘risk’ means anyway)!

  4. January 17, 2020 at 1:47 AM

    Norman, I fully agree. To the extent this becomes the new norm, it is a serious set-back to the value of auditing and leveraging even current levels of artificial intelligence, it could be the beginning of the end of (human) auditing and become a rule/standard based automated process.

  5. Colin F Washington
    January 17, 2020 at 4:17 AM

    Yes! you are correct. Heaven forbid that the “Slick rick” type of CEO gets wind of this they could further compromise the integrity of the IA function.

  1. January 20, 2020 at 5:23 AM

Leave a Reply to Roger Estall Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: