Norman’s Principles for Effective Internal Auditing

November 11, 2021

I am in the midst of writing a new book and decided I needed to define my core principles for effective internal auditing.

I know the IIA has defined core principles (I was part of that effort), but they include aspects like independence which is more about how internal audit functions rather than what they need to do.

I would very much appreciate your review and comments/criticisms of these:

  • Provide the Audit Committee and management with the assurance, advice, and insight they need on what matters now and will matter in the future to the success of the business.
  • Provide the actionable information they need when they need it.
  • Be agile and efficient in both planning and execution of every audit engagement.
  • Focus on what matters and exclude from scope anything that does not matter.
  • Write (and otherwise communicate) for the time-limited, speed-reading executive. Don’t waste anybody’s time but get the message across and drive action!
  • Work with management[1] to ensure they can rely on their processes, systems, organization, and controls as they direct and manage the company to achieve its objectives.
  • Measure the success of internal audit by the success of the company, not by the number of audits performed or the number of issues identified.
  • Recognize that quality and effectiveness are best recognized through the eyes of the satisfied customer.

Clearly, each one of these needs discussion and explanation. For example, you can only be assured of auditing what matters now and will matter in the future if you are continuously updating the audit plan to reflect changes in the business, its context, and its risks.

I thank you in advance. I am sure I have missed something.

[1] Richard Chambers refers to this as being a Trusted Advisor.

  1. littlegyrn
    November 11, 2021 at 5:30 AM

    Prioritizing risk and audit finding to be in further alignment with company objectives and strategy.

  2. John Fraser
    November 11, 2021 at 6:05 AM

    Not sure that I agree with: “Measure the success of internal audit by the success of the company, not by the number of audits performed or the number of issues identified.” I agree re the numbers bits, but I think the measurement should be the quality of the advice provided, since there can be many successful companies with incompetent internal audit functions.

  3. November 11, 2021 at 6:59 AM

    Norman, I believe principles are the means of delivering the mission statement/primary objective. Is your mission statement that of the IIA’s?
    I have derived a set of principles based on a mission statement in my submission to the IIA’s consideration of the IPPF:

    Mission: The internal audit function will protect and enhance the value of an organisation by examining those processes which manage the opportunities and risks impacting on its objectives and reporting on their effectiveness.

    Principles:
    1. IA reports to a management level sufficiently senior to ensure it has the authority and independence to carry out all the work necessary to provide an opinion.
    2. IA has the resources necessary to carry out the agreed plan.
    3. Auditors have all the necessary personal qualities, skills and independence to obtain and analyse data in order to present objective, reliable opinions.
    4. Auditors communicate with stakeholders during all audit processes to understand and deliver their expectations, and update them with the current progress of the audit, including deficiencies found.
    5. Audit work is planned using a complete, updated list of the organisation’s objectives and the opportunities and risks which have the greatest impact on their achievement.
    6. IA obtains comprehensive data, including that from outside the organisation and uses modern technology and data interpretation.
    7. Opinions relate to whether the objectives of the processes being audited are likely to be achieved and are concise, understandable and supported by appropriate data.
    8. Opinions are addressed to those responsible for implementing the responses and other stakeholders with an interest in the opinion.
    9. Follow-up work is carried out to ensure responses to risks have been implemented.

    The derivation of these principles is here: https://www.internalaudit.biz/webresources/page26.html

    In general, I think your principles are quite specific, more a quality control checklist or recipe for a successful audit. Nothing ‘wrong’ with that, except they don’t match with my understanding of ‘principles’ – with the possible exception of your last principle.

    • Norman Marks
      November 11, 2021 at 7:28 AM

      David, thanks for sharing. As I said in my post, I am less concerned with the how than I am with what IA delivers. I don’t see many of my principles among yours.

  4. Bill Spoehr
    November 11, 2021 at 8:08 AM

    The comments to your post will be more entertaining than your dead-on ideas. I’ll get the popcorn.

    • Norman Marks
      November 11, 2021 at 8:12 AM

      I’ll get the same sodas

  5. Mark Williams
    November 11, 2021 at 9:06 AM

    I like it, especially the second-to-last bullet on measuring value.
    Just one extra that instantly springs to mind:

    Communicate (loads!)?
    e.g.:
    – In Audit delivery with audit clients and stakeholders, even if you’ve nothing to say and not at end, but share as we go.
    – In Audit Planning with Execs, Audit Committee, within IA leadership, with each other and in our teams.
    – Regular communication on management actions.
    – For continuous improvement, with each other in our department and teams to learn from each other.
    Basically, rapid feedback loops galore.

  6. Mark Williams
    November 11, 2021 at 9:24 AM

    Focus on Risks?

  7. Michael Jensen
    November 11, 2021 at 5:19 PM

    “Write (and otherwise communicate) for the time-limited, speed-reading executive. Don’t waste anybody’s time but get the message across and drive action!”

    This needs to be on literally every employee’s principles list… and maybe a t-shirt!

  8. John Fraser
    November 11, 2021 at 6:00 PM

    Re succinct audit reports, here is some history. When the Chair of the Audit Committee asked the CEO why there were so many unresolved audit issues, the CEO said that he did not have time to read my reports so he told his secretary to read them and tell him if there was anything important in them. All audit reports had executive summaries and opinions and colour coded ratings but he was just too lazy. By the way, he turned out to be a disaster as a CEO.

  9. November 11, 2021 at 7:34 PM

    You and I train the CSuite, BOD and/or Audit Committee for a few that really want to engage directly. Books are, well, not personal.

  10. November 12, 2021 at 3:41 AM

    Norman, looking at your first principle, it is very broad. It could be read as applying to all managers and directors in an organisation, although the reference to the Audit Committee does act as a restriction. I think it sets up internal audit as a consultant on ‘what matters’ to the organisation but I presume that is the intention.

    • Norman Marks
      November 12, 2021 at 5:39 AM

      David, yes. We have customers at all levels of the organization. Each relies on the organization’s people, processes, systems, and controls as they manage the business for success. While the audit committee is our primary customer, in my experience they want internal audit to add value for management as well as for themselves.
