Norman’s Principles for Effective Internal Auditing
I am in the midst of writing a new book and decided I needed to define my core principles for effective internal auditing.
I know the IIA has defined core principles (I was part of that effort), but they include aspects like independence, which is more about how internal audit functions than about what it needs to do.
I would very much appreciate your review and comments/criticisms of these:
- Provide the Audit Committee and management with the assurance, advice, and insight they need on what matters now and will matter in the future to the success of the business.
- Provide the actionable information they need when they need it.
- Be agile and efficient in both planning and execution of every audit engagement.
- Focus on what matters and exclude from scope anything that does not matter.
- Write (and otherwise communicate) for the time-limited, speed-reading executive. Don’t waste anybody’s time but get the message across and drive action!
- Work with management[1] to ensure they can rely on their processes, systems, organization, and controls as they direct and manage the company to achieve its objectives.
- Measure the success of internal audit by the success of the company, not by the number of audits performed or the number of issues identified.
- Recognize that quality and effectiveness are best recognized through the eyes of the satisfied customer.
Clearly, each one of these needs discussion and explanation. For example, you can only be assured of auditing what matters now and will matter in the future if you are continuously updating the audit plan to reflect changes in the business, its context, and its risks.
I thank you in advance. I am sure I have missed something.
[1] Richard Chambers refers to this as being a Trusted Advisor.
Prioritizing risks and audit findings to be in further alignment with company objectives and strategy.
Not sure that I agree with: “Measure the success of internal audit by the success of the company, not by the number of audits performed or the number of issues identified.” I agree re the numbers bits, but I think the measurement should be the quality of the advice provided, since there can be many successful companies with incompetent internal audit functions.
Norman, I believe principles are the means of delivering the mission statement/primary objective. Is your mission statement that of the IIA’s?
I have derived a set of principles based on a mission statement in my submission to the IIA’s consideration of the IPPF:
Mission: The internal audit function will protect and enhance the value of an organisation by examining those processes which manage the opportunities and risks impacting on its objectives and reporting on their effectiveness.
Principles:
1. IA reports to a management level sufficiently senior to ensure it has the authority and independence to carry out all the work necessary to provide an opinion.
2. IA has the resources necessary to carry out the agreed plan.
3. Auditors have all the necessary personal qualities, skills and independence to obtain and analyse data in order to present objective, reliable opinions.
4. Auditors communicate with stakeholders during all audit processes to understand and deliver their expectations, and update them with the current progress of the audit, including deficiencies found.
5. Audit work is planned using a complete, updated list of the organisation’s objectives and the opportunities and risks which have the greatest impact on their achievement.
6. IA obtains comprehensive data, including that from outside the organisation, and uses modern technology and data interpretation.
7. Opinions relate to whether the objectives of the processes being audited are likely to be achieved and are concise, understandable and supported by appropriate data.
8. Opinions are addressed to those responsible for implementing the responses and other stakeholders with an interest in the opinion.
9. Follow-up work is carried out to ensure responses to risks have been implemented.
The derivation of these principles is here: https://www.internalaudit.biz/webresources/page26.html
In general, I think your principles are quite specific, more a quality control checklist or recipe for a successful audit. Nothing ‘wrong’ with that, except they don’t match with my understanding of ‘principles’ – with the possible exception of your last principle.
David, thanks for sharing. As I said in my post, I am less concerned with the how than I am with what IA delivers. I don’t see many of my principles among yours.
The comments to your post will be more entertaining than your dead-on ideas. I’ll get the popcorn.
I’ll get the same sodas
I like it, especially the second-to-last bullet on measuring value.
Just one extra that instantly springs to mind:
Communicate (loads!)?
e.g.:
– In audit delivery with audit clients and stakeholders, even if you’ve nothing to say and it’s not the end; share as we go.
– In Audit Planning with Execs, Audit Committee, within IA leadership, with each other and in our teams.
– Regular communication on management actions.
– For continuous improvement, with each other in our department and teams to learn from each other.
Basically, rapid feedback loops galore.
Focus on Risks?
“Write (and otherwise communicate) for the time-limited, speed-reading executive. Don’t waste anybody’s time but get the message across and drive action!”
This needs to be on literally every employee’s principles list… and maybe a t-shirt!
Re succinct audit reports, here is some history. When the Chair of the Audit Committee asked the CEO why there were so many unresolved audit issues, the CEO said that he did not have time to read my reports, so he told his secretary to read them and tell him if there was anything important in them. All audit reports had executive summaries, opinions and colour-coded ratings, but he was just too lazy. By the way, he turned out to be a disaster as a CEO.
You and I train the C-suite, BOD and/or Audit Committee for the few that really want to engage directly. Books are, well, not personal.
Norman, looking at your first principle, it is very broad. It could be read as applying to all managers and directors in an organisation, although the reference to the Audit Committee does act as a restriction. I think it sets up internal audit as a consultant on ‘what matters’ to the organisation but I presume that is the intention.
David, yes. We have customers at all levels of the organization. Each relies on the organization’s people, processes, systems, and controls as they manage the business for success. While the audit committee is our primary customer, in my experience they want internal audit to add value for management as well as for themselves.
Reblogged this on Norman Marks on Governance, Risk Management, and Audit and commented:
I wrote this in 2021. Note that none of the Principles talk about compliance with the IIA Standards.
Do you like mine or those in the draft?
Work with management[1] to ensure they can rely on their processes, systems, organization, and controls as they direct and manage the company to achieve its objectives.
This is an important item. Too often audit is viewed as applicable only to financial systems and controls, whereas it needs to be applied to management systems and controls as well.