
Updated Internal Audit Core Principles

September 14, 2022

The IIA is in the process of revamping their International Professional Practices Framework (IPPF), including the Mission, Core Principles, and Standards.

I think that is an excellent move and am encouraged by what I have heard and seen of the Evolution update in progress.

There is one area where I think that we (collectively, as a form of crowdsourcing) can help. That is around the updated Core Principles (“the principles”).

I would like to share with you my thoughts to get your related comments and upgrades.

One of the criticisms of the COSO frameworks is that there are too many principles – a criticism I agree with. For example, they have many more than in the ISO 31000 risk management standard.

We should have a few principles for the IPPF’s principles.

  1. Effective internal audit in conformance with the Standards requires that all the principles are present and functioning.
  2. Present and functioning means that there are no major deficiencies in the achievement of the principle.
  3. Therefore, the only principles that should be included in the IPPF are those necessary for an effective internal audit function. A proposed principle is not relevant if it is not necessary, if internal audit can be effective in its absence.
  4. Achievement of the principles should not only be necessary for effective internal auditing, but also for the internal audit function to be a trusted partner of both management and the board.

An example of #3 is in the COSO Internal Audit Framework. One of its principles is that the board is independent of management. However, that is generally not the case for family and similar organizations. Internal control in family businesses can be effective even if the board is composed of family members.

Being a trusted partner is not absolutely necessary for an internal audit function to be effective, notably when there are problems with the culture of the organization and the leadership of the management team. But it is very much a desirable attribute.

Turning our attention to the principles that should be included in the IPPF, I think more attention should have been given to updating the last three of the current Core Principles.

These are around the product of our services, that Internal Audit:

  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I was privileged to be on the ReLook Task Force that developed them only a few years ago. We wanted them to be short and to the point, but the updated principles are more expressive. That’s probably a good move.

I would like your thoughts on these as a replacement and expansion of the principles around the valuable products of the internal audit function.

  • Provides constructive assurance, advice, and insight on what matters to the success of the organization, including the achievement of its enterprise objectives, when it is needed by management and the board.
  • Is forward-looking, focused on the effectiveness of the organization’s governance, management of risk and opportunity, and related systems of internal control in providing reasonable assurance of the organization’s current and future success.
  • Focuses on what matters to the success of the organization, the achievement of enterprise objectives, addressing both current and future risks and opportunities that might have a significant effect on its success.
  • Works with management, listening in a collaborative manner and exercising its independent, professional judgment, to promote improvement in the organization’s systems of governance, management of risk, and internal control.
  • Shares the results of its work through a combination of timely written and oral communications that are fair, balanced, concise, clear, and actionable.

What do you think?

What have I missed and how would you upgrade my ideas?

Please share here (not only on LinkedIn) so comments are in one place and can be reviewed by IIA staff.

Thank you in advance.

  1. Bruce McCuaig
    September 14, 2022 at 4:59 AM

    Shouldn’t these principles be in the job description of every member of the 1st line of defence? I think the best place to start the development of mission etc. for internal audit is to state at least one compelling reason it should exist; one critical business problem only IA can solve. The mission, purpose and performance of the IIA can then be determined. There is a huge amount of talent in the IA community. Nothing wrong with your principles, just misplaced.
    I don’t see progress in the evolution of the IA profession coming from the IIA.

    • Norman Marks
      September 14, 2022 at 5:03 AM

      Bruce, did you attend the IIA webinar? If not, please listen and then share your views. The link to Evolution is in the post.

      • Bruce Mccuaig
        September 14, 2022 at 6:41 AM

        Thanks Norman. I will listen. I did sign up but could not get in for some reason.

  2. September 14, 2022 at 5:52 AM

    Thanks for your thoughts. I think they are all on the right path. Principles are tough. Fewer (at a high level) is better. Keep it simple. Keep it essential. And assure that all terminology within the principles is free of jargon and crystal clear to both professionals and stakeholders.

  3. Anonymous
    September 14, 2022 at 7:16 AM

    Hi Norman, good, provoking article, as always, thank you for that. I’m afraid I have a different perspective on this one. I’m not sure ‘assurance’ can live without objectivity (which in turn only exists with an adequate level of independence). And without assurance, there is no difference between audit and an expert support function (3rd and 2nd line, if you will). Changing that principle entails a profound change in the very definition of audit, one that, I believe, works against the profession.

    • Norman Marks
      September 14, 2022 at 7:36 AM

      Thanks for the comment. I agree that independent positioning and objectivity are essential. However, they are addressed elsewhere in the principles, rather than in these end product-related principles, so I did not include them in my list.

  4. Azhar Zia-ur-Rehman
    September 14, 2022 at 9:04 AM

    This change is vital. Auditors should no longer be policemen but should be partners in ensuring that the enterprise has efficient and relevant processes. Secondly, the domain of TECHNOLOGY AUDIT needs to be nurtured and enhanced. Probably the IPPF needs to be revised to include technology audit requirements and ethics. I am available to help.
    Additionally, IIA needs to work with ISACA to make COBIT the framework not only for IT GOVERNANCE but for TECHNOLOGY GOVERNANCE. KING IV is very advanced in this direction. In this regard, please read my book from Amazon — Technology Governance — Concepts and Practices.

    • Norman Marks
      September 14, 2022 at 9:14 AM

      Thank you for this. Have you seen the IIA’s Global Technology Audit Guides? Do they meet your needs?

  5. Naeem Qureshi
    September 14, 2022 at 10:41 AM

    Good & thought provoking suggestions…
    IA professionals also need to upscale their soft skills to align with rapidly changing environment & business needs.

  6. September 14, 2022 at 11:23 AM

    When the IIA Foundation initially asked for comments on the IPPF, I submitted a document with a suggested mission statement, set of principles and standards (https://www.internalaudit.biz/webresources/page26.html). My main point was that there should be an ‘audit trail’ between these three documents. In other words, the principles should derive from the mission statement and the standards from the principles. Thus, it is not possible to decide finally on any of the three elements until all have been completed, since standards which were incomplete would imply that the principles and mission statement were similarly incomplete.
    So I am reluctant to comment on the proposed principles, without knowing the proposed mission statement and the standards derived from the principles.
    My proposed mission statement is, ‘The internal audit function will protect and enhance the value of an organisation by examining those processes which manage the opportunities and risks impacting on its objectives and reporting on their effectiveness.’
    The principles I derived were:
    1. IA reports to a management level sufficiently senior to ensure it has the authority and independence to carry out all the work necessary to provide an opinion.
    2. IA has the resources necessary to carry out the agreed plan.
    3. Auditors have all the necessary personal qualities, skills and independence to obtain and analyse data in order to present objective, reliable opinions.
    4. Auditors communicate with stakeholders during all audit processes to understand and deliver their expectations, and update them with the current progress of the audit, including deficiencies found.
    5. Audit work is planned using a complete, updated list of the organisation’s objectives and the opportunities and risks which have the greatest impact on their achievement.
    6. IA obtains comprehensive data, including that from outside the organisation and uses modern technology and data interpretation.
    7. Opinions relate to whether the objectives of the processes being audited are likely to be achieved and are concise, understandable and supported by appropriate data.
    8. Opinions are addressed to those responsible for implementing the responses and other stakeholders with an interest in the opinion.
    9. Follow-up work is carried out to ensure responses to risks have been implemented.
    10. Quality control processes are adopted to ensure all work is to required standards.

    These principles are not as ambitious as yours Norman (perhaps they should be) but I would be interested to see how standards might be derived from them.

  7. Norman Marks
    September 14, 2022 at 12:00 PM

    For David Griffiths:

    When the IIA Foundation initially asked for comments on the IPPF, I submitted a document with a suggested mission statement, set of principles and standards (https://www.internalaudit.biz/webresources/page26.html). My main point was that there should be an ‘audit trail’ between these three documents. In other words, the principles should derive from the mission statement and the standards from the principles. Thus, it is not possible to decide finally on any of the three elements until all have been completed, since standards which were incomplete would imply that the principles and mission statement were similarly incomplete.
    So I am reluctant to comment on the proposed principles, without knowing the proposed mission statement and the standards derived from the principles.

    • Norman Marks
      September 14, 2022 at 12:01 PM

      I have seen the proposed Purpose statement (instead of Mission) and high level description of the principles. I believe they were described in the webinar, link included in the blog post.

      They have a framework where principles flow from the Purpose and then the Standards follow from the principles.

  8. Azhar
    September 14, 2022 at 12:33 PM

    This is very thorough work. Needs adoption by IIA.

  9. Markus Kanhofer
    September 14, 2022 at 2:55 PM

    I agree that all points mentioned are elements of a highly effective internal audit function.

    However, I think that for revisions to the “core principles” your suggested statements are too long. Currently the principles are worded in a short one-liner format so that stakeholders are not overwhelmed by too much text.

    Having said that, I still believe you make excellent points to make the current core principles more meaningful and elaborate on them to set a more detailed standard. I would actually love to see 3 sentences from you for each of the existing 10 Internal Audit core principles.
    These longer statements could be used by CAEs to discuss expectations and priorities of their primary customers.

    Management and the board may for example add further points, e.g. what “effective communication” means for them and what a “risk-based assurance” could look like in practice (especially for organizations working on combined assurance models).

    Lastly, having seen the draft for the 15 new core principles (Evolution Webinar slide 19) I see a risk that some of them will be worse compared to the existing 10 principles. Some examples:
    – “appropriately positioned and adequately resource” seems now to be replaced with “Managing Resources”.
    – “Aligns with the strategies, objectives, and risks of the organization” is now described as “Strategically plans”.
    – “Is insightful, proactive, and future-focused” seems to be completely missing.

    Some elements seem to be picked up in the new purpose statement (slide 17 of the webinar), although I find the new suggested purpose slide too long and too complicated to read.
    I am still a fan of the current mission statement which could be slightly modified and rebranded as purpose: “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” This would be followed by ambitious but realistic principles together with more detailed standards giving clear guidance how to reach the ambition.

  10. LP
    September 14, 2022 at 11:14 PM

    IA’s functional reporting line to the board is key and the standards must be clearer and aligned with the 3 lines. A fundamental governance role of IA is to mitigate unavoidable agency problems.

    A CRO cannot be objective and must therefore report to management, not the board. The IIA should lead the way here and strongly advocate for changing regulations if necessary, not trying to accommodate and compromise on important risk governance principles.

  11. Azhar Zia-ur-Rehman
    September 14, 2022 at 11:50 PM

    King IV is a very good document to adopt from.

  12. B MURTHY
    September 15, 2022 at 2:03 AM

    I would like the following to be added:
    “coordinate with Board & Management appraising them for timely implementation of audit recommendations agreed upon” to enhance the organisation effectiveness.

  13. September 15, 2022 at 8:23 AM

    Norman Marks: thanks for the post. I think the #1 goal of new standards should be the need to get internal audit customers to define, with some clarity, what they want as deliverables from IA. The current mission statement tells me next to nothing what the end result from an “effective” internal audit shop should look like. I suspect it has been written to be purposely vague. That would be sad if that’s true.

    I have been promoting the need for boards to clearly define their PURPOSE. See Clarity on Board in ETHICAL BOARDROOM at https://ethicalboardroom.com/clarity-on-board/. It proposes a PURPOSE statement for boards. Boards that accept the type of PURPOSE I propose are then better equipped to tell internal audit and risk what they want/need from them with some clarity. (demand driven IA)

    My submission to the NACD in the US describing changes needed in US board practices is summarized in my ETHICAL BOARDROOM article “Board Practices Under Spotlight in the U.S.” It’s available at https://ethicalboardroom.com/board-practices-under-spotlight-in-the-us/

    If the IIA is serious about updating the standards they need to try and agree with some clarity the PURPOSE of an effective IA function.

  14. September 15, 2022 at 9:57 AM

    I’ve now viewed the webinar and like the approach that the IIA is taking. However:
    The ‘Purpose’ of internal audit as written could be applied to any function within an organisation, especially risk management. We should not shy away from the fact that IA adds value by providing an opinion of the effectiveness of controls and the ‘Purpose’ should state this. Mention is made of an ‘elevator conversation’. I’m afraid I would leave the elevator asking, ‘But what does internal audit actually DO?’

  15. September 15, 2022 at 12:05 PM

    I’d also like to add a comment on slide 28 (Application Standards). I would have thought an important audit to carry out would be on the Board’s approval and decision making process.

  16. September 17, 2022 at 12:21 AM

    I just want to say that I am enjoying the conversations.

    Thank you, NM.

  17. September 17, 2022 at 11:24 AM

    Norman, having now had the time to consider your suggested principles, together with the ‘Purpose’ of internal audit as stated in the IIA webinar I think that your second principle best defines the purpose of internal audit. It states the unique quality of internal audit and what hundreds of thousands of internal auditors are doing around the world every day, which is missing from the IIA proposed purpose. I think your other principles then cover what and how IA delivers its ‘purpose’.
    I have yet to consider the IIA principles in detail.

  18. September 18, 2022 at 2:18 AM

    I have now looked at the ‘Principles for Standard Domains’ (slide 19) but am not much wiser. The only comment I can really make is that they are not worded as principles and the English is inconsistent.
    ‘Integrity’ is not a principle. ‘Auditors should demonstrate integrity, objectivity, competency, professional care and confidentiality’ is a principle.
    The English needs improving. Under IV there is ‘Communicates effectively’ but ‘Managing Resources’. Surely this should be ‘Manages resources’ for the English to be consistent?

    • Norman Marks
      September 18, 2022 at 6:16 AM

      True. I believe these are placeholders and the final principles will be longer, like mine.

      • September 18, 2022 at 7:43 AM

        I also hope Norman that, like yours, there are fewer.
