Home > Risk > Advice to the IIA on their draft Standards

Advice to the IIA on their draft Standards

A little over a week ago, I shared my report on the draft. I urged everybody not only to read the draft carefully and answer their survey, but to share their overall assessment directly with the IIA and on this blog site – so everybody can see  and consider all of them.

What you may not know is that I have been talking to the IIA staff and some members of the Auditing Standards Board for months.

Have a look at my post from September, 2022: Updated Internal Audit Core Principles. I said (note today’s highlights):

We should have a few principles for the IPPF’s principles.

    1. Effective internal audit in conformance with the Standards requires that all the principles are present and functioning.
    2. Present and functioning means that there are no major deficiencies in the achievement of the principle.
    3. Therefore, the only principles that should be included in the IPPF are those necessary for an effective internal audit function. A proposed principle is not relevant if it is not necessary, if internal audit can be effective in its absence.
    4. Achievement of the principles should not only be necessary for effective internal auditing, but also for the internal audit function to be a trusted partner of both management and the board.


I would like your thoughts on these as a replacement and expansion of the principles around the valuable products of the internal audit function.

    • Provides constructive assurance, advice, and insight on what matters to the success of the organization, including the achievement of its enterprise objectives, when it is needed by management and the board.
    • Is forward-looking, focused on the effectiveness of the organization’s governance, management of risk and opportunity, and related systems of internal control in providing reasonable assurance of the organization’s current and future success.
    • Focuses on what matters to the success of the organization, the achievement of enterprise objectives, addressing both current and future risks and opportunities that might have a significant effect on its success.
    • Works with management, listening in a collaborative manner and exercising its independent, professional judgment, to promote improvement in the organization’s systems of governance, management of risk, and internal control.
    • Shares the results of its work through a combination of timely written and oral communications that are fair, balanced, concise, clear, and actionable.

Feedback from staff and leaders included:

“Thanks! Some great points.”

“Thank you for sharing… I shared it with the IIASB chair and staff.”

In emails about the issue of including agreed action plans instead of recommendations in the audit report: “We definitely agree with you, Norman.  We have had a couple of lengthy discussions about this topic and, while recommendations may still be a part of the process of getting to a final report, agreed-upon actions is definitely the goal.  We’re still working on how to best state that, recognizing that in some IA functions they are only asked for recommendations, but the best practice is to work with management on a solution that both agree manages the underlying risk to an acceptable level.”

In emails about the topic of enterprise risk-based audits: “That is our goal too, business objective based and risk based audit.”

This exchange over the last six months or so is why I am so disappointed in the draft that has emerged.

The people I have been talking to on staff and on the ASB understood and agreed with everything I said. Yet they have produced a long document that flies in its face.

They took a very long time to share what I consider a flawed document.

Rubbing salt in the wound, they have publicized it with great hoopla, talking about it being “a defining moment for the profession”.

How can they now walk it back, recognizing the need for substantial change?

PLEASE, join me in carefully reviewing, then sitting back and thinking about the draft.

Whether you agree with me or not, share your overall assessment with IIA staff at standards@theiia.org as well as here in the Comments.

The IIA survey is insufficient to capture whether the draft Standards meet the needs of the profession and should be published.

As with all audit reporting, the earlier the better so they can start work on corrective actions.


  1. djallc
    March 17, 2023 at 7:49 AM

    With how the entire process has been “packaged”, I doubt there is any appetite for changes to the new proposed standards. After taking the popsition of how GREAT the new draft is, with no one being able to see it, tells me the decisions has already been made. We are now just expected to bow down and accept the wisdom of our “superiors.”

    • Norman Marks
      March 17, 2023 at 7:50 AM

      That is my fear, and everybody with any access to leadership should be doing what they can to prevent that from happening.

      • djallc
        March 17, 2023 at 7:55 AM

        I have tried. In one case, I had a scheduled phone call, but suggested I was not interested in wasting anyone’s time if the call was just to humor me instead of engaging. They cancelled the call via email. The IIA executive staff clearly communicated they had no interest in my views or engagement. They must be much smarter than I ever could be.

        • Norman Marks
          March 17, 2023 at 8:00 AM

          That is dumb of them

  2. March 17, 2023 at 8:28 AM

    Great post. It is sad to hear that your suggestions met with positive support and then all/most was ignored but it appears indicative of the approach building the draft. Your points above re key principles are spot on. This is the direction IIA needs to go. I think the IASB Chair Mike Peppers needs to call time and seriously discuss with IIA’s board where to from here. I share your concern that the “sunk cost” cognitive bias is likely going to be in full force.

  3. Norman Marks
    March 17, 2023 at 8:44 AM

    You can reach Mike at mpeppers@utsystem.edu

    • March 17, 2023 at 12:03 PM

      I have tried a few times but it appears the IIA has a conscious policy of not responding to feedback, whether it goes to standards@theiia.org or Michael Peppers.

  4. March 17, 2023 at 9:10 AM

    This ship has sailed, Norman. Or, I could say, the cake is already fully baked. I fear that comments will, for the most part, just be an exercise in futility. I am sad to say this, and hope I am wrong, because what we see as the exposure are steps backward and not progress.

    • March 17, 2023 at 9:27 AM

      Adding, since the beginning of 2019, The IIA has submitted over 50 comment letters on others exposures, for advocacy purposes, and other such responses to matters of interest. I suspect The IIA doesn’t invest in these letters with the expectation that they will be ignored by the receiving party and nothing will change as a result. As such, I sincerely hope we are getting more than lip service when encouraged to submit our comments on the Standards exposure. Works both ways.

    • Norman Marks
      March 17, 2023 at 9:38 AM

      Hal, have you reached out to those in the IIA who could change the cake?

      • March 17, 2023 at 9:42 AM

        They don’t want to hear from me. It is an abomination that no one from the 2017 IPPF Relook taskforce (that included 2 past chairs, Bob Hirth, you, me and others) were consulted at all. They don’t want to hear from us, or we would have been consulted before it was exposed.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: