Comparing the draft IIA Standards and the Core Principles for Effective Internal Audit
One of the points I made in my review of the draft was that it is not consistent with the Core Principles for Effective Internal Auditing.
I have asked whether the principles on which the draft is based are the right principles.
Here is a comparison. My apologies for the formatting with lots of unnecessary white space (a defect in the editor).
| Current Core Principles and my comments | Principles in Draft Standards |
| Demonstrates integrity.
This is in the draft. |
Principle 1 Demonstrate Integrity
Internal auditors demonstrate integrity in their work and behavior. |
| Demonstrates competence and due professional care.
This has been divided. |
Principle 3 Demonstrate Competency
Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully. Principle 4 Exercise Due Professional Care Internal auditors apply due professional care in planning and performing internal audit services. Principle 5 Maintain Confidentiality Internal auditors use and protect information appropriately. |
| Is objective and free from undue influence (independent)
This one has been divided and it is unclear whether Principle 10 adequately addresses “free from undue influence).. |
Principle 2 Maintain ObjectivityInternal auditors maintain an impartial and unbiased attitude when performing internal audit services and making decisions.
Principle 6 Authorized by the Board The board establishes, approves, and supports the authority, role, and responsibilities of the internal audit function. |
| Is appropriately positioned and adequately resourced.
Positioning is partially addressed (only its independence, not its effectiveness to understand what it happening). |
Principle 7 Positioned Independently
The board establishes and protects the internal audit function’s independence. Principle 8 Overseen by the Board The board oversees the internal audit function to ensure the function’s effectiveness. Principle 10 Manages Resources The chief audit executive manages resources to implement the internal audit function’s strategy, complete its plan, and achieve its mandate. |
| Demonstrates quality and continuous improvement.Quality is not guaranteed by conformance. | Principle 12 Enhances Quality
The chief audit executive ensures conformance with the Global Internal Audit Standards and continuously improves the internal audit function’s performance. |
| Communicates effectively.
This has been split and the requirement to monitor action plans (which should be a management responsibility) has been added. |
Principle 11 Communicates Effectively
The chief audit executive ensures the internal audit function communicates effectively with its stakeholders. Principle 15 Communicate Engagement Conclusions and Monitor Action Plans Internal auditors communicate the engagement findings and conclusions to the appropriate parties and monitor management’s progress toward the completion of action plans. |
| Aligns with the strategies, objectives, and risks of the organization.
Provides risk-based assurance. Is insightful, proactive, and future-focused. Promotes organizational improvement. These four core principles are not addressed, and have been replaced. |
Principle 9 Plans Strategically
The chief audit executive plans strategically to ensure the internal audit function fulfills its mandate and is positioned for long-term success. Principle 13 Plan Engagements Effectively Internal auditors plan each engagement using a systematic, disciplined approach. Principle 14 Conduct Engagement Work Internal auditors implement the engagement work program to achieve the engagement objectives. |
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Looking at it this way, and thanks Norman, it is one more example where the proposed version is actually a step backwards, not forwards. I feel like we bought a new deck (old deck?) of cards (but the cards are all the same, of course), shuffled them, and with much of the same content said … voila, look how much better this is. (Head shake and face palm)
I agree, Hal. It’s a step back.
Maybe the Standards Board didn’t want to embrace risk-based assurance, advice, and insight by a forward-looking function because only about half of the global IA teams do it.
That’s an historic challenge. Do the Standards lead or follow the profession?
The Standards, IMO, should be “principles-based,” not “rules-based”, and should guide the profession toward continuous improvement yet be achievable when the function is resourced appropriately and has the “right” reporting lines. Not sure what the IIASB was thinking, but perhaps they spent so much time on this they just got tired when groupthink set in. If they’d only done a pre-exposure and consultation with some people who have a history with all this perhaps we’d not be where we are today. But, without material change, I cannot support what we are looking at today as exposed, when what we currently have is infinitely better. (sad emoji, now) That is a pretty damning statement from the person who oversaw the IPPF in the mid-2010s from a staff perspective for IIA HQ, and was the staff leader on the IPPF Relook project that culminated in what we have now (and you were a key member of the task force).
Norman, my two main concerns about the GIAS are the failure to properly implement risk based internal audit, as you have noted above, and the badly written content. How did it get past any editing stage. I’ve now posted my final comments at https://www.internalaudit.biz/webresources/giascomments.html.
Thanks
I agree with others that it should be clearly and obviously principles-based. If internal auditors perceive that their profession is based on rules, then many will display that mindset when dealing with their audit clients. And, to me, that’s just wrong. We’ve been trying to kill canned audit programs for decades. We need people to think, interpret, and apply principles. And, I will add, unless there is a law or regulation to the contrary I think we need every audit professional to skeptically and deeply consider whether anyone’s rules and guidance will help (or harm) their ability to add value and fulfill their responsibilities.
Well said
I think the entire audit profession has been coerced into taking steps backward, especially since the buzz phrase “agile auditing” surfaced. Is that not what internal auditors have been doing for their respective organizations based upon good clean standards on how to carry through with an audit. I’ve been auditing for a long time and I am beginning to think I really do not know how to audit any function within my financial institution. Why do changes have to be if something is not broken?