Home > Risk > Comparing the draft IIA Standards and the Core Principles for Effective Internal Audit

Comparing the draft IIA Standards and the Core Principles for Effective Internal Audit

One of the points I made in my review of the draft was that it is not consistent with the Core Principles for Effective Internal Auditing.

I have asked whether the principles on which the draft is based are the right principles.

Here is a comparison. My apologies for the formatting with lots of unnecessary white space (a defect in the editor).

Current Core Principles and my comments Principles in Draft Standards
Demonstrates integrity.

This is in the draft.

Principle 1 Demonstrate Integrity

Internal auditors demonstrate integrity in their work and behavior.

Demonstrates competence and due professional care.

This has been divided.

Principle 3 Demonstrate Competency

Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.

Principle 4 Exercise Due Professional Care

Internal auditors apply due professional care in planning and performing internal audit services.

Principle 5 Maintain Confidentiality

Internal auditors use and protect information appropriately.

Is objective and free from undue influence (independent)

This one has been divided and it is unclear whether Principle 10 adequately addresses “free from undue influence)..

Principle 2 Maintain ObjectivityInternal auditors maintain an impartial and unbiased attitude when performing internal audit services and making decisions.

Principle 6 Authorized by the Board

The board establishes, approves, and supports the authority, role, and responsibilities of the internal audit function.

Is appropriately positioned and adequately resourced.

Positioning is partially addressed (only its independence, not its effectiveness to understand what it happening).

Principle 7 Positioned Independently

The board establishes and protects the internal audit function’s independence.

Principle 8 Overseen by the Board

The board oversees the internal audit function to ensure the function’s effectiveness.

 Principle 10 Manages Resources

The chief audit executive manages resources to implement the internal audit function’s strategy, complete its plan, and achieve its mandate.

Demonstrates quality and continuous improvement.Quality is not guaranteed by conformance. Principle 12 Enhances Quality

The chief audit executive ensures conformance with the Global Internal Audit Standards and continuously improves the internal audit function’s performance.

Communicates effectively.

This has been split and the requirement to monitor action plans (which should be a management responsibility) has been added.

Principle 11 Communicates Effectively

The chief audit executive ensures the internal audit function communicates effectively with its stakeholders.

Principle 15 Communicate Engagement Conclusions and Monitor Action Plans

Internal auditors communicate the engagement findings and conclusions to the appropriate parties and monitor management’s progress toward the completion of action plans.

Aligns with the strategies, objectives, and risks of the organization.

Provides risk-based assurance.

Is insightful, proactive, and future-focused.

Promotes organizational improvement.

These four core principles are not addressed, and have been replaced.

Principle 9 Plans Strategically

The chief audit executive plans strategically to ensure the internal audit function fulfills its mandate and is positioned for long-term success.

Principle 13 Plan Engagements Effectively

Internal auditors plan each engagement using a systematic, disciplined approach.

Principle 14 Conduct Engagement Work

Internal auditors implement the engagement work program to achieve the engagement objectives.

  1. March 18, 2023 at 8:40 AM

    Looking at it this way, and thanks Norman, it is one more example where the proposed version is actually a step backwards, not forwards. I feel like we bought a new deck (old deck?) of cards (but the cards are all the same, of course), shuffled them, and with much of the same content said … voila, look how much better this is. (Head shake and face palm)

    • Norman Marks
      March 18, 2023 at 9:01 AM

      I agree, Hal. It’s a step back.

      Maybe the Standards Board didn’t want to embrace risk-based assurance, advice, and insight by a forward-looking function because only about half of the global IA teams do it.

      That’s an historic challenge. Do the Standards lead or follow the profession?

      • March 18, 2023 at 9:10 AM

        The Standards, IMO, should be “principles-based,” not “rules-based”, and should guide the profession toward continuous improvement yet be achievable when the function is resourced appropriately and has the “right” reporting lines. Not sure what the IIASB was thinking, but perhaps they spent so much time on this they just got tired when groupthink set in. If they’d only done a pre-exposure and consultation with some people who have a history with all this perhaps we’d not be where we are today. But, without material change, I cannot support what we are looking at today as exposed, when what we currently have is infinitely better. (sad emoji, now) That is a pretty damning statement from the person who oversaw the IPPF in the mid-2010s from a staff perspective for IIA HQ, and was the staff leader on the IPPF Relook project that culminated in what we have now (and you were a key member of the task force).

  2. March 18, 2023 at 1:02 PM

    Norman, my two main concerns about the GIAS are the failure to properly implement risk based internal audit, as you have noted above, and the badly written content. How did it get past any editing stage. I’ve now posted my final comments at https://www.internalaudit.biz/webresources/giascomments.html.

    • Norman Marks
      March 18, 2023 at 1:31 PM


  3. March 21, 2023 at 8:18 AM

    I agree with others that it should be clearly and obviously principles-based. If internal auditors perceive that their profession is based on rules, then many will display that mindset when dealing with their audit clients. And, to me, that’s just wrong. We’ve been trying to kill canned audit programs for decades. We need people to think, interpret, and apply principles. And, I will add, unless there is a law or regulation to the contrary I think we need every audit professional to skeptically and deeply consider whether anyone’s rules and guidance will help (or harm) their ability to add value and fulfill their responsibilities.

    • Norman Marks
      March 21, 2023 at 9:10 AM

      Well said

  4. March 22, 2023 at 9:19 AM

    I think the entire audit profession has been coerced into taking steps backward, especially since the buzz phrase “agile auditing” surfaced. Is that not what internal auditors have been doing for their respective organizations based upon good clean standards on how to carry through with an audit. I’ve been auditing for a long time and I am beginning to think I really do not know how to audit any function within my financial institution. Why do changes have to be if something is not broken?

  1. March 18, 2023 at 8:14 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: