
A review of the UK’s draft Code of [internal audit] Practice

I have been invited to comment on the draft Code of Practice from the Chartered Institute of Internal Auditors (the UK affiliate of the IIA). You can find it here.

Take the time to review it.

This is an important document not only because of its potential impact on internal auditing in the UK, but also because it might be adopted in other parts of the world.

One thing I like about it is that it is relatively short! But it has a lot of principles, perhaps too many.

I have considered:

  • Whether it is necessary given the new Global Internal Audit Standards (GIAS).
  • Whether its content is appropriate and desirable.
  • Whether it adds value to the profession and its practices.

I will conclude on those at the end. First, let’s review its content.

I like its ambitious start:

The purpose of the Code

The principles which follow are aimed at enhancing the overall impact and effectiveness of internal audit within organisations operating in the UK and Ireland. They are regarded as a benchmark of good practice against which organisations should assess their internal audit function.

It continues with:

The Code should be applied in conjunction with the Global Internal Audit Standards. The Code builds on these Standards and seeks to increase the impact and effectiveness of internal audit by clarifying expectations and requirements.

The Code is principles based. It is expected that the principles are applied proportionately, in line with the nature, scope and complexity of the organisation. Internal audit functions should apply the Code in the context of internal audit regulatory standards applicable to the organisation.

As you may have read in previous posts on this blog, I am not a fan of GIAS. I do not believe it defines what is required for effective internal auditing (it includes too much while omitting what matters). It has not, as proclaimed by the IIA, “elevated the profession”.

But any Code of Practice has to recognize the existence of the Global Standards.

The Code has 36 Principles. I believe in principles-based guidance, especially as I was part of the team that developed the IIA’s Core Principles. I still believe those ten principles were excellent: clear, concise, and sufficient. Do we need the 36 in the draft Code or the 15 in GIAS? Let me remind you what is in the Core Principles.

The Core Principles, above all, define tangible internal audit effectiveness. When all Principles are present and operating cohesively, the internal audit function achieves maximum efficiency. Though the way every internal auditor approaches these Core Principles may vary from organization to organization, there’s no denying that a failure to achieve any of the Principles would signal an internal audit activity that’s not performing at its absolute best.

  • Demonstrates integrity.
  • Demonstrates competence and due professional care.
  • Is objective and free from undue influence (independent).
  • Aligns with the strategies, objectives, and risks of the organization.
  • Is appropriately positioned and adequately resourced.
  • Demonstrates quality and continuous improvement.
  • Communicates effectively.
  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

The first Principle in the draft Code is:

The primary role of internal audit should be to help the board and senior management to protect the assets, reputation and sustainability of the organisation.

It does this by:

  • providing independent, risk-based and objective assurance, advice, insight and foresight;
  • assessing whether all significant risks are identified and appropriately reported by management to the board and senior management;
  • assessing whether the organisation is adequately controlled; and
  • challenging and influencing senior management to improve the effectiveness of governance, risk management and internal controls, including identifying efficiencies and removing duplicative and/or redundant controls.

The role of internal audit should be articulated in an internal audit charter, which should be publicly available.

There’s a major mistake in that first sentence. The role of internal audit is not limited to helping protect the assets, etc. of the organization. Consider the Mission of Internal Audit that our Core Principles team wrote:

The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

However, the bullets that support the Code’s first principle are excellent. I note that they reference “risk-based and objective assurance, advice, insight and foresight”.

GIAS has received a lot of criticism for mandating board and top management governance and oversight of internal audit. The Code repeats that in its second principle. Board governance should be addressed in a corporate governance code; this draft Code need not and arguably should not include it. I would eliminate that principle.

I like the 6th and 7th principles (with my highlights). They form the core of effective internal auditing!

6. Risk assessments and prioritisation of internal audit work.

In setting its scope, internal audit should form its own judgement on how best to determine internal audit coverage given the structure and risk profile of the organisation. It should take into account business strategy and should form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed. Internal audit’s independent view should be informed, but not determined, by the views of management, the risk function, or other control functions. In setting out its priorities and deciding where to carry out more detailed work, internal audit should focus on the areas where it considers risks to be higher.

Internal audit should make a risk-based decision as to which areas within its scope should be included in the internal audit plan. It does not necessarily have to cover all of the scope areas every year. Its judgement on which areas should be covered in the internal audit plan should be subject to approval by the board audit committee.

7. Internal audit coverage and planning.

Internal audit plans, including significant changes, should be approved by the board audit committee. Internal audit plans should be dynamic, updated timely, and have the flexibility to deal with unplanned events to allow internal audit to prioritise any work of importance and emerging risks. Changes to the internal audit plan should be considered in light of internal audit’s ongoing assessment of risk.

Principle 8 is long (I am not going to excerpt it here because of its length). It identifies a lot of areas that “should” be addressed.

But is that consistent with a risk-based approach?

I don’t think so.

Any area should only be included in scope where it is justified based on the level of risk to enterprise objectives!

I like the idea of principle 9:

Internal audit should be present at, and issue consolidated reports to, key governance committees, including the board audit committee and any other board committees as appropriate. The nature of the reports will depend on the remit of the respective governing bodies. Internal Audit should also issue relevant consolidated reports to the board risk committee and present as appropriate.

I have always been concerned that the CAE is not present for meetings of the Compliance Committee, Governance Committee, Strategy Committee, Technology Committee and so on. In fact, the CAE should probably attend certain board meeting discussions.

But another long principle, #10, on board reporting again strays into mandating more than may be required. The principle should be to tell them what they need to know, when they need to know it, and to do so concisely. While the many bullets are nice things to consider, we need to focus on telling them what they need, rather than what we want to say.

I do like #11:

At least annually, internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to. This should support any Board disclosure on the company’s risk management and material controls and should highlight any significant weaknesses identified.

However, this Code is not limited to financial services, so this should be removed: “overall opinion on whether the organisation’s risk appetite is being adhered to”. While internal audit should assess, as often as required based on risk, how management knows it is taking the right risks, internal audit should not be separately evaluating the level of risk that is being taken – even if that were possible, which it is not.

Principles 12-14 get into details that I am not persuaded are necessary. I would prefer that the Code be as concise as possible.

Section E contains several principles that are expressed well. I like them and will leave you to read and consider them.

Section F is supposed to cover whether internal audit has the necessary resources to fulfil its mission. It’s done well to a point. That point is that it fails to reference whether there are sufficient resources to address the more significant sources of risk (and opportunity) to the achievement of enterprise objectives. It also says nothing about whether the staff are performing at desired levels.

Principle #29 is fine:

The board audit committee is responsible for approving internal audit’s performance objectives and evaluating the performance of the internal audit function on a regular basis. In doing so, it will need to identify appropriate criteria for defining the success of internal audit. This should include assessing internal audit’s value, impact, effectiveness and efficiency. Delivery of the internal audit plan should not be the sole criterion in this evaluation.

But #30 is not:

Internal audit should maintain an up-to-date set of policies, procedures, methodology and performance and effectiveness measures for the internal audit function. Internal audit should continuously improve these in light of industry developments.

Internal audit does not need to be burdened with unnecessary red tape and bureaucracy. It should have the policies and procedures necessary to perform well. Period!

31-33 talk about quality. I would far prefer a more principles-based description of the CAE’s responsibility to ensure quality auditing. Period!

Coming back to the purpose of the Code:

The principles which follow are aimed at enhancing the overall impact and effectiveness of internal audit within organisations operating in the UK and Ireland. They are regarded as a benchmark of good practice against which organisations should assess their internal audit function.

…and my considerations:

  • Whether it is necessary given the new Global Internal Audit Standards (GIAS).
  • Whether its content is appropriate and desirable.
  • Whether it adds value to the profession and its practices.
  1. It adds content that is missing from GIAS, which I appreciate. It tends towards elevating the profession! It is also shorter and more concise, which is also excellent. Is it necessary? It is useful, yes – especially if it is modified as discussed above – but it shouldn’t be necessary if GIAS were more effective.
  2. Some of the content is desirable, but there should be more about helping the leaders of the organization enhance the upside in addition to protecting against the downside. There is also content that could and should be removed. It is not sufficiently principles- and risk-based.
  3. Will it add value? Yes.
  4. Is it sufficient to assess the effectiveness of internal audit? It’s better than GIAS by a long way, but I think there is more to say on topics like enhancing the upside and ensuring the right team is in place.

I welcome your thoughts.

  1. djallc
    March 18, 2024 at 3:48 PM

    Norman, I am glad you were invited to comment. When I was the Vice Chair of Standards for the IIA Global, and later employed by the IIA Inc, the UK affiliate rejected considering my thoughts or suggestions. Maybe they will listen to you.

    • Norman Marks
      March 18, 2024 at 6:18 PM

      It’s foolish not to listen to you

  2. March 19, 2024 at 6:02 AM

    Norman, I generally agree with your comments. I am currently writing my response.
    I believe the primary role of IA (and all of the organisation) should be stated as:
    The primary role of internal audit should be to help the board and senior management to achieve the organisation’s objectives.

    The bullet points are good but need two more:
    >ensuring the organisation has clearly defined its objectives.
    >providing an opinion as to whether opportunities and risks are being sufficiently managed to ensure the objectives of the organisation are being and will be achieved. (I believe this is the primary purpose of IA and links to principle 11).

    The problem I have with Principle 6 is that it should relate to the mandate. Delivering the mandate defines the work required. It should therefore be amended.
    Internal Audit should include sufficient work in the plan to ensure it is able to fulfil the reporting requirements in section C and any additional requirements required by its mandate.

    The glossary also needs changing. ‘Internal audit mandate – The internal audit function’s authority, role, and responsibilities (including the reporting requirements in section C), which may be granted by the board and/or laws and regulations.’

    I can’t see the point of principle 8. The Code is principles based and the principle is that internal audit bases its plan (principle 7) on ensuring that it is able to report to the board audit committee (principle 10) and provide an overall opinion at the end of the year (principle 11). There should be no need for principle 8 to define areas to be included in its scope, since the scope will be defined by the plan. However, I accept that, in practice, guidance may have to be given and it should be included as an appendix.
    If the scope is to remain, it needs two additions:
    Human Resources procedures
    Internal audit should ensure that: proper procedures are in place to recruit personnel who have the ability to carry out their responsibilities efficiently and effectively; training is provided to ensure that appropriate policies and procedures are properly carried out; staff are regularly assessed for performance; any disciplinary matters are dealt with quickly and fairly.
    Decision making.
    Internal audit should examine the processes used for making decisions. All personnel (employed and contractors) should understand what decisions they are expected to make, how to refer decisions outside their scope to the responsible personnel and what criteria to use to make the best decisions.

    You have objected to, “overall opinion on whether the organisation’s risk appetite is being adhered to”. I read this as reporting on whether decisions had been made which might lead to risks with an impact above the risk appetite, or risks were not being managed to below the risk appetite. I believe IA can assess this.

    Some of my other comments:
    GENERAL COMMENT: the Code only refers to risks but not opportunities. There should be a clear statement that ‘risks’ include opportunities. I note that the glossary does not include a definition of risk.

    There needs to be an extra principle (37). If the chief audit executive has concerns about the operation of the organisation which could result in illegal acts or materially affect the stakeholders and the board refuse to take appropriate action, the chief audit executive should report such concerns to the relevant regulators and legal authorities.

    I agree with your four conclusions.

    • Norman Marks
      March 19, 2024 at 6:47 AM

      Well said, David. Excellent points
