What do practitioners think about the IIA’s draft update of the Standards?

Getting the International Standards for the Professional Practice of Internal Auditing right is important, deserving of our attention and support.

Leadership of the IIA and its Standards Board spent much of the last year, with help from dedicated volunteers, working on an update.

It is a major piece of work, involving a dramatic change in the structure of the Standards[1], some revised content (much of it good), and a new name: the Global Internal Audit Standards (GIAS).

Those involved deserve our thanks for their hard work and dedication.

But have they succeeded in giving the profession and its practitioners what is needed?

That is the question I ask.

While the IIA provided a survey that solicited practitioners’ thoughts on each element of the draft, they did not include necessary high-level questions about whether it does what the profession needs.

I polled practitioners to find out. 118 responded (thank you) and I have now closed the survey.

It is time to review what they said. (I have moved most of my related opinions and reflections to footnotes. That doesn’t mean that I don’t think they are important. They are. But I wanted to focus this post on the results of the poll.)

I have included, after summarizing the poll results, a survey by auditors in academia, and a list of feedback by several thought leaders. I have also included a link to a response by the State of Illinois Internal Audit Advisory Board.

But first, we need to decide what the Standards should provide for practitioners. Where is its value? How do we assess whether it meets our needs as a profession and as practitioners?

Kathleen Seeuws (Vice President Standards and Guidance for the IIA) shared a Frequently Asked Questions document in a post this week on LinkedIn. It says:

The Standards Board periodically reviews the Standards and updates them when changes are considered necessary. Based on research done by the Standards Board and IIA staff, it became clear that the structure of the International Professional Practices Framework was not fully meeting the needs of the internal audit profession. Given the rapid changes in the global business environment, the Standards Board determined that it was time to significantly revise the Standards and other elements of the IPPF. Goals included elevating the profession of internal auditing and enhancing stakeholder recognition and understanding of the value internal auditing provides.

Note that last sentence.

It doesn’t distinguish between elevating the profession in the eyes of our stakeholders and elevating the professional practice of internal auditing.

The second ‘elevation’ is far more important.

When internal auditing is effective, meeting the assurance, advice, and insight[2] needs of our customers, they see the value[3].[4] Quality services consistently delivered by functions around the world will elevate the profession in the eyes of our stakeholders.

I very much like the purpose of the Standards according to the draft:

The Global Internal Audit Standards provide requirements and recommendations to guide the professional practice of quality internal auditing globally. The Standards also establish a basis for evaluating the performance of internal audit services.

In other words, the GIAS should define what is required (what “must” be done) if an internal audit activity is to be considered minimally effective in providing the quality services customers and other stakeholders need.

It also provides recommendations (what “should” be done) that are likely to take an internal audit activity beyond the minimum level of acceptable performance towards world-class. (“Acceptable” should be defined in terms of the value delivered to our customers, that is. How has internal audit contributed to their and the organization’s success?)

Since the GIAS defines everything that must be done to achieve a minimally acceptable level of performance (my interpretation), conformance to the GIAS can be a basis for assessing whether that base level is achieved[5].

I asked practitioners about the purpose of the Standards. The results are surprising.

Q1: Do you agree with the stated purpose of the IIA’s Standards?

| ANSWER CHOICES | RESPONSES |
|---|---|
| Yes | 46.15% 54 |
| No | 53.85% 63 |
| TOTAL | 117 |

I am not sure why so many disagree with the stated purpose of the Standards shown above. I certainly like it. My only explanation is that they thought this was asking about the Purpose of Internal Auditing that is included in the draft GIAS[6].

The next question is the critical one in assessing the draft GIAS and whether it meets the needs of the profession and its practitioners.

Q2: The Standards should “provide requirements and recommendations to guide the professional practice of quality internal auditing globally.”  Does the draft describe quality internal auditing?

| ANSWER CHOICES | RESPONSES |
|---|---|
| They describe in full what is required for high quality internal auditing | 5.08% 6 |
| They describe, with minor exceptions, what is required | 15.25% 18 |
| They describe some of the requirements, but there are a few serious omissions or errors | 59.32% 70 |
| They do not describe what is needed | 20.34% 24 |
| TOTAL | 118 |

As you will see in the answers to question 4 below, as well as in posts on LinkedIn by multiple internal audit influencers, practitioners are very concerned that there are so many mandatory requirements[7] in the draft GIAS (“must” statements.) Too many rules make these rules-based, not principle-based standards.

Here, they are saying that even with so many mandatory requirements, there are serious omissions!

Practitioners are not ready to approve the draft.

Q3: Should the draft be approved?

| ANSWER CHOICES | RESPONSES |
|---|---|
| Yes, with perhaps a few minor changes | 5.93% 7 |
| Yes, after some edits of significance | 17.80% 21 |
| No. The issues merit significant change and a reissue of the draft | 66.10% 78 |
| No. The Standards should not be changed at this time | 10.17% 12 |
| TOTAL | 118 |

Hopefully, the Standards Board and IIA leadership will take notice of this assessment by those practitioners who have taken the time to read and consider the full draft. (Listening to those who attended a brief presentation has limited value.)

I am hearing that there is great reluctance to go through a second comment period. But getting this right is too important and there are other options[8].

My next question didn’t quite work the way I intended (I blame the tool). Practitioners were only given the choice of one rather than multiple answers.

The number who picked “Other” is substantial, so I have shown percentages excluding that option.

Q4: What is the most significant issue of concern? Add others in the comments area.

| ANSWER CHOICES | ALL RESPONSES | EXCLUDING “OTHER” |
|---|---|---|
| None of the above | 1.69% 2 | 2.27% |
| Improved focus on risk-based auditing[9] | 6.78% 8 | 9.09% |
| Less “must”. It’s too rules-based[10] | 33.05% 39 | 44.32% |
| Use the Core Principles rather than those in the draft[11] | 1.69% 2 | 2.27% |
| Change the Purpose statement | 3.39% 4 | 4.55% |
| Separate what must be done (standards) from how it should be done (framework) | 24.58% 29 | 32.95% |
| It’s too long[12] | 3.39% 4 | 4.55% |
| Other (see below) | 25.42% 30 | |
| TOTAL | 118 | |

Practitioners overwhelmingly believe the draft has gone overboard, mandating activities that are not essential to quality internal auditing.

I have suggested that the IIA and its Standards Board should ask:

  1. Does the draft include everything required for internal audit to provide the quality internal audit services its customers need? Is it sufficient?
  2. Does the draft include requirements that are not necessary for internal audit to provide the services its customers need? Is it excessive?

I didn’t ask about the inclusion of “musts” assigned to the board or audit committee (or other governing body)[13]. What I have seen on social media is significant opposition.

Here are the comments provided in the Other option to this question. (I have edited for grammar and spelling, and highlighted the ones that got my attention.)

  • All of the above (three people).
  • Cost/benefit analysis of the changes to improve the professionalism of the profession.
  • It is likely to make the profession less attractive to join / stay. With less auditors, standards don’t even matter. It’s also far too long and there is no requirement to innovate or modernise. More of the same will lead to less and less relevance. Are IA being consulted on AI governance or any emerging risk areas as risk management experts – No, a sign of irrelevance.
  • Audit can be a core business partner, contributing to strategy from a risk management perspective. Is this risk management? Yes, but it goes beyond that, the opportunity being risk management and strategy integration.
  • Governance bodies’ roles.
  • 1) remove requirements over people and things IA cannot control (Board); 2) more on performance and value; 3) Advisory: a) IA should be able to initiate, and b) provide standards and guidance throughout; 4) Leverage three lines model, including reliance (or not) on 2LOD audits.
  • It sets out requirements for audit committees who are not IIA members or internal auditors.
  • Too focused on big departments; unrealistic musts like an annual review of the charter by the Audit Committee.
  • All of the above – especially a focus on Enterprise Risks – risk-based auditing.
  • Following rules does not establish Effectiveness of Assurance, rules are not even a proxy for effectiveness.
  • Absence of how you determine the link between organisational success and failure and IA role .. weak on emphasizing the 3Lines.
  • Use the Core Principles; Change the Purpose; too prescriptive.
  • It’s a solution in search of a problem.
  • I would choose 1, 2 and 5 and 6.

As always, I value your thoughts. I am assured that the Standards Board will consider these results[14].

A smaller survey by the Association of College and University Auditors reported that “74% of respondents generally supported the proposed new Standards”. They also said:

The top concerns over specific sections of the new Standards are as follows:

  • 59% of respondents took issue with the excessive Board requirements throughout Domain III: Governing the Internal Audit Function. Most question whether the IIA has the authority to mandate specific Board requirements as board members are usually not IIA members and the CAE does not have authority over the board’s actions.
  • 41% disagreed with Standard 8.4 External Quality Assurance, which modifies the requirements by mandating an external review be performed every 10 years, instead of a self-assessment with validation, and requires having a Certified Internal Auditor (CIA) on the review team. This is cost-prohibitive and excludes seasoned reviewers who are not CIAs.
  • 21% were concerned with Standard 15.1 Final Engagement Communication because it requires findings to be ranked by significance, as rankings are subjective and cause conflict.
  • 10% disagreed with elements of the new Domain I: Purpose of Internal Auditing. The purpose statement focuses on “enhancing the organization’s success” and “serving the public interest.” The prior mission statement focused on providing a risk-based independent and objective service. Members believe the emphasis on success and serving the public interest presents a conflict of interest and shift in priorities.
  • 10% felt that acknowledgement of bias in Standard 2.1 Individual Objectivity and the statement “Internal auditors must be aware of and manage potential biases” negatively conveys auditors are inherently biased instead of being fair and impartial.

Additional concerns noted as particularly burdensome for the small shops were identified in the following areas:

  • Standard 2.2 Safeguarding Objectivity – Small shops felt the requirement that internal auditors must not provide assurance over an activity where they provided advisory services within the last year is too restrictive and limiting.
  • Standard 10.2 Human Resource Management – “The CAE must establish a program to recruit, develop, and retain qualified internal auditors” may be overly-burdensome.
  • Standard 12.1 Internal Quality Assessment – The suggested alternative for small shops “to consider requesting assistance from others within the organization to conduct periodic assessments, such as former internal auditors or others with suitable knowledge of internal auditing” may not be practical.
  • Standard 12.2 Performance Measurement – A new standard aiming to build upon accountability of internal audit to both the board and senior management requires the CAE to develop and report on a performance measurement methodology creates more administrative work.

The State of Illinois Internal Audit Advisory Board sent the IIA a letter with some telling points. They include a lot of comments about practices in government agencies, as well as these:

  • Standards for the Internal Audit function should provide the framework under which a Chief Audit Executive must operate but provide the flexibility for them to apply their professional judgment to appropriately implement what is needed.
  • It appears that many sections of the new Standards are written from a slant of people with more of an external than internal audit background as they are too restrictive. A Chief Audit Executive absolutely must be held to a Standard Practice but must be allowed to utilize their professional judgment.
  • There is an overuse of the word “must” especially when it comes to dictating how a process should be implemented with a specific methodology, as opposed to stating that the Chief Audit Executive must have a documented process as to how to handle that particular process. This extreme overuse of the word “must” throughout the new Standards greatly hinders the ability of the Chief Audit Executive to perform their duties.
  • Dictating Responsibilities of the Board do not Belong in Internal Audit Standards.
  • Requiring an overall rating system is too prescriptive and unnecessary.

Comments by others:

My apologies in advance for missing some of the thoughts and opinions that have been shared by others. Here are some I have seen, plus one interview I did.

Email or message me if I missed one and I will add it to the post.

I welcome your thoughts and reflections on the above.

FOOTNOTES

[1] Not sure it was worth it, as it really adds nothing to the content of the Standards, only their presentation. I would prefer making everything simple and concise.

[2] According to Kathleen, “the term ‘insight’ was removed because it was not clearly and distinctly different from ‘advice.’”

I don’t think any of the members of the IIA Task Force that unanimously voted to add insight to the Mission and Core Principles would agree. I for one wasn’t asked, and I am not aware that others were. There is a significant difference between advice (which is generally included in formal reporting) and insight (which is generally less formal). Members of the Task Force commented that our insight may be the most valuable service we provide!

[3] The CEO of Tosco Refining Company told the Governor of the State of New Jersey that “internal audit gives us a competitive advantage”.

[4] In my opinion, recognition of internal auditing by our customers, regulators, and other stakeholders may be lower than desired because of inconsistent quality internal auditing that adds value by helping organizations succeed.

[5] That base level may not be the optimal level of performance. I am not persuaded that every internal audit activity should be doing the same work in the same way regardless of organization (and IA) size, industry sector, regulatory environment, organizational maturity, speed of risk, profitability, and so on.

Any assessment of the performance of the internal audit activity should go beyond conformance to a base level defined by the GIAS. It needs to assess whether IA is delivering the value the organization needs. This is a serious issue IMHO when it comes to the IIA’s QAR.

Conformance to a Standard is not always necessary for quality internal audit services to be provided, and conformance doesn’t guarantee quality either.

It is FAR better to use a maturity model to assess the current and planned level of maturity (and thus its potential to deliver the right valuable services). This is one option. See also this guidance from the IIA.

[6] I share that opinion; I think it is a clear step backwards from the current Mission statement.

Kathleen’s FAQ says:

“The Purpose statement was intended to include the best and most meaningful aspects of the Mission and Definition of Internal Auditing while remaining concise”.

I totally disagree. They should have added four words, no more (about meeting our customers’ assurance, advice, and insight needs), and not removed key words. It then becomes:

…to enhance and protect organizational value by providing the risk-based and objective assurance, advice, and insight our customers need.

Others have expressed their thoughts on the Purpose statement, although most have suggested language that is less concise.

[7] The word “must” is used 296 times in the draft, including the introductory section and Glossary.

[8] I have suggested that the team working on the draft be expanded to include, at least as reviewers, respected practitioners and influencers who will contribute to its excellence (including those who have shared their views on LinkedIn and elsewhere, see the list at the end of this post).

[9] Although at first glance the numbers are low, many of the comments included this as an area of concern, as did most of the influencers on LinkedIn.

The FAQ says:

The sentence “Internal auditing enhances the organization’s success by providing the board and management with objective assurance and advice” achieved the goal of creating a concise, single statement of the Purpose of Internal Auditing that speaks easily to stakeholders. The phrase “risk-based” was not included in the description of internal auditing because it was recognized to be internal auditors’ means of arriving at assurance and advice, but the phrase did not directly reflect how internal auditors help the organization be successful. Additionally, phrases such as “objectives-based” were considered, but this basis of internal audit performance again did not seem to be a concept essential to demonstrating to stakeholders directly how internal auditing supports organizational success. However, internal auditors’ focus on objectives and risks remains a central concept in the Standards, as a means for developing audit plans, assigning resources, and planning and conducting audit engagements.

That is anything but persuasive. “Speaking easily to stakeholders” is not sufficient when it comes to writing standards for effective internal auditing.

Rather than assuming that internal auditors are taking an enterprise risk-based approach, it should be mandated. Far too many functions continue to use a cyclical approach to audit planning.

The draft makes a major error, for some inexplicable reason, when it says that a risk universe (a list of significant risks to the organization’s objectives) is the same as an audit universe (a list of auditable entities and processes).

In fact, as explained separately, the draft continues the practice of encouraging audits of risks to auditable entities instead of risks to the enterprise. That is hardly effective internal auditing that meets the needs of our customers and will elevate the profession in their or others’ eyes.

[10] The Task Force strongly believed that the Standards should be principles-based, allowing practitioners the flexibility to determine the best way to achieve them and deliver the value organizations need. When there are so many “musts”, this becomes a rules-based set of Standards.

[11] I was one of the two, as I believe building on the work by the IIA Relook Task Force is the best way to start upgrading the draft.

[12] One of the problems with the length is that it makes it less accessible. While some may believe that including Implementation Guidance is a positive move, I strongly disagree. Today’s technology allows links between related documents, and it is important to have the flexibility to update and upgrade guidance as technology and practices change.

GIAS must be concise and easy to reference and absorb. At over 100 pages, it is neither. Note that the IIA continues to share GTAGs.

[13] The FAQ states:

“The Standards Board believes that the structure of Domain III. Governing the Internal Audit Function will enhance the dialog between chief audit executives and their boards about the important partnership between the two and help clarify the expectations and conditions that enable effective internal audit functions. If a board supports the Purpose of Internal Auditing, it should embrace the newly articulated requirements. The evidence needed is not expected to be more burdensome than that which is currently completed as part of the chief audit executive’s interaction with the board.”

I understand the need for dialogue. But it is unrealistic and unnecessary to include these as “must” activities in the GIAS. The IIA has existing guidance on this area and the GIAS should only include what is necessary and mandatory for effective internal auditing.

[14] Although the FAQ is very defensive!

[15] Like many who have already commented I started reviewing the standards and lost the will to continue very early on.
The biggest issue is the conceptual rather than the detail as the detail cannot be right if the concepts are fundamentally flawed. Unfortunately the mechanisms in place for feedback do not allow open feedback on the concepts.
I will confess as I am now at the stage in my career of where I am no longer a practising internal auditor (after doing it for over 30 years), but rather now a non-executive director and independent audit committee member the unwillingness to battle my way through this has been made greater.
It is also why I take great umbrage at the institute trying to tell me what I should or should not do in this space. They have no authority over board directors or audit committee members and to act like they have is an extremely arrogant overreach. Ok rant over
I have not posted my overall feedback as it is a case of predominantly regurgitating what others have already stated, e.g. too rules based, no separate COE, no definition (which has legislative consequences) etc.
Having worked with Doug when he was VP on the global board and I was chair of PS Committee. I fully support his thoughts as a wise sage.

[16] I have attempted to read the draft page by page, but keep coming back to the same conclusions:
1) The consolidation of rules (rather than principles) leads to an overtly complex document with many loopholes. A principled based approach would be more concise and more forceful in its approach.
2) The mix of rules based standards and guidance notes makes it difficult to implement – the guidance is aged and needs to be modernised if it is to be appropriate;
3) the draft standards mandate actions on bodies over which the IIA Inc have absolutely no authority. As a consequence, they are adversarial in nature and do not encourage compliance;
4) The draft standards are not “leading edge” but instead are a backward step in many areas. The use of technology has not been considered at all, nor have the more up to date thinking of “risk based internal auditing” or “enterprise risk management” (to name but two) and the need for Internal Audit to work towards the objectives of the organisation, not simply to what Internal Audit consider to be their “audit risk universe”.

5) the draft response document does not provide the scope to strategically challenge the Standards Board, preferring instead to concentrate on generalist topics.

  1. June 5, 2023 at 1:55 AM

    Hi Norman. My comments on the draft are at https://www.internalaudit.biz/webresources/giascomments.html
    David

    • Norman Marks
      June 5, 2023 at 2:15 AM

      Thanks – added

  2. June 5, 2023 at 2:01 AM
    • Norman Marks
      June 5, 2023 at 2:14 AM

      Thanks – added

  3. June 5, 2023 at 3:22 AM

    I wonder if the disconnect on the first question, about the purpose, is that many people might have interpreted that question to be about the proposed new Purpose (to replace the Definition and Mission), rather than the purpose of the Standards themselves?!?

    • Norman Marks
      June 5, 2023 at 3:54 AM

      That’s what I guessed, Hal.

  4. Jay
    June 5, 2023 at 6:29 AM

    The Illinois State Internal Audit Advisory Board posted extensive feedback for the public sector in general, and State of Illinois public sector internal audit in specific, here: https://siaab.audits.uillinois.edu/common/pages/DisplayFile.aspx?itemId=2005048

    • Norman Marks
      June 5, 2023 at 7:21 AM

      Thanks – added
