The efficient and effective internal auditor
The IIA has released for public comment a draft update of its Standards.
I believe it is important for everybody who shares my desire to advance the internal audit profession and its practices to review and share feedback on the draft.
X
I took my time in carefully reviewing the draft, line by line, and then sat back to reflect.
Everybody should, in my opinion, do the same.
X
The IIA Standards Board, leadership, and staff spent most of 2022 working on this renewal of the Standards. I congratulate them on the significant changes, including some that I have been talking about for years.
I was looking forward to a document that would recognize and promote the development of efficient and effective practices around the world. One change that I am pleased to see they have made is the need to update the internal audit plan as conditions change, at the speed of risk and the business.
I was hoping that I could get behind a new set of Standards and promote it actively.
I am unable to do that.
X
Unfortunately, the IIA’s survey (which I was happy to complete) does not include a request to assess whether the draft should be approved, approved with minor changes, approved only after specific major changes are made, or otherwise.
X
I decided to write what is essentially an audit report to communicate my overall assessment of the draft and the specific major issues I have. I am using the word “major” in the same way as COSO: a deficiency that prevents the draft from achieving its purpose, its objectives.
With that in mind, I considered and included in the report what I believe the value of the IIA Standards, their purpose, should be. Then I assessed whether the purpose was met.
My overall opinion was not favorable. You can download a copy of my report here. I have embedded a copy below this post.
I have a deserved reputation for being direct, even blunt. I have been that in my report, which I shared with IIA leadership as well as staff and members of the Standards Board.
X
As far as I can tell, and I have asked the IIA, they will not be posting the comments they receive, so I am sharing mine here. They have not voiced any objection.
I ask that you share your assessment of the Standards here, copying or linking any response (other than the survey), so we can all see and discuss each other’s thoughts. I expect the IIA staff and members of the Standards Board will be checking here to see what is said.
Please review the draft carefully. It is important.
Complete their survey and, if you have additional comments or want to share an overall opinion with them, the email is standards@theiia.org.
X
If you agree with my points and observations, I would appreciate your so informing the IIA as well as posting your comments in this blog.
If you disagree, please post your comments. X
I am especially interested in your thoughts on:
- My statement about the purpose and value of the Standards.
- Whether the draft Standards fulfil that purpose.
- Your thoughts on each of my major issues. X
Thanks
X
PS – I am open to panel or other open discussions of the draft.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman: I agree all internal auditors and IA’s customers should take the time to review the draft and comment. The focus of my comments on the draft has been on IA’s PURPOSE not the annual audit plan. https://bit.ly/3YA1XEQ
What I am dismayed to hear is the IIA refuses to post comments to the draft for public review. This time the IIA said they were updating the standards to better serve the public interest. Keeping what people say and think about the exposure draft is NOT IN THE PUBLIC’S INTEREST. I hope they reconsider.
Tim, what do you think about my report and the points I made?
I need time to review. My view is that unless PURPOSE is agreed, much of what follows may need changes.
I’m going through the new standards at present. I’m not that impressed as it doesn’t properly recognise that determination of risks is a management responsibility. I’ll post my comments when I have finished.
David
http://www.internalaudit.biz
David: I agree. The IIA has been unwilling to take a clear position on the point you raise since CRSA came on the scene in the late 80s. Your point leads to a related issue – is the basic IA paradigm of internal auditors deciding what to audit and then telling management what IA thinks are “material weaknesses”, “significant deficiencies” or even worse “Audit findings” a human interaction model that makes sense in today’s world. I don’t believe it is. I think it is a throwback extension to command/control management.
Norman, I’ve drafted comments but set them aside to reflect, thinking that I was too extreme. Having read yours, I think I’m providing more detail but aiming at the same issues. The standards lack a business purpose or outcome. They should provide guidance for how auditing and auditors can add business value and improve business performance. Instead they provide instructions on how auditors should audit. These aren’t standards. They are rituals. I am terribly disappointed in the lack of public disclosure of feedback. We should all learn from shared perspectives.
Thanks, Tom. They should definitely listen to you!
Hi Norman,
I read your initial thoughts in your email over lunch and then reminded myself to have a look at your detailed analysis on the train home.
So I Googled “Norman Marks” and the first thing that comes up is “Norman Marks obituary” and I thought to my simple mind – gee that is a pretty severe response by someone to Norman’s honest articulations. 😊
I have read both the proposed standards and your response.
And not for the first time and not for the last time – I am in complete agreement with you.
As I read the proposed standards I was strangely reminded of President Eisenhower’s famous farewell address where one of the most decorated and experienced military people of our or any era warned of the military industrial complex – that vicious propagation that by its very existence benefits both sides of the arms demand supply chain.
I couldn’t shake the thought of not only that there was much that needed to be changed in the proposed standards – which you have well structured its deficiencies – but also that had we (or is it we had) crossed the line between standards to promote best / better practice and standards that justify the existence of the Institute.
I am not sure that anyone will take note – or should take note – of the musings of a short-sighted bald antipodean auditor but if they were I would ask of them three things.
First that all commentary – not just the congratulatory – is published in central place for all to consider.
Secondly that out of respect of those that have taken the time to write the commentary every line of every commentary is addressed even if it is to provide a rebuttal.
And thirdly that there are three minds be specifically engaged in the process from this moment forward.
You.
Tim.
Todd Davies.
Now if you will excuse me I have other obituaries to peruse.
Take care.
Tom
They should definitely listen to you, Tom.
Tom, I’m up to standard 13.1. I’m pausing to write my obituary.
David
Hi Norman.
As usual I find myself in furious agreement with half of what you say and wanting to refute the other half. Glad to see that this reaction is consistent over the years. It makes for better thinking.
I’m working through it slowly from the perspective of practicing ARC chair and an advisor to best practice companies who are doing great work.
There’a a lot of red-lining so far and I’ve only got through the glossary. I’ll pull together some cohesive thoughts.
The biggest problem seems to be that the IIA and its committees are wonderful people but also institutionalised insiders who keep on referencing the same old ideas to modern challenges and without regular exposure to the leading edge. So far it’s got more of a foot in the past than in the future.
I don’t envy the job of the team. I’ll take my time to make a useful and actionable submission and hopefully get there in the end.
Thanks, Todd. Glad to see I can still stimulate opposing views, even in the same person’s head.
Norman,
I think you are correct on the vast majority of your points – I would say it needs a major rewrite at the very least .. It flies in the face of progressive IA movements (lean/agile) ..
1) Standards should promote effective and efficient IA to add value to organisations on a forward basis via insight and foresight
2) Risk IA based in organisational terms not by unit
3) Coordinated with others, with measures of reliance
4) Shouldn’t be about excessive documentation (document to prove reasonable assurance only otherwise this kills the lean/agile move)
5) Guidance on how to define “Reasonable assurance” (a core point in IA) is still not present in IIA standards .. How can we be about assurance, and have no definition of this?!
6) Agree all documentation requirements listed should be stripped from this draft. Also think they read of a tick box mindset (e.g., how you make transparent whether resource /coverage is adequate is not really addressed)
7) There should some attempt by the IIA to set out a track changes with the old standards and the new – otherwise how do we explain clearly the changes to members and stakeholders
8) What would NED institutes etc. think of this?
Also concerned about:
> The meaning of “courage”
> Limited alignment with IIA UK code of practice (where IA is asked to look at areas such as culture, information presented to the board etc.,.), or explanation why this is not the direction of travel to take ..
>References to root cause should be “root causes” – no such thing as one root cause!
Raises a question about the IIA process for this .. and how open they will be to this challenge when largely having ‘baked in’ this version .
Thanks, James
I agree with everything you took issue with and your recommendations. I was never a fan of the old standards and didn’t expect much of an improvement with the new proposed ones. IA overall does not have a desirable reputation in part because of lack of innovation and nuance at the “policy-setting” level – the IIA. Honestly I and many others have little pride in being internal auditors. So many of the people running shops don’t think or act as you do. Most are the personification of thr IIA standards – antiquated, dull, prescriptive, and stubborn. IMO the entire profession needs an overhaul from the ground up, starting with the IIA. Out with the old and in with the new and true best practices.
Thanks Norman. Your points regarding purpose, compliance vs effectiveness/value and promotion of IIA vs quality audit services particularly resonate with me.
Audit is not an end in itself. What I would like to see is more focus on defining the assurance needs of the business and how to meet those needs, less focus on simply looking for areas that are auditable and treating the audit plan as a sacred cow.
Thanks, Ian
Norman, I totally agree with you. Although I am still working through the detail, I have come to the following conclusions:
The document is not suitable as a standard setter. Much of reads like like a text book with the result that it is far too long at 108 pages.
‘Recommendations’ should be retitled ‘Standards’, given a unique number and, in may cases, rewritten to be more concise.
‘Considerations’ should be included in a separate document, possibly labelled, ‘Best Practice’.
There are two ‘Purposes’ for internal auditing, one in the glossary and one following the glossary. Neither are unique to internal auditing.
I will continue…
My comments on the GIAS can be downloaded at https://www.internalaudit.biz/webresources/giascomments.html. I will probably make some changes before submitting them to the IIA.
My conclusions are:
The Standards document lacks focus and, as a consequence, loses the inherent simplicity of the audit process. The document does not follow the requirements of Standard 11.2 for ‘Effective Communications’. In particular:
• Some requirements are vague, lengthy and include unnecessary detail.
• Some requirements are unnecessary, while others which are necessary are not included.
• Requirements are not individually numbered, making reference to them difficult.
• Some detail in ‘Requirements’ should be in ‘Considerations’ (Example: Standard 13.1 Engagement Communication).
• The ‘’Considerations’ section reads like a textbook for students studying for IIA exams. It is not always concise, correct or complete. It makes the standards, at 108 pages, far too long. It should be revised and placed in a separate ‘Best Practices’ document.
• There are many instances in the Standards where internal auditors are expected to assess risks. This is management’s responsibility and there should be clear instructions that the internal audit function is not responsible for determining risks, although it may assist management in doing this.
Hi Norman
I’ve gone through the standards, if that’s what we can call them. I’m in total agreement with your recommendations but would also highlight the following:
1. The amount of duplication throughout the document is excessive. The standards would be simpler if we had one document withthe principles, cross-referenced to the relevant standard/s, and in turn referenced to the applicable “recommendations”.
2. These standards are as colleagues have said, an outdated textbook that has not been updated, and is sure to drive internal audit into the grave. In particular, if standards are going to be written in such a way that they can be confirmed to, the bureaucratic command and control tone has to be removed. In addition, there is little consideration for small or medium enterprises and there is no doubt that the priority of the standards should be aligned to enterprise IA maturity stages.
3. There is absolutely no understanding or acknowledgment of Agile/Lean principles which are all about working collaboratively to work with management to uncover significant risks and to collaborate on actions required to mitigate the risks and to deliver customer value.
4. Your note on residual risk is well made. More concerning is that the IIASB clearly does not understand the concept of residual risk as high residual risk speaks to potentially significant unaddressed risks and if those are strategic, there is little point in “auditing” them, rather engaging with management in an advisory service
5. You have said everything I said about evidence/documentation which again demonstrates a total lack of digital understanding.
I too concluded that these standards should be withdrawn and reworked. In this case, Less would be More.
6. Although the board is the key stakeholder, and hopefully both the CAE and IAF report through to the board, thus there should be more focus on understanding their expectations, the organisational strategy, management’s assessment of the strategic risks in developing a roadmap for the IAF, and I am in full agreement in adopting dynamic planning with the board’s approval.
In conclusion, I believe that purpose could be the same as the mission as laid out in your document.
Well done on a comprehensive assessment, well summed up.
Thanks, Sharon
Hi Norman. Thanks for leading the charge on this.
This is where I got to with mine… in carousel format to get above the detail.
I’ve read what the rest of the IA commentariat (Illuminati?) had to say and I think we’re all pretty much unified on the same feedback.
https://www.linkedin.com/feed/update/urn:li:activity:7069196902914764800/
The question now is how to take it forward.