The Institute of Internal Auditors (IIA) has released a revised set of professional standards for the practice of internal audit (Standards) for public exposure and comment. The comment period is open through May 30, 2023, and The IIA encourages feedback through its online survey. We call upon every internal audit practitioner to make their voice heard. This is your opportunity to help shape the future of your profession.
This long-awaited transformation marks a major milestone in the continued evolution of internal audit, and The IIA’s exposure release has generated significant discussion. It’s our goal to help keep the discussion as constructive as possible, so that the internal audit community can respectfully work together to clarify and define its shared standards of performance and behavior. Accordingly, we write not to critique The IIA’s proposal, but rather to raise awareness about some of the changes that could have long-term impacts on internal auditors’ day-to-day responsibilities.
We understand the complexity, difficulty, and magnitude of The IIA’s efforts in undertaking this transformation. We have been in their shoes. We first worked together roughly 25 years ago to help craft what were the most sweeping reforms to the Standards in IIA history at that time. Each of us later chaired the International Internal Audit Standards Board (IIASB), and Patty served on two task forces responsible for revamping and continually enhancing The IIA’s International Professional Practices Framework (IPPF). Patty is a former IIA Global Chairman, and Richard served as IIA Global President and CEO for 12 years. All this to say, we have profound respect and admiration for the work that has gone into these proposals, and we care deeply about helping to ensure that The IIA achieves its stated objectives. It is in this spirit that we call attention to six of the most potentially impactful proposed changes that we think every internal auditor should understand.
Background on the Proposed Standards and Key Trends
It’s helpful to begin with a broader view of how the proposed Standards are different. For a more detailed overview, see The IIA’s special edition of Global Perspectives & Insights and Richard’s rundown of major differences between the IPPF as we know it and the proposed revisions. For our current purposes, three trends are noteworthy:
- Shift from general principles to more prescriptive requirements. The existing Standards generally emphasize broad, outcomes-oriented principles that allow a CAE to exercise professional judgment to determine — with the approval of their boards — the most effective ways to implement each Standard in their organization. The proposed Standards take a more prescriptive approach with specific rules, and less reliance on professional judgment; i.e., there are more “musts” and fewer “shoulds/coulds.”
- Shared standards for assurance and advisory. The current Standards separately address assurance and “consulting” internal audit work. The proposal applies a common standard set across all services. Conformance could be challenging for strictly advisory services, the nature of which can vary significantly.
- Consolidation of requirements and recommendations. The IPPF’s current structure separates the Standards from the non-mandatory Implementation Guidance. The proposal integrates Standards and guidance (“Considerations”) under the banner of Global Internal Audit Standards, creating potential confusion on mandatory vs. non-mandatory, and a long document to digest.
Those are some overarching trends we noted when reviewing the proposals — but what are the significant changes of which internal auditors should take note? We have identified six that we think are the most significant.
1. Required Ratings for Overall Conclusion and Each Finding
Currently, CAEs can provide opinions where and how they deem appropriate: “Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results.” The proposed Standards make it mandatory for each finding and for the aggregated engagement result to have a rating, ranking, or other indication of priority.
Internal audit should be required to communicate the significance of issues. Ratings are a fine process when they align with stakeholder needs and expectations, when they aid in communicating significance, and when practitioners acknowledge the risks. However, many practitioners experience ratings as a common source of friction and tension with stakeholders, with the discussion centering on the “grade” rather than the issue to be addressed. If ratings become mandatory, tension with stakeholders may increase in some organizations, slowing down the resolution process and undermining the building of effective stakeholder relationships.
2. Historical CAE Standards Now Directed at the Board
Currently, responsibility for enabling boards to fulfill their governance responsibilities relative to internal auditing falls on the CAE. The CAE is required to communicate the board’s role in ensuring the appropriate position and independence of internal audit, critical to internal audit’s provision of objective assurance. The proposed Standards instead allocate specific governance responsibilities directly to the board, employing the phrase “the board must” 30+ times.
The proposed change makes explicit the important responsibilities boards have for ensuring that internal audit has the appropriate level of authority. But boards don’t fall under the jurisdiction of The IIA, and it remains to be seen how enthusiastically they’ll embrace its guidance as to how they carry out their responsibilities. Also, if boards choose not to heed The IIA’s requirements, it could put the internal audit function in an awkward nonconformance position. CAEs can only communicate — not dictate — requirements.
3. Required Recommendations for All Findings, and Management Action Plans “When Applicable”
Internal auditors currently have the responsibility to report an issue, offer a recommendation, and let management decide how to resolve it. In the proposed Standards, internal audit must formulate recommendations for every finding and “if applicable” obtain management’s action plans. In other words, recommendations would be required, and action plans would be optional.
The proposed Standards are more prescriptive about what due professional care looks like, removing a degree of professional judgment from the equation. This could force greater discipline within internal audit to consistently understand root causes and share insightful suggestions.
In our experience, management often knows better than internal audit how to address issues. Even better, they may do so during fieldwork, or share planned solutions with internal audit before recommendations are needed. Either way, we believe action plans are generally critical and recommendations useful, but only when needed.
4. Required Conformance Statements on Communications
In proposed Standard 4.1, “final engagement communications and communications with senior management and the board” would be required to specifically state conformance with Standards or disclose nonconformance. Standard 15.1 stipulates that final engagement communications must list all “Standard(s) with which conformance was not achieved,” “the reason(s) for nonconformance,” and the “impact of nonconformance on the engagement findings and conclusions.”
This change could help emphasize the importance of the Standards and provide transparency for report readers on whether conformance has been achieved. But lack of conformance sometimes simply reflects lack of resources (e.g., no quality assessment because the board didn’t approve the budget, or a single audit practitioner who acts both as CAE and auditor). Statements of nonconformance may give CAEs support in favor of more resources, but the larger impact could be longer reports that cause confusion or even a lack of confidence among readers unfamiliar with the Standards, and less overall conformance — starting with this requirement.
5. New QAR Team Requirements
The existing Standards require the CAE to discuss with the board the qualifications and independence of a proposed Quality Assurance Review (QAR) team. The proposed Standards would require CAEs to ensure that QAR teams include at least one member who has completed IIA-sanctioned external QA training, and at least one member with an active Certified Internal Auditor (CIA) designation.
This change could positively impact the competence of QAR teams, ensuring that practitioners have received sufficient training. It could also impact team availability by making it more difficult to identify teams, especially in the short term. CAEs and boards would have less latitude in selecting teams.
6. QAIP Scope Expansion: Achievement of Performance Objectives
The proposed Standards expand the Quality Assurance and Improvement Program (QAIP) scope to evaluate not only conformance with Standards, but also achievement of performance objectives measured as metrics (see 8.3). Example metrics include progress against agreed-upon action plans, increased staff productivity, increased process cost-efficiency, “level of contribution” to improving risk management, and “effectiveness in building relationships and meeting the needs of stakeholders.” A performance measurement standard (12.2) adds example metrics such as “increase in the number of action plans for process improvements” and “clarity of stakeholder communications.”
CAEs should be focused on, and accountable for, continuous improvement. With this new requirement, it will be critical for CAEs to rationalize performance objectives against the Standards, as there’s a risk they may not align. For example, the board may set a performance objective of fully completing the audit plan by year-end — while the Standards stipulate that internal auditors must continuously assess risk and adjust audit plans accordingly. The objective of finishing is balanced against the requirement to stay flexible and risk-focused.
Make Your Voice Heard
We applaud The IIA’s ongoing commitment to elevating the quality of internal audit services through greater conformance. These efforts will be transformative. That’s why it’s vital that every internal audit practitioner takes the time to understand the proposed changes that could most impact their important role. To that end, Richard offers questions to help practitioners think about the proposals in the context of the future needs of the profession.
The revised Standards will not be confirmed until much later in 2023. Whether you embrace The IIA’s proposals or have constructive criticism to contribute, be part of the change you want to see. Speak now or forever hold your peace.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Internal Audit Advisor at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.
Patricia Miller, CIA, CRMA, QIAL, CPA, CISA, is the owner of PKMiller Risk Consulting, LLC, a member of the COSO Board of Directors, and serves as an internal audit Advisor for CNM, LLP. Previously, Patty was an enterprise risk services partner with Deloitte & Touche LLP, and served as global chairman of the board of The Institute of Internal Auditors (IIA). Connect with Patricia on LinkedIn.