Calling all internal audit enthusiasts: the Institute of Internal Auditors has released a draft of proposed new standards for the profession and is calling for public comment on the material. So if internal auditing is your career or you deal with internal auditors in some other capacity, put on your thinking cap and download a copy.
The proposed updates are meant to bring more clarity to the purpose of internal auditing, how internal audit functions should be governed and managed, and the code of ethics that internal audit professionals should follow. In their final form, these updates would replace the existing International Standards for the Professional Practice of Internal Auditing that internal auditors follow today.
The draft standards are out for public comment through May 30. The plan is to release a final version by the end of the year.
“Effective professional standards aren’t, and can’t be, static,” IIA president Anthony Pugliese said this week in a prepared statement about the proposed updates. “In addition to making the standards clearer and easier to use, we’ve also made sure the new draft standards reflect the rapidly changing business landscape and the ever-expanding scope of internal audit work.”
Pugliese is certainly right about the expanding scope of internal audit work in recent years. When Sarbanes-Oxley compliance first landed on the corporate world’s doorstep 20 years ago, internal audit quickly became the team taking point on internal control over financial reporting and SOX compliance generally; according to the 2022 State of SOX report from Workiva, at least half of internal audit teams still have primary responsibility for SOX compliance today.
Except, SOX compliance consumes a lot of time. And at least in theory, internal audit still has a day job working with the board and management team on other stuff — everything from cybersecurity to ESG reporting to vendor risk, whose importance has soared in recent years; plus routine operational audits. So if the need for effective internal audit functions has transformed, then revisiting the standards that define this profession is not a bad idea.
So what do the proposals contain? Let’s take a look.
[Disclosure: I do write a paid column for the IIA about boardroom governance. The IIA did not pay me to write the post, or even know this post was coming before it went live.]
New Name, New Structure, New Details
Most notably, even the name of the thing will change. Gone is the “International Standards for the Professional Practice of Internal Auditing” title, in favor of a simpler, clearer “Global Internal Audit Standards.” The new document would still use material from all six elements of the current professional practices framework, but reorganize those six elements into five domains:
- Purpose of Internal Auditing, to define what internal audit does and why that helps the enterprise
- Ethics and Professionalism, to articulate the profession’s code of ethics
- Governing the Internal Audit Function, which focuses on the relationship between the board and the chief audit executive
- Managing the Internal Audit Function, which explores how the chief audit executive should run his or her team
- Performing Internal Audit Services, which discusses how to perform assurance and advisory engagements
Each domain then has much more material (the proposed draft runs 108 pages in total) unpacking the important issues relevant to it. For example, the Governing domain goes into new detail on how the board should oversee the internal audit function — responsibilities that “were implied or indirectly stated in the existing standards” and “are now stated more directly and clearly.”
The draft also contains new and different requirements for the quality assurance and improvement program that internal audit functions are supposed to undergo; a new section specifically for internal auditors at public-sector organizations (excellent idea); and an expanded glossary to define terms such as “criteria,” “condition,” “finding,” “inherent risk,” “residual risk,” “risk tolerance,” and other buzzwords we use all the time without necessarily confirming that everyone understands what those words mean.
Some Immediate Issues
To be clear, I haven’t yet read the draft standards. Even right away, however, we can all see what a few of the big issues are for internal audit functions today; issues that would benefit from more clarity.
First, what is internal audit’s relationship with the board? Specifically, how much is the board supporting internal audit, and acting as an advocate for internal audit with the rest of management? Or how much is the board simply sitting around waiting for internal audit to come to the board with various reports?
The latter strikes me as a surefire way to leave internal audit stranded in SOX compliance duties, briefing the audit committee from now to eternity but never doing much else. On the other hand, internal audit can help the enterprise with many other issues, provided that the board understands why internal audit exists and engages with it to tackle all those thornier, more strategic risk issues.
Second, what is internal audit’s relationship with management? This really is just another verse of the song I began to sing in the previous paragraph. Management can also use internal audit for all sorts of tasks: performing risk assessments, recommending new internal controls, building analytics tools for emerging risks, and more.
People do sometimes get hung up over internal audit’s independence from the business, but let’s be honest here. Internal audit needs to demonstrate some value to the business. Operating units are going to ask, “What can you do for me?” If your immediate answer is, “Well, I do my own thing because I need to maintain independence” — that’s going to get a lot of doors closed in your face.
Yes, I understand that internal audit does need to maintain some degree of independence; but it needs to maintain a degree of relevance and importance, too. The more these new standards can help audit leaders strike that balance, and demonstrate it to others, the better.