3 Questions to Consider Before Implementing the New Standards
In January 2024, the Global Internal Audit Standards (the IIA’s Standards) were updated after a long consultation process. While the updated standards are not expected to have a dramatic impact on IA functions or departments, there were changes in the approach and in specific areas, including the purpose of internal audit, the use of a long-term plan, and the addition of terms like “courage” and” professional skepticism.”
The two-year revision process included the participation of internal audit experts and leaders from around the world. (It hardly needs mentioning that participation in the standards process is voluntary, and the thousands of hours put in by these professionals speaks volumes to the dedication of the profession.)
The IIA standards provide a framework for setting up a best-in-class IA function. If you read them (even quickly), there are lots of good points that any IA team, big or small, can benefit from. The standards give a comprehensive look that shows the complexities and interconnectedness of what internal audit functions and professionals do.
Constructive Feedback and Alternative Viewpoints
On the whole, the standards have been well-received. At Risk Oversight, we have focused on understanding the structure of the standards that use “domains” (e.g. Ethics and Professionalism, Governing the Internal Audit Function) that link to each principle and each standard to a principle. (This set-up works well, much like the COSO model.)
But there are also some drawbacks, debates, and alternative viewpoints about the effectiveness of the new standards. Below, we have highlighted three questions that we find the most interesting to consider. We recommend going to the original sources to consider the insights, feedback and critiques we’ve found especially useful:
1. Have the new standards sacrificed the value of principles for a prescriptive approach?
For one interesting set of opinions, check out this excellent whitepaper “The Global Internal Audit Standards – Old Wine in New Bottles?” by internal audit experts, Rainer Lenz and David O’Regan. The whitepaper argues that the length alone of the 120-page Global Audit Standards leads to a more “prescriptive” approach that diminishes their value overall. Lenz and O’Regan believe that the standards have missed the opportunity for a truly more principles-based approach.
“By following rules, the focus of internal auditors is misguided toward form over substance, encouraging a checklist-based mind-set that diminishes moral agency.”
2. Is “rules-based” the most effective choice of language?
The feedback from Lenz and O’Reagan echoes feedback in 2023 in “An Open Letter to the IIA Regarding the Draft Standards Update” from internal audit expert and former IIA’s Global Board of Directors member Hal Garyn. Garyn urges the IIA to “rethink the move to more rules-based language” and cautions against the extensive use of the words “must” and “ensure,” which intensify the risk of focusing on conformance over adding real value.
“Not only for the abundance of the use of the word “must,” but there are at least a dozen easily identifiable “musts” that should not be requirements as they are not appropriate in all circumstances. Some examples include: the use of ratings, making recommendations, and specifically making an explicit conformance with the Standards statement in final engagement communications.”
3. Can internal audit dictate what Boards do?
The new standards provide details of what boards and audit committees should do, including how to recruit for internal audit and how internal audit should be reflected in mandates and minutes. While the internal audit and internal control function does influence boards and audit committees through recommendations, we can say from experience that dictating what boards should and should not do is easier said in theory, but impossible in practice. In Garyn’s An Open Letter he addresses this challenge head-on saying that “it is outside of the IIA’s purview” to write standards for any party other than internal auditors.
“The IIA cannot and should not try to create obligations of the board and audit committee directly through mandatory Standards. The unintended consequences could include boards and audit committees questioning the authority of the IIA, wondering what else would be promulgated in the future without their direct input, and even some internal audit functions choosing to not try to conform to the Standards, as these Principles and Standards creating obligations for the board of directors are a reach too far.”
**************
The detail and comprehensiveness of the new Global Internal Audit Standards gives auditors a lot of ideas to work with. But on the other hand, do they give us perhaps too much? Would less really mean more? In our experience, IA teams in larger organizations do take the standards seriously to varying degrees, from using them as reference, to a more religious approach to implementation. But, in practice, the principles of how they operate trump the detailed requirements.
The Global IIA Standards have far-reaching implications across the world and speak to the dedication of the profession to a high bar, collaboration across stakeholder groups, and a dedication to continuous improvement. If you are an organization who uses them, we encourage you to understand the feedback and viewpoints and to adopt a reasonable and pragmatic approach for implementing them.
If you have any questions about how the IIA Global Standards are applied in practice, please don’t hesitate to reach out to us. Contact me at adrienne@riskoversight.ca.