Proposed Global Internal Audit Standards Afford a Chance to Make Our Voices Heard

After much anticipation, The IIA has released a revised set of professional standards for the practice of internal audit for public exposure and comment. 

More than just an update to the existing Standards, this marks a major step in the ongoing evolution of the International Professional Practices Framework through a significant overhaul of the structure, integrating the Standards with the Code of Ethics, Core Principles, Implementation Guidance, and Practice Guides, and elevating the expectations made of boards. There is a new statement of the Purpose of Internal Auditing to supplement the familiar Definition and replace the Mission plus there is provision for “topical requirements” for the future. There is even a proposed change of name for the Standards to Global Internal Audit Standards.

This is the most sweeping change to the standards in more than 20 years, and presents a  significant opportunity for internal auditing and its future. A profession is largely defined by its shared standards of performance and behavior, its body of knowledge, its collective commitment to integrity, and the means by which it prepares and validates individuals as being professionally competent and therefore trustworthy. All auditors, audit leaders, and their stakeholders should be watching these developments very closely, and making sure their voice is heard.

Public comment opened March 1 and will continue through May 30. The expectation is to confirm changes by the end of the year.

This article provides you a summary of the major changes being proposed and practical steps you can be taking now with your teams and stakeholders in preparation for the changes to come. I encourage all professionals to get involved.

The IPPF as We Know It

The “Red Book” is relatively slender, especially when considered alongside comparable publications. Even with the inclusion of non-mandatory Implementation Guidance (in which the Standards are repeated) and Glossary, the IPPF runs to 243 cropped pages and the Standards themselves occupy a mere 23 pages.

The structure of the IPPF has grown more complex over subsequent iterations and addressing this is a high priority for the new document. The current IPPF has five mandatory components:

• The Mission of Internal Auditing.
• Core Principles for the Professional Practice of Internal Auditing.
• Definition of Internal Auditing.
• Code of Ethics (comprising four principles plus rules of conduct).
• International Standards for the Professional Practice of Internal Auditing (52 Standards subdivided into 19 Attribute Standards (the 1000s) and 33 Performance Standards (the 2000s)), each comprising a statement of the standard, interpretation (where applicable), and requirements for assurance and consulting engagements (where applicable).

Non-mandatory (recommended) guidance takes the form of:

• Implementation Guides (with 56 IGs following the four principles of the Code of Ethics and the 52 Standards) and Practice Advisories.
• Supplemental Guidance, including Practice Guides, Global Technology Audit Guides (GTAGs), and Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT).

There is also a Glossary.

The Standards are broad principles-based, high level, outcomes-oriented statements rather than narrower, prescriptive rules. They are, however, intended to be binding when “must” is used (which appears 126 times in the current Standards) while allowing for professional judgment when written as “should” (appearing 11 times). Being principles-based has helped to ensure the brevity and endurability of the Standards and it has allowed for wider applicability and adaptability. However, broader statements can lead to a higher degree of interpretation and potentially deviation, and practitioners and stakeholders often need and want greater specificity. Official IIA guidance helps, but the authoritative yet non-mandatory “recommended” status of IIA guidance has also been confusing at times.

Overview of the Proposed Changes to the IPPF

The IIA has long been committed to elevating the quality of internal audit services through greater conformance and the proposed revisions are aimed at ensuring the Standards are “insightful, prescient, clear, and direct.”

While the Global Internal Audit Standards combines multiple elements of the current IPPF, the concept of an international framework representing all standards, guidance, and other pronouncements remains (the term IPPF is defined in the new Glossary). The new document converges the following components of the current IPPF:

• The Mission of Internal Auditing.
• Core Principles for the Professional Practice of Internal Auditing.
• Definition of Internal Auditing.
• Code of Ethics.
• International Standards for the Professional Practice of Internal Auditing.
• Implementation Guides and Practice Advisories.

There are 53 Standards organized under 15 Principles and arranged in five Domains:

1. Purpose of Internal Auditing
2. Ethics and Professionalism
3. Governing the Internal Audit Function
4. Managing the Internal Audit Function
5. Performing Internal Audit Services

Each Domain opens with explanatory paragraphs. Each Principle is expressed first in short form (e.g., “demonstrate integrity”) and second in full (“internal auditors demonstrate integrity in their work and behavior”) followed by further explanatory text. The 15 Principles mostly reflect the original 10 Core Principles with additions especially noticeable in the Managing Domain.

The Standards (which, like the Principles, also have a short form version) are defined by Requirements written as imperatives (“must”) for internal auditors, the chief audit executive, or the board. “Should” is generally reserved for Considerations for Implementation and Evidence of Conformance.

Domain I introduces a new Purpose of Internal Auditing that clarifies and bolsters the Mission without extending the role of internal auditing or introducing new expectations. The Purpose includes reference to internal auditing strengthening an organization’s ability to serve the public interest. “Public interest” is referenced in two other places in the new Standards and only in the context of the public sector. There has long been an interest in including public interest as part of the definition and I anticipate this topic will generate much discussion.

Domain II expands the Code of Ethics to include Exercise Due Professional Care (previously one of the Standards) as a fifth principle. There are 13 Standards in this Domain.

Domain III will also be scrutinized closely. In allocating responsibilities for governance relating to internal auditing, the phrase “the board must” is used 30 times (and twice more in Domain IV). It is vital a board recognizes and accepts its role for governance includes the need to ensure appropriate provision of independent and objective assurance. Technically, The IIA has no authority to set standards for governance bodies, and it will be interesting to observe how boards respond. Clearly, much more will be needed beyond publishing such requirements, but making them explicit is a really good start.

Domain IV covers the responsibilities of the CAE as the head of the internal audit function. 

Domain V focuses on the fundamentals of internal service engagements, namely planning, performing, communicating, and following up.

There is also an expanded Glossary including useful additional technical terms, like condition, finding, effect, and impact. “Internal audit function” is used instead of “internal audit activity.” “Consulting” is replaced with “advisory services.” There is a revised definition of risk to recognize the potential to impact strategy as well as objectives.

Also of note is the inclusion of public sector requirements. These are specifically stated under Considerations for Implementation and Evidence of Conformance for 19 of the Standards. Clearly the public sector is so broad and diverse it is hard to cover anything close to the full range of additional considerations, but recognition of some key differences is helpful.

In addition to the exposure document itself, The IIA has provided other materials to explain the changes, including a special edition of Global Perspectives & Insights. 

Responding to the Proposals

Respondents have an opportunity to complete a survey indicating the extent to which they agree or disagree with each component. In each case, additional comments can be made.

Aside from reviewing the details of the new proposals, I would encourage you to take a few steps back and consider bigger questions about the future needs of the profession and stakeholders. You may wish to ask yourself:  

• Do the proposals achieve the intended objective of creating standards that are “insightful, prescient, clear, and direct” (bearing in mind the work continues, particularly in considering topical requirements)?
• Do the proposals go too far or not far enough?
• Do they reflect recent changes in the profession, support current imperatives, and enable future growth and development?
• Will Domain I help communicate the purpose and value of internal auditing to your stakeholders and wider audiences?
• Will Domain III help secure the support of organizations and their governing bodies for internal auditing?
• Overall, will the changes lead to improvements in conformance, quality, timeliness, relevance, and ultimately the impact of internal auditing on organizational success?

Preparing for the Changes

The changes will not be confirmed until much later this year following consultation and further potential revisions. However, internal audit professionals should start preparing now.

• Familiarize yourself with the proposals and consider the implications for your internal audit function, organization, and stakeholders.
• Discuss the proposed changes with your team to help them understand what is likely to happen.
• Share the exposure with stakeholders, especially senior management and the board, and solicit their feedback.
• Respond to the exposure by May 30. 
• Seek opportunities for receiving briefings and training from your local IIA affiliate or IIA Global on the nature and timetable for roll-out of the changes and any other resources to help you prepare.
• Anticipate other changes from The IIA and other providers with content linked to the IPPF, including supplemental guidance, certifications, training, publications, external quality assessments, and related tools and resources.

This transformation will long be considered a major milestone in the continued evolution of the profession. With the comment period open until May 30th, I hope you’ll take the opportunity to be a part of the change you want to see.