Are We One Profession, Two, or Even More?

The following is excerpted from an article Jay Taylor and I wrote for the latest edition of EDPACS:

"While there are others (such as the Board of Environmental, Health & Safety Auditor Certifications, which offers a valuable certification for EH&S auditors), there are two dominant organizations for internal auditors: the Institute of Internal Auditors (IIA) and ISACA (formerly known as the Information Systems Audit and Control Association).

"We are, in truth, a single profession — but unfortunately we have two organizations that profess to represent us and provide professional standards. While there have been attempts in the past to reconcile and agree on common standards, the fact is there are two sets.

"We agree in principle with the ISACA statement that, 'The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing.' But many of us are both Certified Internal Auditors (CIA) and Certified Information System Auditors (CISA), and are confused as to how we determine where one set of professional standards starts and ends versus the other set. How can we, for example, realistically separate a business function into the automated portion versus the non-automated portion when trying to seamlessly evaluate controls within a single process from end-to-end? The truth is we cannot and should not abdicate the evaluation of all technology-related areas to IT auditors. There should only ever be one internal auditing department at any organization, and IT auditors are members of that department. Just as it makes no sense to us to have two people making a single evaluation of controls, it also makes no sense to have two potentially competing and conflicting standard-setting bodies for a single profession. We hope that time and common sense will enable leaders within ISACA and IIA to move towards a combined, authoritative set of standards. Initial areas of focus should include a single set of standards around such things as the role and purpose of internal auditing within the organization, audit planning, risk assessment, documenting the work, reporting, and other areas where professionals see commonality. We certainly have no problem with the existence of two professional organizations, with ISACA taking the lead on technical IT guidance, certifications, and training. However, until there is a recognition that we are in fact one profession, the wasteful and duplicative efforts of the two organizations will likely continue. New thinking is needed to rationalize the domains of the two organizations. 

"An interesting question is whether we are considered a profession by those that matter: regulators, boards, and those responsible for governance and risk management frameworks. The good news is that major progress has been made around the world in the last decade. Although internal auditing still has a long way to go if it is to be considered in the same league as external auditing, the IIA has been taking the lead in reaching out to international governance, regulatory, and governmental organizations with their advocacy programs to obtain the professional recognition needed."

With no disrespect to my very good friends Dave Richards and Patty Miller, there is no better time than today to seek a reconciliation between The IIA and ISACA. We have new leaders at president and chairman who can approach ISACA with a fresh face.

Some years ago, we actually had an agreement for convergence of standards, but for no good reason (there are reasons, but they are not good reasons — mostly personal and political) these efforts failed.

I urge all auditors to press ISACA and IIA leadership, and their standards boards, to work collaboratively for the good of our single profession. Let's have a common face to the world, whether in our advocacy or our standards.

Posted on Jul 18, 2009 by Norman Marks


  1. These are difficult choices, made even more so by the number of organizations that represent internal auditors including:
    •     ACUA (College & University)
    •     ACUIA (Credit Union)
    •     AHIA (Healthcare)
    •     AIIA (Insurance)
    •     IAAIA (Airline)
    •     CUIAA (Credit Union)
    •     NASACT (State Auditor, Comptrollers & Treasurers)
    •     AIG (Inspectors General)
    •     APPFA (Pension Fund)
    •     ALGA (Local Government)
    •     etc
    Imagine the dilemma of an IT internal auditor at a city hospital. He would have to choose between the IIA, ISACA, ALGA, and AHIA.
    I know the history of the split between IIA and EDPAA but... Whatever happened to one organization representing all auditors?

  1. First - range of organizations - ***GROAN***

    I'm not (quite) old enough to know all about the split (I entered IT Auditing after 10 of hard-core IT) but sure got to enjoy the effects.

    Frankly I think one of the most damaging effects was the decision to create COBiT in a manner that did not allow it to smoothly integrate with COSO. Our chapter donated a grand to the effort, and we were all horrified by the outcome. But... with the passage of time, we have come to accept how wonderful COBiT is, and how wonderful COSO is, each for their own...

  1. Norman,

    The problem is much more serious than even what you discuss above. We are many professions, as described further below, with dire consequences. This leaves the stakeholders confused, and it is the companies that pay the price for the duplication/excessiveness of services.

    Noted risk management guru Felix Kloman has been talking about the silos at the professional level for 20 years now. Not only is there the IIA and ISACA, the two "internal audit organizations you note", but what about all of the other risk/governance organizations out there with their individual certifications and responsibilities in the governance/risk management and assurance domains - AHIA, AICPA, ACFE, CAS, FERMA, GARP, IMA, IRM, ISO, RMA, PRIMA, PRMIA, RIMS, SOA, SRM - and others?

    He states, "I am appalled by the lack of interest in and knowledge of other risk management organizations by each of these groups. Their focus is inward, not outward. Unless and until these groups begin inviting each others' members, citing their articles, listing their conferences, and seriously talking with each other, we will remain confined in our respective silos."

    The problems between IIA and ISACA will not get resolved until leadership sits down and does the kinds of things that Felix recommends above. Taking his thoughts one step further, there are 15-20 recognized risk/governance/assurance frameworks floating around the globe - some excellent and some average. The point is the plethora of value-added frameworks. Did we really need the expenditure or energy needed in the roll out of yet another COSO framework on monitoring? Really?


    Arnold Schanfield


