IIA in the UK Challenges Boards and Internal Auditors

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


In the U.K., internal auditors are represented by the Chartered Institute of Internal Auditors (an institution that is now 60 years old, was granted a Royal Charter in 2010, and is affiliated with the Global Institute of Internal Auditors).

A committee, chaired by Roger Marshall and including audit committee chairmen, CAEs, and prominent academics (such as my good friend, Professor Andrew Chambers), has published draft recommendations to the UK Institute (C-IIA) Effective Internal Audit in the Financial Services Sector that are open for comment. Although aimed at financial services, organizations in all industries should take note.

The committee’s recommendations are intended (in their words) to “supplement, rather than replace, the existing standards” for the professional practice of internal auditing from The IIA. However, the recommendations are more than mere explanations — I believe them to be substantial and important.

[Please note that my comments, below, are my own and intended to stimulate discussion.]

The recommendations start with a redefinition of the role and mandate of internal audit.

The primary role of Internal Audit should be to help to protect the assets, reputation, and sustainability of the organisation.

It does this by assessing whether all significant risks are identified and appropriately reported to the Board and Executive Management; assessing whether they are properly controlled; and by challenging Executive Management to improve the effectiveness of governance, risk management, and internal controls. The role of Internal Audit should be articulated in an Internal Audit Charter, which should be publicly available.

Personally, I think the role of internal audit is to provide assurance and consulting services, consistent with the IIA’s 1999 definition of internal auditing. Those assurance and consulting services enable management and the board to “protect the assets, reputation, and sustainability of the organisation.” Only management and the board can make the necessary decisions and take the actions required. However, I can see that by providing independent and objective evaluations of “risk management, control, and governance processes,” internal audit is “helping.”

But, I like the tone and wording of the second paragraph, especially the use of the word “challenging.” It takes internal audit from the passive role of “here is my assessment, do what you will” to the more assertive “here is my assessment, now it is time for you to act.”

I don’t agree with the detail of the second recommendation. While I agree with the headline, that internal audit’s scope should be unrestricted, internal audit should assess management’s process for risk identification and assessment — and neither impose its own judgment nor duplicate management’s assessment when management’s process has been assessed as effective. In other words, the language in the recommendation that “Internal Audit should independently determine the key risks that face the organisation, including emerging and systemic risks” should only apply in the absence of an effective management process. This is explained in the "interpretation" to IIA Standard 2010: “The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board.

The recommendations go on to specify that a number of key areas should be included within internal audit’s scope. These include the important areas of “governance structures and processes,” “strategic and management information presented to the Board,” and “the risk and control culture of the organization.” Unfortunately, the committee has been bitten by the "risk appetite" bug, which is (in my opinion) insufficient to establish the desired levels of all types of risk, including safety, compliance, reputation, and efficiency as well as financial risks.

I like the description of risk assessment:

Internal Audit’s risk assessment should be all-encompassing, taking into account business strategy and objectives and the full range of risks that have an impact on the organisation; combine a bottom up and top down assessment of risk; and take into account potential future or emerging risks on a continuous basis.

 I also like two aspects of the recommendations around reporting:

  • Internal Audit should be present at, and issue reports to, both the Board Audit Committee and the Board Risk Committee and any other Board Committees as appropriate.

  • Internal Audit’s reporting to the Audit and Risk Committees should include at least annually an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.

The recommendations regarding the authority and organizational positioning of the chief audit executive (CAE) within the organization may be easier achieved for financial services than companies in other industries. However, I do agree that the ideal is that the CAE is at Executive Committee level or equivalent and has the right to attend such meetings.

One recommendation that has caught the eye of reporters is that the CAE should report to the Chairman of the Board, who may delegate that responsibility to the Chairman of the Audit Committee. If there is a need for an administrative, or secondary reporting line, it should be to the CEO.

As this is a draft and open for comments, please share your comments on the draft either here or directly with the U.K. Institute.

Posted on Feb 17, 2013 by Norman Marks

Share This Article:    

  1. Couldn't agree more. In this way, internal audit function would be reasonably placed with dignity to argue which is or isn't its obligations. Thanks.

  1. Norman; I believe the IIA UK paper is an important step forward and all IIA members globally should take the time to download a copy and read it.  It is worth noting that the paper raised a concern that IIA global standards continue to be set for what the paper references as the "lowest common denominator".   I share this concern and, in particular, am concerned that the IIA doesn't champion management owned risk assessment processes to a much greater extent than they do today. 

    At Gulf Canada in the 80s when we launched CRSA we told the CEO and the board that internal audit would no longer be functioning in the role as primary risk/control analysts and reporters.  If an issue was important enough to warrant formal assurance management should take the lead and complete an assessment of the risks and controls and provide a report to the board. Internal audits role was to report to the board on the reliability of management's risk management processes and reports being provided.  This included reporting areas that IA believed management should be assessing and reporting on but were not.   

    The more and better direct report audits internal audit does the more management will be content to continue to allow internal audit to do the majority of formal assessment and reporting work.  This is a serious problem in a world where IA usually assesses less than 5% of the risk universe in any given year.  The fact that few companies today require their managers, particularly their senior managers,  take any formal training in risk assessment methods bears this out. This results in misaligned responsibility. Traditional direct report audit methods constitute a significant risk to better governance that needs to be addressed.


  1. The UK document does have a few new points in it but for the most part repeats much of what can be found in existing IIA Practice Advisories, Practice Guides or Position Papers. I don't think anyone would argue that the Standards represent "the lowest common denominator" because that is the way they had to be designed to be applicable and implementable to the greatest number of audit functions around the world. Even written as they are today there are many, many smaller audit shops that cannot comply.

    As UK document states, the recommendations are designed to supplement the existing standards. But it does not state whether or not the reommendations MUST be followed or how they will supplement the existing standards.

  1. Is the IIA missing an opportunity to promote the Standards? The Guidance is divorced from the IIA Standards whereas a similar initiative for the UK public sector resulted in a document explicitly based on the IIA Standards with additional guidance for the public sector (the “Public Sector Internal Audit Standards” – PSIAS). This approach could easily be applied to the financial sector (when you track the Guidance against the IIA Standards, there is not much “new”).

    I very much agree with your comments on risk assessment and Tim Leech’s point about promoting “management owned risk assessments”. The IIA Position Statement “An Approach to Implementing Risk Based Internal Audit” goes into some detail about when internal audit can rely on management’s risk assessment and when it can use its own. Given the Guidance is intended for regulated entities (who must meet explicit requirements to have effective processes to identify, manage and monitor all risks), I wonder what kind of message would be implied if internal audit used its own risk assessment process to determine its audit plan.

    Taking that risk assessment text you quoted, something like the following could better position internal audit in terms of 2010 (rather than as some kind of "red team" risk function): “Internal Audit’s COVERAGE OF THE ORGANISATION’S risk assessment PROCESSES should be all-encompassing TO ASSESS HOW EFFECTIVELY business strategy and objectives and the full range of risks that have an impact on the organisation ARE REFLECTED IN THE ORGANISATION’S bottom up and top down assessment of risk THAT take into account potential future or emerging risks on a continuous basis.”

Leave a Reply