A Road Map for an Update of the IIA Professional Standards

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


We have new leadership of the IIA Standards Board. Patty Miller, former Chair of the Board of The IIA and a recently-retired internal audit services partner with Deloitte, took over as chair at the International Conference in July. She is supported by a board that is required to have at least 14 members, all of which must have the CIA qualification and in practice have diverse experience of the global practice of internal auditing.

Updating the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is always going to be a challenge. Perhaps the biggest question is whether the Standards should reflect current or leading practices. In other words, should they lead the profession to greater things or codify practices only after they have become more broadly accepted.

Setting standards that are ahead of general practice is not easy. Obstacles can include obtaining sufficient votes from the Board members and positive feedback when the draft Standards are exposed for public comment.

But, setting standards that are behind generally accepted best and leading practice only encourages internal audit departments to remain laggards.

As Patty and a new Board (I assume there is some level of change among the members) consider their task, I would like to share my recommendations. In them, I will reference an excellent new guide from the Chartered Institute of Internal Auditors (CIIA, the UK affiliate of the IIA): Effective Internal Audit in the Financial Services Sector (PDF).

This new set of recommendations is intended for organizations in the financial services sector, but is generally applicable to global organizations in any sector. I recommend the guide to every audit committee and CAE.

  1. The composition of the IIA Standards Board should be public. Only the chair is named on the IIA website.
  2. While the Standards should not be “bleeding edge,” they should at least follow leading edge practices such as those practiced and promoted by leaders of the profession.
  3. The Standards should adopt the language of the CIIA in the guide mentioned above. It is acceptable for the Standards to mandate (through use of the word "must") inclusion in audit scope of certain areas such as code of ethics and IT governance. But the audit plan does not have to include everything that is in that audit scope. “Audit scope” means that it is an area subject to audit, and the CAE uses risk-based judgment to determine which areas to include in the audit plan. It is not acceptable for the Standards to mandate the assessment of specific areas (for example, see Standard 2110.A1 and A2, which mandate the assessment of code of ethics and IT governance, respectively); these may not represent high risk areas every year.
  4. The Board should study why internal audit departments are failing to practice what is established as the role of internal auditing: evaluating and improving the effectiveness of risk management, control and governance processes (although I prefer that the order be governance, risk management, and related control processes). What are the barriers and what should be done to address them? For example, should there be a standard that says that it is the auditor’s responsibility to communicate to the board the absence of a risk management program? Should there be a clarification that, for example, a risk assessment be made of governance processes, in the same way as financial processes are assessed, before deciding which if any to include in the audit plan?
  5. The Board should work with other IIA committees to understand why organizations that do not audit either risk management or governance processes are passing the IIA Quality Assurance Review. Is that a failure of the Standards of the QAR reviewer is saying that these organizations comply with the Standards?
  6. The Standards should mandate in clear language an audit plan that is designed to address the risks that matter to the achievement of objectives and creation of value by the organization as a whole. The Standards currently require a risk-based plan to identify engagements but then a secondary risk assessment to determine areas of focus. The second assessment is not necessary if the risk-based plan includes an appropriate assessment of risks to the organization as a whole. The current Standards lead to audits of risks that are important to a location of business unit but not necessarily to the organization as a whole
  7. As required in the CIIA guide and by an increasing number of global standards, the IIA Standards should require “at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.” This requirement is a common feature of national organizational governance codes and regulator guidance for such as the financial services sector, and the time to mandate a professional opinion has come.
  8. Finally, the Standards Board should perform a “gap analysis” between the recommendations in the CIIA guide (representing at least one view of leading practices) and the current set of IIA Standards. This should be one of the primary drivers of the work of the Board in coming months. The analysis should be supplemented by an assessment of the full set of Standards by the Board and Professional Issues Committee (the latter are tasked with providing enabling guidance on the Standards and leading practices). Each member should be asked to review and vote on each Standard, assigning a grade from “Current and effective — no change required” through “Out of date and needs revision/replacement.”

How would you advise the IIA Standards Board?

I welcome your comments.


Posted on Aug 5, 2013 by Norman Marks

Share This Article:    

  1. Take a deep breath and resolve to do more than just make a few minor changes to the status quo, where this is required.Begin by interviewing members of Audit Committees and Boards to define their requirements. Obtain from IIA chapters around the world what their boards, legislation and standards require. Document these requirements. Understand that independence and objectivity are not threatened by co-operation with others in the organisation, especially those responsible for identifying risk. Require such co-operation. Establish a standard which requires the audit plan to be based on the organisation's risk register. If this is not possible require the CAE to report this to the board. Consider the above recommendations based on the CIIA guide. Revise the definition of internal audit to bring it into line with the proposed standards. Consider dropping the inclusion of consultancy in the definition. Arrange part of the 2014 conference around updating the standards. Bear in mind the following: The Thomson Reuters Accelus 2013 annual survey states, 'The main challenges for internal audit functions centre around assurance on internal process and IT risk, whereas the key challenges for the board are corporate governance, strategy and strategic level risk management. Ideally the two sets of challenges should be aligned; what is of concern to the board should also be of concern to the internal audit function.'
  1.  Well said, David. Personally, I am fine with the definition of internal auditing and believe it is about time that internal auditors around the world started living up to it!

    I believe consulting services are OK, as long as they are seen as ways to deliver assurance (e.g., by assisting with the improvement of less mature risk and governance processes) or performed only after all critical assurance activities are resourced.

    I especially like the point made about divergence between board and IA focuses, although the Accelus survey is not my favorite.

  1. "the time to mandate a professional opinion has come."

    I posit that requiring this would be of dubious incremental value in many organizations, and could be misleading.  How often would an opinion be forced out in order to "generally conform" when internal audit is not in a position to perform a proper assessment either due to some deficiency of the audit department or a lack of "Independence and Authority" per section E of the CIIA guide.  This can also arise where the Audit Committee would rather internal audit spend their time focusing on specific areas instead of worrying about overall risk assessments and governance.  I think this also goes right to your points 4 & 5.  There could be a dichotomy between conforming to the standards and satisfying the Audit Committee that many CAEs wouldn't want to resolve since it's not necessarily in their best interests.

    I'm not saying the profession couldn't legitimately get there, but it seems like the standards and the profession should address and better establish other areas first (better accountability to the standards, increased BOD awareness, etc....).  Maybe "the time" has not yet come.

  1. As a reminder, the posts I make here are my own opinion and not necessarily the views of the IIA. They are also not influenced or subject to 'censorship' by the IIA, for which I am grateful.

    I should say that I have known Patty Miller for many years, as well as others on the Standards Board. I am confident that under her leadership we will see thoughtful consideration of all views and the implementation of necessary change.

  1. Norman - first thanks for the vote of confidence!  We have a very experienced, professional and committed Standards board (IIASB) and the questions you raise are at the forefront of recent conversations we have had.  You will be pleased to know that many of your suggestions are already under review - with IIASB task forces gathering information to formulate recommendations.  We'll monitor the blog comments you receive.

    Also, in July at the International Conference meetings, the Executive Committee of the IIA Board approved the creation of a special task force to assess the ongoing appropriateness of and responsibility for the elements and structure of our current International Professional Practices Framework (IPPF), including the definition of internal auditing.  That task force is currently being formed, and will be considering the future of the profession and if our professional standards and guidance structure can continue to serve us well.  Part of the activities of the IIASB and the special task force will include collecting stakeholder and auditor input on these important points. 

  1.  My thanks to Hal Garyn of the IIA fir this link to the Board membership. I know seven of the members so we should be in good hands! https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx

  1. Please see this well-written comment on LinkedIn.http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=263531627&gid=107948&commentID=155223584&trk=view_disc&fromEmail=&ut=1itf4cQZ5SWBQ1&_mSplash=1

  1.  Let's try that again.

    Please see this comment left on LinkedIn: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=263531627&gid=107948&commentID=155223584&trk=view_disc&fromEmail=&ut=1itf4cQZ5SWBQ1&_mSplash=1

  1. Patty: Good to hear that you are going to revisit the foundations of internal auditing and make sure they are' fit for purpose'. You will have doubtless read Richard Chambers blog on 'Why is internal audit on regulators' radar?' I think this reinforces the need to make sure we are meeting the expectations of regulators and Boards now and into the future. We now have a seat at the top table and need to ensure we keep it. This answers Jared's point about whether 'the time' has come; I think it has. Jared has a point that some Audit Committees would rather internal audit limit their scope and this is a point that the Standards Board will doubtless take into account.(Sorry about the bold type, can't seem to prevent it)
  1. I need to know more about it

Leave a Reply