Internal Audit Licensing: Be Careful What You Wish For

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 
Numerous vocal internal audit leaders from around the world are promoting the idea of licensing practitioners as a way to enhance the profession’s stature and proficiency. They profess a licensing requirement would give internal auditors greater credibility and even influence. In fact, a few IIA institutes have even taken up the cause within their respective countries.
I say, be careful what you wish for.
I acknowledge that licensing might come with some benefits, such as creating the appearance of greater parity between internal auditors and their external audit counterparts, such as CPAs, chartered accountants, etc. It is also argued that licensing would enhance internal audit’s ability to deliver assurance that meets rigid standards and regulations that often accompany licensing requirements, thereby elevating the confidence of internal audit’s stakeholders, corporate shareholders, and others.
However, for all of those potential benefits, licensing would almost certainly open the door to the heavy hand of regulation. It would effectively invite government to not only oversee how internal auditing is practiced, but also how standards are set and what criteria and qualifications are established for a person to work in the profession.
In my opinion, internal auditing’s remarkable success is a direct result of our profession’s ability to regulate itself. Without the specter of government intervention, The IIA launched the forerunner to the International Professional Practices Framework. No regulator mandated creation of our Code of Ethics or the accompanying disciplinary process. No state-operated licensing authority established the Certified Internal Auditor (CIA) qualification, nor administers it around the world. Instead, The IIA and its thousands of extraordinary members and volunteers have given selflessly during the past 72 years to ensure the internal audit profession grows and thrives in such a way that it enjoys the respect and confidence of corporate boards, legislators, and regulators. I fear that, in the face of strict licensing controls, we would sacrifice a crucial level of autonomy that makes our profession a source of innovation in companies worldwide.
It is also important to note that, today, internal auditing is practiced as a single global profession. Thanks to The IIA and its network of more than 100 affiliated institutes, internal auditors from China to Brazil and from Zimbabwe to the United States practice in conformance with a single set of standards, adhere to a single Code of Ethics, and demonstrate their proficiency in achieving the CIA by passing examinations that comprise the same questions and are overseen in highly secure testing centers by a global Professional Certifications Board. Licensing would inevitably be mandated at a national level.
Conversely, local standards or supplemental guidance would almost certainly be promulgated by the local licensing authority. Certification or qualification examination content and administration would likely be set by the licensing authority, as would disciplinary proceedings against internal audit practitioners accused of ethical misconduct. All of that would quickly lead to a significant alteration to, if not the demise of, the global profession as we know it.
None of my misgivings about licensing is to suggest that internal auditors shouldn’t be held to the highest standards. Indeed, IIA Standard 1210: Proficiency requires that:
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Frankly, licensing of sister professions — external auditors and lawyers, for example — hasn’t been the panacea it was envisioned to be. There remain great struggles within those professions to demonstrate the kind of professional proficiency that is expected by regulators, licensors, and the general public.
Personally, I have enjoyed the freedom to serve and to adapt as the job required. I think that, if we were a licensed profession and had to follow very rigid and prescribed standards and policies set forth by potentially hundreds of different government entities and regulatory bodies, our ability to be responsive to our stakeholders would be restricted severely. I’m not sure, for example, that it would serve our stakeholders to exclude an expert on IT risk and cybersecurity from becoming an internal auditor simply because of a lack of proficiency in accounting and financial analysis.
It really comes down to this: What is the overarching purpose of internal audit? Is it to serve external stakeholders, such as shareholders, taxpayers, or government regulators? Or is it to serve stakeholders within an organization or enterprise?
If you argue that our most important role is to serve the needs of stakeholders external to our enterprises, then you might make a stronger case for licensing. However, I would argue that such external stakeholders are best served when companies or government entities have a strong system of internal controls. Internal auditing provides a crucial third line of defense and assurance on the effectiveness of internal controls, risk management, and corporate governance.
For me, it’s a matter of principle. An ethical person is motivated not simply by a code of ethics, but by a desire to do the right thing. As internal auditors, our value to the organizations we serve lies in our ability to assemble a team of highly skilled practitioners capable of working together to collectively identify and help mitigate risks. I do not believe that we need government licensers to tell us how to do that.
That’s my opinion. I hope you’ll share yours. 

Posted on Jan 27, 2014 by Richard Chambers

Share This Article:    

  1. I'm with you on this issue Richard! You have nicely summarized the pros and cons. I would add another "con" as being the time and effort it would take by our institute globally and in each jurisdiction to achieve licensing status. That time would be taken away from continuing to professionalize our practices and advocacing on our behalf. The only real benefits from licensing are credibility and presumably some requirement for organizations to maintain internal audit. Personally, I would rather organizations choose to have internal audit functions because of the quality of our service which, as Richard points out, is largely due to our adaptability (which could be affected by licensing requirements). Let's keep the profession united by global standards and self-regulate our conformance to those standards through professionally-conducted quality assessment reviews. Performance and advocacy will ensure demand for our services.

  1.  Good evening sir! I need clarification,what exactly do you mean when you say,in a nutshell,you dont believe in licencing? is it in a sense that you have confidence that the IIA can still function on its own without being obligated to licencing? I want to understand these terms clearly as I am very interested in Internal auditing! thank you for the wonderful blog,at least I'll have sth to read other than magazines.

  1. Very good article and well argued.

    But Sir, please let me inform you that, in some countries (like in my country, Romania), the heads of internal audit could occupy this position only after following a certification program of 3 years, granted by the local Financial Auditors Institute (as provided by the local laws and only for the private sector, public sector being separatelly regulated, no certification required).

    Further, this involve enrollement in Financial Auditors Chamber and payment of the annual subscriptinos, payment of the certification program of 3 years and, after "graduation", payment of an annual subscription more than double if compared to IIA.

    So, in this case, we could discuss about at lest two possible problems

    - an innefective local IIA institute and poor involvement of IIA Global in solving this kind of issues (if noticed), which leed to continuous decreasing of the no.of members, no. of  annual subscriptions paid and, more important, the decreasing no. and also the interest of/for certified internal auditors.

    - second, the involvement of another different profession in the profession of internal auditors, a unique case in Europe in my opinion and which should require the intervention of the global institute in solving this matter of fact,  at least for providing local/ international support, lobby (due to the affiliation to IFAC/FEE of the local institute of financial auditors), etc   

    Sorry for long email,

    Best Regards, SD



  1. I agree with Richard's points and arguement but also note the others comments. One size does not fit all and in some countries a more regulatory environment may be required. However for the rest of us the freedom to self regulate is valuable and to be the ones in control of our destiny i.e. if we produce good work/value then our organisations will employ us so it is a good motivator. It is our attitude and personal ethics that makes a difference. No amount of regulation is going to have the same impact especially when we look at the examples Richard has provided. Regulations are not always or may not be the best answer to adress some internal audit out lyers. It is good that our profession and Institute has been recognised as delivering what is required and to have the flexibility to move with our organisations and change the way we deliver and add value. I have valued the ability to offer "consulting" services and advice which probably would not exist under regulation so yes we must weigh up the costs very carefully and be careful about what we wish for.

  1. As a government auditor, I have additional concern that licensure could create an increased risk to auditor independence. For example, if a licensing authority is at the state level, state auditors who are regulated by the licensing authority are vulnerable to perceived or explicit threats to their licensure status, which may result in an inadequate risk assessment or set of findings. Further, because the outcome of an audit is so often based on professional judgment, it would be easy for a pressured auditor to disguise an inappropriate outcome. In addition, powerful people outside of the licensing authority who may be made uncomfortable by the presence of auditors, could use the threat of their influence over licensure status (and thereby an auditor's employment) to inappropriately influence an audit outcome. While these scenarios may be unlikely (maybe), their impact should be sobering enough to give serious pause to anyone considering the possibility of licensure for auditors.

  1. Hi Richard. I fully agree with you. While, at first glance, licensing may look desirable it would tie internal auditors' hands and restrict the wide nature of their work and techniques. If licensing worked, I might be tempted to consider it, but the various financial problems we have had in the UK shows that it doesn't work. (See
  1.  Yes Richard, I do agree with you about being carefully in the system of licensing Internal Audit Proffession. We have common body of knowledge unlike other proffessions. There are thousands and thousands of different Governenment and Regulatory body based on their Countries Policy,Rules and Regulations. These procedure differs from country to country. Hence,

    Licensing the Internal Audit proffession will attract respective Government to intervene by placing certain policies and rules to regulate the matters which in turn will affect the Internal Audit Proffession in different countries, since the Governenment System are different from country to country and hence the uniformity of Internal Audit Proffession around the world will likely to departed. I opinioned that because as Internal Auditor I can see now we are in the right path. Before going further on other matters concerning the Internal Audit Proffession, we have to go back and make sure all countries around the World have IIA's Chapters and adopt fully the use of International Standard for Proffessional Practice of Internal Auditing.

    Before taking off the Flight to the Sky let us make sure that every of our colligues is in board seated comfartably with tight belt ready to take off.



  1. Absolutely agree that it’s a matter of principle and an ethical person is motivated by a desire to do the right thing but not by a Code. But what about a person who, in case of absence any licensing requirements, easily occupied the internal auditor position and tended to act under this ethical line? Even in some situations the authorized managers could push these kind persons on internal auditor positions and through such coverage seeking to mitigate disclosure risk of their fraud and illegal activities.The licensing could play somewhat preventive role. However, I’m sure that more effective way t could be an enforcement of the IIA;s role and increasing authority as consciously monitori and guard of professional values. If so, then the licensing system /if local legislation required/ could play only permission level status yielding place to professional self-regulated community.That I Wish For!  

  1. i do appreciate that licencing may invite the pros and cons as well discussed by chambers.the governments may actuall y seek to develop stricter rules for internal auditors who shall be licended in diffrent jurisdictions and there shall be as aresult loss in self regulation.the auditors know whats good for profession and should be at the helm of the professions future decision making process.

    however,just as the external auditors are licenced and are publically practicing the licencing could actually allow various players to take ity to another level in that internal auditors should actually provide the internal audit services to institutions that do not have their own internal audit functions. 

  1. I agree totally with Richard, licencising to me is a distracter to the real issue of professional practice glued in a global standard. Internal audit service is to the organisation what the heart is to the body, from Lagos to Hiroshima, internal audit practice following the IPPF yields a solid objective assurance or otherwise of the internal state of risk, control and governace.

  1. As we all know the licensing requirements of certified public accountants has not created the credibility and trust what it was supposed to achieve. I agree with Richard and would not go for a mandatory licensing. I fully understand the trend to be more credible - at the other hand many companies and Boards still have very resticted budgets for IA departments and keep recruiting junior auditors who in my personal opinion can not add any value to risk management or operational processes, if you do not have several years line experience. Although all these more "junior" staff are CIA certified, I think they lack the practical experience to make an impact on business.

    The IIA could be further pushing credibility by adding several years of line management experience as a requirement to become CIA and/or conduct studies where recommendations/best practices are given to Management/Boards in terms of ideal composition of an IA department and where the differentiated value added of senior auditors compared to more junior auditors are put in perspective.


Leave a Reply