Are We One Profession, Two, or Even More?
The following is excerpted from an article Jay Taylor and I wrote for the latest edition of EDPACS:
"While there are others (such as the Board of Environmental, Health & Safety Auditor Certifications, which offers a valuable certification for EH&S auditors), there are two dominant organizations for internal auditors: the Institute of Internal Auditors (IIA) and ISACA (formerly known as the Information Systems Audit and Control Association).
"We are, in truth, a single profession — but unfortunately we have two organizations that profess to represent us and provide professional standards. While there have been attempts in the past to reconcile and agree on common standards, the fact is there are two sets.
"We agree in principle with the ISACA statement that, 'The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing.' But many of us are both Certified Internal Auditors (CIA) and Certified Information System Auditors (CISA), and are confused as to how we determine where one set of professional standards starts and ends versus the other set. How can we, for example, realistically separate a business function into the automated portion versus the non-automated portion when trying to seamlessly evaluate controls within a single process from end-to-end? The truth is we cannot and should not abdicate the evaluation of all technology-related areas to IT auditors. There should only ever be one internal auditing department at any organization, and IT auditors are members of that department. Just as it makes no sense to us to have two people making a single evaluation of controls, it also makes no sense to have two potentially competing and conflicting standard-setting bodies for a single profession. We hope that time and common sense will enable leaders within ISACA and IIA to move towards a combined, authoritative set of standards. Initial areas of focus should include a single set of standards around such things as the role and purpose of internal auditing within the organization, audit planning, risk assessment, documenting the work, reporting, and other areas where professionals see commonality. We certainly have no problem with the existence of two professional organizations, with ISACA taking the lead on technical IT guidance, certifications, and training. However, until there is a recognition that we are in fact one profession, the wasteful and duplicative efforts of the two organizations will likely continue. New thinking is needed to rationalize the domains of the two organizations.
"An interesting question is whether we are considered a profession by those that matter: regulators, boards, and those responsible for governance and risk management frameworks. The good news is that major progress has been made around the world in the last decade. Although internal auditing still has a long way to go if it is to be considered in the same league as external auditing, the IIA has been taking the lead in reaching out to international governance, regulatory, and governmental organizations with their advocacy programs to obtain the professional recognition needed."
With no disrespect to my very good friends Dave Richards and Patty Miller, there is no better time than today to seek a reconciliation between The IIA and ISACA. We have new leaders at president and chairman who can approach ISACA with a fresh face.
Some years ago, we actually had an agreement for convergence of standards, but for no good reason (there are reasons, but they are not good reasons — mostly personal and political) these efforts failed.
I urge all auditors to press ISACA and IIA leadership, and their standards boards, to work collaboratively for the good of our single profession. Let's have a common face to the world, whether in our advocacy or our standards.
Posted on Jul 18, 2009 by Norman Marks
Share This Article: