Reflections on IIA and ISACA: The Lost Opportunities

ISACA has issued for comment an excellent draft on "Controls Monitoring and IT." Information on how to download it, and my comments on the document, are here.

There are multiple interesting aspects to this guidance, in addition to the great content:

  • The IIA has a "competitive" document, the GTAG on Continuous Auditing. A team (of which I am a member) is currently engaged in updating the GTAG. At least two members of that team are members of ISACA.
  • The ISACA team that worked on their draft includes individuals who are active in the IIA.

Which brings us to the question of the day: why don't ISACA and IIA "get along" at the headquarters level, and collaborate on standards and other guidance? There is some excellent cooperation at local chapter level, but for some reason there is a history at the headquarters level.

When are we going to learn to get along? If not now, when?

What do you think?

Posted on May 10, 2010 by Norman Marks

Share This Article:    

  1. I am a member of both the IIA and ISACA.  I carry both the CIA and the CISA and believe both are valuable credentials.  I think that better collaboration between the IIA and ISACA is essential.  We are simply in an era where integrated auditing is no longer a "nice to have" but a "must have."  If we can't get along now we are not setting the right tone for the marketplace with respects to integrated auditing nor are we demonstrating our professional capabilities to manage conflict in the spirit of a greater good. 

    I am interested in understanding the reasons for the history of conflict at the headquarters level - does anyone know? Or have we already become the Montagues and the Capulets? 
  1. Norman, another great question that of course you know alot about the answer.  And my response is one that you have heard before I am sure.  But for those of you that don't know, here goes:

    To get along you must "get together".  And when might that happen?

    I have been with EDPAA, now ISACA, since the beginning (1977) in Chicago (their headquarters was in Carol Stream IL)  and actually worked briefly with one of the founders of EDPAA, Gerry Myers.

    BTW, Gerry was instrumental in helping internal audit create continuous auditing programs in the "store" audits in 1977.  He could work magic with IBM 360's and legacy master file and transaction file systems.  He built our first data warehouse for audit that included a monthly balancing routine to continuously audit the financial reporting process.  IDEA had not been invented (came along in 1984) so we used an audit tool called Dyl-280 (I believe CA owns the rights to that program today).  DASD was not cheap in those days and we were hounded by the IT folks on a regular basis, i.e., if you build it you must use it or lose it!  I learned that alot of things did go "bump" in the night in those days.  Notice this pre-dates the GTAG 3 you like so much by 30 years.

    We used those programs for 8 years before Field Services woke up one day with a big fraud on their hands and concluded that audit was doing the job they should have been doing all along.  Ok, $12.9 million was a big fraud in those days.  We transferred the programs to them and started building much higher on the food chain CA programs.  Audit resources were cut in half (down to about 45 auditors).


  1. Does anybody have any inside knowledge about the history - either from an ISACA or IIA perspective?

    Does anybody have any suggestions for moving forward? I am not personally in favor of trying to merge the two organizations, but prefer collaboration and shared standards.

    By the way, I am encouraged that current IIA HQ leadership desires change as well.

  1. Thank you, Norman, for recognizing how important it is for The IIA and ISACA to partner on important initiatives for the profession. It is important the readers know there are actually many instances over the years where our organizations have collaborated very effectively on important initiatives.  As the CEOs of the respective organizations, we are committed to continuously communicating and identifying opportunities for further cooperation.

    - Susan Caldwell, CEO, ISACA
    - Richard Chambers, President and CEO, The Institute of Internal Auditors

  1. Thank you, Susan and Richard, for the comment. It is very heartening to hear the commitment from IIA and ISACA leadership. Working together, we will be able to improve advocacy for our shared profession, education for business leaders and regulatory agencies, guidance and training for our members, and the integration of IT and other audit activities.

    I am proud to be a member of both organizations.

  1. I also have been a member of both ISACA and the IIA going back to the old EDPAA days. I am also the co founder of the ISACA Edmonton Chapter and a Past President of the IIA Edmonton Chapter. As previously noted I see tremendous cooperation and sharing at the chapter level between our two Internal Audit organizations. I agree wholeheartedly with Don's comments. What we must continue to focus on in my opinion is that a true risk based approach to the assurance we seek to provide through internal audit does not distinguish between 'regular auditing' and 'IT' auditing and our clients don't distinguish between them either. I believe that both organizations have the same goal and even if we never join together we need to ensure this remains a differentiation only in our eyes and not our clients. Our two global internal audit professions would do well to present one unified face to the world and leave the administration in the back room.
  1. Greetings Colleagues!

    I am very pleased to see an ISACA and The IIA' join message here:

    "As the CEOs of the respective organizations, we are committed to continuously communicating and identifying opportunities for further cooperation.

    - Susan Caldwell, CEO, ISACA
    - Richard Chambers, President and CEO, The Institute of Internal Auditors"

    Believe me, a lot of colleagues continuously have the same question without answers until now!! Thanks Marks for serving as facilitator on this critical issue.

    Hope both professional communities act in consequence, and everybody could receive the benefits of real sinergy between both sources of knowledge and professionalism!

    Fernando Nikitin

Leave a Reply