Internal Audit Licensing: Be Careful What You Wish For

Numerous vocal internal audit leaders from around the world are promoting the idea of licensing practitioners as a way to enhance the profession’s stature and proficiency. They profess a licensing requirement would give internal auditors greater credibility and even influence. In fact, a few IIA institutes have even taken up the cause within their respective countries.

I say, be careful what you wish for.

I acknowledge that licensing might come with some benefits, such as creating the appearance of greater parity between internal auditors and their external audit counterparts, such as CPAs, chartered accountants, etc. It is also argued that licensing would enhance internal audit’s ability to deliver assurance that meets rigid standards and regulations that often accompany licensing requirements, thereby elevating the confidence of internal audit’s stakeholders, corporate shareholders, and others.

However, for all of those potential benefits, licensing would almost certainly open the door to the heavy hand of regulation. It would effectively invite government to not only oversee how internal auditing is practiced, but also how standards are set and what criteria and qualifications are established for a person to work in the profession.

In my opinion, internal auditing’s remarkable success is a direct result of our profession’s ability to regulate itself. Without the specter of government intervention, The IIA launched the forerunner to the International Professional Practices Framework. No regulator mandated creation of our Code of Ethics or the accompanying disciplinary process. No state-operated licensing authority established the Certified Internal Auditor (CIA) qualification, nor administers it around the world. Instead, The IIA and its thousands of extraordinary members and volunteers have given selflessly during the past 72 years to ensure the internal audit profession grows and thrives in such a way that it enjoys the respect and confidence of corporate boards, legislators, and regulators. I fear that, in the face of strict licensing controls, we would sacrifice a crucial level of autonomy that makes our profession a source of innovation in companies worldwide.

It is also important to note that, today, internal auditing is practiced as a single global profession. Thanks to The IIA and its network of more than 100 affiliated institutes, internal auditors from China to Brazil and from Zimbabwe to the United States practice in conformance with a single set of standards, adhere to a single Code of Ethics, and demonstrate their proficiency in achieving the CIA by passing examinations that comprise the same questions and are overseen in highly secure testing centers by a global Professional Certifications Board. Licensing would inevitably be mandated at a national level.

Conversely, local standards or supplemental guidance would almost certainly be promulgated by the local licensing authority. Certification or qualification examination content and administration would likely be set by the licensing authority, as would disciplinary proceedings against internal audit practitioners accused of ethical misconduct. All of that would quickly lead to a significant alteration to, if not the demise of, the global profession as we know it.

None of my misgivings about licensing is to suggest that internal auditors shouldn’t be held to the highest standards. Indeed, IIA Standard 1210: Proficiency requires that:

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Frankly, licensing of sister professions — external auditors and lawyers, for example — hasn’t been the panacea it was envisioned to be. There remain great struggles within those professions to demonstrate the kind of professional proficiency that is expected by regulators, licensors, and the general public.

Personally, I have enjoyed the freedom to serve and to adapt as the job required. I think that, if we were a licensed profession and had to follow very rigid and prescribed standards and policies set forth by potentially hundreds of different government entities and regulatory bodies, our ability to be responsive to our stakeholders would be restricted severely. I’m not sure, for example, that it would serve our stakeholders to exclude an expert on IT risk and cybersecurity from becoming an internal auditor simply because of a lack of proficiency in accounting and financial analysis.

It really comes down to this: What is the overarching purpose of internal audit? Is it to serve external stakeholders, such as shareholders, taxpayers, or government regulators? Or is it to serve stakeholders within an organization or enterprise?

If you argue that our most important role is to serve the needs of stakeholders external to our enterprises, then you might make a stronger case for licensing. However, I would argue that such external stakeholders are best served when companies or government entities have a strong system of internal controls. Internal auditing provides a crucial third line of defense and assurance on the effectiveness of internal controls, risk management, and corporate governance.

For me, it’s a matter of principle. An ethical person is motivated not simply by a code of ethics, but by a desire to do the right thing. As internal auditors, our value to the organizations we serve lies in our ability to assemble a team of highly skilled practitioners capable of working together to collectively identify and help mitigate risks. I do not believe that we need government licensers to tell us how to do that.

That’s my opinion. I hope you’ll share yours.