When It Comes to Internal Audit Principles — The Stand Must Be Complete

In my previous blog post, I explored half of The IIA’s Core Principles in relation to the recent release of a new Practice Guide, “Demonstrating the Core Principles for the Professional Practice of Internal Auditing.” However, when it comes to principles, we must be all in. So, in this blog, I will examine the remaining five principles.

It is important to repeat my sincere belief that demonstrating our adherence to the Core Principles is the path that will lead our profession into a successful future. The International Standards for the Professional Practice of Internal Auditing and other parts of the International Professional Practices Framework provide specific rules and direction to practitioners, but the Core Principles are the foundation on which our house is built. As U.S. President Franklin D. Roosevelt once noted, “Rules are not necessarily sacred, principles are.”

So, it is with a nod to that reverence that I offer my observations of Core Principles 6 through 10.

Demonstrates quality and continuous improvement. This core principle speaks to the need for internal auditors to constantly seek to improve our skills and services to our organizations. The 1300 series of the Standards mandate that chief audit executives (CAEs) establish and maintain a quality assurance and improvement program (QAIP). I like to stress the improvement aspect of the QAIP standard because it is a measurable demonstration of our commitment to the principle.

Ongoing monitoring of internal audit performance, periodic self-assessments or external assessments by qualified personnel, and formal external quality assurance reviews every five years are options to monitor how well we are doing.

As I mentioned in the previous post relating to the core principle on demonstrating competence and due professional care, we should challenge ourselves to expand our knowledge, skills, and experience commensurate to the demands of our organizations.

Communicates effectively. There are several Standards that address communication, including the 1300 series, which requires CAEs to communicate to stakeholders the results of periodic quality assurance reviews. The Standards also require CAEs to communicate in engagement planning and performance, as well as reporting findings. They certainly must communicate the acceptance of risk. The practice guide refers to CAEs “actively promoting the internal audit activity’s mission, role, value, and effectiveness.”

I must stress here that communication is not a checkbox exercise but a skill that is honed over years. One can go through the motions of communicating information, actions, and recommendations to stakeholders, but effective communication is a two-way street. There must be an exchange of knowledge, purpose, desire, frustrations, and common goals for there to be effective communications. Achieving this exchange requires stakeholder relationships built on mutual respect and trust.

Provides risk-based assurance. The new practice guide notes that this core principle embodies the essence of internal audit’s mission “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

Nearly every aspect of the CAE’s role demonstrates adherence to this core principle, from assessing the organization’s governance, risk management, and control processes, to assessing the role of culture and maturity. Core Principle 4 — aligns with the strategies, objectives, and risks of the organization — also contributes to providing risk-based assurance.

The biggest challenge to this core principle is that, while many aspects of the internal audit function and the CAE’s role within it help demonstrate adherence, actually achieving effective risk-based assurance is a significant challenge that requires collaboration with our stakeholders and a deep understanding of the organization’s strategy, culture, and goals.

Being insightful, proactive, and future-focused. I have written often about internal auditing maturing from providing simple hindsight to providing insight and foresight. This core principle captures that evolution. Insightful internal audit should educate stakeholders about the impact and root causes of control failures, incorporate knowledge of emerging risks into the organization’s risk strategy, and apply these insights and others to enhance risk management throughout the organization.

Internal audit’s role as an educator can demonstrate it being future-focused. For example, internal audit can alert the organization to emerging technology trends, such as 5G, that will impact the organization and help prepare the organization for its arrival.

Promoting organizational improvement. According to the new practice guide, “… the very nature of internal audit work is to evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes.” This is only part of the picture. The core principle requires more than contributing to organizational improvement. Internal audit must have a role in promoting organizational improvement. This means being a leader by demonstrating improvement within the internal audit function and providing the education and insights necessary to promote improvement throughout the organization.

This exploration of the 10 Core Principles shows the intertwined nature of many of the principles and how success in one area can support success in another. Ultimately, there are two goals that every practitioner should strive to achieve: 1) ingrain these principles into all aspects of your professional lives; 2) help others in the organization adopt and adapt these principles to their roles. 

If we can achieve those two goals, we will position ourselves and our organizations to succeed no matter what challenges the future holds.

As always, I look forward to your comments.