80 years of the IIA: Time to reflect and project?

The IIA was founded in the US in 1941, with the UK institute opening in 1948. Eighty years later, how much has our profession achieved? The past year has seen immense disruption to our working practices and many teams have emerged with innovative solutions and new ways of supporting their businesses. Now is a good time to ask where we are – and where we are going.

I got involved in internal audit in 2002 as chief audit executive (CAE) of AstraZeneca. Since 2010, I have trained clients and IIA organisations across Europe, combining my passions for internal audit, training and development. I am a passionate believer in progressive internal audit (writing the book Lean Auditing in 2015) and I don’t think I would have enjoyed working in internal audit if it had not been a profession that could make a real difference to organisational performance; offered something important to the wider agenda of purposeful and ethical business; and was prepared to innovate.

The 2017 IPPF states that we should “strive to enhance GRC” and should be “insightful, proactive and future-focused”, which reflects a progressive agenda. Our interest in adding value and coordinating, even relying on, others, plus the latest version of the Three Lines Model, show that we are trying to position ourselves in a unique role at the top table. The interest in lean and agile ways of working and data analytics is heartening, because these innovations focus on the specific ways we can achieve our vision in a practical manner. Increasing interest in auditing culture and root cause analysis is also encouraging because behavioural issues are often causal factors behind poor governance, risk management and compliance (GRC) performance.

However, there are some recurring areas where we do not always live up to our potential and if we examine some assumptions and dilemmas behind these we may unlock more of the potential of our profession. I hope that discussing these challenges can form part of a deeper conversation about where we are as a profession, and where we are going.

Key areas to focus on

For me there are three key areas to start with:

Independence and objectivity 

The IIA IPPF Standard 1000 is clear about the importance of independence and objectivity, and the importance of an independent reporting line. The IIA Code of Ethics also stresses the need for integrity and to be objective and offers some guidance on what this means. Past research by IIA Global found examples of senior managers trying to control internal audit using budget cuts or by excluding CAEs from meetings. Others cited lack of audit committee support, but of course these issues vary widely in different organisations, sectors and countries.

CAEs and internal auditors try hard to balance flexibility and pragmatism with independence and objectivity. They talk about dealing with challenges on a “case by case basis” and try to stay on the right side of the line. However, it can be hard to know exactly where a decision crosses from the “grey zone” to representing a loss of internal audit’s independence and objectivity in a particular situation. This has become an issue during the pandemic, when some internal auditors have contributed support in first- and second-line roles and audit leaders, including Richard Chambers, then CEO of IIA Global, have urged CAEs not to let “independence” become a barrier to useful action.

I support the notion that we should be flexible, but do we believe that if we have the right reporting line and an independent frame of mind, we don’t need to worry too much about independence and objectivity? Or should we admit that there is a tightrope to walk, and that we should be talking about challenges more often?

In particular, how open are we about the role of organisational politics in our work? The last proper research on this topic was done in 2015, but the 2019-20 Chartered IIA report on external quality assessment (EQA) results suggests, indirectly, that there are still “no-go zones” in many audit plans. Does your plan make it clear where no-go zones relate to key risks, and does it make transparent the impact of resources on internal audit coverage? (This also affects our ability to make overall opinions.)

Assurance, reasonable assurance and un-assurance

The IIA Standards define internal audit’s role in terms of “Providing risk-based and objective assurance”. They define what to do when “assurance engagements” or “assurance services” suffer from an impairment (explained in the glossary to the Standards). And they talk about the need for due professional care in “assurance procedures” (1220) and the importance of quality assurance and improvement programmes (QAIPs). IPPF 2000 mentions internal audit providing “relevant assurance” and in the glossary to the Standards, the terms “adequate control”, “control” and “risk management” are defined in terms of “reasonable assurance”.

However, the terms “assurance procedures” and “reasonable assurance” are not defined in the IIA Standards or glossary, although the Standards state “assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified”.

We all know that our risk-based approach to internal audits and the scoping of assignments helps us to determine relevant assurance. Communication around the work we have done, or not done (the scope of an assignment), helps us to explain that our assurance is reasonable and not absolute. But let’s compare our standards with those of external auditors: the IAASB statement ISA700 (paragraph 11) defines reasonable assurance in the context of external auditing in terms of “whether the financial statements as a whole are free from material misstatement”. And before the external audit progresses there is a discussion and agreement on what amount(s) would be material. Furthermore, external auditors request management assurances that all relevant information has been disclosed.

This external audit “reasonable assurance” starts with what would be a “material misstatement” and then works backwards to make sure that the work done supports this level of materiality; ie, they aim to give an outcome-based view around their reasonable assurance. This makes sense and adds value, since, if it is done properly, there is an objective measure of whether the external auditor has done their work properly.

At present, I believe a large number of internal audit teams define their “reasonable assurance” in terms of the work they will/won’t have done – ie, an input-based definition of reasonable assurance. This approach makes us a hostage to fortune and I think we should talk more often about what we mean by “reasonable assurance” and develop more guidance about good and less good practice. Where possible, this should include how to focus our work more on the outcomes we are assuring. It would be timely, given that we are trying to be more lean and agile and also given our developing practices in data analytics, artificial intelligence and machine learning.

Innovation and IIA Standards

I enjoy hearing about innovation in our profession. Internal audit’s passion for moving forward was obvious when I chaired the second day of the Chartered IIA’s virtual conference in October 2020. I also love reading articles about new ways of working and swapping “war stories” with internal auditors, many of whom have introduced huge changes over the past year, from single-page reporting to remote auditing and increased use of technology.

However, we need to ask how often exciting updates about new ways of working are explicit about the way they link to the three lines model and our IPPF. When I wrote Lean Auditing I was concerned that everything I proposed factored in IIA Standards etc. I asked for input from IIA Global technical staff to ensure I was on the right track.

Many of the articles and presentations on new ways of working that I see are comparatively silent about how they comply with our Standards. I don’t want to stifle creativity and innovation; rather, I believe that connecting new ways of working more closely to our Standards will enable our profession to progress its agenda of creativity and innovation alongside our professional disciplines.

More visible links between our Standards and “the next big thing” will help us to keep our feet on the ground. If we don’t do this, it could undermine our reputation and credibility in the eyes of stakeholders and regulators.

We are an important and mature profession and being open about the more challenging aspects of our vitally important work will help us to raise the bar even higher. 

James C Paterson is director of Risk & Assurance Insights. He runs courses for us on topics including lean and agile auditing, root-cause analysis, assurance mapping, preparing for an EQA and influencing and political savvy.

This article was published in May 2021.