At the end of October I attended the 21st International Turkish Internal Auditing Congress, organized by TİDE, the Turkish IIA, here in Istanbul. On the second day Paul Boyle, until very recently chairman of the IIA of Britain, gave an interesting speech with the title: “How can we market Internal Audit better to our Stakeholders and our (current and future) audit associates?” I want to recap here the thought impulses Paul has given me and add my own.
A lack of appreciation for Internal Audit’s true worth?
The argument starts with the statement that internal audit’s work is not properly appreciated by the audit stakeholders, as shown by senior management’s declining perception of the value of its contribution. If it were – in a supply and demand analogy – senior management and the board would request much more of it and be ready to give IA more budget, pay higher salaries etc.
According to Paul, this stems from a lack of communicating or marketing the capabilities and services of internal auditing to stakeholders – there is not enough advertising, or not enough effective advertising. Why? Because we cannot properly express what we do and why we do it in a way that resonates with the main stakeholders and makes them want more of it. The language is too technical, starting with the IIA Definition of Internal Auditing, which creates an expectation gap on the side of the stakeholders. Plus there is a flaw about added value.
It starts with the newly introduced Mission Statement of Internal Audit as formulated by the IIA:
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
And with the Definition:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Both the Mission Statement and the Definition contain the notion that Internal Auditing adds or enhances value.
The IIA has defined “add value” in the Glossary of the Standards:
The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.
So where exactly does the value come from? Per Definition, Internal Audit is an assurance and consulting activity.
Is the true added value coming from assurance?
Internal Audit’s primary and historical raison d’être is to provide independent and objective assurance. Assurance is an
objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
– IIA, 2017 Standards, Glossary
“Show me what you have and I will tell you – as an independent and objective expert – if everything is ok. The best assurance that I can provide is – simplified – that everything was and is in order.”
But is this knowledge added value? If management and board hadn’t received this report from internal audit, would there be any more risks? Not really. No added value in assurance.
And if everything is not in order? Then the identified gaps will be expressed as observations (condition, criteria, cause, effect) and a remediation will be recommended for the responsible management to implement. When that is executed, the expected standard (criteria) is achieved and the organization is where it actually should have been.
Not really, just closed gaps that should not have been there in the first place.
The added value comes from consulting
Consulting, per IIA Standards, is
(a)dvisory and related client service activities, the nature and scope of which are agreed with the client, … intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
– IIA, 2017 Standards, Glossary
Here’s the added value, or to be exact, this is where the IIA defines the added value to be: going beyond evaluating conformance of the actual observed condition with the expected criteria, and taking the opportunity of the independent and objective assessment to improve and raise the bar of the expected criteria, or providing extra services like training.
Consulting is optional
Looking at the new 10 Core Principles for the Professional Practice of Internal Auditing, which all need to be present and operating effectively in order to consider an internal audit function effective, we do not find consulting or advisory services. Assurance is there (principle 8). And promoting organizational improvement (principle 10), but that’s not consulting.
Core Principle no. 8: Provides risk-based assurance.
While the provision of consulting services is also possible, it is optional. Assurance isn’t.
So adding value is optional for Internal Audit.
Or: If Internal Audit performs by the Core Principles and provides risk-based assurance, and that’s what stakeholders want, there’s little value added or adding value is not required.
Isn’t this a flaw in the IIA Framework?
No wonder that Internal Audit practitioners who embrace the IIA Framework and certify to abide by the Code of Ethics, Standards, Definition and whatnot feel that no one really appreciates their true worth.
Note at the end
I am a physicist and used to approaching new problems from “first principles”. But the IIA has yet to explain to me, in everyday language, how a principle – an abstract theoretical entity – can be “present and operating effectively”.
Principle: a fundamental truth or proposition that serves as the foundation for a system of belief or behaviour or for a chain of reasoning.
– Merriam-Webster dictionary online
That’s the kind of technical language that has a decades-long tradition in Internal Controls theory and that is not readily understood by management, let alone by the rest of the organization.
But certainly the IIA can solve this by issuing a mandatory definition for the terms “being present” and “operating effectively” in their application to principles.
The first principle is that you must not fool yourself and you are the easiest person to fool.
– Richard P. Feynman