Unmasking the Global Internal Audit Standards
In March 2023, The IIA released the draft Global Internal Audit Standards (GIAS).
This is a much-anticipated overhaul of the current International Professional Practices Framework (IPPF) that many practitioners have long been accustomed to.
The International Internal Audit Standards Board has clearly put in a lot of effort to arrive at a draft which is much better organised after years of targeted refinements. Other than being more reader-friendly, the most impressive enhancement is the logical flow that links every standard to a principle, which is in turn linked to a domain.
The erudite members also recognised that meeting every stakeholder’s needs in a single draft or document is improbable. It is certain that they will have to spend endless days poring through the feedback received from around the world before finalising the GIAS as scheduled in December 2023.
As a practitioner, I appreciate and welcome many of the significant changes, which include:
- Organising concepts into 5 domains and 15 principles.
- Linking standards to the principles.
- Giving clarity to many “to-dos” by specifying “who” to do it.
- Changing from a largely principle-based framework to including specific requirements.
- Adding a noticeable emphasis on public interest and public sector.
- Demarcating the line between assurance and consulting work.
However, I also have certain areas of concern.
Assigning Responsibilities to the Board
Under Domain 3 on Governing Internal Audit Function, the GIAS assigned various responsibilities to the Board for the oversight of the internal audit function. These include approving the internal audit mandate, maintaining ongoing communications with the Chief Audit Executive (CAE), which includes obtaining their perspective on the organisation’s strategies, objectives and risks, and protecting the internal audit’s independence, among other tasks.
While most internal audit practitioners, myself included, agree with these views and welcome the increased clarity, a bigger question arises – to what extent can the GIAS promulgated by the IIA impose responsibilities on the Board, which is not part of the IIA?
The IPPF is the only internationally recognised set of internal audit standards that is embraced by many government agencies, stock exchanges, charities, central banks, and other entities. In order for the GIAS to uphold that legacy, it is crucial for key stakeholders to agree on the tenets outlined within the GIAS. Even if the Board members in different localities eventually reach a consensus on the responsibilities, it may take many discussions and several months before (if ever) the relevant agencies or directors’ institutions formally adopt the GIAS.
Considering this, what would be the outcome if the GIAS is ultimately not endorsed by these stakeholders?
Ambit of the GIAS
The Standards apply to individual internal auditors and the internal audit function. Domain 2 on Ethics and Professionalism states that “Internal auditors” refer to recipients of or candidates for IIA professional certifications and all IIA members, including those who are members of IIA affiliates and chapters. This is puzzling. If the GIAS’ standards only refer to IIA members and certificate holders or those aspiring to obtain certifications, it raises the question of how we can make sense of non-members and non-certificate holders who practise internal audits.
Could it be that the position is that the IIA only has authority over its members and certificate holders? If that is the case, why are there double standards in assigning responsibilities to Board members?
Furthermore, how will future Quality Assurance Review assessors review compliance or lack thereof of non-members and non-certificate holders (which may include the CAE) in an internal audit function if they are not within the ambit of the GIAS?
Root Cause
Under Standard 14.3, “When evaluating potential engagement findings, internal auditors must identify the root cause, determine the potential effects, and evaluate the significance of the issue.” Most internal auditors try their best to identify root causes and discuss them with Management to mitigate or prevent future occurrences. However, achieving 100% success in such endeavours is rare, if not impossible.
In many real-life cases, the best conclusion internal auditors can draw is a stronger correlation between a set of exceptions and a variable, such as a particular control owner or type of transaction. Correlation and causation are not the same. If internal auditors identify and attempt to “eliminate” the suspected root cause based on a relatively high correlation, only to find the same issue resurfacing later, are they guilty of a moral crime?
Engagement Conclusions
Under Standard 14.5, “Internal auditors must develop an engagement conclusion.” Previously, Standard 2410.A1 stated that “Where appropriate, the internal auditors’ opinion should be provided.” It is not uncommon for the Board to commission the internal audit function to review a targeted part of a process due to specific concerns. In such cases, where the review is narrow in scope, it may not be fair to expect an engagement conclusion from the internal audit function or the Management. Further, it raises the question of whether such an engagement conclusion would hold meaningful value to the Board, who are the key users of the internal audit reports.
Overall, the GIAS has achieved much from the overhaul, and much credit must be given to the volunteers and IIA Secretariat who have worked tirelessly to bring it to this level. While it is improbable for any set of standards to meet all stakeholders’ needs, it would be appreciated if the areas mentioned above are taken into consideration during the finalisation of the GIAS.
Nicodemus Tan is a Partner at Baker Tilly LLP, a Governor of The Institute of Internal Auditors Singapore, and a fervent believer that internal audit when done right will provide an immense competitive advantage to the organisation.
The Institute of Internal Auditors Singapore blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors Singapore and its committees and from opinions endorsed by the bloggers’ employers.