What do the recent IIA changes mean for my organisation?
The Global Institute of Internal Auditors (the IIA) has published changes to the International Professional Practices Framework (the IPPF). On first look the changes do not look that significant given that the Definition, Code of Ethics and the Standards for the Professional Practice of Internal Auditing within the IPPF have not changed. However, we think that the changes signify a change of focus for the profession in how it views what good looks like, with a clearer focus on outcomes.
The main changes published are:
- a mission for internal audit;
- a new broader guidance framework; and
- new principles which sit alongside the existing International Standards for the Professional Practice of Internal Auditing (the Standards).
- The mission is short and to the point: 'To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight'. It is a more interesting way of explaining what internal audit does compared with the existing, and somewhat dry, definition.
We always welcome a refresh of guidance. The businesses and industries in which internal audit operates evolve constantly; it is natural therefore that guidance on implementing the IPPF should also be refreshed. The main change in our view is that guidance is now more clearly flagged with regards its purpose. It will take a while for this guidance to be updated and published (albeit two new pieces of implementation guidance were released at the same time as the IPPF changes). Therefore, existing guidance can still be used and we expect to see a steady communication of new and updated guidance between now and 2017.
The main changes and the biggest impact for Heads of Audit and Audit committees are the new principles. It is here that we can see the renewed focus on outcomes.
One could argue that internal auditors should be seeking to help their organisations and customers improve outcomes, and the new principles are just reflecting that mind-set in how the profession sets its own quality framework. The principles are:
- demonstrates integrity;
- demonstrates competence and due professional care;
- is objective and free from undue influence (independent);
- aligns with the strategies, objectives and risks of the organisation;
- is appropriately positioned and adequately resourced;
- demonstrates quality and continuous improvement;
- communicates effectively;
- provides risk-based assurance;
- is insightful, proactive and future-focused; and
- promotes organisational improvement.
The 10 principles are not intended to replace the standards. The standards have always been 'principles based'; the IIA acknowledges that until now specific principles have not been articulated. We should see therefore as helping to define the mind-set, behaviour and characteristics of an effective internal audit function – ie 'what does good look like?'
What actions should Heads of Audit be taking?
Internal audit teams should already have a clear view of their conformance with the standards and the IPPF, whether through a self-assessment or a formal external review. Heads of Audit should ensure audit committees are aware of the changes, and in time should be seeking to discuss the principles with audit committees to gauge the committee’s view of internal audit.
The principles therefore provide Heads of Audit and Audit committees a framework in which to talk about what good internal audit looks like without committee members having to be experts in the detail of the standards. That must help us as internal auditors, to have something more customer/ stakeholder friendly around which to discuss the requirements of the IPPF. The principles framework also helps us to focus on what does internal auditing mean to the business, what does the business want from internal audit, and is internal audit helping the organisation through its plan of risk based assurance and advice? This should bring a new challenge to those completing self-assessments, to review teams undertaking external quality reviews of internal audit functions, and to Audit committees.
If you have any questions about the changes, or would like advice on your organisation’s internal auditing arrangements, please don’t hesitate to contact someone in our internal audit team: Mark Jones.