internal audit

The IIA is Updating their Standards, Again?

As most card-carrying members of the IIA know, the IIA updates its Standards on the average of about every 3 years. Why? Because many of the power brokers of the IIA want to ensure the Standards are in tune with changes in the regulatory environment and, in general, to continue to advance the profession of internal auditing. While the rationale makes sense, the truth is the IIA Standards are really a set of “Internal Audit Best Practices”. Some of you may ask, “wait a second, aren’t the Standards Mandatory?” In theory, they most certainly are. But the true answer to the question really depends on one’s perspective. In other words, while the intrinsic value of the Standards is undeniable, why don’t all internal auditors and the internal audit functions around the globe adhere to the Standards since they are mandatory? After serving as an international volunteer to the IIA for ten years, I worked directly with the Standards Board, co-authored 3 GTAGs, wrote and reviewed countless other forms of guidance for the IIA membership on a global basis. During this period of time I learned about the highly political nature of the IIA and how a number of international committees produce guidance as well as maintain the Standards. After a few years of my IIA tenure many European members were pushing the IIA to essentially make the CIA a professional license just like a CPA in the United States. While the idea had many merits to it the consensus of the power brokers was it would be impossible to create and maintain such a license on a global scale. Therefore, the CIA certification and others like it from the IIA are no different now than the day the first CIA examination was administered many decades ago. The only thing that has really changed is the value of an internal audit function globally is much more seen as a value-add to an organization and the CIA designation is viewed by management and regulators with a much higher level of respect which alone is significant. A survey was conducted just a few years ago by the IIA which essentially asked “why does your internal audit function not follow the “mandatory” nature of the Standards?” Not shockingly, but certainly disappointing the survey found that only roughly half of the internal audit functions seriously adhere to the standards and that even a smaller percentage actually follow standard 1312 which states every internal audit function MUST have an external assessment performed at least every five years. After 30 years of either practicing as an internal auditor, external auditor or a management consultant I have learned that the majority of internal audit functions follow what is described as the “spirit” of the Standards. In other words, many card-carrying members of the IIA simply view the Standards as a set of “best practices”. As I read the proposed changes to the Standards before I shared my personal view in this post, we card-carrying members of the IIA will continue to see changes to the Standards that have very little effect, if any, on the profession of Internal Audit. Changing sentence structure of a Standard or adding a few words here or there to the Standards carry almost no weight and will virtually not impact the profession of internal auditing. What would be great for the IIA to do is to reduce the IIASBs propensity of “updates” to the Standards and use these limited resources to provide badly needed guidance in the form of more GTAGs, (last new one was published in 2012) update outdated GTAGs (where some efforts have been made), and the same with Practice Guides, Practice Advisories, etc. that the internal audit practitioners need to help them provide more value added audits and consulting services which will continue to advance the profession of Internal Audit. Sorry folks, but continually updating the Standards which is virtually akin to wordsmithing means very little to the day-to-day practitioner.

About Hunt Risk Solution Partners – we are one of the leading providers of risk advisory services in the great southwestern region of the United States. Our primary areas of service focus are Regulatory Compliance, Internal Audit, Information Technology (IT) Audit and Business Process Improvement (BPI). For further information or contact Mr. Hunt at