A new report from the IIA says nearly half of internal audit departments don't fully apply its professional standards
Among the most important functions of internal audit's leading professional organization, the Institute of Internal Auditors, is to act as keeper and caretaker of the occupation's code of conduct, the International Standards for the Professional Practice of Internal Auditing. While the IIA goes to great lengths to keep the standards updated and applicable, a survey it conducted last year reveals some sobering news: Nearly half of the chief audit executives (CAEs) polled say they only apply part of the standards to their work or that they don't use them at all.
The results, reported earlier this month by the IIA, are likely to raise eyebrows among practitioners and regulators alike, as the internal audit profession seeks to automate some processes and increase its influence as a partner with the business inside most companies.
The standards set minimum requirements for all internal audit functions and "provide a foundation for performing efficiently and effectively, and are intended for use wherever internal audit is practiced," the report states. Conformance to the standards is mandatory for all IIA members and for those who hold a Certified Internal Auditor certification, offered by the IIA.
The report, "Looking to the Future for Internal Audit Standards: Standards Updates, Usage, and Conformance," finds that more than a third of the CAEs (35 percent) use just a part of the standards, and another 11 percent don't use them at all. While those numbers may be a concern to some, they are an improvement from the last time the IIA asked if auditors were using the standards in 2010. The number of CAEs who said they fully conform to the standards increased from 46 percent in 2010 to 54 percent in 2015.
Companies with small audit departments, newer audit departments, no audit committee, or that include internal auditors that aren't members of the IIA or don't hold professional certifications were all less likely to fully adhere to the professional standards. Only 43 percent of companies with three or less employees in the audit department, for example, say they are in full conformance with the standards.
"A decision not to use professional standards may add flexibility to internal audit practices, but that flexibility does not come without a price," writes the report's author, James A. Bailey, an accounting professor at Utah Valley University. "Some people believe internal auditing will not be viewed as a true profession until internal auditors not only have mandatory rules but also begin to follow those rules consistently."
Companies that decline to follow the standards do so for a variety of reasons. Chief among them is the cost. Nearly of third of those that don't fully conform say that they don't see the benefits of fully applying the standards compared to the cost to conform. Other reasons respondents gave for not conforming with the standards include views that they are not appropriate for small organizations (31 percent), they are too time-consuming (19 percent), they are too complex (14 percent), or compliance isn't supported by the management or the board (23%). "This support may sometimes be limited because of low awareness levels among some management officials and boards regarding the value of the standards," the report states. Some respondents said they didn't use them because they aren't required by law or that they are superseded by local government regulations or standards.
The IIA also looked at which particular standards some companies choose to neglect when they only partially conform. Conformance was the lowest for Standard 1300 – Quality Assurance and Improvement Program. The standard requires internal audit departments to have a self-assessment program and to conduct periodic quality reviews, often called a quality assessment review (QAR). Of CAEs that don't fully conform, only 42 percent conformed to Standard 1300. The report says that the IIA will conduct a separate analysis of Standard 1300 due to the low conformity with it. "Due in part to the lower use of and conformance to Standard 1300, CBOK will issue a separate research report in 2016 with specific analysis and recommendations for this standard," it states.
Other individual standards that suffered from lower conformance include Standard 2600 – Communicating the Acceptance of Risk (61 percent conformity), Standard 2500 – Monitoring Progress (71 percent conformity), and Standard 2400 – Engagement Planning (74 percent).
The report suggests some steps that companies can take to increase conformance with the standards and to overcome some of the barriers to applying them. They include:
- Present year-on-year results of internal assessments to senior management and the audit committee to highlight improvements in conformance with the Standards, and enlist their support in addressing conformance gaps.
- Apply a fit-for-purpose and cost-effective approach to implementing the Standards, and rely on the organization's internal resources where cost effective. For example, use internal auditors to deliver training and to simplify methodology templates and forms.
- If cost is an issue, consider performing a self-assessment with an independent validation instead of a full external assessment.
- Compare the requirements of the Standards to applicable government regulations to identify differences, and assess the level of additional effort needed to close any conformance gaps.
These steps could go a long way to helping organizations reach better conformance with the professional standards, which is certainly a worthwhile goal for the IIA. It's also possible that if internal audit finds itself at the center of some major frauds and scandals, in the way that finance executives did earlier in the century, Congress could make conformance to the standards mandatory for internal audit professionals, at least here in the United States.