Principles of internal auditing


Monday, August 12, 2013

Many of us always wonder what guides internal auditors both from a practice and behaviour point of view. I mentioned in my earlier article that fear of internal auditors is a result of both misconceptions of what internal audit is about, as well as previous bad experiences with auditors who were not familiar with the standards and behaviours that guide the profession. Today, I would like to give you a view of the institutions and guidelines that internal auditors are accountable to and expected to uphold respectively. A better understanding of this would help us know what to expect from auditors and hold them accountable, as well as help stakeholders understand how to better support their internal audit functions so they provide their best value.

Standards and guidance for internal audit are provided through the International Professional Practices Framework (IPPF), the conceptual framework that organises guidance provided by the Institute of Internal Auditors (IIA). Established in 1941, the Institute of Internal Auditors is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security. Globally, the IIA has more than 180,000 members.

The institute provides internal audit professionals worldwide with guidance which is classified as ‘mandatory’ or ‘strongly recommended’. Today, I will focus on the mandatory guidance. Conformance with the principles provided in the mandatory guidance is required and essential for the professional practice of internal auditing. The following are the three mandatory elements of the IPPF:

Definition of internal auditing

Internal audit is defined by the IIA as “…an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” You may be surprised to see that internal audit reviews risk management and governance, in addition to controls, or that internal audit can help an organisation accomplish its objectives. Yet, these are some of the key roles of an internal audit function. This definition is rich and should be referred to when setting up internal audit charters to ensure that the mandate of the internal audit function is conclusive and covers the key areas provided in the definition.

Code of ethics

Internal audit is governed by a code of ethics that states the principles and expectations governing the behaviour of individuals and organisations in the conduct of internal auditing. It describes the minimum requirements for conduct and behaviour under the following key principles:

Integrity – This helps establish trust between auditors and those being audited, thereby providing the basis for reliance on their judgment. When auditors have integrity, their work has a strong foundation to stand on.

Objectivity – Internal auditors should make a balanced assessment of all relevant circumstances and should not be unduly influenced by their own interests or by others in forming judgments. Therefore, auditors need not inspire fear. An auditor’s work is meant to be objective and not a witch-hunt. However, when an audit is done objectively and issues arise, management should receive the feedback objectively as well and agree on actions to improve or rectify the situation.

Confidentiality – Internal auditors have access to a lot of information as part of their mandate and should not disclose this information without appropriate authority, for instance, if there is a legal or professional obligation to do so. Information obtained during the course of an audit should not be misused.

Competency – Internal auditors should take time to learn about the areas they review and then apply their knowledge, skills and experience in the performance of their work. Sometimes, management says that auditors do not understand what the business is about. Auditors should invest in understanding their businesses so that they are able to offer value. However, organisations should also support internal auditors as they seek to continuously sharpen their skills. This would include, among other things, supporting a reasonable training budget for the internal audit function. Training should cover core business areas, as well as help auditors meet continuous professional education (CPE) requirements.

International standards for the professional practice of internal auditing (standards)

Standards are principle-focused and provide a framework for performing and promoting internal auditing. I won’t go into too much detail on these. However, broadly, they are classified into attribute and performance standards. Attribute standards address the attributes of organisations and individuals performing internal auditing, while performance standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. You can read more about this on the IIA website.

My hope is that through the discussions we have had so far, we can continue to lift the veil of misconception over internal audit and commit to forging relationships between management and the internal audit function that lead to maximised value for the organisation as a whole.

The writer is a risk assurance services manager at PricewaterhouseCoopers Rwanda.