Internal Audit Quality – Fusing Care and Due Diligence with Audit Principles

“I’m not 39, I’m 23 with 16 Years of Internal Audit Experience”

Internal Audit Quality - Fusing Care and Due Diligence with Audit PrinciplesOver Thanksgiving weekend, I celebrated my 39th birthday. The first thing that struck me about hitting 39 was that “39″ doesn’t seem nearly as “old” as it did when I was 23 and ready to take on the world (although my body does seem to creak and snap a bit more each morning). The other, more profound, phenomenon was the amount of introspection that comes with approaching a major age milestone. Pondering the big “four-oh” caused me to reflect on how I’ve spent my life. Being somewhat of a data geek, I broke it down into the following percentages:

  • Licensed Driver – 61%
  • Student – 44%
  • Husband – 28%
  • Parent – 18%
  • Diapers – 7%

I realize this probably doesn’t mean much to anyone besides me, but I do find it interesting to see how much of my life has been spent in various situations. In some of these situations (parent, husband), the numerator will continue to increase and the role will represent an even larger portion of my life. In other cases (diapers), the percentage will steadily (and hopefully) decrease over time. Considering I’ve been in the workforce in some capacity since I was 15 (64% of my life) it would be foolish of me not to consider the impact work has had in my life. I started my illustrious career as a busboy (1.2%), road construction laborer (13%), and gopher/delivery boy (9%). Quite the impressive career, wouldn’t you say?

Binding Internal Audit with GRC

Then there’s internal audit. I spent the first 12 ½ years of my post-collegiate career as an internal auditor. The last 3 ½ years were dedicated to researching the profession, as well as enabling the broader practices incorporating GRC through technology. I’ve obtained three Internal Audit (IA) related certifications (four if you count the CPA that I immediately shelved upon passing the exam). I’ve performed a number of roles in consulting, IA department management and IA quality assurance. I continue to serve as a volunteer instructor for the Institute of Internal Auditors (IIA). In the grand scheme of things, I have dedicated quite a bit of my career to this fine profession (16 years, 41% of my life, 64% of my time in the workforce). To say I’m vested in this profession would be an understatement.

I realize that many of you haven’t spent 41% of your lives practicing internal audit, and that’s OK. With that in mind, I am pleased to do you the service of helping you raise your “IA-IQ”. This will be the first post in a series focuses on a profession that truly is the glue that holds your broader GRC program together.

Knowing What the Glue is Made of

To start this series off, let’s begin with a primer on the glue that holds the glue together: The International Professional Practices Framework (IPPF). The IPPF organizes the full body of authoritative guidance set forth by the IIA regarding the content of the work and the workers within the internal audit universe. The key elements of the IPPF are categorized as “Mandatory Guidance” (non-negotiable – you must do this) and “Strongly Recommended Guidance” (if you plan on being successful, you’ll do this too).

Mandatory Guidance

    Definition of Internal Auditing

    States the fundamental purpose, nature, and scope of the profession. For GRC professionals, consider that the definition contains some familiar phrases. This definition states that internal audit gives organizations a “systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” (my emphasis added)

    Code of Ethics

    States the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing

    The International Standards for the Professional Practice of Internal Auditing (Standards)

    Represents the “principle-focused framework for performing and promoting internal auditing and for evaluating the effectiveness of its performance.” Think of this as a list of: 1. how to audit, 2. how to communicate your results and 3. how to determine if you are any good at what you do.

Strongly Recommended Guidance

    Position Papers

    Assist interested parties in understanding significant governance, risk or control issues

    Practice Advisories

    Assist in the application of Mandatory Guidance (those items from the above list)

    Practice Guides

    Provide detailed guidance for conducting internal audit activities

In terms of the day-to-day practice of internal auditing, the Standards represent the roadmap that internal audit practitioners can follow to effectively execute their responsibilities. If you are unfamiliar with the Standards (or if you’re an internal auditor that hasn’t brushed up recently – hint, hint), I encourage you to visit the Standards page on the IIA’s website to gain a deeper appreciation for the intricacies of internal audit.

Fusing Care and Due Diligence with Audit Principles

I’d like to offer one closing thought on this discussion on the IPPF. Once on a consulting engagement at a Fortune 500 company, a high-ranking, internal audit manager told me that demonstrating compliance with the Standards was “as easy as falling out of a boat and hitting water.” To say I found this statement to be both arrogant and misguided would be an understatement. Those who take the time and effort to read and understand the IPPF will realize that that while its components are principles-based and written in plain language, demonstrating clear and basic compliance with it is not anywhere as simple as this manager suggested. As with any professional guidance, there is much room for interpretation and a great deal of reliance placed on the proficiency and judgment of individual practitioners. It is paramount that any internal audit department that wishes to truly fulfill its responsibilities read the Standards, work to collectively understand them and constantly evaluate whether they are living up to them.

I look forward to continuing the internal audit discussion and hope you join with me as we review this topic in future blog posts. I am thrilled to be involved with this fine profession, and I’m hoping that my 41% lifetime involvement statistic continues to trend upward.


Jason Rohlf - GRC ConsultingThis blog post was written by Vonya Global guest author Jason Rohlf. Jason Rohlf is a Senior Manager with OrangePoint, a GRC consultancy based in Overland Park, KS specializing in GRC process design, implementation and improvement. Mr. Rohlf is a featured author on the OrangePoint Blog. To read more from Mr. Rohlf and his OrangePoint colleagues, we encourage you to visit the OrangePoint Blog blog.opgrc.com. To learn more about OrangePoint, visit www.opgrc.com.