IIA ran an unusual process of making all submissions private and not available to the public. A number of thought leaders have made their views public. We’ll be running a ruler over their responses in due course. Here’s our submission in full.
Dear Team
IIA Exposure Draft Submission
Setting standards is hard. Writing guidance is harder. The size of the task is not lost on me and I wish the team well.
IIA have embarked on an enormous task and there has clearly been a lot of headway.
There is a lot to like, but there are multiple fatal flaws that could overshadow all of this good work.
I’ve provided this letter to assist the Standards Board to navigate these challenges with structural and directional themes to then empower the team to land the project. This feedback is around structure and leadership and is beyond the questions asked in the consultation survey.
Key points
- Impacts a lot of people. Applies to 180,000 IIA members around the world. Any organization aligned to the IA standards, including those with regulator encouragement will be impacted, which is uncountable audit shops and providers. Many have endorsed the previous version of the standards. Small changes will make big ripples, so IIA needs to be sure about any mandatory changes.
- There’s a lot in it. Many expert reviewers have struggled to get through it and stand back from it to give a considered view. I am concerned that many (like me) didn’t make it all the way through and there are issues that may not be picked up.
- All in one place. Anyone who has had to run a QAIP program or do an EQA will appreciate everything being in the one place. Well done IIA, this is a huge benefit. Thank you.
- It’s long and detailed. 108 pages of dense content. Reviewers are getting lost in the detail. It’s hard to see the wood for the trees.
- Not principles-based. Principles-based regulation prescribes the outcome and rationale (the what and the why) and gives latitude on how it is done, with the exception of a few mandatory items that are defined broadly enough to allow an approach that is fit for purpose in the circumstances. There are 255+ mandatory requirements. This
- Doubling down on conformance vs performance. Despite claims of moving towards performance, the draft anchors in conformance rather than outcomes. Putting Evidence of Conformance in the document underlines this impression, in bold.
- Combined document is a double-edged sword. It would be a brave soul to vary from guidance in a set of standards. This needs to be dealt with through clever layout or separating the supplemental guidance.
- New purpose statement. The established definition has been replaced by a new purpose statement. The statement is woolly and could apply to any 2nd line function. IA’s unique proposition is not stated or clear.
- Board requirements are an overreach and possibly not well understood. The requests on the board read like a list of demands, some of which seem to have little resemblance to how modern boards work or the level of detail at which they operate, and many of which should sit with senior management and not the board. Management’s role receives minimal attention other than as a respondent. Most of these requirements remain CAE-led activities but have been shifted to the Board. Boards don’t take kindly to being told what to do – particularly by a subordinate. This will get significant pushback.
- Some questionable guidance. Some of the supplementary guidance is out of date or questionable; particularly the Evidence of Conformance Sections. There is too much to review in this round.
- There’s a lot of good content. While there are some structural challenges in the document, there is also a lot of really useful content. Unfortunately the small amount of deeply flawed content overshadows a lot of the good content.
- The glossary is a mess. The world doesn’t need a new set of conflicting definitions. The glossary includes new language, some conflicting with established standards and some just plain wrong. The glossary needs to align with well-accepted global standards and definitions unless there are genuine cases where it is absolutely necessary to differ. Anything else will cause unintended consequences.
- Topical Requirements. There is a proposal for even more requirements, but only if you bump into them. The proposal looks like a minefield full of trip wires. Guidance is always appreciated, but additional conditional mandatory items are a really bad idea.
- Benefits of change. Is this document a success?
I normally assess any assurance update by the following criteria:
- Higher quality assurance, targeted to the most important areas.
- Greater confidence in the assurance and advice provided.
- Easier for people to understand and comply with.
- Additional requirements have a clear benefit that outweighs the effort.
There is an assertion on page 1 and in the marketing material that this set of standards helps go beyond conformance and “establish a basis for evaluating the performance of internal audit services”. I see little evidence to support this assertion, particularly from the perspective of those who fund or rely on internal audit. It is also unclear if or how IIA has moved the dial positively on any of the above. The Standards Board needs to set some clear success criteria and measure them to make sure this project delivers.
Our recommendations to get this right and bring this project home
- Take a principles-based approach. Specify the outcome not the method. Consolidate and simplify the non-negotiables without specifying how. Let people innovate. Anything else should be guidance and clearly labelled a minimum conformance baseline rather than an aspirational standard or approaching best practice.
- Revise the new purpose statement. IIA has always struggled to articulate its value proposition. The latest draft illustrates the point. Either articulate IIA’s unique proposition (the things only IA can do) or leave it as is.
- Align with accepted definitions. The world does not need another set of competing definitions. It will be a headache for users. Align with globally accepted standards from the external audit profession, ISO, and IIA’s own agreed and tested definitions wherever possible.
- Separate supplementary guidance. It would be a brave soul that would vary from guidance in a standard in the current form. Put the supplementary guidance in a separate volume to avoid giving it undue weight.
- Especially for the Evidence of Conformance Sections. This is particularly so for the evidence of conformance sections. While well intended (and useful), this will drive a tick-box response.
- Evidence of conformance guidance. Only list the key controls that address the risks or performance that each standard is trying to address. Make it really clear that these are indicative and not the only way to meet the requirements.
- Update the supplementary guidance. There is considerable public debate about the supplementary guidance which could derail the exposure draft. It’s of mixed quality and applicability and there’s too much to review. Previous teams have taken years to do so. Find a way to do an update now or in the near future.
- Public sector guidance. Incorporate the principles into each section and take out the public sector peculiarities. There are some genuine differences, but not enough to justify this approach.
- Get the language right. Drop the reference to The Board and use a broad term instead. And let’s kill off the term CAE once and for all and have something better. IIA has already done lots of research on this one.
- Resource appropriately. The standard of the document is not on par with the quality of documents from peers in the governance / assurance space or the position that IIA aims to hold for itself. It reinforces IIA’s position as a b-class professional body that does not resource its technical areas as well as its peers. IIA has always struggled to write good guidance through its volunteers. Bring in highly skilled technical experts guided by practitioners and stakeholders, like other standard setters do.
- Get some customers to review the final draft. Audit & Risk Committee members had little involvement in the process. It shows. Get a stakeholder reference group to review the final draft.
- And some technical experts too. This will avoid any fatal flaws that cause issues with regulators and other professional bodies down the line.
Disclaimer: Incomplete review
There’s a lot in this. I’ve spent a lot of time reviewing and summarising but it’s a massive body of work. Please forgive us if we’ve missed anything important or short-changed the enormous effort that’s gone into this project. The enormity of the task so far is not lost on me.
While I have completed the survey, I have not commented on the detail of the Standards as I have assumed that these fundamental matters must be addressed first, and I am hopeful that these will be picked up by others.
I do however worry that many (like me) have become so bogged down in the issues that I raise at the front of the standards that they have not applied their minds fully to Principles IV and V. This is problematic as this is where most of the work is actually performed. I’d welcome the opportunity to consider this properly at a later stage.
Given the magnitude of the feedback and changes I believe a second exposure round is warranted, and I will do my best to make myself available.
Sincerely,
Todd Davies FCA PFIIA MAICD
Full letter attached (including typos).
If you’re a more visual person, you can see our LinkedIn Carousel here.