Why the IIA’s mandatory Topical Requirements are a bad idea

There are already 223 mandatory requirements in the new internal audit standards. Topical Requirements add even more. Here’s what you need to know.

One of my tasks this week was to help a group of Chief Auditors work out what’s changed in the new Internal Audit Standards and where to focus first.

There’s been a lot written on this including many useful summaries from the usual commentators.

But to really acquit a brief like this, you need to put in the work and read and understand the Standards deeply.

A comprehensive body of work

I’m slightly in awe of what a body of work this is and at what the team of staff and volunteers at IIA HQ have been able to achieve, both in terms of sheer volume and in driving a massive uplift on what was there before. The ambitions for generational uplift were audacious, and I’m coming around to the idea that they might actually be achieved.

I’ve always been of the view that you need to get Positioning, Partnering and desired impact (Performance) dialled in before thinking about Process, People and Technology. The IIA Standards go after this directly, shifting from conformance to performance as defined by each organisation and forcing organisations to think deeply about what it is they really want. This is to be commended.

But there is a lot of detail to digest.

I’ve had four different AI sidekicks tasked to help me work through the document. Not one was able to get through the volume. For example, IIA’s two-way mapping document shows all the changes between the 2017 standards and the new ones. It runs at 166 pages in dense landscape table format. The paid version of Claude.ai ran out of tokens before it could make sense of it.

There’s a lot in the new Standards. You can’t read it cover to cover. You need to go at it programmatically over multiple sessions.

But the 5 sections, each with 3-5 Principles and 2-6 standards under each, are easy to conceptualise and get your head around if you aren’t comparing to what was there previously.

Working through the clickable table of contents in the Standards one section at a time is a good way to go at it. (This is copyright so not replicated here.)

Principles-based?

Principles-based regulation prescribes the outcome and rationale (what and why) and gives some latitude on how it is done with the exception of a few mandatory items that are defined broadly enough to allow an approach that is fit-for-purpose.

Todd Davies, Submission on the Standards Exposure Draft

I had promised myself I wasn’t going to reconcile between what I asked the IIA to consider and where they landed on things. But the task became necessary for other reasons.

I’m pleased to report that most things were acted on and the public submissions made a difference. In their own words:

One of the key themes in IIA’s report on the changes and decisions on the exposure draft was the prescriptive nature of the Standards (Theme 1).

They have addressed this theme by making it clear that Considerations for Implementation are exactly that. While they may be “common or preferred” they are not mandatory. These have the word “should” against them. The word “should” appears 266 times. That’s a lot of preferred practice.

Similarly, Evidence of Conformance, which could appear to be mandatory, is now called Examples of Evidence of Conformance to “emphasize the listed items are only examples, and not a checklist of requirements”, addressing the concern raised that these might become a default checklist of things to do and how to do them. It’s still potentially a regression to a previous mean, but it’s a step forward.

Sounds good right?

Well, kinda.

I’d commented before that the number of mandatory requirements had increased to 220+ things that people must do.

I’ve now done the math. It’s a lot.

  • 15 Principles
  • 52 Standards within those principles
  • 223 Mandatory requirements (must) within those standards (down from 255 in the exposure draft)
  • 266 suggestions on how you should do it, or explain why your idea is better (probably to a regulator or reviewer)
  • 566 things to consider in total.

And that’s before considering example evidence of conformance from old practice guides and prior common practice that might not fit what is right for your organisation for right now. Here’s the heat map (examples of conformance not included).

Comprehensive and complete? Yes.

Streamlined and easy? Maybe, but quite a meal to digest and document.

Breaking it up by sections helps a lot, and while I wasn’t initially a fan of segmenting the document by responsibility, it will definitely help with delegation and implementation.

So why the hoo-hah about Topical Requirements?

So 275 mandatory things to do (standards + mandatory items) and you’re done right?

Not so fast. Now there are potentially Topical Requirements as well – a concept currently out for comment.

Note the term “requirements”, not guidance. In the IIA’s own words, the Topical Requirements as proposed are:

  • Required when providing assurance on a specified risk area… and
  • Subject to external quality assessment.

While everything else raised in my submission seems to have been actioned, the comment on topical requirements did not receive a mention. Not a single word. IIA has been silent on this and seems to be forging ahead with yet more (conditional) mandatory requirements.

In my view this is madness. As I said in my submission:

Topical Requirements. There is a proposal for even more requirements but only if you bump into them. The proposal looks like a minefield full of trip wires. Guidance is always appreciated but additional conditional mandatory items are a really bad idea.

Todd Davies, Submission on the Standards Exposure Draft

IIA has addressed everything else commendably. This one is a potential problem, particularly for organisations that are well-progressed.

One size doesn’t fit all

I’ve worked with 200-300 organisations around the world in audit and risk as an expert advisor, chief auditor, outsourced head of audit, and Audit & Risk Committee Chair, all with a keen eye to what best practice looks like. This experience set would be wider than most.

What I can honestly say is that they’re all different, even if they’re within the same sector and geography. The baseline and principles may be similar, but the chances of prescriptive guidance being fit for purpose are remote. The “what” rarely changes. The “how” nearly always does.

I’ve also been chasing internal audit best practice for 25+ years. What I can say about this is that it’s constantly evolving. Today’s best practice is tomorrow’s norm, and today’s good is tomorrow’s irrelevant. These days I’ve taken the view that being fit-for-purpose is what matters most. Mandatory requirements are the antithesis of this.


The first Topical Requirement out for exposure is cyber. It’s an important topic, but there’s a problem with the mandatory nature of what’s proposed. I assume the same problem would apply to other Topical Requirements.

In this case, my read is that if you have a wide-ranging cyber internal audit program (as most internal audit functions do or should), then you have to run the IIA’s playbook as defined in the 2024 Topical Requirements (prescriptive) and have it included in your EQA for review (requiring either an expert reviewer on the team or, more likely, tick-box compliance).

Cyber is evolving quickly. As I’ve said in feedback to the IIA, as an Audit and Risk Committee Chair, if I were to request or endorse a cyber audit (which I do often), I’d seek the Chief Auditor’s guidance on what to focus on and how to chunk it over multiple years (as I do now).

Topical Requirements get in the way of this, promoting a one-size-fits-all approach that isn’t fit for purpose. I wouldn’t sponsor a cyber review as proposed in Topical Requirements.

As guidance to help people get to a common baseline, possibly. But many are way ahead of this. And the field is moving quickly. Even reframing this as a Good Practice Guide would be a challenge given how fast things are moving. It will date quickly.

I have often said that putting IIA’s guidance ahead of the organisation’s needs is a recipe for a new Chief Auditor being appointed. This is far less so with the new standards, but in my view, many Topical Requirements could fit firmly and squarely in this category.

Going back to the session I was preparing for, I asked where the CAEs were at with the standards. One very experienced CAE was well advanced and had found, as I did, that these are a huge job to document but also a huge step forward. By contrast, another reported that their Audit Committee Chair described the IIA Standards as mildly interesting, but not something that should be blindly conformed with.

IIA has an opportunity to shift the dial enormously and cement the win. Or undermine the gains by publishing many Topical Requirements and making them mandatory.

My advice to the IIA would be to pull back on the mandatory nature of Topical Requirements. Guidance is always appreciated. Mandatory requirements are less so. One size doesn’t fit all.

I believe IIA’s consultation process is still open. If you share these views, I encourage you to get in touch with the IIA via the consultation link above.

TD
