Insights from the Global Internal Audit Standards Glossary


Can you understand an entire body of work from reading the glossary? Maybe.

This is the first in a series of my first impressions on the 2024 Global Internal Audit Standards – the biggest changes in nearly a decade – starting with the Glossary.


Words and definitions

You know you’re really nerding out when you start reading a book by reading the glossary first.

Or maybe that’s what experts do. If I recall rightly, the best thinkers in the internal audit field did this too. You know the crowd – the Beacon Award winners, the top thought leaders on the planet. That crowd.

You can tell a lot from a glossary about clarity of thought and intent.

In the same way that a great risk appetite statement can tell you the strategy and business model and industry of the company, a glossary can also tell you a lot of what you need to know.

Words and definitions matter. Precision matters. You can’t be loose with a glossary. It’s the anchor for everything and the summary of the work.

Confused and wordy definitions? The thinking needs a final shake out or two.

Elegant and simple? Maybe the team are nearing mastery.

This is true for any comms document but is particularly important for Standards and reference documents, which is why they take so much work to get right.

In this case these documents will be used around the world, mandated by regulators (possibly without context) and translated into many languages, with all the confusion that comes with this.

I was very critical of the draft glossary in my submission to the IIA Standards Board. It still needed a shakeout. And the stakes were too high to get this wrong. This is what I said.

Is it possible to like a glossary?

Yes. It seems it is.

You can imagine my pleasant surprise when I had a cold read nearly 12 months later.

The final version is elegant, and surprisingly so.

I’m not sure why. Maybe it’s nice typesetting, the music I’m listening to or the right balance of caffeine while the sun’s out. Maybe it comes from not trying to make a submission or make a carousel on a laptop in a hotel the night before chairing a crammed ARC agenda. Whatever the reason, I found myself liking the glossary.

It’s clean and elegant, which is normally a sign of clear, tight thinking.

I even get the impression that I’ll refer to it often.

Pretty rare for a glossary.

A few controversial points

There are a few points that will stir a few people up.

I can already imagine the risk commentariat racing to their keyboards with pitchforks in hand when they read the definitions of inherent and residual risk.

Good I say. These are useful and necessary concepts for auditors – even if the risk people will never understand us.

Saying that a risk assessment is typically assessed in terms of impact and likelihood? Yes, probably right, but probably also a bit narrow. I never understood the rage against the 5×5 matrix. I still find it pretty useful in the captain’s bridge even if it causes head scratching in the gunnels of the ship.

And then reasonable assurance thrown into the definition of risk management? Such controversy.

Here are a few annotations.

Helpful clarity.

That aside, I really like where the team has got to on the rest of the definitions.

A lot of it gives clarity that’s been desperately needed for years. And locks in some of the concepts that I’ve been espousing for the last 20 years or so.

Here are a few examples.

  • Advisory services (formerly consulting services) is now tightly defined. It’s other. Sundries. Not the assurance stuff. Put another way, if an engagement is not assurance it’s advisory. (This also means if an engagement isn’t advisory then it’s assurance. This will get the lawyers, insurers and professional practices people at the firms excited).

  • Assurance. It’s not the IFAC or IAASB definition, but I’m kind of glad about this. If you’re increasing stakeholder confidence you’re providing assurance. (And those stakeholders should be able to rely on it). That’s pretty clear.

  • Engagement. If you don’t have specific goals and objectives it’s not an engagement. Controversial? Maybe. Necessary? Absolutely.

  • Must, should, may. Clear definitions on what is mandatory, recommended or just friendly advice. Hopefully the balance is right. The word must has increased 80% in this version of the standards. I’ll write about that in a later post.

  • Engagement Conclusion? The Internal Auditors’ judgement when considering all engagement findings collectively. Actually, not sure I like that one. It sounds like negative assurance to me, which is a concept more at home in a Monty Python skit, but I’ll come back to that later.

My conclusion?

Other than things that boffins like me will tie themselves in knots about, it’s a pretty good document. And better than many that I attempt to wade through. I think it will serve us well.


Why am I reading and writing about the GIAS Glossary?

Great question.

All Standards are dry and hard work.

People need to know them but don’t want to read them, and they can become a monkey on people’s backs for years. Maybe even five. (If you understand the in-joke on this, first correct answer gets a free virtual coffee with me).

Back to the reason.

I’m putting together some mastermind groups with a small number of very bright people who will be using the standards to set the next generation of best practice. The plan is to learn, innovate, have a lot of fun along the way and conquer everything in the Standards (including being ready for year 1 compliance) in a single school term.

If you’re in our VIP tribe you’ll hear about this soon. Places will be limited. You can register your interest by talking to us or dropping us a line here.

I’ll be doing a slow methodical read of the Standards in the coming weeks.

If you’d like to hear more about this, make sure you’re following me on LinkedIn or subscribed to The Davies Report. We’ll aim to make a dry subject enjoyable. After all, it’s too important not to.

As always, thanks for all you do.

Todd Davies