The chair of the Global board of The Institute of Internal Auditors corrected a posting of mine in LinkedIn a couple of weeks ago.
I acknowledge his comment.
I also think I have a point too! Well, I would, right?
I referred to the “new” public sector internal audit standards and he pointed out that they weren’t new; but more an adjustment of a number of existing standards, “in the rather quaint UK way of doing things”.
A lot of people worked hard and seriously from March 2012 to March 2013 to put together a unified set of internal audit standards for the UK public sector. Several sub-sectors make up the UK public sector: central government, local government, devolved governments and, of course, health, being the main ones. Now, from 1 April 2013, they share a set of internal audit standards. In addition, there is a mechanism that will ensure that those standards are always up to date. It is an achievement worthy of congratulation, even if it was at the same time based on previous projects over the years.
So, what is the history? Well, from the last decades of the twentieth century many of these sectors based their internal audit manuals and standards on the standards provided by The Institute of Internal Auditors (The IIA). For example, the central Government Internal Audit Standards (GIAS) from the 1990s explicitly acknowledged The IIA standards and the Chartered Institute of Public Finance and Accountancy (CIPFA) based its Code of Practice for local government on GIAS.
So, Phil is right, the UK public sector has had internal audit standards for some time and they have been based on The IIA standards.
However, during the noughties, the UK public sector did not update their standards. They, therefore, missed the huge changes that The IIA made to their standards at the turn of the millennium. The introduction of the Professional Practices Framework (PPF) around 2000 and the refinement of the framework into the current International Professional Practices Framework (IPPF) in 2009 changed the look and content of the international standards – and the UK public sector was in danger of being radically out of alignment with them.
At the same time as The IIA was developing the IPPF, HM Treasury, the UK’s finance ministry, undertook a project to re-align GIAS with the international best practice. This time, not only were UK central government’s internal audit standards to acknowledge The IIA’s standards, but they actually incorporated The IIA’s standards, adding more detailed “UK Central Government Requirements” where absolutely necessary. This new version of GIAS came into force in April 2009. A similar set of standards for the health sector followed a couple of years later.
However, the Code of Practice for local government, last updated by CIPFA in 2006, did not yet incorporate The IIA standards. So there was a mixed bag of standards across the public sector at a time when the drive was for whole of government accounts and joint working between different parts of the public sector. In addition, the experience of updating GIAS and, in particular, the health standards highlighted how much effort this required. It was not clear, despite all the best will in the world, how these standards were going to keep up-to-date with regular changes in the global context.
That’s the point when The IIA’s local affiliate, Chartered Institute of Internal Auditors (Chartered IIA), and CIPFA came together to create something that would acknowledge international best practice, implement it for the particular needs of the UK public sector, allow consistent practice in all parts of the UK public sector and provide a sustainable and durable structure that would make sure the standards were always up to date. Working with HM Treasury, the two professional bodies recruited all the organisations who are responsible for setting internal audit standards in different parts of the UK public sector, set up a single advisory board to coordinate the work and to advise those standards setters on how to implement The IIA standards – and completed the work in just over a year!
Now you may say that there should be only one internal audit standard setter: the International Internal Audit Standards Board (IIASB), established and maintained by The IIA. And, you may ask why the UK public sector can’t simply take The IIA’s standards without all this fuss. But, remember, however well established and well-known are international standards boards, there is always some local, sovereign group that regulates or legislates the implementation of their standards.
Think about the two examples that might be most familiar to many internal auditors: the external audit “International Standards on Auditing” and the accounting “International Financial Reporting Standards”. They are not in use in the UK just because the two boards responsible for them – IFAC’s International Auditing and Assurance Standards Board (IAASB) and the International Accounting Standards Board (IASB) – issue the standards. No, there is legislation that mandates their use in the UK – so the UK government is in fact the “standard setter” for the UK. In addition, the UK government established standards boards, overseen by the Financial Reporting Council, which review the outputs from the international boards; consult with UK external auditors, companies, users of accounts and other interested parties; and issue UK versions of the standards, which do sometimes have additional or different requirements. Similar structures exist for the implementation of the International Public Sector Accounting Standards (IPSAS) issued by the IPSAS-Board (IPSASB).
The UK government to date has passed no legislation mandating which standards internal auditors must use. There is regulation that requires there to be “proper practices” in place for local government – and guidance from the responsible UK government ministry identifies which documents contain those proper practices. However, there are groups within government who are responsible for determining which standards their internal auditors should use. De facto, they set the standards for internal audit in their part of the UK public sector. They are the groups now collectively known as the Relevant Internal Audit Standards Setters (RIASS). The new Public Sector Internal Audit Standards Advisory Board (IASAB), peopled by knowledgeable and interested parties, with an independent chair, provides an efficient conduit, taking The IIA’s standards and advising the RIASS on implementation.
I keep talking about The IIA’s standards. What I mean are the mandatory elements of the IPPF. So, UK public sector internal auditors follow The Definition of Internal Auditing, The Code of Ethics and the International Standards for the Professional Practice of Internal Auditing, with minimal extra requirements to meet the needs of the UK public sector.
So, this is the “quaint” way that the UK public sector has gone about acknowledging, recognising and accepting The IIA’s standards. It builds on a long tradition of recognising The IIA’s role in setting international standards in this area. It embodies a particular British style and tradition. But, as I said at the start, the unified standards and the sustainable mechanisms that will maintain them are new and worth celebrating. And, The IIA should be justifiably pleased that its role as an international standard setter has been acknowledged in such a durable institution.