“New” internal audit standards in the UK public sector?

The chair of the Global board of The Institute of Internal Auditors corrected a posting of mine in LinkedIn a couple of weeks ago.

I acknowledge his comment.

I also think I have a point too!  Well, I would, right?

I referred to the “new” public sector internal audit standards and he pointed out that they weren’t new; but more an adjustment of a number of existing standards, “in the rather quaint UK way of doing things”.

A lot of people worked hard and seriously from March 2012 to March 2013 to put together a unified set of internal audit standards for the UK public sector.  Several sub-sectors make up the UK public sector: central government, local government, devolved governments and, of course, health, being the main ones.  Now, from 1 April 2013, they share a set of internal audit standards.  In addition, there is a mechanism that will ensure that those standards are always up to date. It is an achievement worthy of congratulation, even if it was at the same time based on previous projects over the years.

So, what is the history?  Well, from the last decades of the twentieth century many of these sectors based their internal audit manuals and standards on the standards provided by The Institute of Internal Auditors (The IIA).  For example, the central Government Internal Audit Standards (GIAS) from the 1990s explicitly acknowledged The IIA standards and the Chartered Institute of Public Finance and Accountancy (CIPFA) based its Code of Practice for local government on GIAS.

So, Phil is right, the UK public sector has had internal audit standards for some time and they have been based on The IIA standards.

However, during the noughties, the UK public sector did not update their standards.  They, therefore, missed the huge changes that The IIA made to their standards at the turn of the millennium.  The introduction of the Professional Practices Framework (PPF) around 2000 and the refinement of the framework into the current International Professional Practices Framework (IPPF) in 2009 changed the look and content of the international standards – and the UK public sector was in danger of being radically out of alignment with them.

At the same time as The IIA was developing the IPPF, HM Treasury, the UK’s finance ministry, undertook a project to re-align GIAS with the international best practice.  This time, not only were UK central government’s internal audit standards to acknowledge The IIA’s standards, but they actually incorporated The IIA’s standards, adding more detailed “UK Central Government Requirements” where absolutely necessary.  This new version of GIAS came into force in April 2009.  A similar set of standards for the health sector followed a couple of years later.

However, the Code of Practice for local government, last updated by CIPFA in 2006, did not yet incorporate The IIA standards.  So there was a mixed bag of standards across the public sector at a time when the drive was for whole of government accounts and joint working between different parts of the public sector.  In addition, the experience of updating GIAS and, in particular, the health standards highlighted how much effort this required.  It was not clear, despite all the best will in the world, how these standards were going to keep up-to-date with regular changes in the global context.

That’s the point when The IIA’s local affiliate, Chartered Institute of Internal Auditors (Chartered IIA), and CIPFA came together to create something that would acknowledge international best practice, implement it for the particular needs of the UK public sector, allow consistent practice in all parts of the UK public sector and provide a sustainable and durable structure that would make sure the standards were always up to date.  Working with HM Treasury, the two professional bodies recruited all the organisations who are responsible for setting internal audit standards in different parts of the UK public sector, set up a single advisory board to coordinate the work and to advise those standards setters on how to implement The IIA standards – and completed the work in just over a year!

Now you may say that there should be only one internal audit standard setter: the International Internal Audit Standards Board (IIASB), established and maintained by The IIA.  And, you may ask why the UK public sector can’t simply take The IIA’s standards without all this fuss.  But, remember, however well established and well-known are international standards boards, there is always some local, sovereign group that regulates or legislates the implementation of their standards.

Think about the two examples that might be most familiar to many internal auditors: the external audit “International Standards on Auditing” and the accounting “International Financial Reporting Standards”.  They are not in use in the UK just because the two boards responsible for them – IFAC’s International Auditing and Assurance Standards Board (IAASB) and the International Accounting Standards Board (IASB) – issue the standards.  No, there is legislation that mandates their use in the UK – so the UK government is in fact the “standard setter” for the UK.  In addition, the UK government established standards boards, overseen by the Financial Reporting Council, which review the outputs from the international boards; consult with UK external auditors, companies, users of accounts and other interested parties; and issue UK versions of the standards, which do sometimes have additional or different requirements.  Similar structures exist for the implementation of the International Public Sector Accounting Standards (IPSAS) issued by the IPSAS-Board (IPSASB).

The UK government to date has passed no legislation mandating which standards internal auditors must use.  There is regulation that requires there to be “proper practices” in place for local government – and guidance from the responsible UK government ministry identifies which documents contain those proper practices.  However, there are groups within government who are responsible for determining which standards their internal auditors should use.  De facto, they set the standards for internal audit in their part of the UK public sector.  They are the groups now collectively known as the Relevant Internal Audit Standards Setters (RIASS).  The new Public Sector Internal Audit Standards Advisory Board (IASAB), peopled by knowledgeable and interested parties, with an independent chair, provides an efficient conduit, taking The IIA’s standards and advising the RIASS on implementation.

I keep talking about The IIA’s standards.  What I mean are the mandatory elements of the IPPF.  So, UK public sector internal auditors follow The Definition of Internal Auditing, The Code of Ethics and the International Standards for the Professional Practice of Internal Auditing, with minimal extra requirements to meet the needs of the UK public sector.

So, this is the “quaint” way that the UK public sector has gone about acknowledging, recognising and accepting The IIA’s standards.  It builds on a long tradition of recognising The IIA’s role in setting international standards in this area.  It embodies a particular British style and tradition.  But, as I said at the start, the unified standards and the sustainable mechanisms that will maintain them are new and worth celebrating.  And, The IIA should be justifiably pleased that its role as an international standard setter has been acknowledged in such a durable institution.

6 words for my readers

I just want to say:

Thank you and I’ll be back!

Thank you for reading.

I’m not going to be posting for a while.  I’m packing up our life in Australia and travelling home to the UK.  When I’m settled in, I aim to start posting again.

See you back here in June 2013!

Don’t wallow in problems; make things better

Oh, Mike Figliuolo, how you wound me up! You’ve even stirred me from my self-imposed professional blogging hiatus.

Mike’s crime? Retweeting an old blog with that old chestnut in the title: “don’t bring problems, bring solutions!”

So, what’s my problem? Well, my experience has been that when the phrase is used in real life it is normally a symptom of careless and thoughtless management. It is an excuse for not providing adequate direction and support to staff.

I believe in the power and value of an observer who can see a problem before anyone else and can articulate it. However, there is no law that says that such a person will have all the knowledge and skills to put together a sound, effective answer to the problem.

Having read Mike’s blog (and thought it through a little more), I’m not sure we disagree that much.

The point is not the knee-jerk trotting out of: “don’t bring me problems”. It’s about challenging yourself – and the people you lead – to re-frame the problems you see so that you can improve the situation.

Read the blog for yourself. Find it here. It’s a very reasonable and sensible piece.

It’s not simply about being the heroic solution-provider. It’s about changing the perspective from what is going wrong to what you are trying to achieve and what you can do to achieve it. And, that, my friends, is a very worthwhile idea to take with you.

I’ve observed many times people complaining about the problems they face but in a way that suggests that they just don’t want to fix the problems. It’s as if their complaining is a team-building exercise.

The questions to ask are:

  • Well, I’m seeing all these problems but what do I want the world to be like? What’s the goal here?
  • What do I need to do to make that happen?
  • What help do I need – either to answer the first three questions or to implement a solution?

This can be a much more positive and fun team-building exercise than complaining all the time.

And, who’s Mike Figliuolo? He’s a practitioner and trainer in leadership, strategy, communications, etc. Find his web site here and his tweets here. Thanks for the new ideas, Mike.

Need to tell

I am not a natural communicator – so I’m fascinated by the topic.  How much should you communicate to employees, for example?

After seeing him speak at IIA-Australia’s Western Australian conference in 2012 – it was great, you should go – I subscribe to a newsletter issued monthly by Jurek Leon.  He describes himself as “a speaker, trainer and retail consultant, with practical tips, ideas and down-to-earth examples on word-of-mouth marketing, motivation, customer focused selling and designing and managing the customer experience”.

In his February 2013 newsletter, he quotes a story from another marketing specialist, Canadian Donald Cooper.  And it got me thinking.

Now, I’m not sure how much to quote from the newsletters since I’m not getting permission.  Let’s just say Mr Cooper told a story of staff in a manufacturing plant.  Every time they saw suited and booted visitors tramp around their factory floor, they started worrying over the idea of a takeover and potential job losses.  The solution: put up a notice board telling everyone ‘Who Will Be Visiting This Week’.  This simple idea turned around the situation.

There’s more to the story – sign up to the two newsletters:

  • Mr Leon’s – here
  • Mr Cooper’s – here

Well, what did it get me thinking?

I was thinking about the idea of people having a “need to know”.  This I believe is what drives the decision making of people like me who are natural technical people.  So, we ask ourselves what do our people need to know and when, and we answer those questions from our own perspective.

Why do the people on the factory floor need to know who is coming?  I don’t want to bother them with the information.  I’m not asking them to do anything about it.

Of course, from the perspective of the people on the factory floor, this is something happening on their home turf.  They are naturally curious and rumours – often wild ones – spring up to fill the vacuum.  Maybe one way to look at it is that it is polite to tell people when they have visitors.

What occurred to me is that, even when they don’t see a need-to-know, leaders always have a need to tell.

Enjoy the newsletters!

Related audit but not the audit question asked? A repost from ChiefAuditExecutive


I agree with the sentiments that Chiefauditexecutive expresses.

But then, I guess, I would.

The premise of the Institute of Internal Auditors, for which I’ve worked for nine years, is that internal auditing is a separate profession, even if it is closely allied to professions like the external auditing part of accountancy.  That means internal auditors need a different basket of competencies and it makes sense to have those recognised by obtaining a qualification like Chartered Internal Auditor in the UK and Ireland or CMIIA (Aust) in Australia or a certification like CIA.

So, roll up, roll up – enrol, get your skills recognised and help build the profession!

On Murdoch and governance

Lots of fuss about the News Corp AGM, its style and outcomes. But, really, is this news? It isn’t new. It isn’t surprising. It isn’t very helpful.

If you invest in News Corp, you clearly aren’t investing in a normal quoted company. The share structure shows that. It is not hidden.

You are investing in Rupert Murdoch and in his judgement and in the organisation’s ability to execute his ideas. His risk appetite is high. He takes big bets – on colour presses, on pay TV. This is great as long as he is right.

The whole panoply of governance is not solely focused on mitigating the risk of relying on a single person but that is part of it. You might therefore think I’d be arguing on the side of those who wanted change at News Corp. Well, in one way, yes! But, my main point here is that the requirements of governance should not take away the responsibility from shareholders, investors and fund managers to read the signs and make their own judgements – which might also be wrong!

So, yes, News Corp does not meet the characteristics of the majority of companies! If it’s too rich for your blood, don’t invest. Or include it at that risky end of your portfolio.

(Actually, that is really mean to the truly interventionist fund managers who try to improve overall governance standards by commenting and voting, rather than cutting and running to protect their own investments. But sometimes maybe you have to admit defeat, retire from the battle and hope to win the war.)

Accountability and responsibility – a follow-up

Firstly, asking for feedback and not enabling comments is a pretty basic error – sorry about that.

Second, one of my colleagues from the UK has provided a really interesting comment on LinkedIn:

“My industry has the concept of a “RACI”. Accountability: the person with whom the buck stops and usually the decision authority; Responsibility: the person that does the work (usually reports to the Accountable party); Consultee: individuals who need to be involved prior to decisions being taken (advisors or stakeholders); and Information Recipients: those impacted by the decisions – they need to be told, but have no say. In this way a Director may be accountable but a manager responsible for delivery.”

It strikes me that this might provide a really useful model for thinking about the role of Chief Audit Executive. I shall ponder further on this.

Responsibility and accountability

In the course of my duties I came across someone suggesting that CAEs should be responsible, but not accountable, for conforming with the IPPF, in particular the standards. My jaw dropped. What is this crazy suggestion? What is the difference between responsible and accountable? So I looked it up.

Conscious of being accused of British bias, I used both a World English and an American English dictionary. That gave me my first lesson. In British English, accountable can be a synonym for responsible but this is not the case in American English.

Apart from that, the results are fairly consistent. The two dictionaries agree that being responsible means you have the duty to do something and can be blamed or credited if you do something or fail to do it; they also agree that accountability is being required or expected to justify actions or decisions.

There is therefore a difference in degree. If you are responsible, you have to do it. If you are accountable, you have to be seen to have done it.

I can see that getting the profession to agree and to implement the idea of Responsibility might be considered a first step. However, we are seeking to act on the West End Stage or Broadway of the governance theatre, not in a small community hall in the back of beyond. So perhaps we need to skip the first step and to accept the accountability that we expect of other actors in the governance drama!

Who’s cheering and who’s booing? Leave me a comment and let me know.


Oxford Dictionary of English

Accountability – the fact or condition of being accountable; responsibility

Accountable – required or expected to justify actions or decisions; responsible

Responsibility – the state or fact of having a duty to deal with something or of having control over someone; the state or fact of being accountable or to blame for something; the opportunity or ability to take decisions without authorisation.

Responsible – having an obligation to do something or having control over someone; being the primary cause of something and so able to be blamed or credited for it; involving important duties, independent decision-making or control over others.

New Oxford American Dictionary

Accountable – required or expected to justify actions or decisions; explicable, understandable

Responsibility – the state or fact of having a duty to deal with something or of having control over someone; the state or fact of being accountable or to blame for something; the opportunity or ability to act independently and take decisions without authorisation.

Responsible – having an obligation to do something or having control over someone; being the primary cause of something and so able to be blamed or credited for it; involving important duties, independent decision-making or control over others.

Diddums den! Company directors are finding it all too hard.

Directors have been told what’s what!  No, I’m not talking about British MPs and their views of Rupert Murdoch’s fitness to serve.  I’m talking about the fall-out from two court cases brought by the Australian Securities and Investments Commission (ASIC): James Hardie and Centro.  The lessons people are drawing from the judgements include:

  • Directors must read documents.
  • Directors can’t rely on others.
  • They must read the financial statements and form their own judgements.
  • They must read board minutes before approving them.
  • They have a responsibility to see that board minutes and statements to the stock exchange are accurate.

Is this really so onerous?

Holding directors to account doesn’t happen everywhere.  Directors’ duties are spelt out in UK corporate law but until they are tested in the courts the question remains: are they enforceable and, if not, are they worth the electronic bits and bytes in which they are written?  However, the UK Corporate Governance Code does provide further guidance to directors on what they should do to fulfil their responsibilities. Perhaps the ASX Corporate Governance Principles and Recommendations need an overhaul to provide real guidance to directors.  The place to start is to consult with shareholders and governance experts to find out what they expect from their board of directors.  The Australian Institute of Corporate Directors is calling for a wider policy debate on this issue.

At the same time, many commentators are saying that we shouldn’t enforce the accountability of directors because it will put people off taking the job.  But, if we don’t insist that people meet the requirements of the job, what’s the point of having them there in the role?

The concerns expressed about delegation are more worrying.  Yes, sitting at the apex of a large modern corporate is daunting – that’s why these directors get the big bucks.  But, the principles of delegation stand:

  1. You delegate the task but not the responsibility.
  2. You have a responsibility to assess the quality of the people or organisations to whom you are delegating.
  3. You have to insist on receiving reports that enable you to assess whether you think a good job has been done or not.
  4. You assess all of this by receiving different information from different sources and forming your own judgements.
  5. You are accountable for those judgements.

It is a big question for senior managers and directors: how do you know?  If you set a policy and hire a staff and set them to implement the policy, how do you know that it is being done the way you want it to be?  As an observer, I’ve long wondered how the members of the board and C-suite can do their jobs and I’ve admired their ability.  In recent years I was also amazed to hear a well-respected governance guru state clearly that he didn’t – couldn’t – know what was going on throughout the organisation – and that he relied on internal audit as a key source of reliable information to help him fulfil his duties as a director.

Which brings us to what’s in it for internal audit.  Internal audit is a cornerstone of governance, not because board directors can simply abdicate their responsibilities and pass all of it to internal audit, but because it is a source of information that is within the organisation, understanding the nuances of aspiration and attainment within the organisation, yet organisationally independent of the main management reporting line.  To fulfil that role the internal auditor needs to be a professional, advocating, insisting on and following the professional standards promulgated by the Institute of Internal Auditors – the International Professional Practices Framework.

So, my message to the hard-pressed corporate director: recognise that you are accountable; delegate deliberately and intelligently; create multiple sources of information; weigh them up against each other; insist on having high quality internal audit to support you; and step up to provide visible and effective support for that professional internal auditor.

Very interesting. Should internal auditors be considering the community and moral aspects of risks? Is this part of what is meant by the public interest of our profession?


I have been struck by all of the Titanic centenary memorials and programmes, much like the ship itself, out of my compartmentalised risk management thinking. It is not man’s natural state to risk manage, but have we really progressed so little that scenes from the Costa Concordia in 2012 could be quite happily spliced into footage of the Titanic film relating to 1912? Would I, if they had had internal audit in 1910-14, have raised the question about lifeboats and an effective ‘plan B’ if I were White Star or Harland and Wolff’s auditors?

Well I could do the internal auditor’s ‘told you so dance’ (one of the few and secret pleasures an internal auditor can take when clients do not act on advice), but this is not helpful. I would far rather see companies, organisations and leaders take a more risk managed approach to life and their businesses.

