“New” internal audit standards in the UK public sector?

The chair of the Global board of The Institute of Internal Auditors corrected a posting of mine in LinkedIn a couple of weeks ago.

I acknowledge his comment.

I also think I have a point too!  Well, I would, right?

I referred to the “new” public sector internal audit standards and he pointed out that they weren’t new; but more an adjustment of a number of existing standards, “in the rather quaint UK way of doing things”.

A lot of people worked hard and seriously from March 2012 to March 2013 to put together a unified set of internal audit standards for the UK public sector.  Several sub-sectors make up the UK public sector: central government, local government, devolved governments and, of course, health, being the main ones.  Now, from 1 April 2013, they share a set of internal audit standards.  In addition, there is a mechanism that will ensure that those standards are always up to date. It is an achievement worthy of congratulation, even if it was at the same time based on previous projects over the years.

So, what is the history?  Well, from the last decades of the twentieth century many of these sectors based their internal audit manuals and standards on the standards provided by The Institute of Internal Auditors (The IIA).  For example, the central Government Internal Audit Standards (GIAS) from the 1990s explicitly acknowledged The IIA standards and the Chartered Institute of Public Finance and Accountancy (CIPFA) based its Code of Practice for local government on GIAS.

So, Phil is right, the UK public sector has had internal audit standards for some time and they have been based on The IIA standards.

However, during the noughties, the UK public sector did not update their standards.  They, therefore, missed the huge changes that The IIA made to their standards at the turn of the millennium.  The introduction of the Professional Practices Framework (PPF) around 2000 and the refinement of the framework into the current International Professional Practices Framework (IPPF) in 2009 changed the look and content of the international standards – and the UK public sector was in danger of being radically out of alignment with them.

At the same time as The IIA was developing the IPPF, HM Treasury, the UK’s finance ministry, undertook a project to re-align GIAS with the international best practice.  This time, not only were UK central government’s internal audit standards to acknowledge The IIA’s standards, but they actually incorporated The IIA’s standards, adding more detailed “UK Central Government Requirements” where absolutely necessary.  This new version of GIAS came into force in April 2009.  A similar set of standards for the health sector followed a couple of years later.

However, the Code of Practice for local government, last updated by CIPFA in 2006, did not yet incorporate The IIA standards.  So there was a mixed bag of standards across the public sector at a time when the drive was for whole of government accounts and joint working between different parts of the public sector.  In addition, the experience of updating GIAS and, in particular, the health standards highlighted how much effort this required.  It was not clear, despite all the best will in the world, how these standards were going to keep up-to-date with regular changes in the global context.

That’s the point when The IIA’s local affiliate, Chartered Institute of Internal Auditors (Chartered IIA), and CIPFA came together to create something that would acknowledge international best practice, implement it for the particular needs of the UK public sector, allow consistent practice in all parts of the UK public sector and provide a sustainable and durable structure that would make sure the standards were always up to date.  Working with HM Treasury, the two professional bodies recruited all the organisations who are responsible for setting internal audit standards in different parts of the UK public sector, set up a single advisory board to coordinate the work and to advise those standards setters on how to implement The IIA standards – and completed the work in just over a year!

Now you may say that there should be only one internal audit standard setter: the International Internal Audit Standards Board (IIASB), established and maintained by The IIA.  And, you may ask why the UK public sector can’t simply take The IIA’s standards without all this fuss.  But, remember, however well established and well-known are international standards boards, there is always some local, sovereign group that regulates or legislates the implementation of their standards.

Think about the two examples that might be most familiar to many internal auditors: the external audit “International Standards on Auditing” and the accounting “International Financial Reporting Standards”.  They are not in use in the UK just because the two boards responsible for them – IFAC’s International Auditing and Assurance Standards Board (IAASB) and the International Accounting Standards Board (IASB) – issue the standards.  No, there is legislation that mandates their use in the UK – so the UK government is in fact the “standard setter” for the UK.  In addition, the UK government established standards boards, overseen by the Financial Reporting Council, which review the outputs from the international boards; consult with UK external auditors, companies, users of accounts and other interested parties; and issue UK versions of the standards, which do sometimes have additional or different requirements.  Similar structures exist for the implementation of the International Public Sector Accounting Standards (IPSAS) issued by the IPSAS-Board (IPSASB).

The UK government to date has passed no legislation mandating which standards internal auditors must use.  There is regulation that requires there to be “proper practices” in place for local government – and guidance from the responsible UK government ministry identifies which documents contain those proper practices.  However, there are groups within government who are responsible for determining which standards their internal auditors should use.  De facto, they set the standards for internal audit in their part of the UK public sector.  They are the groups now collectively known as the Relevant Internal Audit Standards Setters (RIASS).  The new Public Sector Internal Audit Standards Advisory Board (IASAB), peopled by knowledgeable and interested parties, with an independent chair, provides an efficient conduit, taking The IIA’s standards and advising the RIASS on implementation.

I keep talking about The IIA’s standards.  What I mean are the mandatory elements of the IPPF.  So, UK public sector internal auditors follow The Definition of Internal Auditing, The Code of Ethics and the International Standards for the Professional Practice of Internal Auditing, with minimal extra requirements to meet the needs of the UK public sector.

So, this is the “quaint” way that the UK public sector has gone about acknowledging, recognising and accepting The IIA’s standards.  It builds on a long tradition of recognising The IIA’s role in setting international standards in this area.  It embodies a particular British style and tradition.  But, as I said at the start, the unified standards and the sustainable mechanisms that will maintain them are new and worth celebrating.  And, The IIA should be justifiably pleased that its role as an international standard setter has been acknowledged in such a durable institution.


6 words for my readers

I just want to say:

Thank you and I’ll be back!

Thank you for reading.

I’m not going to be posting for a while.  I’m packing up our life in Australia and travelling home to the UK.  When I’m settled in, I aim to start posting again.

See you back here in June 2013!

Don’t wallow in problems; make things better

Oh, Mike Figliuolo, how you wound me up! You’ve even stirred me from my self-imposed professional blogging hiatus.

Mike’s crime? Retweeting an old blog with that old chestnut in the title: “don’t bring problems, bring solutions!”

So, what’s my problem? Well, my experience has been that when the phrase is used in real life it is normally a symptom of careless and thoughtless management. It is an excuse for not providing adequate direction and support to staff.

I believe in the power and value of an observer who can see a problem before anyone else and can articulate it. However, there is no law that says that such a person will have all the knowledge and skills to put together a sound, effective answer to the problem.

Having read Mike’s blog (and thought it through a little more), I’m not sure we disagree that much.

The point is not the knee-jerk trotting out of: “don’t bring me problems”. It’s about challenging yourself – and the people you lead – to re-frame the problems you see so that you can improve the situation.

Read the blog for yourself. Find it here. It’s a very reasonable and sensible piece.

It’s not simply about being the heroic solution-provider. It’s about changing the perspective from what is going wrong to what you are trying to achieve and what you can do to achieve it. And, that, my friends, is a very worthwhile idea to take with you.

I’ve observed many times people complaining about the problems they face but in a way that suggests that they just don’t want to fix the problems. It’s as if their complaining is a team-building exercise.

The questions to ask are:

  • Well, I’m seeing all these problems but what do I want the world to be like? What’s the goal here?
  • What do I need to do to make that happen?
  • What help do I need – either to answer the first three questions or to implement a solution?

This can be a much more positive and fun team-building exercise than complaining all the time.

And, who’s Mike Figliuolo? He’s a practitioner and trainer in leadership, strategy, communications, etc. Find his web site here and his tweets here. Thanks for the new ideas, Mike.

Need to tell

I am not a natural communicator – so I’m fascinated by the topic.  How much should you communicate to employees, for example?

After seeing him speak at IIA-Australia’s Western Australian conference in 2012 – it was great, you should go – I subscribe to a newsletter issued monthly by Jurek Leon,  He describes himself as “a speaker, trainer and retail consultant, with practical tips, ideas and down-to-earth examples on word-of-mouth marketing, motivation, customer focused selling and designing and managing the customer experience”.

In his February 2013 newsletter, he quotes a story from another marketing specialist, Canadian Donald Cooper.  And it got me thinking.

Now, I’m not sure how much to quote from the newsletters since I’m not getting permission.  Let’s just say Mr Cooper told a story of staff in a manufacturing plant.  Every time they saw suited and booted visitors tramp around their factory floor, they started worrying over the idea of a takeover and potential job losses.  The solution: put up a notice board telling everyone ‘Who Will Be Visiting This Week’.  This simple idea turned around the situation.

There’s more to the story – sign up to the two newsletters:

  • Mr Leon’s – here
  • Mr Cooper’s – here

Well, what did it get me thinking?

I was thinking about the idea of people having a “need to know”.  This I believe is what drives the decision making of people like me who are natural technical people.  So, we ask ourselves what do our people need to know and when and we answers those questions from our own perspective.

Why do the people on the factory floor need to know who is coming?  I don’t want to bother them with the information.  I’m not asking them to do anything about it.

Of course, from the perspective of the people on the factory floor, this is something happening on their home turf.  They are naturally curious and rumours – often wild ones – spring up to fill the vacuum.  Maybe one way to look at it is that it is polite to tell people when they have visitors.

What occurred to me is that, even when they don’t see a need-to-know, leaders always have a need to tell.

Enjoy the newsletters!

Related audit but not the audit question asked? A repost from ChiefAuditExecutive

Related audit but not the audit question asked?.

I agree with the sentiments that Chiefauditexecutive expresses.

But then, I guess, I would.

The premise of the Institute of Internal Auditors, for which I’ve worked for 9 nine years, is that internal auditing is a separate profession, even if it is closely allied to professions like the external auditing part of accountancy.  That means internal auditors need a different basket of competencies and it makes sense to have those recognised by obtaining a qualification like Chartered Internal Auditor in the UK and Ireland or CMIIA (Aust) in Australia or a certification like CIA.

So, roll up, roll up – enrol, get your skills recognised and help build the profession!

On Murdoch and governance

Lots of fuss about the News Corp AGM, its style and outcomes. But, really, is this news? It isn’t new. It isn’t surprising. It isn’t very helpful.

If you invest in News Corp, you clearly aren’t investing in a normal quoted company. The share structure shows that. It is not hidden.

You are investing in Rupert Murdoch and in his judgement and in the organisation’s ability to execute his ideas. His risk appetite is high. He takes big bets – on colour presses, on pay TV. This is great as long as he is right.

The whole panoply of governance is not solely focused on mitigating the risk of a relying on a single person but that is part of it. You might therefore think I’d be arguing on the side of those who wanted change at News Corp. Well, in one way, yes! But, my main point here is that the requirements of governance should not take away the responsibility from shareholders, investors and fund managers to read the signs and make their own judgements – which might also be wrong!

So, yes, News Corp does not meet the characteristics of the majority of companies! If it’s too rich for your blood, don’t invest. Or include at that risky end of your portfolio.

(Actually, that is really mean to the truly interventionist fund managers who try to improve overall governance standards by commenting and voting, rather than cutting and running to protect their own investments. But sometimes maybe you have to admit defeat, retire from the battle and hope to win the war.)

Accountability and responsibility – a follow-up

Firstly, asking for feedback and not enabling comments is a pretty basic error – sorry about that.

Second, one of my colleagues from the UK has provided a really interesting comment on LinkedIn:

My industry has the concept of a “RACI”. Accountability: the person with whom the buck stops and ususally the decision authority; Responsibility: the person that does the work (usually reports to the Accountable party); Consultee: individuals who need to be involved prior to decisions being taken (advisors or stakeholders); and Information Recipients: those impacted by the decisions – they need to be told, but have no say. In this way a Director may be accountable but a manager responsible for delivery.”

It strikes me that this might provide a really useful model for thinking about the role of Chief Audit Executive. I shall ponder further on this.