Question 1: What does your Affiliate do to create external … · · 2018-04-12The Auditing and Accounting oversight body makes presentations about Standards. ... I.E. Big Four

GLOBAL COUNCIL 2018 – CONSOLIDATED NOTES FROM DISCUSSION SESSIONS – STANDARDS CONFORMANCE

1

Question 1: What does your Affiliate do to create external demand (from stakeholders) for conformance?

AFRICA

Get the stakeholders to adopt the IPPF standards as a mechanism

Good presence in the public sector but no action in the private sector

Work with members to emphasis the standards

By law must conform with the standard.

Stakeholders network – free site with guidance and resources

Simplify key elements and creating short papers providing examples of the standards in action.

Conference with other professional bodies (i.e. charters accountants) and each bring topics to the program.

Function of internal audit is not recognized in some countries (Angola) but work with members and give them training to influence their own companies. Also meetings with financial sector that should have internal audit because of international regulations. Not sure if in alignment with the conformance with IPPF. Work with media to promulgate internal audit with articles/content

National code for corporate governance.

More effective job to embrace the content of the IPPF – good job in public sector but lacking in private sector

Collaborative work/partner with other well-known organizations to spread the knowledge of the standards.

Mauritius Have code of good governance. Must apply IIA standards not required to conform. Uganda has regulation. Accountants are regulated. Discussions but gap. Commercial banks are now required to have internal audit. Ghana public sector is required to conform to IPPF, private sector not. Have internal audit agency for public. Togo has regulation for countries and auditors must use international standards. Conformance with IPPF for financial sector. Kenya public sector and financial sector must comply with IPPF.

Difficult to determine the number of internal auditors in each country. Most members at the IIA are from the public sector

How do we get other sectors? Much smaller businesses. Educate and partner with directors from other sectors. Bring credibility and effectiveness as IA and they can sit on any board. The standards help optimize corporate governance. Forums that promote corporate governance. Political influence in the public sector.

Most countries have regulations for the public sector and financial industry that require conformance of the standards. One country has a code of corporate governance that standards must be applied but not conformed to. For private sector conformance there is on-going discussions but a gap exists. Partnering with director associations/sister organizations.

The accounting profession is very strong in our countries with a lot of numbers/members. Some of our countries are early into the internal audit profession, so many practicing auditing are not aware of what internal audit really is. So, we are mostly working on awareness versus conformance to stakeholders. Also, conformance is hard when auditors are not members of The IIA, or certified. They have degrees in multiple different professions.


2

The Auditing and Accounting oversight body makes presentations about Standards. For private sectors, the CEO sometimes make presentations regarding Standards. This is working to some extent.

The accounting profession is very strong with a lot of members. Whenever they have training and workshops for internal auditors, they invite us. This gives us an opportunity to discuss our Standards. We also do something similar at ISACA events.

We are creating awareness now, but to the point of conformance. We encourage AC members to support their IA’s to attend. We create awareness for Standards to those in the profession and outside the profession.

There is a challenge between the registered and the unregistered. To make awareness, we provided free training on the IPPF. The local newspaper wrote about it. We now have a weekly column either directly or indirectly.

We have a very strong accountancy who tests on the internal audit Standards. Trying to coordinate more with accountants.

Most auditors just have college degrees in accounting, economics, etc. Many have not gotten certification. The accountants have more members. We are just now starting, so certification is going slow.

There is no urgency for auditors to conform. Some doing internal audit work, are doing it based upon the external audit standards.

There are some who are QA qualified, but they are expensive, sometimes coming from consultants or South Africa.

ASIA/PACIFIC

Efforts to encourage conformance includes: o Regular communications at the director level in both private and government sectors to

educate them on The IIA as well as the standards and the compliance requirements to follow.

o Offer standards training to private and public sectors as well as the members. o Provide step-by-step guidance on the standards for organizations to follow.

Japan – EQA to ask stakeholders’ demand and needs; feedback from them on training

Philippines – in all MOUs with stakeholders (focus on regulators, such as SEC) we ensure that IIA standards are included.

China – in listed companies and state owned companies, IA is required. China National Auditor Office issued new regulations. IIA China CEO was interviewed on CCTV in premier time.

Australia – promoting IPPF to the listed companied. Required listed companies to express conformance or explain. Issues a number of publications.

Taiwan – combined conference with IIA governance and IIA Taiwan. Include IPPF in publications

Indonesia – translated IPPF mandatory guidance to Indonesian IAs. In 2018, will consider to translate IPPF recommended guidance. Promote IPPF to government

Suggestion – share a database with all affiliates of their various advocacy activities

More translation for IIA affiliates

Talk with influencing bodies (regulators), endorse the standards and quality assurance review (leveraging the Standards)


3

Dealing with situations where compliance matters more (e.g. if the standards are not required organizations won’t require them. More concerned with “are there penalties for non-conformance?”

Hold forums with Audit Committees and CAEs (sometimes directors)

Leverage CIA as the only recognized certificate for the profession

Trying to work toward recognition in the local governance code.

Korea – FSS recommends standards for Financial Services

Korea – provides award to government entities (includes conformance with the Standards (results in year-end bonus)

Promote QA as a means of building awareness.

Build relationship with Stock Exchange who can require IA. Some have IA requirement, but lacks details including conformance with the Standards.

Listed companies require someone who is a CIA (which mean they have to conform)

Corporate Governance Code – require IA and standards but silent on which standards. Working to change to IIA standards.

Influence Supreme Auditors to require IIA Standards

Leverage media, press, etc. particularly when there is a corporate failure.

Build awareness with government officials

Hong Kong / Philippines – comply or explain model via stock exchange

Promote QAIP service providers

Central Bank circulars for financial institutions

Leveraging College/Universities to build awareness around conformance. EUROPE/NORTH AMERICA

Compliance with the standards, promoted to the audit committees. Invite once a year audit committees without an internal audit function. Partnership with the National association of corporate directors – Access to database.

QA internal and external, effective in winning over the support of audit committees backing from regulators. Financial. This year they will develop the code to fit the other sectors. “They need effective internal audit”.

Develop and push QA towards the largest companies. Close relations with the Directors association.

Awareness of standards, more focus on methodology. Invite stakeholders to the IIA events. If the audit committee don’t agree or understand the standards we can’t reach higher

conformance. Engage the audit committees! Advocacy efforts toward audit committees.

Strategic plan to communicate the importance of compliance with the standards towards the national association of corporate directors. Engage Audit Committees, invite stakeholders to IIA events.

Develop sector specific code, consistent with the IPPF to promote the standards towards the stakeholders

In the USA and UK is highly promoted


4

In Finland new regulation is being created to regulate and have the profession under standards and conformance for Public Administration.

Russia working with regulators and Central Bank of Russia and Ministry of Finance. Database has been created of chairman of the boards and committees of the 500 largest Russian Companies, sending letters and providing them with a copy of the book with an introduction.

Conformance does not guarantee added value. I.E. Big Four accounting firms failures. It is an instrument to add value.

Germany standards are taken as a given, it’s not a big issue.

Switzerland has a high level of conformity. The issue is educating about importance and relevance of the standards to the regulators.

Also important to educate about the difference between internal and external auditors.

The Stock Exchange Commission in Spain is starting to regulate the audit committees.

Educating and making stakeholders aware of the value of Internal Audit and standards is a continuous task.

Following the standards usually assures that IA adds value to the organization.

In Finland new regulation is being created to regulate and have the profession under standards and conformance for Public Administration

Educating and making stakeholders aware of the value of Internal Audit and standards is a continuous task.

Publications together with public sector institutions

Quality assessment reviews

Mandatory and supplemental guidance translated in local language

Efforts to increase the internal auditing awareness (e.g. conferences and other events)- organized on a regular bases – repeat the message

Proactive advocacy approach

Integrating value proposition, QA standards, publications, etc.

AC involvement in situation of nonconformance with standards

Conformance with standards to be mandatory, enforced by regulations

Message across the members: conformance with Standards.

Regularly reinforcing the message.

Holding round tables and other networking events for stakeholders.

The law took care of that. The government requires entities to have IA (if required they must have it). Listed companies, and other private sector companies that fit the profile. Since 1992 the law was created in Israel.

There is a law that requires government organizations to have IA. They use the global standards to develop the law.

Translated the Standards and Implementation Guides.

Financial organization require IA through their organizational governance bylaws.

Help understand the code of ethics.

Create awareness among CAEs.

Require Quality Assurance Reviews to show compliance.

By example – leverage horror stories.


5

Publish and promoted the principles for IA. Describe what it means and how is should look like.

Publish and promoted the internal audit principles. Describe what it means to be an auditor and how an internal audit activity should look like.

Require quality assurance reviews to demonstrate conformance, and define maturity levels.

Laws IA must be in conformance with Standards – always emphasized when meeting with (regulators) stakeholders – except for QAs

Practice of IA in Public Sector there is a large gap.

Global standards should be recognized in law

Due to these regions, the context of conformance is being applied by what in the law not necessarily all of the Standards and out of their controls especially Standard 1312.

CENTRAL AND SOUTH AMERICA/CARIBBEAN

Must present The IIA and the Standards as educational opportunities

Organize workshops to invite stakeholders; try to teach about the profession (sometimes governance, regulators, BOD members, etc) – for free

Including audit committee members and CEOs in regional events as both speakers and attendees; having joint sessions and conversations

Tone at the Top – pass it on to stakeholders

Make them a member of The IIA to use at least some of the info

Globally our standards are more push than pull; Standards are one direction only

Standards give rights to the auditors and do not focus on the duties, Standards must be applied with humility

Use legitimate power, not use Standards as power (teacher not preacher)

Mutual expectations paper – the right and duties of the auditee and the auditor

I’m auditing you, who audits me?

Give the IPPF to regulators and meet with them to discuss the importance of internal audit activities and standards

Give the IPPF to audit committee members

Activities with audit committees, discussions on standards and value of the internal audit profession

QAR – a lot of efforts in the region

Suggestion: All the countries in the region need support from IIA Global about the QAR. Written agreement that they can use their own team leaders in the region. That would lower the costs and also be able to distribute the service locally.

Seminars and trainings

A project in Guatemala called Knowledge factor – inviting CAEs to share their experiences in conformance and how they work with their audit committee and explaining the conformance between each other.

Meetings with Universities and helping them reweaving their content. Helping them getting the IPPF and best practices in the education.

We are reaching out to local regulators to drive the process and enforce conformance.


6

We’re promoting Quality Assurance to advance the role of internal auditing and the need to apply standards.

We’re fostering relationships with professional associations and with public and private entities.

We’re facing challenges advancing conformance. It’s is perceived as a best practice but not as mandatory guidelines.

We are trying to educate stakeholders. One thing is to try to explain value of quality assurance so that they can understand the value of internal audit and become interested in checking compliance with Standards.

We are talking to legislators directly and inviting them to local conferences and seminars.

Invite regulators to seminars, annual congresses.

We have some struggles helping stakeholders understand the role of internal auditors. Still working to teach members on Standards, code of ethics. Biggest challenge is with non-finance-related organizations.

We have a ways to go and have done little outreach to stakeholders. Some government auditors have no knowledge of Standards. Most of the knowledge of IPPF is in finance-related internal auditors.

Colombia – Before we can educate stakeholders, we need to educate internal auditors.

Peru – Similar position as Colombia. We need to take it step by step.

Nicaragua – Stakeholders are invited to annual conferences. Includes regulators. Law currently requires compliance with IPPF.

In Panama, in banking must follow IPPF.

We try to recruit C-suite members to be advocates at their level (peer-to-peer).

In El Salvador, similar to Nicaragua. Looking for opportunities to reach out to stakeholders.

Brazil has organization of directors. Not even those members know the extent of what we can deliver to them. We first have to educate our people and use those people to educate stakeholders.

Most efforts are directed to members. Need to raise the bar first, before going to stakeholders. However, some are doing stakeholder outreach to create demand for compliance. Need to leverage C-suite and board supporters of internal audit to do peer-to-peer advocacy for internal audit. Can use media and supporters to further influence legislators and regulators.

MIDDLE EAST

Encourage QAs.

Competition from firms.

Advocacy has been to members and organizations, especially those where conformance is a requirement.

Promoting and encouraging compliance seem to be easier within the financial sector.

Some are targeting corporation at the Audit Committee level.

Internal audit is a requirement in the government sector in UAE. It helps promote conformance.

They encourage conformance by pushing for regulation/legislation, promotion of QA services, and education (conferences).


7

Question 2: What percentage of your advocacy efforts specific to conformance are related to internal (CAE) vs. external stakeholders (Audit Committee Chair)? Question 3: Are your advocacy efforts to promote the value of conformance successful?

A. If yes, what has worked best? B. If not, why not?

AFRICA

Make sure internal CAE works hard to apply the standards

Look at conformance and application of quality assurance

Make sure to ask specific questions in the QAR manual and provide to the audit committee.

Percentage 70/30 more internal compliance with CAE than external (audit committee)

Percentage 50/50

Percentage 60/40

Make sure all CAE conform before going to the audit committee.

Give the tool to CAE to use before going to audit committee

Problem is that not all CAE are not member of the affiliate. Make sure all CAE ascribes to the standards by first being members –

Majority of the affiliate’s advocacy efforts is focus on internal as opposed to external.

Create toolkit for internal auditors (CAE) to boast about the foundation about the IIPF.

The fact that there is legislation does not mean the standards are applied. Some do not have copies or access to the standards. No Accessibility / Little accessibility.

Management does not like internal auditor because they fear that something will be found so they do not support audits.

Develop methodology of the standards

Make our standards available to everyone as opposed to consider it as a service.

Responsibility of the institute to convert nonmember internal auditor to be members and ensure adherence/understanding of the standards.

Bring nonmember internal auditor on board. Make value proposition more glamourous /appealing to turn nonmembers into members.

Conformance advocacy is more to external vs. internal stakeholders to better understand the profession.

Need to educate

Too many CAs from the accounting profession and not the IA profession. Promote selection of the CAE on both CA and CIA for both public and private sectors.

IA much broader responsibilities.

Local dynamics – accountants vs. auditors.

Efforts are focused externally. Barrier - too many CA’s from the accounting profession. There is political influence on selection of AC members in the public sector. Local dynamics on salary scales for accountants vs. auditors.

Varies by country and the degree of regulation.


8

Our advocacy efforts are much higher percentage for internal (CAE’s) (80%) compared to external stakeholders.

Current advocacy efforts are minimal, so there is not much success. Need to find a strategy to advocate more to those who are already doing internal auditing.

There is need for more advocacy.

We have local authority with many internal auditors. The current City Auditor is a CIA, so he is pushing the CIA. With unemployment, government is paying for CIA to support youth.

In Ghana, we have a long way to go, mainly because of the accounting profession.

Major issue with conformance is the current thinking is about CPA. The CIA is just now coming to minds in our countries. So, it is difficult to push CIA certification.

The issue is about the accountants. Very senior executives see no difference between accountants and internal auditors.

This is more about culture. Most doing internal auditing have accounting education. In one country, a lot of people have taken the CIA, but only one passed.

Need to build relationships with HR. They are the ones who recruit. There does need to be enough qualified internal auditors in the recruiting market.

ASIA/PACIFIC

In Sri Lanka, the CAE is not required to follow compliance standards, therefore they are not motivated to support IIA standards.

Internal demand is more important that external in Mongolia, therefore they focus on the private organization auditors.

IIA Kazakhstan is a new affiliate and focused on building their membership.

Focused on meeting with stakeholders to find interest level in membership as well as developing content on website

The three affiliates at the table are in early stages of advocacy development, therefore they are limited any providing any successes.

Ensure the regulators and members to understand more on the value of the conformance, not only conformance itself.

80:20 (Japan, Taiwan and Philippines)

50:50 (China and Australia)

40:60 Indonesia

China - Ensure the members understand more on the value of the conformance.

Japan - Financial agencies in Japan asked for IA designation, which helps IIA Japan to promote CIA.

Australia - Treasure department requires IPPF for IA in that sector. IA not following any rule is a risk, we have to follow the professional standards.

Indonesia – Public asked “where is IA” after corruption. Conformance with standards doesn’t mean flawless

50/50, 80/20, 70/30, 80/20

Difficult to reach the right audience

Some are more focused on lobbying government and regulators

Some are experiencing confusion between internal and external.


9

Most audit committee chairs are coming from an external audit background and lack enough awareness and understanding.

Do our members feel sufficiently obligated to educate our key stakeholders? This is a challenge because IIA Standards are above and beyond their minimum (legally) required. Do CAEs even care?

Can Global create an orientation packet for Audit Committees?

EUROPE AND NORTH AMERICA

Is the IPPF enough? Is the standard high enough? Communicate exclusivity in the membership. Raise the value of the membership, as members

you follow our standards. Advocacy is as important towards Audit Committees as CAE’s How do we measure whether it’s working or not? We agree that something needs to be

done but how? Regulators send out questions regarding conformance?

Distinguish advocacy and development. 100% is outside the internal audit (external) but 100% of development is done within the institute (internal) Members – personal development CIA

External- QA

People in the board to show good examples. Engage them in the QA.

UK Financial services code, consistent with the IPPF but works towards the stakeholders

UK follow up on conformance: Impacts has changed IAA: reporting lines, etc. Surveys Influence the regulators

Spain, USA focus more on affiliated. Must increase efforts to the audit committee.

Germany stakeholders differentiate the difference between internal and external auditor. In other countries this is not clearly understood.

Engagement of External/ Internal Auditors outsourced to advocate for the standards conformance when dealing with the Audit Committee and top management.

Germany convinced authorities / regulators that Internal Audit could perform functions that were in plan to be given to External auditors.

Russia gives 4 hours training to the committees and prefer face to face contact to advocate.

Advocacy efforts focused on CAEs - less than 30% and the rest on external

No knowledge of compliance.

50%

Not doing it in a systematic way.

CAEs don’t know what the standards are.

External auditors should be asking what standards govern the IA.

Yes – through university classes at the master level.

No – because we are only starting on this area.

No – we are focused on serving members, not creating demand. Conformance is not our goal. We leave it to the companies.

No – Just starting and we see there is room for improvement. In the public sector there will be more demand next year.


10

Yes – education and periodic meetings.

Yes – seminars for audit committee members.

Yes – for public sector and No – for private sector.

No – because many institutes are only starting these efforts.

One way to improve is through university classes at the master level, or creating seminars tailored to the audit committee to help them understand the value.

Maybe 70% internal, 30% external

90% internal, 10% external

Focused more on members, focus on external QA’s to advocate

50/50 (but more so on Internal-more mature status)

Not much interest from the market to be considered successful

Success depends on the audience

Falls with the political situation in the country

Translating IA tools provided by IIA very useful especially in public sector

Perhaps monitoring the usage of the tools being downloaded from the website


CAE focus 80%; stakeholders 20%

70% internal

Must disclose Standards internally so they can apply them in their daily job

Need to use someone on the audit committee as the one to push conformance, someone who is from IA or understands IA and is independent member of the AC

Global provide a template or manual to build on for advocacy

Need to do an institute strategic plan; each affiliate do a 3-5 year plan; so need a plan as leadership changes annually

Need material to show to AC and BOD for QAR and they asked what we gain and what happens if we don’t do that – need to show value beyond conformance (what is the value beyond complying with the Standards?)

Benefit of using the Standards is a common understanding among the team

lack of internal assessments

We have a policy as well, we follow the Standards

We don’t have the statistics on who are conformed with standards and who’s not. Although, working a lot on promoting the Standards.

Table discussions with CAEs about their conformance with the standards and their experiences in advocacy efforts to their audit committees.

Universities – working with the content with the professors to help them include the standards in the education.

QA – mostly in Banking but not in public sector (Peer pressure) 70% Internal - 30% External.

Not enough efforts in place. Do not have a strategic plan solely focused on advocacy.

Unfortunately there is limited access to policymakers.


11

Need to leverage The IIA’s global status to foster partnerships with local public and private sector; it provides credibility.

There’s should be further support and intervention from regional bodies, such as FLAI.

Most of the effort focus on internal (CAE) versus external (audit committee chair).

Closer to an 80 to 20 or 90 to 10 percentage internal to external.

Wish we had more time to be able to go out to work with stakeholders.

Did roundtable discussion with audit committee members invited to listen to what internal audit is saying.

Never ending effort. A lot of work to do. Not enough hours in the day.

The main challenge is internal auditor compliance.

Have had some success in inviting audit committee members to annual conference to have them learn more about internal audit.

There has been some successes in educating stakeholders by inviting them to attend annual conference to have them learn more about internal audit.

However, limited time for affiliate leaders makes it challenging to for sustained efforts.

MIDDLE EAST

Partial conformance provides clients with a road map.

It may convey the wrong message and people will be satisfied with partial conformance.

We must clearly define the difference between optional and mandatory conformance (all at the table agree).

GC vs BC

Standards should mention that CAEs should exhibit knowledge, especially new ones.

Questions 4: What do you see as the main opportunities and challenges with a maturity model approach? AFRICA

Mature institutes feel that Standards are not elevated/inspirational enough.

Smaller institutes may be too challenged and can only do the minimum.

Define what are the minimum standards that should be in place based on the maturity of the industry, the country/region, and affiliate.

Maturity model has advantages but we should define the minimum practice/standards.

Define what we mean by the maturity level- what is the base and what we should aspire to be.

Will strive to be better. Will improve the profession. Opportunity to show you are adding value to the organization. 4 or 5 scale. Standards require us to be at the basic. Maturity of an organization must be taken into account.

Resources could be an issue whether it is people or $. Demonstrate your gap. Not competent internal auditors out in the marketplace. Need minimum qualifications for internal auditors. Need to educate the audit committee about conformance. Advocacy goes hand in hand with conformance. The audit committee must annually assess the CAE. Provide standards for rating. Need consistency for the criteria to be used. Needs to be local.


12

Will improve the credibility of the profession. Becomes aspirational to perform better. Will improve your value to the organization.

Will demonstrate criteria gaps such as resource shortfalls.

Need minimum qualifications for auditors and there is a need to educate audit committees.

Consistency on criteria needs to be defined.

Maybe we can use a hybrid of “Maturity Model Approach” and “Conform and Explain.” Our region needs time to grow. We note where we conform. We need to explain where we are not conforming.

The adoption should be a gradual process.

By such date, you must conform. But, we need to get support.

We have certified accountants. How do we get them to conform to internal audit Standards? How do we get them to embrace our Standards? After you get a number of accountants who are certified, you can build on it.

See a lot of challenges with the maturity model. ASIA/PACIFIC

Opportunity includes providing a growth map to assist in establishing a model for organizations to follow; and facilitates benchmarking.

Challenge is in developing a plan to roll out the model as well as measuring the quality.

Criteria is clear and gives good direction.

What is maturity? It is going to be challenging as maturity definition depends on industry, governments and countries.

Public companies in many countries, AC has to disclose its oversight. IA was not mentioned, External audit was included. However, if AC report includes IA’s conformance with the Standards, it will drive the changes

We don’t need a checklist approach.

Full conformance model is preferred, not maturity model as it has more risk; it gives small IA shops excuses of not conformance; the delineation is not defined in the paper. It is a clumsy approach.

Opportunities

Many others have already moved in this direction

Tells you where you are and what the gap is.

Maturity models are a better reflection of reality

Overcomes people who know they won’t generally conform.

Set and manage expectations. Help to ensure consistency across QAIP providers. Challenges

Could lead to a perception that non-conformance is ok (big concern)

Could become very complicated particularly in how it’s communicated to stakeholders.

Will need to clearly define certain quantitative standards.

If done, clear guidelines on how to operationalize would be difficult.

Maturity model is definitely worth exploring. May be best used as a tool for CAE’s rather than as part of an EQA. Would need to be very well defined to ensure consistency and proper use.


13


How do we apply this on the unique organizations? In theory, we have a good theoretical model but difficult in practice due to different organizations

Comply or explain is clear, comply and explain is contradictory. Without clarity, we can lose credibility.

Level of complexity. Contradictory, you can’t conform and explain What happens if they don’t conform? Sanctions? Conformance is not about the individual internal auditor, it comes via the audit committee. Micro and macro, through the individual vs going through the audit committees.

In other part of the worlds, there is lack of personnel to give QA’s. A peer review system could be implemented.

With a maturity model the affiliate can position itself and further develop. A perceived risk is that in other cases some organizations might deny that they are not yet mature.

Implementation might become difficult.

Anything that is non-conforming weakens the standards

Standards should be a minimum expectation (baseline).

Should be clear of what are the goals of applying the maturity level. Conformance does not guarantee added value.

Challenges: consistency is key for a successful approach, maturity of the market where you implement this (local issues), reluctance to implement a new model (maturity model); used in the right way can encourage QA. A proper framework provided by IIA will help.

Opportunities: recommendations after QAR on how to get from a 8 to 9 (how to improve step by step); conform or explain provides a possibility to explain the particular environment; also details about conformance to better understand the situation ((comply and explain)

Maturity model should contain more than conformance requirements, e.g. proactivity, benchmarking, quality, value for money.

Challenges to maintain consistency of approach.

Provides pathways to continuous improvement.

It’s a very good tool to self-assess and use as benchmark to know where improvement is needed to reach the desired level.

No model will fit everybody.

Having a scale makes it easier to find ways to improve.

If the maturity model is too challenging, people will not be interested in using it.

No way to enforce it. We can enforce if the IA is a member, but if the IA is not we cannot enforce.

Using the model can help develop KPIs

If the maturity model is too challenging, people will not be interested in using it.

Working with volunteers for translations, quality and consistency can be a challenge

Fantastic tool for Stakeholders not IA for them to measures progress.

Challenges are to fully understand the maturity model approach.


14

Aware of model is one of the most efficient tools

Possible to achieve and maintain a high-performance grade but may be hard.

What drive conformance, what comes first on the continuous journey

A communication tool to use with stakeholders on the continuous journey

Use maturity model when providing assessments, depends on the maturity of the organization

Size of IAA should be considered

Good tool to observe and monitor – what’s the next step

Principles are used when speaking about maturity

Benefits to move toward an ability model from maturity model (depends on how it is being used – internal/external)

Challenges are to fully understand the maturity model approach. CENTRAL AND SOUTH AMERICA/CARIBBEAN

Better competence, better capacity and quality; good opportunity to improve conformance

Knowledge of the Standards is the biggest challenge; CAE may not be implementing the Standards if IIA Global implemented a maturity model

Challenge is the will to use it, maturity model is just the tool – need to have the will to use the tool

Opportunity is for the IAA to do an honest self-assessment; need to have an owner for the action plan

Will need to clarify that maturity model does not mean Standards are optional; maturity model makes sense

Level 1 maturity should require full conformance, and up to level 5 would be high performance

Can be used as a benchmark

Challenge: clash between staff who know IPPF at lower level; then rotational CAE who doesn’t understand IPPF is the one who is talking with the AC and cannot communicate or understand the message

Opportunity: It’s an easy way to explain to individuals who are not internal auditors.

Opportunity: Even though you have an immature internal audit function, you will be able to use this model. Good idea!

Challenge is how we should promote the model – if the internal auditors don’t understand the IPPF, how can they understand the model?

Opportunity - to set benchmarks and identify gaps.

Challenge – not enough resources for its application.

Maturity model is the best way to see the road as a journey of continuous improvement.

Conform and explain would give opportunity for companies that haven’t reach level of conformance. Must have the opportunity to explain.

Comply or explain in Colombia

We have opportunity to help organizations reach a higher level of conformance. When we have the tools, knowledge or courses we can offer quality assurance services. Opportunity for the affiliates to step up and help organizations conform.


15

Also for individual practitioner, conformance reflects well by demonstrating to stakeholder the value of internal audit.

Conformance should be linked to competency model.

As we want to raise the bar we have to have people to do the job. We have to have to people available to do the training to raise the bar.

Challenge is differing levels depending on the sector and industry.

Challenge is that lower conformance reflects poorly to stakeholders who we are trying to convince we can do the job

MIDDLE EAST

Did not discuss.

Questions 5. Should “conform and explain” be interpreted as: A. How an IAA is making efforts to move toward conformance and mitigating

the associated risks of not being in conformance? or B. An explanation of why a Standard is not applicable and why it is not

possible for the IAA to comply? C. Both

AFRICA

Should be both. Conform and explain model.

A – No exceptions. How an IAA is making efforts to move toward conformance and mitigating the associated risks of not being in conformance. All standards are applicable no matter what size. This will heighten the support needed where there are constraints in resources.

Should be both, potentially a hybrid with the Maturity Model.

Regarding QAs, before we conduct a quality exam, we need to assess ourselves. Maybe, we could start with a self-assessment versus an official QA.

ASIA/PACIFIC

All at the table said that “conform and explain” is interpreted as “both” as certain things can be explained if they cannot comply and clear as to what happens if they do not.

Develop an action plan to influence local governments/organizations.

Should explain who, what, and when in responding to compliance issues.

Some say A, some B. Participants seems unclear what the question means.

“C – Both” is strange and background paper is confusing. The way it is written is overly complicated and not for AC.

“And” is confusing, should be “or”

C is the choice, but everyone thinks another option D which would be A, B plus if you conform, you must explain how you conform.

Lots of discussion with very little agreement EUROPE AND NORTH AMERICA


16

We need another option: Neither

B - Declare that we don’t have conformance. Language is contradictory both with A and B. Struggle to see how it can work in practice, for example if you are in conformance with

standards do you explain also? Why conform and explain rather than conform or explain?

B. In some cases IA is used in a compliance function. Controls should be implemented when these functions are performed.

Conform or explain is the message to deliver, as it is clear.

Need to step back and understand what our goal is for conformance.

Conform and explain principle is based on self-assessment.

Making efforts to conform on an ongoing basis – so the meaning is a mixture of A and B.

In public sector for instance –if an organization comply with the local regulations, and the Standards are not in line with this- a dilemma: Compliance is sometimes simply not possible!

Both – because regulations in some countries prevent full compliance. Where efforts are been made to meet compliance it’s useful in providing an improvement plan.

50 % of the group selected option A, while the other 50% selected option C. Those who picked A said, either you conform or you don’t; because you already have conform and disclose.

C (both) – sometimes it is not in capacity of IA to be in conformance every time. Example reporting relationship – what if they don’t accept.

Very important to provide transparency on why not in compliance. Understanding the exception for not complying is very important.

Clear and obvious for all stakeholders regarding conformance – if there is an opportunity to explain – would be happy to. IA is not always the owner of the not conformance. For example, independence importance and regulators put in law – opened a lot of discussion once it was put into law. Performance depends on the organization. Many don’t have an expectations. Would a maturity help to communicate? For some it would lower expectations

Maturity model provides idea if you generally conform at what level you are to protect IA reputation. Maturity models could be adjusted on a local level but still unified with global.

Overall advocate both but not fully understood. CENTRAL AND SOUTH AMERICA/CARIBBEAN

What are the risks of not being in conformance?

Lack of consistency, would not be able to prioritize the risks in the organization

Would not be systematic and disciplined like our definition

A focus on time vs quality for internal audits

KPIs are % of audit plan or audit reports that are delivered on time; so wrong incentive – time becomes the driver

Pizza – diameter (size), thickness (scope), ingredients (quality)

Conformance is necessary, but not sufficient

Must advance your products and services;


17

need to prove quality; need to recognize humility; use internal auditors who know methodology, and guest auditors who understand the business

Conformance is a means, not the goal itself

It’s easier to understand A.

Even though it’s difficult to do some activities, you can still do something. Both

Both

Depending on the situation. There may be an issue where you can’t comply.

The only challenge here is that while the answer is both, not applicable, can explain why it is not applicable. Need to make clear under what circumstances that is an acceptable answer.

Opportunity to the use of QA who can validate use of conform and explain.

If I’m a member of the audit committee, I have a fiduciary responsibility.

Both. However, we need to make clear under what circumstances (conditions) that is acceptable to explain versus comply.

MIDDLE EAST

Action plan and commitment to achieve compliance instead of justification.

Culturally, companies in the Middle East will be satisfied with partial conformance.

Progress reports more often than every 5 years.

Question 6: Do you believe a “conform and explain” model would help or hinder conformance rates? Why?

AFRICA

If we go to this model, it would help because it would bring more transparency.

Must be crafted very well to identify as many possibilities as possible.

Must be piloted first

Recommended that there should be a section in the integrated report that would explain it.

Should be part of the advocacy efforts

Timeline on when they are going to conform

Would help the conformance rates. Allows reflection on gaps and speeds up conformance.

Confirm and explain will give IIA a roadmap to where we need to go and grow, which will help conformance rates over time. In my board paper, I list the standards. I am not conforming.

ASIA/PACIFIC

It will do both, but more to a positive. It can challenge organizations to see the need to comply in their explanation of why they are not complying. Elevates conversation about the standards and need to create plans.

It might allow excuses why they cannot comply and create acceptance to current process.

May need to offer flexibility in transition when new standards are issued or revised.


18

Participants don’t believe in the proposed concept, don’t believe in “conform and explain.” It will be more damaging and hence hinder the IA position on top of allowing excuses. Participants asked whom the “explanations” go to: IIA affiliates, IIA global or self-reporting.

If AC gets the paper from CAE on the “conform and explain”, AC doesn’t know whether to trust IA’s work.

IAA needs to sell the value of the EQA, instead trying to avoid the problem. Some countries (Japan, Australia, and Indonesia) have seen increase in the number of EQA, but still have huge improvement opportunities.

The reasons that IAAs don’t do EQA is because of the cost. Majority of CAEs don’t review the standards and conformance with the standards with the AC.

Publicly listed companies in Australia will require by the corporate governance code that all companies must have IAA and all IAAs must follow IPPF; if not, they need to explain. IIA Global should disseminate it with other affiliates. IIA Global should recognize the Australian government, such as press release

Hinder: Too much burden

Help: Provides a better tool for communication to key stakeholders. EUROPE AND NORTH AMERICA

We are not regulators, we have no authority “we don’t have a stick to hit them with.” Change the language and the perspective.

What is the outcome? Is conform and explain going public? Can this become the stick for the audit committees? Do we even have the power to make this a reality?

Hinders because it enables companies to be in non-conformance which undermines the effectiveness of the standard.

“Conform and explain” model would enhance compliance. The group was divided. Several members think this will hinder because it can be used as an

excuse. Other members think that it can help increase conformance rates because more organizations can adopt the standards, but it may generate confusion about how much can be explained.

Who would get information when performing QA? Maturity models would be shared with C-suite and board/AC.

For regulator ensure you are living by the Standards. Checked through QA by regulators – private.

In Public Sector, QA’s could be available, as they understand it public could be available.

Too complicated in the context of their region (Balkans) and legal compliance. IA is practiced according to the law not necessarily IIA Standards.


Conform and explain could be risky, could create a bypass that explaining and really only in conformance with a small % of the Standards.

Will need to state which standard you have to be in conformance with; and which are even options for explaining


19

People are not aware that we have IGs

Think conform and explain will hinder, they just won’t follow it

Hinder – all it will do is normalize the deviations (make it ok)

Could just turn conformance into a paper exercise and downplay the relevance of the Standards.

Suggestion: make it mandatory to report on the internal self-assessment

It forces you towards compliance. It is a tool to make the internal auditor improve, think and discuss.

The differences between public and private sector

ISO certifications, they don’t have the understanding of the importance of CIA. It would help by providing transparency in the process and fostering conformance.

Conform and explain concept is good, especially in Latin America, where countries in the region are all in similar situations in maturity.

Depends on the organization. The relationship we have with the stakeholders, board, and audit committee.

If we have a strong organizations with good governance, we feel we need to comply. If organization is low level governance, with little interest in it, it could hurt.

Tone at the top is very important in every instance.

Some organizations are much more committed to compliance.

Even for organizations with low-level maturity, it provides the opportunity to have a clear list of what they need to do to conform.

It is a journey. It’s going to help in that it sets out a path to conformance.

Term is familiar enough that it won’t create confusion.

Conform and explain would give opportunity for companies that haven’t reach level of conformance to have a path forward and explain when circumstances do not allow compliance.

MIDDLE EAST Did not discuss.

Questions 7: What do you see as the main opportunities and challenges with a “conform and explain’” approach?

AFRICA

Major opportunity is a collective application of minds – get people to think about what they are doing.

Encourage more demonstrable responsible behavior (truth, ethics)

Provides better platform for reflection for the future – over time will be better to assess.

Challenge is going to be who you are explaining to

Pro - Reflection and aspiration, gap identification

Does the reach of IIA Global require external auditors who are providing an internal audit function to conform to the standards? Internal auditors outsourced.


20

Challenges - Where does the discussion end? When conformance increases. How long would you allow an internal audit department not to conform? Need tools from global to assist in driving advocacy of conformance. How do you handle gaps?

There is a lack of QA reviewers in this part of the world. IIA Global can provide training to develop qualified reviewers.

ASIA/PACIFIC

As conformance increased in the future, there may be an inadequate supply of quality assessors.

Major challenges: o 80% of the CAE’s are not IIA members and not interested in conformance. o No quality training programs for external assessments.

Model needs to be simple to roll out and easy to explain.

A lot of time and energy on this paper and discussion, do we know how to regulate this?

Need for a database to share the best practices in conformance

Share IIA Australian Advocacy plan

Opportunities: Communications to management and audit committees. Biggest benefit is for the CAE.

Challenges: Regulators won’t care


Advantage; if you don’t conform you need to explain. This enable a conversation with an objective of being in conformance.

EQA: You conform here and here, now the response is to explain. Same principal for the management.

We do not have authority do anything, so the only thing we can keep doing is advocacy efforts. We have to deliver something that will help the audit committee deliver their objective.

We are not regulators, we have no authority “we don’t have a stick to hit them with”. Change the language and the perspective.

What is the outcome? Is conform and explain going public? Can this become the stick for the audit committees? Do we even have the power to make this actuality?

Future topics: Principals are above the standards. So, what if we talk about following the 10 principals and the standards follows. Have we made any progress? Are we moving forward? The papers and discussions make one want to work with the questions. But there is no road map yet and no tools.

It’s a challenge. No opportunities, instead conform and explain allows for non-conformance. We need to require conformance and develop a means of enforcing consequences for non-performance.

“Conform and explain” model is more than a tick mark

Challenges – getting the standards understood and accepted by key stakeholders in the first place.

There should be a clear definition of thresholds.

Opportunity: to provide information where IA stands, it’s a continuous journey.


21

Challenges: to be misunderstood – why not being at highest level – the legal context of the region.

Challenges: to always try to move to the next level – periodic assessments would add value

It would interesting to have Affiliates to have maturity models and compare where the countries are. A maturity model used as a benchmarking tool


Opportunities: What is the lever – how do you measure conformance? The model will help

Will help with statistics of conformance around the globe

The model will help departments to be compliant with the standards

Challenges: Consistent use of the model. Everyone may do it in different ways Opportunity – stakeholders and members will acquire greater awareness of the standards and it will

provide further disclosure.

Challenge - might be cost prohibited.

Improves opportunity to see a path forward to full compliance.

Challenge is to explain what it means to our stakeholders.

Affiliates have an opportunity to help organizations reach the higher level of conformance.

There is a challenge with the risk that organization will use it as an excuse not to support further conformance with standards.

MIDDLE EAST Did not discuss.

Documents

Question 1: What does your Affiliate do to create external … · · 2018-04-12The Auditing and Accounting oversight body makes presentations about Standards. ... I.E. Big Four