The Institute of Internal Auditors presented its updated
The new competency framework has three main components, with skill subcategories, proficiency levels and characteristics of demonstrating proficiencies in each of the categories, similar to the old competency framework.
"One of the key features in the new competency framework, because we've published this in an Excel workbook, is that the categories are adjustable to your organization's needs," said David Petrisk, director of standards and guidance at the IIA. "That's largely in response to feedback we were getting from public sector auditors as well as from others, that the categories needed to be flexible."
Other new features in the framework include proficiency levels and job role expectations. "They can be used to help benchmark your expectations to market conditions, and also you can customize and adjust some of the details to fit your organization and market," he added. "It's a customizable framework that provides more context than we did previously."
There are also new templates accompanying the guidance document to help audit executives record individual and collective assessments and relate them back to the organization's strategy and to individual professional goals.
The proficiency levels of basic, intermediate, advanced and expert are more defined. "It takes out some of the guesswork," said Emre Alpargun, vice president and chief audit executive at Palo Alto Networks. "It gives more concrete examples."
Risk management
The IIA is finding audit executives are looking more closely at risk management. "How is risk affecting our profession? Profoundly," said IIA president and CEO Anthony Pugliese. He noted that 54% of stakeholders don't think they do a great job on enterprise risk management.
"Today we see far more of a dynamic role, and it's impossible to not have a more dynamic response to risk, given how fast and furious and how diverse those risks are coming at us in our businesses all the time," he added. "What is the future of risk in internal audit? Well, we're beginning to note that internal audit is, over time, beginning to do a risk function in a different way than owning the risks, but in terms of how they approach risk and what they're responsible for in the identification of risk, so we're seeing a change. Internal audit teams are being positioned differently in organizations in their response to risk, and we have a lot more research to do on exactly how that's happening and why that's happening. I have a lot of theories on why it's happening. I think we're good at it, but our job is not to manage or own risk. Our job is to shine a light on risk."
Digital disruptions and geopolitical events are accelerating such risks. "We need to make sure that we're running our internal audit functions with that in mind," said IIA chair Terry Grafenstine, "It's the speed of risk. We're only as good as how fast we are and how forward looking we are."
