Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today, we’re featuring a conversation with Mike Peppers, Chief Audit Executive for The University of Texas System.
Peppers, a recent Chair of the Institute of Internal Auditors, worked on the historic project to evolve the Global Internal Audit Standards. The new standards were released on January 9, 2024 and will become effective January 9, 2025.
Peppers brought deep technical knowledge and a track record of service to the role. He currently serves as the representative to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Board of Directors.
Listen on Apple Podcasts, Spotify and YouTube
Interview References:
J. Michael Peppers’ The University of Texas System profile.
1:54 | Global Internal Audit Standards. (2024). The Institute of Internal Auditors.
11:42 | Global Assembly 2023 Summary Report. (2023). Global Assembly.
17:12 | Report on the Standard-setting and Public Comment Process for the Global Internal Audit Standards. (2024). The Institute of Internal Auditors.
Supplemental Materials:
Global Guidance (Supplemental Guidance within the Global Internal Audit Standards, comprises Global Practice Guides and Global Technology Audit Guides). The Institute of Internal Auditors.
TRANSCRIPT
I. TIMELESS AUDIT STANDARDS, UPDATED
AS: I want to start by talking about this latest update to the global internal audit standards. Typically, they're updated every five years, but this most recent update was a historic reimagining of the standards. It's a huge milestone in audit. Why was this the right moment to evolve?
MP: It is something we try to keep our attention on, because the world changes. But we have not done a very significant overhaul to our standards for about 20 years. They should not need to be updated frequently, but it has been two decades, and I think we're all in agreement that our world has changed, the pace of business has changed, how business is conducted has changed, and so we wanted to make certain that our standards were as usable by today's internal audit practitioners as possible.
So we decided to do a major overhaul. We started off by calling it the relook of the standards, but in fact it became much more than just a relook. We got the name a little bit later of IPPF Evolution, and IPPF is the International Professional Practices Framework. And that encompasses several different elements of guidance, the standards being one of them.
And so we did this historic relook to just be more fluid, to cover the needs of the practitioners that are in our various business sectors, and to really also be as responsive as possible to our stakeholders, internal auditors. Internal auditing itself really has a goal: to be helpful, to be of assistance to our stakeholders.
And that can be our organizations generally where we work, but it's also our board members, management of our organizations, and those who use the services of our organizations. We really wanted to ensure that these standards were where they needed to be for this time period.
AS: You've been working on updating these global internal audit standards for years. Tell us why they're interesting, and why internal auditors should care.
MP: One of the things that is so important, as internal audit professionals, is that we be transparent and accountable with what we're doing. We've been charged with coming into different areas in our organizations, assessing them, auditing them, doing advisory work in their areas.
And we need to do that in a structured, fair and objective way. That's one of the reasons that standards are so important to us—that we have a consistent approach to how we do internal auditing, and so we develop the standards that have principles associated with them that everyone can look at, and be aware of.
And so it is encouraging and exciting for us to think about having standards that are set in the public interest and serve our members to help them to do their jobs as effectively and efficiently as they can, because we want to be successful and we want to help our organizations be successful. So I think these standards give us a structure that we can work with to do that.
AS: What would you say are the three or four key updates that internal auditors should be aware of?
MP: Even though we did a historic reimagining of the standards, we did not change the profession. What we were really trying to do is ask how can we make those more helpful, usable, even user friendly, if you will, for our internal auditors? So we started off by asking our stakeholders, asking our members, what would make the standards more helpful to them. And so whenever we got that feedback, that's how we structured the changes. And one of them was simplification, making them more concise. Over time, there have been elements added to the standards. It had different components of a mission, a definition, code of ethics, principles and implementation guides.
When the users were looking for a topic or needed guidance around something, they could go to one place and see all of the different elements that they might want to consider. From a structural perspective, that was something we kept in mind.
And then we took all of the standards and how they were previously organized, and we put them into five domains. If you want to see topics on ethics and professionalism, you can go right to that domain and look. If you are working with your board or your management, and you're trying to get guidance about that, you can go straight to that domain. Or if you are a staff auditor and you're working on an engagement somewhere, and you're trying to make certain that you're covering the bases you need to, there's a domain for conducting the audit engagement. That structure was important.
And then the other significant change is in the domain that I've just referenced around governance, and around the oversight that our boards have in the relationships that internal auditors have with their boards. Senior management is also a significant part of that, and so for the first time in our standards, we now have more structured guidance around those relationships. And I think that in the near term and longer term, that's going to be helpful to our chief audit executives, and to the internal audit functions as they communicate in meaningful ways with their boards. I'd say those are some of the highlights.
—
II. TECHNOLOGY’S IMPACT ON AUDIT
AS: You mentioned that the pace of business has changed. And of course we can't talk about the pace of business without talking about technology. How does technology impact continuous risk monitoring and dynamic audit?
MP: I'm going to address that in two ways. First, whenever we are looking at the risks that exist in our organization and we're developing our work plans, we're going to be looking at technology. So as an internal auditor, we need to be prepared to assess those risks and then address them as necessary. But we try not to be so specific in the standards because technology changes so rapidly, and we want our standards to be as timeless as possible.
But another very important element related to technology is how we as internal auditors use technology to perform our work as effectively and efficiently as possible. There are always new things that come up and that are available to us. So the standards address, again at a higher level, the need for internal auditors to continually be developing their competencies.
And sometimes, that's through training or particular certifications. But sometimes it involves obtaining specialized resources to look at something very specific. Both of those concepts feed into having that dynamic internal audit function that can be responsive, and address continuous risk in our organizations.
AS: You noted there are many moving pieces when developing standards. There was feedback solicited from many different stakeholders. And that feedback was used to determine how it was applicable to the public sector, as well as internal audit functions. Given all of that, how did you come to a consensus?
MP: When we embarked on this project, we knew that, as I said earlier, we really wanted to be responsive. We did not want to be a standards board that sat in a room and came up with thoughts and just pushed them out. That would not have been successful. So three years ago, we started research and outreach efforts and we did a global practitioner survey. We talked with people who have conducted external quality assessments over the years and we reached out to other organizations that set standards to get best practices.
So all of this input was coming in and the staff was so diligent in putting it together because we were charged not only with our own desire to make these responsive, but we have an oversight council as well, made up of independent individuals that are appointed from outside bodies who are going to be looking at how we develop these, in the public interest, so that the standards would be serving as many of our different stakeholders and parties as possible.
After we got all of that input, that helped us to prepare what we call the exposure draft of the new standards. And then when we had that exposure draft, we did everything possible to get it out in front of all of those individuals that gave us input.
We had a survey individuals could respond to. We had thousands that responded to it, and gave us individual feedback. Then we started the process of putting and grouping that information that we got in those perspectives from the stakeholders into some major themes. I have never seen a group of people work together as collaboratively and cooperatively as this group did.
AS: It sounds like it was a rewarding experience. Is that fair to say?
MP: I think that when I look back at the things that I've done over time in my career, being a part of this team, being the chairman of the Standards Board at this time, will be one of the highlights for me. And I hope that the standards will last 20 years, like the ones that we're just looking at replacing.
AS: The new standards apply globally, and they apply to organizations regardless of their purpose, size, complexity, or structure. That means that they need to be adaptable to different situations and different circumstances. How did they provide guidance across such a diversity of organizations?
MP: You are correct. In the last probably 10 years or so, my engagement in different capacities with the IIA has pointed out just how diverse our world is, and the different organizations that make it up. And another element in addition to the purpose and size of our organizations is also the maturity of the internal audit functions themselves, and their ability to work with the standards. And we wanted these to be as globally and universally applicable as possible.
So one of the things we did to attempt to make that easier and more effective, is that in each of the five domains we have the principles that apply. And then we also have the standards that map to those principles. But then underneath those requirements, we have two new elements. One is called Considerations for Implementation, and one is called Examples of Evidence of Conformance. These considerations and examples are not requirements, but they are intended to give practitioners guidance to apply the standards in their settings.
These are considerations for them to think about, whether they are in the public sector or working in a financial organization or working in a very regulated area. They have different examples that they may be able to follow. And then, a key part of what we do is document the work that we've done. And all of these examples can be scaled based on type of organization and type of internal audit function.
AS: So over the long term, it seems pretty clear that the standards are going to simplify and streamline the profession, but in the short term, change isn't always easy. What supporting resources do you have to help practitioners implement the changes and ensure they're rolling them out in a way that does not disrupt the business?
MP: As I mentioned earlier, we didn't change the profession. Generally, if an internal audit function today is conforming with our current standards, I would not expect there to be a crisis of non-conformance when they see the new standards. If we see some gaps, these can be deployed and utilized for the next year, because it will be a 12 month period of time after the standards are released that our internal audit professionals will have to be in conformance with the new standards.
But having said that, we do want to make it as seamless and easy as possible for them. And so we'll release a disposition report that summarizes the themes, the feedback, and what changed. We'll also be releasing a comparison document that will outline the differences between the standards that we're dealing with today, and the 2024 Global Internal Audit Standards, so that individuals can determine whether those changes are something that they'll need to address.
And there will also be many informational and training opportunities throughout the year of 2024 to help individuals and any stakeholders better understand the impact that the new standards will have.
—
III. DEVELOPING BEST PRACTICES
AS: You're the Chief Audit Executive for the University of Texas system, which is one of the largest in the country. How has your role informed your work at the IIA and in helping develop these standards?
MP: One of the things that the IIA has always done is to utilize a great mix of both staff resources and volunteer resources. We have a volunteer network of practitioners across the globe that are invaluable in all of the different elements of work that we need to do. I’m a career internal auditor, and I think I have the information flow, and the benefit has absolutely gone both ways. Whenever I have been working on any topic, with the IAA and most recently with the standards, I have been able to hopefully bring to the table the experiences of practical work applying experiences we have.
And that's one of the reasons that on our standards board, we do look for diversity of all types. And we have people representing diverse organizations we talked about in the public sector, private sector, large, small goods, and services.
So we're all bringing our real life experiences into this practicality. And then also, as we sit around the table and hear from individuals with these diverse backgrounds, I'm able to bring back to the University of Texas system those concepts, those best practices that I've learned to help us do our work better.
AS: You've also achieved great success in your own career. You were recognized as a distinguished faculty member in the IIA's Volunteer Faculty Program. You served as the chair of the IIA's Global Board in 2017, and you are also in their American Hall of Fame as a Distinguished Audit Practitioner. I mentioned all of that because I think it would be helpful to our listeners to really understand who were your mentors, those people who guided you along the way.
MP: It started for me many years ago as a young professional, wanting to get outside the daily environment at the organizations I was in, to reach out and to have a broader network, to really challenge myself and to also give back.
I have always had a personal interest in education and training, and developing oneself. And maybe that's one of the reasons that I've been auditing in higher education for my entire career. As I did that, I had opportunities to contribute at local levels and then regional, district regional levels, and up it went to North America and then global. At each of those levels, I really feel that the advancement opportunities I had were because of the networking and the professionals that I was associating with.
And I just consider myself to be so fortunate to have been around people that were willing to share back with me. And so that's what I have also tried to do with others that are earlier in their career currently, even down to interns that we have that come from different University of Texas System Institutions that work here in our Internal Audit Department. I think it's a key responsibility for us, particularly in the last several years since the effects of the pandemic have really impacted the ways in which professionals interact.
AS: If you could tell us the one thing that you're excited about in terms of how the new standards will improve the profession, what would that be?
MP: I hope to hear from our members that this new set of global internal audit standards is going to make their job easier to do more effectively. Because our goal is to serve our organizations. That's why we're the internal auditors, not external auditors or reviewers or regulators. I hope that our internal auditors are working in their organizations because they care about the mission and the goals and the objectives of those organizations.
We've really had a focus on not just conformance, but performance. So if you conform and you perform at a high level, that is going to equal increased quality. And that is going to reflect back on the internal auditor who is working so hard to do all those things for their organizations.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on December 23, 2023.
Listen on Apple Podcasts, Spotify and YouTube
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.