Reframing Internal Audit: Why the IIA IPPF Needs a Systemic, Strategic Overhaul
Aarn Wennekers
Defining Potential | Developing Blueprint for Success | Accelerating Performance | Harnessing Talent | Results Oriented Mindset = Superior Performance
Introduction: The Limits of Risk-Based Thinking in a Complex World
After more than 25 years operating at the intersection of internal audit, executive coaching, governance, and risk, I’ve reached a clear and provocative conclusion: The IIA’s International Professional Practices Framework (IPPF) no longer fits the world it was designed to serve.
The world today is not linear. It’s messy, adaptive, interdependent, and unpredictable. Organizations behave less like engineered machines and more like living systems. Leadership teams shift strategies midstream, boards face emergent crises, and risk — once something we tried to map and mitigate — now morphs faster than our frameworks can keep up.
And yet, the IPPF still privileges stability over adaptability, risk over purpose, and assurance over learning. It fails to acknowledge the complex adaptive environments in which we now operate. It encourages internal audit to monitor, but not to enable. To control, but not to catalyze. To observe, but not to intervene.
Even more troubling, the IPPF keeps the door open to consulting work, which only fuels management’s desire to turn internal audit into a reactive support service. That door needs to close. Not because we fear involvement, but because we must protect the unique, system-level vantage point that only an independent, strategically embedded assurance function can offer.
I take a critical look at the IPPF from the lens of complex systems, strategic enablement, and board-level engagement. I outline where the framework holds value, where it fails spectacularly, and where it must evolve to remain relevant, not as a compliance relic, but as a future-ready leadership function.
What the IPPF Gets Right (And Still Matters)
Let me start with what I still respect. The IPPF does offer some valuable components:
Principles-Based Design: The standards are flexible enough to avoid checklist thinking. That’s vital when context matters more than control.
Assurance vs. Consulting Distinction: The .A and .C split acknowledges that internal audit can offer insight beyond traditional assurance, though this line is increasingly blurred.
Independence & Objectivity: These anchors must remain. They’re the foundation for trust, particularly with audit committees.
Quality Assurance Requirements: The QAIP mechanism — when used well — supports learning, integrity, and relevance.
These strengths are important. But let’s not confuse structure for strategy. These are table stakes — not differentiators.
The IPPF Assumes a Predictable World — But That World No Longer Exists
Here’s the core flaw: the IPPF treats the organization as a machine. If we identify the right risks, install the right controls, and apply the right methodology, we’ll prevent failure.
That worldview is obsolete. Today’s organizations behave like complex adaptive systems — full of feedback loops, power dynamics, social networks, and emergent behavior. Success is no longer linear. Strategy is no longer fixed. And performance is influenced more by culture and leadership than by compliance.
And yet, the IPPF is silent on all of this. It makes no mention of:
Systemic risk
Organizational learning
Emergence, non-linearity, or adaptive capacity
Internal audit cannot lead from behind. We must become the function that audits for learning, alignment, and purpose — not just control. We need to audit not only what’s documented, but also what’s latent, informal, and dynamic. That’s where the risk — and the opportunity — lives.
From Risk-Based Auditing to Objective-Achievement Auditing
Risk-based auditing served us well in a different era. But today, it’s no longer enough.
Risk is only half the equation. Organizations exist to achieve objectives — to deliver outcomes, to fulfill mandates, to create impact. And that’s what internal audit must focus on.
Objective-achievement auditing asks a different set of questions:
Are we aligned with our strategic purpose?
Are our structures and systems coherent enough to deliver results?
Is leadership creating clarity and enabling adaptation?
Are we learning fast enough to stay viable?
This shift isn’t about abandoning risk. It’s about putting it in context. Risk without purpose is noise. Purpose without capability is failure. Auditing for objective achievement places assurance in service of strategy — not separate from it.
And critically: this is where audit’s independence matters most. We’re not here to execute strategy. We’re here to evaluate whether the organization is actually equipped to achieve it.
Internal Audit’s Triple Role: Coach, Mentor, Advisor
The IPPF gives us a list of technical competencies. But it says almost nothing about the interpersonal, developmental, and systemic leadership roles that CAEs and audit leaders must play.
To be effective in today’s environment, internal audit must operate in three key modalities:
Coach: Creating space for reflection, challenge, and clarity at the executive and board levels.
Mentor: Supporting the growth of leaders and teams through experience sharing, ethical guidance, and organizational storytelling.
Advisor: Bringing systemic insight to strategy, structure, culture, and risk appetite — without crossing into management’s lane.
These roles allow us to intervene before assurance is needed, and well beyond the boundaries of an audit report. And when done right, they reinforce — not weaken — our independence.
Boards need this. Executives crave it. And the profession must normalize it.
Consulting Is the Wrong Direction: We Must Close the Door
Let me be blunt: internal audit should not be a consulting function.
Yes, we need to provide insight. Yes, we must be trusted advisors. But no, we should not design solutions, manage projects, or execute transformations. That’s management’s job.
The IPPF’s permissiveness around consulting invites a slow erosion of independence. It’s a slippery slope — and one that many CAEs are already sliding down.
We must reclaim our identity as:
Independent observers of system health
Strategic sensemakers
Navigators of boardroom blind spots
This is not retreat - it’s elevation. And it’s essential if we’re going to maintain credibility with audit committees.
“Adding Value” Is Not Enough — Let’s Redefine It Systemically
The IPPF encourages us to "add value." But it fails to define value in ways that reflect how modern organizations actually work.
In complex environments, value is:
Emergent
Relational
Multi-layered
Often invisible until it disappears
Value is created when internal audit:
Surfaces misalignment
Illuminates culture and behavior
Reflects system dynamics
Strengthens decision quality
It’s time we measure ourselves not just by the number of findings — but by the quality of conversations we enable, the clarity we create, and the resilience we support.
Conclusion: Let’s Lead the Shift and Not Wait for Permission
The future of internal audit won’t be secured by doubling down on risk registers or issuing more reports. It will be earned through relevance, clarity, courage, and strategic leadership.
The IPPF was a necessary foundation. But now, it’s a limited map in a world that demands a more expansive compass. Our role is not to follow — it’s to lead. Not to please — but to serve. Not to consult — but to catalyze.
Let’s shut the door on consulting. Let’s elevate the assurance function to its highest form — one that supports objective achievement, strengthens governance, and coaches leaders toward wiser, braver decisions.
Let’s show up systemically, strategically, and relationally.
That’s how internal audit stays indispensable.
That’s how we lead forward.
And that’s the future I choose to support and build.
Unlock Your Organization’s Full Potential
I work with boards, CEOs, and executive teams who are ready to move beyond outdated leadership paradigms and embrace a systemic, adaptive, and high-impact approach to governance and leadership.
If your board or leadership team is looking to elevate performance, increase strategic impact, and lead with confidence in complexity, let’s connect. DM me here on LinkedIn or email me at aarn@successadvisors.ca for a free, no-obligation conversation.
#InternalAudit #ObjectiveAchievement #AuditLeadership #ComplexAdaptiveSystems #GovernanceMatters #StrategicAssurance #BoardEffectiveness #CoachingInAudit #AuditTransformation #FutureOfAudit #TheIIA
Aarn Wennekers © 2025