Unfit for Complexity
A Board-Level Critique of the IIA’s Global Internal Audit Competency Framework
For directors and executives asking: Is this a framework for control? Or, a shield against relevance? What can audit say without consequence?
Boards frequently ask what value internal audit brings to the organization beyond compliance. The Institute of Internal Auditors’ (IIA) 2025 Global Internal Audit Competency Framework attempts to answer that by offering a structured model of professional development. With ten core domains, four proficiency tiers, and templates for self-assessment, it presents a crisp taxonomy of the skills and behaviors expected from internal audit professionals at every stage.
This framework has value. It’s clean, consistent, and professionally legible. But if your organization operates in a complex environment, where strategy, regulation, and risk evolve in real time, then this document, while tidy, is not enough. Worse, used uncritically, it may reinforce the very patterns that limit audit’s strategic contribution.
What the Framework Gets Right
The IIA framework gives internal audit something every maturing function needs: language and structure. It lays out developmental expectations across areas like governance, ethics, communication, and technology. It maps the journey from novice to expert with useful specificity.
For CAEs leading teams in regulated, compliance-heavy environments, or those in jurisdictions where internal audit is still emerging, this document offers both credibility and coherence. It helps HR functions and audit committees align expectations, plan development, and benchmark maturity. And in its emphasis on communication, collaboration, and interpersonal influence, it nods toward the growing importance of soft skills in delivering real impact.
Importantly, the framework doesn’t restrict internal audit to compliance work. It includes language on advisory roles, continuous improvement, and organizational learning, at least at the higher levels of competency. That’s progress, and it matters.
But let’s not confuse structural polish with adaptive capacity.
What the Framework Could Improve
1. It Treats Complexity Like a Technical Problem
The framework is built for a complicated world, a world where knowledge is cumulative, procedures are repeatable, and expertise reduces uncertainty. In such a world, audit makes sense as a control mechanism. It tests, validates, and assures against a known standard.
But most modern organizations don’t operate in merely complicated environments.
They operate in complex adaptive systems (a mix of complicated and complex) contexts where outcomes emerge from interactions, not linear plans; where cause and effect shift as actors respond to each other; and where certainty is often retrospective.
The IIA’s model doesn’t account for that. It assumes clarity is achievable through role mastery and skill accumulation. But in complexity, clarity isn’t something you master. It’s something you negotiate, in context, with others, under pressure.
Definition:
Complicated systems have many parts but follow predictable rules (e.g., processing invoices or aircraft maintenance).
Complex systems involve uncertainty, feedback loops, and shifting dynamics (e.g., public trust, innovation risk, geopolitical volatility).
2. It Overemphasizes Individual Capability
The framework is designed around the idea that competence resides in the individual: the auditor acquires knowledge, builds skills, moves up. But in complex systems, value often emerges through interaction, between functions, across silos, through trust-based networks.
There’s no mention of collective sensemaking, psychological safety, team dynamics, or organizational learning as drivers of audit effectiveness. No attention to how internal audit interacts with the system’s politics, memory, or habits.
Audit doesn’t create value in isolation. It does so relationally, by what it notices, who it tells, and whether those insights land.
3. It Treats Internal Audit as External to the System It Evaluates
By framing audit as a neutral observer, the framework reinforces a view that internal audit should remain independent, detached, and evaluative. This aligns with regulatory standards, but it denies a basic truth: audit functions shape the very systems they assess.
An audit function that’s seen as punitive or opaque drives defensive behavior. One that reports findings through rigid protocols misses early signals of system strain. When audit isn’t trusted, it becomes a formality, not a feedback loop.
Key point:
Audit is not a passive mirror. It participates in the system. Its presence, language, and methods have effects, intended or not.
4. It Avoids Power, Politics, and the Problem of Being Ignored
The framework never addresses what happens when audit insights are unwelcome, when the board isn’t interested, when management bristles, or when the CAE faces quiet resistance. There’s no mention of how trust is earned, how truth is negotiated, or how organizational culture shapes what can be said.
Information doesn’t move cleanly in real organizations. It moves through relationships, power structures, and histories of past conversations. The idea that good methodology alone can carry critical insight is technically hopeful and politically naïve.
Additional clarity:
Audit doesn’t fail because it lacks insight. It fails when the insight can’t travel—when power shuts down what politics hasn’t already silenced. Boards should periodically ask not just ‘What is audit saying?’ but ‘What can audit say without consequence?’ That’s your real indicator of value.
5. It Simulates Rigor Through Templates
The appendices include matrices and scorecards to assess proficiency. These tools look precise. But they’re diagnostic theatre, rating relational courage or organizational savvy on a 4-point scale doesn’t produce better auditors. It produces compliance rituals.
Used for HR or performance review purposes, these templates reward polish over perceptiveness. They promote conformity over curiosity. And they give boards a false sense of progress.
Should Internal Audit Expand Its Role or Stay Independent?
The framework hints that internal audit can support management while still reporting to the board. But it never addresses the tension this creates. In reality, audit leaders face three options:
Stay purely compliance-focused, reporting only to the board.
Support management and strategy, while preserving formal independence.
Split the function, separating assurance from adaptive insight.
From a governance and complexity perspective, Option 3 deserves serious consideration.
Assurance audit protects the system: testing controls, ensuring regulatory compliance.
Systems insight supports adaptation: surfacing weak signals, challenging assumptions, feeding back intelligence in real time.
Both are necessary. But asking one function to do both compromises both.
This idea echoes the work of Tushman and O'Reilly on ambidextrous organizations. They argue that to both optimize and adapt, systems need structurally distinct roles: one to maintain order, one to explore. Trying to do both through one function typically leads to conservatism.
Additional clarification:
In many firms, audit expands horizontally instead of structurally. It takes on advisory roles without the redesign needed to manage the trade-offs. The result? It becomes too blunt to offer insight, too enmeshed to assure independence, and too vague to earn trust.
What Boards and Executives Should Do
1. Use the Framework. But Don’t Rely on It
It’s a good floor. But it’s not a ceiling. Use it to set baseline expectations. But don’t confuse role proficiency with system relevance. An audit function can ace every domain in this framework and still miss the risk that matters.
2. Ask Harder Questions
When was the last time audit told us something we didn’t want to hear?
Do we treat audit reports as insight, or as post-mortems?
Does the CAE have real influence in strategy conversations, or just access?
Board-facing provocation:
Audit can’t be braver than the board allows. If your CAE isn’t surfacing inconvenient truths, the problem may not be them. It may be the conditions you’ve created.
3. Consider a Dual Audit Structure
This isn’t about compromising independence. It’s about avoiding role confusion. Let one team focus on assurance: reporting cleanly to the board. Let another, perhaps staffed by former auditors, support management as a peer-level insight function.
If that feels uncomfortable, good. Comfort isn’t the goal. Clarity is.
Conclusion
Professional frameworks are essential. They protect integrity. But when the world stops cooperating with the categories we’ve built, holding the framework too tightly doesn’t make us safer. It just makes us slower.
That’s not a knock on the IIA. It’s a call for boards and executives to stop asking audit to do everything—and start asking what kind of insight they really want.
Because if audit is only there to confirm what we already know, we don’t need a framework.
We need a mirror.
Key Terms and Concepts (for context):
Complex system: An environment with many interacting elements where outcomes are unpredictable and evolve over time.
Sensemaking: The process of interpreting ambiguous signals to guide action.
Ambidextrous organization: One that separates structures for control (exploitation) and learning (exploration).
Fitness function: A concept from systems theory, what the system is ‘rewarding’ or selecting for, often unconsciously.
Role conflict: When one function is expected to serve competing masters without clarity or protection.
Source Notes and Theoretical Foundations
Complex Adaptive Systems (CAS): Defined by Holland (1992), refined by Stacey (1996), and applied in management by Snowden & Boone (2007). CAS theory focuses on non-linearity, emergence, and the adaptive behavior of interacting agents under conditions of uncertainty.
Ambidextrous Organizations: Tushman & O’Reilly (1996) argue for structural separation between exploitation (control, efficiency) and exploration (learning, adaptation) in complex firms.
Agency Theory: As per Eisenhardt (1989), internal audit acts as an agent of the board to reduce information asymmetry. This theory supports formal independence but is agnostic on how insight travels.
Competency Frameworks: Based on Human Capital Theory (Becker, 1964), these models assume that individual knowledge and skill accumulation lead to performance gains. This assumption is reliable in stable domains, but increasingly strained in complex environments.
Political Systems Thinking: Argyris (1990), Senge (1990), and Kahane (2010) highlight the role of interpersonal dynamics, defensive routines, and conversational power in how learning—and suppression—happen in organizations.
Aarnout Wennekers © 2025
#BoardGovernance #InternalAudit #ComplexityThinking #SystemsLeadership #AssuranceAndInsight #AuditRelevance