Domains II and V Frequently Asked Questions
The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity specific to her presentation on Domains I and IV – Purpose of Internal Auditing and Managing the Internal Audit Function.
Domain I: Purpose of Internal Auditing
Q: If the firm doesn’t include a Purpose Statement in Internal Audit Charter, aligned with Domain I guidance, then is that a gap in adhering to the IIA Standards from a Quality Assurance perspective?
A: There aren’t any standards detailed under Domain I, nor are there any examples of evidence of conformance. However, without a purpose statement embedded in everything it is unclear how the internal audit function could be seen to conform with the Standards and the essence of who and what the internal audit function is.
Domain I calls out internal audit’s value. It positions internal audit as helping organizations achieve their objectives and make the right decisions. The purpose statement replaces what was once the Mission statement, by combining elements from the current definition and mission. The purpose statement helps the internal audit function and internal auditors in their role by:
- Providing a clear and concise statement of the role of internal auditing to share with key stakeholders and outlines conditions that are necessary for internal audit and internal auditors to be effective in their role – essentially an elevator pitch.
- It establishes an effective framework for relationship building and having discussions with the Board and senior management.
- And, finally, the Chief Audit Executive (CAE) can use the Purpose Statement to explain and to validate to the Board and senior management the internal audit function’s vital role.
Q: Is Domain I considered a standard purpose statement or are we expected, required, or allowed to make it specific to our organization?
A: The Purpose Statement is intended to assist internal auditors and internal audit stakeholders in understanding and articulating the value of internal auditing.
The intention is that Domain I is appropriate for the majority of internal audit functions. However, if as the CAE you consider it appropriate to enhance the purpose statement to ensure that it is relevant to your organization, then that needs to be agreed with the Board, Audit Committee and senior management.
Q: What is foresight in auditing? Should foresight be the sole responsibility of internal audit? Surely, management is responsible for identifying, managing, and mitigating risks, which should include having foresight in identifying new potential risks. Internal audit can and should bring a perspective to help identify new and emerging risks and potentially the next crisis (i.e., issues around regulations and/or legislation).
A: No, the ability to horizon scan and look to the future isn’t the sole responsibility of the internal audit function. Foresight for internal auditors involves contemplating and preparing for key risks and challenges that organizations might encounter. It’s about anticipating future needs and sharing those perspectives with management and the board. It is also about using tools such as SWOT (strengths, weakness, opportunities, and threats) when assessing internal risks and PESTEL (political, environmental, social, technological, economic, and legislative) when assessing external risks.
Domain IV: Managing the Internal Audit Function
Q: What are the roles and responsibilities of a CAE?
A: Domain IV – Principle 9: The chief audit executive is responsible for managing the internal audit function in accordance with the internal audit charter and Global Internal Audit Standards. This responsibility includes strategic planning, obtaining, and deploying resources, building relationships, communicating with stakeholders, and ensuring and enhancing the performance of the function. The individual responsible for managing the internal audit function is expected to conform with the Standards, including performing the responsibilities described in this domain whether the individual is directly employed by the organization or contracted through an external service provider. The specific job title and responsibilities may vary across organizations. The chief audit executive may delegate appropriate responsibilities to other qualified professionals in the internal audit function but retains ultimate accountability.
Q: There is a requirement that the CAE and the internal audit function have an understanding around governance, risk management, and control processes. How might you meet this requirement if you know that you haven’t covered all of this in either assurance or advisory services?
A: Standard 9.1: The chief audit executive’s understanding is developed by gathering information broadly and viewing it comprehensively. Sources of information include discussions with the board and senior management, reviews of board and senior management minutes and presentations, communications and workpapers from internal audit engagements, and assessments and reports completed by other providers of assurance and advisory services. The internal audit function will also support the CAE regarding governance, risk management, and control as part of the outcomes of assurance and advisory work.
Q: Will the presentation and discussion with the Board/Audit Committee of the internal audit’s strategy, if evidenced by minutes of meetings, be sufficient to satisfy the Standard 9.2 Internal Audit Strategy?
A: Standard 9.2: The internal audit strategy is a key document that will support both the internal audit function and the organization achieving their objectives.
To develop the vision and strategic objectives of the internal audit strategy, the chief audit executive should start by considering the organization’s strategy and objectives and the expectations of the Board and senior management. The chief audit executive may also consider the types of services to be performed and the expectations of other stakeholders served by the internal audit function, as agreed in the internal audit charter.
The internal audit strategy should be adjusted whenever changes occur in the organization’s strategic objectives or stakeholders’ expectations.
The chief audit executive may design a timeline for implementation of the internal audit strategy and related performance measures. A periodic review of the internal audit strategy should include a discussion of the internal audit function’s progress on initiatives with the Board and senior management.
So yes, if the minutes evidence the conversation, then this should be sufficient to demonstrate conformance with Standard 9.2.
Q: What makes for an effective internal audit methodology (e.g., online platform, MS Word)? How do you strike the balance between clear guidance vs. length of methodology?
A: Standard 9.3: The form, content, level of detail, and degree of documentation of methodologies may differ based on the size, structure, complexity, industry/regulatory expectations, and maturity of the organization and the internal audit function. Methodologies may exist as individual documents (such as standard operating procedures) or may be collected into an internal audit manual or integrated into internal audit management software.
Internal audit methodologies supplement the Standards by providing specific instructions and criteria that help internal auditors implement the Standards and perform services with quality. Additionally, internal audit methodologies describe processes and procedures for communicating, handling operational and administrative matters, and overseeing the internal audit function.
The Standards do not specify length. It is about providing a framework methodology that is appropriate to the maturity of your internal audit function.
Q: Please elaborate on coordinating with assurance providers. Who are the related stakeholders?
A: Standard 9.5 talks about how the chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers.
The chief audit executive should develop a methodology for evaluating other providers of assurance and advisory services that includes a basis for relying upon their work. The evaluation should consider the providers’ roles, responsibilities, organizational independence, competency, and objectivity, as well as the due professional care applied to their work. The chief audit executive should understand the objectives, scope, and results of the work performed.
Q: What will be some effective ways to build stakeholder relationships to improve engagements and enable them to adopt a risk mindset as some auditees may not have a risk background? Should the CAE attend senior leadership team meetings?
A: Principle 11 and Standard 11.1: The chief audit executive guides the internal audit function to communicate effectively with its stakeholders.
Effective communication requires building relationships, establishing trust, and enabling stakeholders to benefit from the results of internal audit services.
The chief audit executive is responsible for helping the internal audit function establish ongoing communication with stakeholders to build trust and foster relationships.
Additionally, the chief audit executive oversees the internal audit function’s formal communications with the Board and senior management to enable quality and provide insights based on the results of internal audit services.
The chief audit executive should be included in the organization’s communication channels to keep current with major developments and planned activities that could affect the objectives and risks of the organization.
The chief audit executive should also attend meetings with the board and key governance committees, as well as senior management and groups that report directly to senior management, such as compliance, risk management, and quality control.
Q: Is the IIA Quality Manual going to be updated to reflect the new standards?
A: Yes, The IIA is intending to update the Competency Framework to align with the Global Internal Audit Standards. Standard 12.3
Q: What is the frequency of an internal self-assessment and is there an intention that an external quality assessment would be performed, specifically to ensure conformance to the Standards?
A: Standard 12.1: Periodic self-assessments provide a more holistic, comprehensive review of the Standards and the internal audit function. Periodic self-assessments address conformance with every standard and may be conducted by senior members of the internal audit function, a dedicated quality assurance team, individuals within the internal audit function who have attained the Certified Internal Auditor® designation or have extensive experience with the Standards, or individuals with audit competencies from elsewhere in the organization.
The chief audit executive should consider including internal auditors in the periodic self-assessment process to improve their understanding of the Standards.
Periodic self-assessments enable the internal audit function to validate its conformance with the Standards. They also evaluate the adequacy of the internal audit function’s methodologies, how well the internal audit function supports the achievement of the organization’s objectives, the quality of internal audit services performed, and supervision provided, and the degree to which stakeholder expectations are met and performance objectives are achieved.
Therefore, a periodic self-assessment looks at conformance and performance. The best practice would be an annual self-assessment with the outcome reported to the Board and Audit Committee regardless of the size of the internal audit function.
Q: Identifying appropriate qualitative and quantitative Performance Measures can be challenging. Are there any examples you could suggest? Do we need to report on the performance measures to the board, Audit Committee, and senior management?
A: Standard 12.2: The chief audit executive must develop objectives to evaluate the internal audit function’s performance and consider the input and expectations of the Board and senior management when developing the performance objectives.
The chief audit executive must develop a performance measurement methodology to assess progress toward achieving the function’s objectives and to promote the continuous improvement of the internal audit function.
When assessing the internal audit function’s performance, the chief audit executive must solicit feedback from the board and senior management as appropriate. Examples of performance categories to consider when establishing performance objectives and measures may include:
- Coverage of engagement objectives expected to be reviewed according to the internal audit mandate.
- The extent to which the internal audit conclusions at the level of the business unit or organization address significant objectives of the organization. (See also Standard 11.3 Communicating Results.)
- The percentage of recommendations or action plans completed by management that result in desired outcomes, as monitored by the internal audit function.
- Percentage of the organization’s key risks and controls reviewed.
- Stakeholder satisfaction regarding understanding of engagement objectives, timeliness of engagement work, and clarity of engagement conclusions.
- Percentage of the internal audit plan (as adjusted and approved) completed on time.
- Balance of assurance and advisory engagements in the internal audit plan relative to the internal audit strategy.
- External quality assurance reviews confirming internal audit function conformance with the Standards.
- Quality assurance reviews confirming that adequate competencies are in place to perform the scheduled internal audit engagements.
- Internal auditor learning and development plans linked to the internal audit strategy and the organization’s developing risks.
- Staff holding at least one recognizable professional certification relevant to internal auditing.
Q: Is the IIA Quality Manual going to be updated to reflect the new standards, including self-assessment guidance and templates? Will it include new guidelines for the QAIP?
A: Yes, The IIA is intending to update the Competency Framework to align with the Global Internal Audit Standards. But, in the meantime, Standard 12.3 provides guidance on overseeing and improving engagement performance, which is a significant part of internal audit quality.
When planning engagements, the chief audit executive, or a designated engagement supervisor, should review the engagement objectives. Supervision may include opportunities for staff development, such as post-engagement meetings between the internal auditors who performed the engagement and the chief audit executive.
Assessing the skills of the internal audit staff is an ongoing process extending beyond reviewing engagement workpapers. Based on the results of skill assessments, the chief audit executive may identify which internal auditors are qualified to supervise engagements and assign tasks accordingly.
The primary criterion for approval of the work program is whether it achieves the engagement objectives efficiently. The work program includes procedures for identifying, analyzing, evaluating, and documenting engagement information. Engagement supervision also involves monitoring that the work program is completed and approving changes to the work program.
General questions
Q: The Audit Committee has asked us to have an external quality assessment in 2025. However, our internal audit function was only established in 2022. Should we delay the assessment to 2026, allowing more time to adapt to the new 2025 standards? Also, could the organization and/or the internal audit function decide not to have an external quality assessment?
A: Domain III – Standard 8.4: The Board and chief audit executive may determine that it is appropriate to conduct an external assessment more frequently than every five years.
There are several reasons to consider a more frequent review, including changes in leadership (for example, senior management or the chief audit executive), significant changes in internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover.
Additionally, some organizations, such as those in highly regulated industries may prefer or be required to increase the frequency or scope of the external quality assessments.
The frequency of an external quality assessment should be discussed with the Board/Audit Committee. It is a requirement of the Standards that, at a minimum, there should be an external quality assessment every five years. However, if the Board/Audit Committee doesn’t require an external quality assessment the CAE needs to explain the risks associated with such an approach (i.e., independent assurance as to the credibility of the internal audit functions - meaning the internal audit function isn’t conforming with the Standards).
Q: Has the IIA considered a supplement to the 2024 Standards that specifically focuses on how a small internal audit team (2-4 total members, including the CAE) and a small public sector audit shop, might endeavor to comply with each portion of the standard? Small teams have limited resources and time to develop a lot of what is being discussed in Domain IV.
The internal audit function’s ability to fully conform with the Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.)
While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. These differences may affect how internal audit functions in the public sector apply the Standards. The section “Applying the Global Internal Audit Standards in the Public Sector,” which follows Domain V: Performing Internal Audit Services, describes strategies for conformance amid the circumstances and conditions unique to internal auditing in the public sector.
Q: If our last EQA rating was "generally conforms" will that mean we will be "generally conforms" regarding conformance with the Global Internal Audit Standards? Might we need to undertake some enhancements rather than a transformative change? How might one engage with senior stakeholders without overwhelming them with too much information that promotes overthinking what should be a simple roadmap to get there?
A: Domain III: To assume that you would be ‘generally conforms’ with the 2024 Standards based on the latest quality assessment is the very rationale for undertaking a gap analysis. The new Standards, especially regarding Domain III, outlines senior management’s responsibilities that support the Board’s responsibilities and promotes strong governance of the internal audit function.
While the chief audit executive is responsible for the requirements in this domain, activities of the Board and senior management are essential to the internal audit function’s ability to fulfill the Purpose of Internal Auditing.
These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the Board, senior management, and the chief audit executive, ultimately enabling an effective internal audit function.
Therefore, whilst not overwhelming senior stakeholders there will very much need to be a roadmap to help them understand their new and transparent role regarding Domain III.
Q: Do we need to conform with the Global Internal Audit Standards by January 9, 2025?
A: The Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function.
The Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both.
Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure. The Standards apply to the internal audit function and individual internal auditors including the chief audit executive. While the chief audit executive is accountable for the internal audit function’s implementation of and conformance with all principles and standards, all internal auditors are responsible for conforming with the principles and standards relevant to performing their job responsibilities.
If it isn’t possible to be in a state of conformance by January 2025 then the creation of an action plan detailing the work to be completed to demonstrate conformance needs to be prepared and shared with the Board, Audit Committee, and senior management. The Board /Audit Committee will then monitor delivery of the actions.
Publications from the IIA
Q: When will a new Internal Audit Model Charter become available?
A: The IIA has already published the internal audit charter and mandate model. There is a model charter and mandate both for the public sector and for the private sector.
The links to the two documents are here:
Q: Where is the two-way mapping document created by The IIA?
The IIA has created two tables to help members understand the changes:
- The first maps the 2017 elements to their counterparts in the 2024 Global Internal Audit Standards.
- The second maps the requirements and essential conditions from the 2024 Standards to their equivalents in the 2017 IPPF.
The link to the document is here:
Q: What if the current CAE has no professional certifications, including the CIA? Should this be part of the CAE's job specs?
A: Domain III, Standard 7.2 cover CAE Qualifications: The Board/Audit Committee collaborates with senior management to determine which competencies and qualifications the organization expects in a chief audit executive.
The competencies may vary according to the internal audit mandate, the complexity and specific needs of the organization, the organization’s risk profile, and the industry and jurisdiction within which the organization operates, among other factors.
The desired competencies and qualifications are typically documented in a job description and may include:
- A comprehensive understanding of the Global Internal Audit Standards and leading internal audit practices.
- Experience building and managing an effective internal audit function by recruiting, hiring, and training internal auditors and helping them develop relevant competencies.
- Certified internal auditor designation or other relevant professional education, certifications, and credentials.
- Leadership experience.
- Industry or sector experience
In the CAE doesn’t have an appropriate certification then the Board/Audit Committee may require the CAE to take the CIA certification.
Q: The IIA Certifications will require new syllabi. When will the new exams be available?
A: Work is currently ongoing regarding the certifications.
- Detailed information and various scenarios are available at theiia.org/cia2025.
- The CIA exam will not change until May 2025.
- The Internal Audit Practitioner exam will not change before the January 2025 effective date.
- The CRMA exam is not affected by changes to the Standards.
- For questions about exam preparation materials, please reach out to the review providers directly.
If you are taking examinations, please monitor The IIA’s certifications page (see the link above).
Links to relevant documentation on the IIA website
-
Members only
- Public access
Additional resources
