Domain III: Governing the Internal Audit Function

Strengthening relationships

Domain III consists of three Principles (Principles 6 – Authorized by the Board, 7 – Positioned Independently, and 8 – Overseen by the Board) and nine Standards. Domain III examines several concepts necessary for understanding and strengthening the governance arrangements that support an effective internal audit function.

Many of these concepts existed in the 2017 Standards but more direct and clear details have been added to the revised Standards. While the CAE is responsible for the requirements in this Domain, activities of the Board/Audit Committee and senior management are identified as “Essential Conditions” in each Standard. They help establish the foundation for effective dialogue between the Board/Audit Committee, senior management, and the CAE, sharing, challenging, and supporting each other, and ultimately enabling an effective internal audit function.

Importance of the Internal Audit Charter

The Board/Audit Committee establishes, approves, and supports the mandate of the internal audit function as detailed in Principle 6. The mandate specifies the authority, role, and responsibilities of the internal audit function and is documented in the Internal Audit Charter. The internal audit function receives its mandate from the Board/Audit Committee (or applicable law in certain public sector environments).

What is the Internal Audit Mandate?

Standard 6.1 Internal Audit Mandate

Standard 6.1 Internal Audit Mandate, details the concepts of authority, role, and responsibilities that are combined into a single word: mandate. This captures the importance of the Board’s/Audit Committee’s role in initially authorizing the internal audit function. The mandate empowers the internal audit function to provide the Board/Audit Committee and senior management with objective assurance, advice, insight, and foresight, which is documented in the Internal Audit Charter.

What is the Internal Audit Charter?

Standard 6.2 Internal Audit Charter

Standard 6.2 Internal Audit Charter is a formal or codifying document that includes the mandate and detailed specifications about the function and the services it provides. Evidence of conformance includes Board/Audit Committee meeting minutes that show the Internal Audit Charter was discussed and approved. The CAE must also periodically review the Internal Audit Charter with the Board/Audit Committee and senior management.

Standard 6.3 Board and Senior Management Support

Standard 6.3 Board and Senior Management Support states the CAE must provide the Board/Audit Committee and senior management with the information needed to support and promote the internal audit function throughout the organization. This could be via meeting minutes or other communication between the Board/Audit Committee and senior management where the internal audit function was discussed. The chief audit executive should also have other interactions with the Board/Audit Committee between official meetings to keep the Board/Audit Committee apprised of the internal audit function’s progress. The types of information and the level of detail to be communicated by the chief audit executive to the Board/Audit Committee should be agreed upon by both parties.

What are Essential Conditions?

Essential Conditions are in each standard, in this Domain, and establish a necessary foundation for an effective dialogue between the Board/Audit Committee, senior management, and the chief audit executive, ultimately enabling an effective internal audit function. They are part of the mandatory requirements section of each Standard within Domain III.

There are several Essential Conditions in Principle 6, including:

• Enabling the function to have unrestricted access to information, personnel, and physical properties.
• Having regular, direct communication between the Board/Audit Committee and the CAE.
• Having the Board/Audit Committee approve the Internal Audit Charter, Internal Audit Mandate, internal audit plan, budget, and resource plan.

Establishing internal audit’s independence

Principle 7 addresses the Board’s/Audit Committee’s role. The board establishes and protects the internal audit function’s independence and qualifications.

Standard 7.1 Organizational Independence

Standard 7.1 Organizational Independence describes the CAE’s responsibilities for documenting reporting relationships and confirming the independence of the Internal Audit Function at least annually. This standard also outlines the requirements for safeguarding independence when the CAE has roles beyond internal auditing. Standard 7.1’s Essential Conditions describe attributes and practices of a direct reporting relationship between the Board/Audit Committee, senior management and the CAE.

Standard 7.2 Chief Audit Executive Qualifications

Standard 7.2 Chief Audit Executive Qualifications states that the CAE must help the Board/Audit Committee understand the CAE’s qualifications and competencies necessary to manage the internal audit function. Essential Conditions include involving the Board/Audit Committee engaging with senior management to appoint a chief audit executive with the qualifications and competencies necessary to manage the internal audit function effectively and ensure the quality performance of internal audit services. Consideration should also be given to succession planning for either a short-term or longer-term scenario.

Ensuring the internal audit function’s effectiveness

Principle 8 emphasizes that the Board/Audit Committee oversees the internal audit function to ensure the function’s effectiveness. Board/Audit Committee oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this principle requires collaborative and interactive communication between the Board/Audit Committee and the chief audit executive as well as the Board/Audit Committee’s support in ensuring the internal audit function obtains sufficient resources to fulfill the internal audit mandate.

Standard 8.1 Board Interaction

Standard 8.1 Board Interaction requires the CAE to provide the Board/Audit Committee with the information to conduct its oversight responsibilities. The CAE should also seek guidance from the Board/Audit Committee about its perspectives and expectations related to understanding and oversight of a broad range of nonfinancial governance and risk management concerns, such as strategic initiatives, cybersecurity, health and safety, sustainability, business resilience, and reputation. Essential Conditions include the Board/Audit Committee and senior management establishing the criteria for determining which issues should be escalated to the Board, such as significant risks that exceed the Board’s risk tolerance.

Standard 8.2 Resources

Standard 8.2 Resources requires that the CAE must evaluate whether internal audit resources are sufficient to fulfill the internal audit mandate and deliver the internal audit plan. If not, the chief audit executive must develop a strategy to obtain sufficient resources and inform the Board/Audit Committee and senior management about the impact of insufficient resources and how any resource shortfalls will be addressed. The CAE may perform a gap analysis between the resources available within the internal audit function and those needed to perform internal audit services. Although the Board/Audit Committee and CAE typically discuss resources annually during the internal audit plan presentation, quarterly discussions are often a best practice.

Standard 8.3 Quality

Standard 8.3 Quality requires the CAE to develop, implement, and maintain a quality assurance and improvement program covering all aspects of the internal audit function. The program includes two types of assessments - external assessments and internal assessments.  Quality is fundamental if internal audit wants the Board/Audit Committee and senior management to view them as a credible resource when providing assurance. Senior management participate with the Board/Audit Committee in an annual assessment of the chief audit executive and internal audit function’s performance objectives.

Standard 8.4 External Quality Assessment

Standard 8.4 External Quality Assessment requires that the CAE must develop a plan for an external quality assessment and discuss the plan with the Board/Audit Committee and senior management. The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team, of which at least one member must hold an active Certified Internal Auditor credential. The requirement for an external quality assessment may also be met through a self-assessment with independent validation. The Board/Audit Committee and senior management must understand the robustness of the quality assessment process to build trust.

Essential Conditions state that senior management should review the results of the external quality assessment, collaborate with the chief audit executive and Board/Audit Committee to agree on action plans that address identified deficiencies and opportunities for improvement, if applicable, and agree on a timeline for completion of the action plans. The Standard states that this review takes place every five years, but there will be instances where this may be conducted more frequently e.g., a new CAE or Board/Audit Committee chair. 

When scoping the engagement, the evidence of the subject's assessment and treatment of appropriate Topical Requirements must be documented and retained, as it will form part of the EQA evaluation.

The link between the Three Lines Model and Domain III

The globally recognized Three Lines Model illustrates the governance structures and processes that best enable organizations to achieve their objectives. Similarly, Domain III describes the unique partnership between the Board/Audit Committee, and 1^st and 2^nd line management and the internal audit function and how it drives organizational success.

The IIA has linked the Three Lines Model with Domain III. Domain III’s three Principles and nine Standards support the approval and mandate for the Internal Audit Function and outline how to maintain its effectiveness and success.

The IIA has recently issued a Domain III toolkit to help chief audit executives understand and communicate with the Board/Audit Committee and senior management about the requirements and Essential Conditions of Domain III: Governing the Internal Audit Function in the Global Internal Audit Standards.

Three tips to help you adhere to Domain III

With just a few months to go until the January 9, 2025, effective date, ensuring conformance should be a top priority for your internal audit function. Here are three tips to help you adhere to Domain III:

• Create connections

  Invite the chair of your Board/Audit Committee to attend an internal audit team meeting so they get to know the people within the internal audit team. It also allows the internal audit team to begin to understand the challenges of the Board/Audit Committee.

• Document all conversations

  Ensure that any one-on-one conversations with the Audit Committee chair are documented (perhaps via email) and stored in the Audit Committee folder on your network with access restricted to Audit Committee members and the CAE.

• Build stronger relationships

  Recognize that Domain III is about strengthening relationships between senior management and the Board/Audit Committee and, therefore, needs to be a two-way conversation with all parties sharing, challenging, and supporting each other.

Domain III Frequently Asked Questions

The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity specific to her presentation on Domain III: Governing the Internal Audit Function.

Domain III - Standard 6.1 and 6.2 – IA Charter and Mandate

Q: Must the Internal Audit Mandate and Charter be different documents, or could they be unified as a single document?

A: They don't need to be two separate documents.  Whilst there are two Standards in Domain III, one covering the mandate - Standard 6.1 and the other the Charter Standard 6.2 - it doesn’t require the internal audit function to have two separate documents.

The Internal Audit Charter needs to include the Mandate as it is different requirements to the charter. 

The IIA has published a model Internal Audit Charter template that demonstrates how the Charter and the Mandate exist in the same document. For further reference, here is the link.

Q: Regarding the Internal Audit Charter, we review it annually with the Board/Audit Committee. Does Standard 6.2 require a review each quarter, or twice a year rather than annually?

A: In Standard 6.2, Domain III the considerations for implementation state - the chief audit executive and the Board/Audit Committee should also agree on the frequency with which to review and reaffirm whether the Charter’s provisions continue to enable the internal audit function to accomplish its objectives.

A leading practice is to review the Charter periodically, reference it when questions about the Internal Audit Mandate arise, and update it as needed.

Periodically is usually consider as annually.

Q: What are the differences between the Internal Audit Mandate and the Internal Audit Charter?

The Mandate specifies the authority, role, and responsibilities of the internal audit function and is documented in the Internal Audit Charter. 

The Internal Audit Charter specifies:

• The Purpose of Internal Auditing.
• Commitment to adhering to the Global Internal Audit Standards.
• The Mandate, including scope and types of services to be provided.
• The board’s responsibilities and expectations regarding management’s support of the internal audit function.
• Organizational position and reporting relationships. (See also Standard 7.1 Organizational Independence).

Domain III – Standard 7.1 – Organizational independence

Q: Should CAEs be part of the leadership team, not just as an observer? If yes, what would be some key safeguards to ensure CAE's independence and objectivity are not impaired?

One of the Board/Audit Committee’s Essential Conditions in Standard 7.1, Domain III requires that the chief audit executive be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management.

This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Board/Audit Committee when necessary. 

Attendance at senior management team meetings enables the CAE to have access to senior management and the authority to challenge management’s perspectives.

To achieve this authority, it is leading practice for the chief audit executive to report administratively to the chief executive officer or equivalent, although reporting to another senior officer may achieve the same objective if appropriate safeguards are implemented.

The considerations for implementation reflect that when the CAE is evaluating whether independence is impaired, the chief audit executive should consider reporting relationships, roles, and responsibilities to determine whether actual, potential, or perceived impairments exist. Additionally, through discussions with the concerned parties, the chief audit executive may be able to resolve any situations of perceived impairments that do not in fact affect the internal audit function’s ability to perform its responsibilities independently.

Q: Is it required to include in the Internal Audit Charter the safeguards to protect independence in instances where the CAE has roles/responsibilities beyond internal audit (e.g., responsibility for risk, insurance, data protection)?

Yes, Standard 7.1, Domain III states - The chief audit executive must document in the Internal Audit Charter the reporting relationships and organizational positioning of the internal audit function, as determined by the Board/Audit Committee. (See also Standard 6.2 Internal Audit Charter.)

The chief audit executive must discuss with the Board/Audit Committee and senior management any current or proposed roles and responsibilities that have the potential to impair the internal audit function’s independence, either in fact or appearance.

The chief audit executive must advise the Board/Audit Committee and senior management of the types of safeguards to manage actual, potential, or perceived impairments.

When the chief audit executive has one or more ongoing roles beyond internal auditing, the responsibilities, nature of work, and established safeguards must be documented in the Internal Audit Charter.

If those areas of responsibility are subject to internal auditing, alternative processes to obtain assurance must be established, such as contracting with an objective, competent external assurance provider that reports independently to the Board/Audit Committee.

When the chief audit executive’s non-audit responsibilities are temporary, assurance for those areas must be provided by an independent third party during the temporary assignment and for the subsequent 12 months.

Also, the chief audit executive must establish a plan to transition those responsibilities to management.

Domain III – Standard 7.2 – Chief audit executive qualifications

Q: Is it compulsory for the CAE to be a certified internal auditor going forward as per the new global Standards?

Standard 7.2, Domain III covers CAE qualifications and states - The chief audit executive must help the Board/Audit Committee understand the qualifications and competencies of a chief audit executive that are necessary to manage the internal audit function.

The chief audit executive facilitates this understanding by providing information and examples of common and leading qualifications and competencies. The chief audit executive must maintain and enhance the qualifications and competencies necessary to fulfil the roles and responsibilities expected by the Board/Audit Committee. (See also Principle 3 Demonstrate Competency and its standards.)

The answer is perhaps not initially but there is an expectation that if a newly appointed CAE isn’t CIA, then moving forward, they will seek to become CIA designated.

Domain III – Standard 8.1 – Board interaction

Q: How do you advise CAEs to put these new Standards together and use it as an onboarding to new and existing Board/Audit Committee members?

That is a challenging question. When first building the new Standards the IIA issued a short document, here is the link.

It is a short, insightful paper, useful to share with your Board/Audit Committee, senior leadership team, CEO.  I would then focus the Board/Audit Committee and senior management on Domain III, as a second publication was issued by the IIA that links Domain III to the 3 Lines Model. The following link might be a useful focal point for your Board/Audit Committee.

There are also the overview Standards that might be a helpful starting point on YouTube.

Q: For a well-established internal audit function, the requirements of Domain III seem like a lot of extra work to infuse into an already busy Board/Audit Committee agenda. Will inclusion of this information in pre-read materials to the Board/Audit Committee suffice?

In many internal audit functions, a significant number of the requirements under Domain III are already in place. Is it really, therefore, a 'lot of extra work/information?’  The CAE will already share all the documents discussed (e.g., Charter, risk-based plan, strategic plan, strategy etc.) with the Board/Audit Committee. Perhaps the key difference is documenting the discussions and encouraging the Board/Audit Committee to engage in the conversation. The minutes of the meeting will then act as the documented record.

Domain III – Standard 8.2 – Resources

Q: Internal audit budget approval is not typically a responsibility of the Board/Audit Committee - how are organizations navigating this new requirement?

The majority of Boards/Audit Committees don’t currently approve the final budget for the internal audit function. However, I am aware of CAE’s addressing this requirement in the 2024 Standards by discussing the budget with the CFO/FD initially seeking their input before presenting it to the Board/Audit Committee for final approval supported by the CFO/FD. The Board/Audit Committee may well challenge the CAE seeking formal verbal agreement from the CAE that the budget being presented meets internal audit functions’ requirements regarding capacity and capability within the team in relation to the delivery of the internal audit plan, and the need to upskill the internal audit team to meet new technology challenges.

Domain III – Standard 8.3 – Quality

Q: Does the internal quality assessment have to be performed by an external party or can it be performed internally by the internal audit function or someone within the organization? If so, do those undertaking the internal quality assessment need to be CIA designated?

Standard 12.1, Domain IV requires that the chief audit executive must develop and conduct internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards and progress toward performance objectives.

It goes on to say in the Considerations for Implementation that periodic self-assessments provide a more holistic, comprehensive review of the Standards and the internal audit function.

Periodic self-assessments may be conducted by senior members of the internal audit function, a dedicated quality assurance team, individuals within the internal audit function who have attained the Certified Internal Auditor® designation or have extensive experience with the Standards, or individuals with audit competencies from elsewhere in the organization.

The chief audit executive should consider including internal auditors in the periodic self-assessment process to improve their understanding of the Standards. Periodic self-assessments enable the internal audit function to validate its conformance with the Standards.

To answer the question, an internal assessment doesn't have to be undertaken by someone with the CIA designation.

Q: It is at times challenging to get buy-in for Quality Assessment Reviews unless they are mandatory. Are there any plans to mandate this?

In the current economic climate, additional costs are very much front and center of an organization’s thinking. However, it is a requirement in the new Standards for an internal quality program.

The true benefit from assurance review and the quality assurance program is the assurance that it brings regarding conformance with the Standards and the performance of the internal audit function to key stakeholder (i.e., Board/Audit Committee and senior management).

The internal audit function needs to be credible within the organization as to the level of assurance it provides and whether the assurance can be relied upon. 

The internal quality improvement program and the external assessment provides that level of assurance around what we do, how we do it, and whether we are conforming with the Standards. 

Standard 8.3, Domain III requires that the chief audit executive must develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function.

The program includes two types of assessments:

• External assessments. (See also Standard 8.4 External Quality Assessment.)
• Internal assessments. (See also Standard 12.1 Internal Quality Assessment.)

At least annually, the chief audit executive must communicate the results of the internal quality assessment to the Board/Audit Committee and senior management.

The results of both the internal assessment and the external assessments must be reported to Board/Audit Committee and senior management when completed.

Domain III – Standard 8.4 – External Quality Assessment

Q: For an External Quality Assessment (EQA), must the external provider have at least one member of the team who is CIA designated?

Standard 8.4, Domain III - EQA clearly states that the chief audit executive must develop a plan for an external quality assessment and discuss the plan with the Board/Audit Committee.

The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team.

The requirement for an external quality assessment may also be met through a self-assessment with independent validation. 

When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation. 

If you currently have an EQA provider, but none of the team hold the CIA designation, there are perhaps some options. The current EQA team could recruit/second someone who has the CIA designation, someone within the team obtains the CIA designation, or you seek another EQA provider who meets the requirements of Standard 8.4.

Q: Our Internal Audit Function is only 2 years old. We are still assessing the requirements of GIAS. Do we need to be aligned by Jan 2025?

The IIA Global Internal Audit Standards are effective from January 2025 and therefore there is an expectation that internal audit functions will have achieved conformance or will be working towards conformance. 

It will depend on the maturity of the internal audit function. In the example described in the question, I would suggest that as you have only been in existence for 2 years you need to develop a plan that will drive you towards conformance by a given point in time, perhaps around mid-year 2025? 

Then share that plan with the Board/Audit Committee as they will be able to support the internal audit function’s achievement of conformance and monitor progress towards conformance.

Q: Is an External Quality Assessment (EQA) recommended for small Internal Audit teams (7 person)? Should the EQA be every 5 years, at a minimum, or for a smaller team should there be a more frequent timeline for an EQA?

The internal audit function’s ability to fully conform with the Standards may be affected by its size, maturity, or the size and maturity of the organization.

With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.)

The Board/Audit Committee and chief audit executive may determine that it is appropriate to conduct an external assessment more frequently than every five years.

There are several reasons to consider a more frequent review, including changes in leadership (for example, senior management or the chief audit executive), significant changes in internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover.

Additionally, some organizations, such as those in highly regulated industries may prefer or be required to increase the frequency or scope of the external quality assessments.

General questions

Q: For the Head of Internal Audit to remain effective, is there a maximum number of years that should be observed?

The Chartered IIA produce a Code of Practice for the Private sector. Here is the link (available to non-members).

The Code of Practice states in paragraph 24 - This appraisal should consider the independence, objectivity, and tenure of the chief internal auditor. Where the tenure of the chief internal auditor exceeds seven years, the Board/Audit Committee should explicitly discuss annually the chair’s assessment of the chief internal auditor’s independence and objectivity.

But this isn't from the IIA, it is from the Chartered IIA UK and Ireland. Nevertheless, it may be helpful to review.

Q: Do the Essential Conditions require discussion with all senior managers on each relevant requirement in the Standards?

There wouldn’t be a need to speak to all senior managers, but you could look at the Standards and perhaps identify which of the senior managers might be most appropriate to 'own' which of the Essential Conditions within the Standards. This could be a quick win and avoid disrupting unnecessarily all senior managers.

Q: Are you required to show evidence of the Essential Conditions, or just the requirements and that you discussed the Essential Conditions with the Board/Audit Committee and senior management?

If either the Board/Audit Committee or senior management disagrees with one or more of the Essential Conditions, the chief audit executive must emphasize – with examples – how absence of the condition(s) may affect the internal audit function’s ability to fulfil its purpose or conform with specific standards.

The chief audit executive should also discuss alternatives to the Essential Conditions that may provide the same results.

The chief audit executive may reach agreement with the Board/Audit Committee and senior management that one or more of the Essential Conditions are not necessary to conform with the Standards. In such instances, the chief audit executive must document:

• The reasons for agreeing that a particular condition is unnecessary.
• Alternative conditions that compensate for the absent conditions, to support the judgments of the Board/Audit Committee and senior management.

If the chief audit executive does not agree with the Board’s/Audit Committee’s and/or senior management’s reasons for not performing one or more of the conditions, the chief audit executive may conclude that the internal audit function cannot conform with the Standards.

In such cases, the chief audit executive should document the reasons why the Board/Audit Committee and/or senior management will not perform the Essential Conditions.

The documentation should be shared with the Board/Audit Committee and senior management to ensure clarity regarding their positions and made available to an external quality assessor.

Q: What is considered advisory work or advisory services?

Advisory services - including advisory engagements and other advisory activities - are typically undertaken at the request of senior management, the Board/Audit Committee, or the management of an activity.

The nature and scope of advisory services are subject to agreement with the party requesting the services.

Examples of advisory engagements include internal auditors providing advice on the development and implementation of new policies and the design of processes and systems.

Other advisory activities include internal auditors providing facilitation and training. Advisory Services are included in Domain V unless specifically excluded from one of the Standards.

Q: Where does the strategic plan fall in the Domains?

Principle 9 Domain IV covers the CAE planning strategically and Standard 9.2 covers the internal audit strategy. I understand the IIA will share a template for the internal audit strategy either later in May or in June 2024.

Q: What are Topical Requirements and will conformance with them be expected in 2025?

Topical Requirements ensure that all internal audit functions – large, small, private, or public – apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area.

Topical Requirements are intended to:

• Raise the internal audit function’s professionalism and performance.
• Improve the quality and value of internal audit services.
• Provide comfort to stakeholders that critical elements are addressed within a particular audit area.

Internal auditors are not required to include the subject matter of the Topical Requirements in their internal audit plan. But, where a subject covered by the Topical Requirements is included in the internal audit plan, then it becomes mandatory to apply the Topical Requirement to the internal audit engagement and demonstrate conformance with the Topical Requirements when executing the testing specific to the audit topic/engagement. It is likely that when undergoing an EQA the reviewer will seek to assess conformance with those Topical Requirements that were applicable to topics in your internal audit plan.