Domain III Frequently Asked Questions
The continued success of our ongoing webinars that focus on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those who have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity specific to her presentation on Domain III: Governing the Internal Audit Function.
Domain III – Standard 6.1 and 6.2 – IA Charter and Mandate
Q: Must the Internal Audit Mandate and Charter be different documents, or could they be unified as a single document?
A: They don't need to be two separate documents. Whilst there are two Standards in Domain III, one covering the Mandate (Standard 6.1) and the other the Charter (Standard 6.2), this doesn’t require the internal audit function to have two separate documents.
The Internal Audit Charter needs to include the Mandate, as it has different requirements to the Charter.
The IIA has published a model Internal Audit Charter template that demonstrates how the Charter and the Mandate exist in the same document. For further reference, here is the link.
Q: Regarding the Internal Audit Charter, we review it annually with the Board/Audit Committee. Does Standard 6.2 require a review each quarter, or twice a year rather than annually?
A: In Standard 6.2, Domain III the considerations for implementation state - the chief audit executive and the Board/Audit Committee should also agree on the frequency with which to review and reaffirm whether the Charter’s provisions continue to enable the internal audit function to accomplish its objectives.
A leading practice is to review the Charter periodically, reference it when questions about the Internal Audit Mandate arise, and update it as needed.
Periodically is usually considered to mean annually.
Q: What are the differences between the Internal Audit Mandate and the Internal Audit Charter?
The Mandate specifies the authority, role, and responsibilities of the internal audit function and is documented in the Internal Audit Charter.
The Internal Audit Charter specifies:
- The Purpose of Internal Auditing.
- Commitment to adhering to the Global Internal Audit Standards.
- The Mandate, including scope and types of services to be provided.
- The board’s responsibilities and expectations regarding management’s support of the internal audit function.
- Organizational position and reporting relationships. (See also Standard 7.1 Organizational Independence).
Domain III – Standard 7.1 – Organizational independence
Q: Should CAEs be part of the leadership team, not just as an observer? If yes, what would be some key safeguards to ensure CAE's independence and objectivity are not impaired?
One of the Board/Audit Committee’s Essential Conditions in Standard 7.1, Domain III requires that the chief audit executive be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management.
This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Board/Audit Committee when necessary.
Attendance at senior management team meetings enables the CAE to have access to senior management and the authority to challenge management’s perspectives.
To achieve this authority, it is leading practice for the chief audit executive to report administratively to the chief executive officer or equivalent, although reporting to another senior officer may achieve the same objective if appropriate safeguards are implemented.
The considerations for implementation reflect that when the CAE is evaluating whether independence is impaired, the chief audit executive should consider reporting relationships, roles, and responsibilities to determine whether actual, potential, or perceived impairments exist. Additionally, through discussions with the concerned parties, the chief audit executive may be able to resolve any situations of perceived impairments that do not in fact affect the internal audit function’s ability to perform its responsibilities independently.
Q: Is it required to include in the Internal Audit Charter the safeguards to protect independence in instances where the CAE has roles/responsibilities beyond internal audit (e.g., responsibility for risk, insurance, data protection)?
Yes, Standard 7.1, Domain III states - The chief audit executive must document in the Internal Audit Charter the reporting relationships and organizational positioning of the internal audit function, as determined by the Board/Audit Committee. (See also Standard 6.2 Internal Audit Charter.)
The chief audit executive must discuss with the Board/Audit Committee and senior management any current or proposed roles and responsibilities that have the potential to impair the internal audit function’s independence, either in fact or appearance.
The chief audit executive must advise the Board/Audit Committee and senior management of the types of safeguards to manage actual, potential, or perceived impairments.
When the chief audit executive has one or more ongoing roles beyond internal auditing, the responsibilities, nature of work, and established safeguards must be documented in the Internal Audit Charter.
If those areas of responsibility are subject to internal auditing, alternative processes to obtain assurance must be established, such as contracting with an objective, competent external assurance provider that reports independently to the Board/Audit Committee.
When the chief audit executive’s non-audit responsibilities are temporary, assurance for those areas must be provided by an independent third party during the temporary assignment and for the subsequent 12 months.
Also, the chief audit executive must establish a plan to transition those responsibilities to management.
Domain III – Standard 7.2 – Chief audit executive qualifications
Q: Is it compulsory for the CAE to be a certified internal auditor going forward as per the new global Standards?
Standard 7.2, Domain III covers CAE qualifications and states - The chief audit executive must help the Board/Audit Committee understand the qualifications and competencies of a chief audit executive that are necessary to manage the internal audit function.
The chief audit executive facilitates this understanding by providing information and examples of common and leading qualifications and competencies. The chief audit executive must maintain and enhance the qualifications and competencies necessary to fulfil the roles and responsibilities expected by the Board/Audit Committee. (See also Principle 3 Demonstrate Competency and its standards.)
The answer is perhaps not initially, but there is an expectation that if a newly appointed CAE isn’t CIA designated, then moving forward, they will seek to become CIA designated.
Domain III – Standard 8.1 – Board interaction
Q: How do you advise CAEs to put these new Standards together and use them as an onboarding for new and existing Board/Audit Committee members?
That is a challenging question. When first building the new Standards, the IIA issued a short document; here is the link.
It is a short, insightful paper, useful to share with your Board/Audit Committee, senior leadership team, CEO. I would then focus the Board/Audit Committee and senior management on Domain III, as a second publication was issued by the IIA that links Domain III to the 3 Lines Model. The following link might be a useful focal point for your Board/Audit Committee.
There are also overviews of the Standards on YouTube that might be a helpful starting point.
Q: For a well-established internal audit function, the requirements of Domain III seem like a lot of extra work to infuse into an already busy Board/Audit Committee agenda. Will inclusion of this information in pre-read materials to the Board/Audit Committee suffice?
In many internal audit functions, a significant number of the requirements under Domain III are already in place. Is it really, therefore, a ‘lot of extra work/information’? The CAE will already share all the documents discussed (e.g., Charter, risk-based plan, strategic plan, strategy, etc.) with the Board/Audit Committee. Perhaps the key difference is documenting the discussions and encouraging the Board/Audit Committee to engage in the conversation. The minutes of the meeting will then act as the documented record.
Domain III – Standard 8.2 – Resources
Q: Internal audit budget approval is not typically a responsibility of the Board/Audit Committee - how are organizations navigating this new requirement?
The majority of Boards/Audit Committees don’t currently approve the final budget for the internal audit function. However, I am aware of CAEs addressing this requirement in the 2024 Standards by discussing the budget with the CFO/FD initially, seeking their input, before presenting it to the Board/Audit Committee for final approval, supported by the CFO/FD. The Board/Audit Committee may well challenge the CAE, seeking formal verbal agreement from the CAE that the budget being presented meets the internal audit function’s requirements regarding capacity and capability within the team in relation to the delivery of the internal audit plan, and the need to upskill the internal audit team to meet new technology challenges.
Domain III – Standard 8.3 – Quality
Q: Does the internal quality assessment have to be performed by an external party or can it be performed internally by the internal audit function or someone within the organization? If so, do those undertaking the internal quality assessment need to be CIA designated?
Standard 12.1, Domain IV requires that the chief audit executive must develop and conduct internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards and progress toward performance objectives.
It goes on to say in the Considerations for Implementation that periodic self-assessments provide a more holistic, comprehensive review of the Standards and the internal audit function.
Periodic self-assessments may be conducted by senior members of the internal audit function, a dedicated quality assurance team, individuals within the internal audit function who have attained the Certified Internal Auditor® designation or have extensive experience with the Standards, or individuals with audit competencies from elsewhere in the organization.
The chief audit executive should consider including internal auditors in the periodic self-assessment process to improve their understanding of the Standards. Periodic self-assessments enable the internal audit function to validate its conformance with the Standards.
To answer the question, an internal assessment doesn't have to be undertaken by someone with the CIA designation.
Q: It is at times challenging to get buy-in for Quality Assessment Reviews unless they are mandatory. Are there any plans to mandate this?
In the current economic climate, additional costs are very much front and center of an organization’s thinking. However, an internal quality program is a requirement in the new Standards.
The true benefit from the assurance review and the quality assurance program is the assurance that it brings regarding conformance with the Standards and the performance of the internal audit function to key stakeholders (i.e., Board/Audit Committee and senior management).
The internal audit function needs to be credible within the organization as to the level of assurance it provides and whether the assurance can be relied upon.
The internal quality improvement program and the external assessment provide that level of assurance around what we do, how we do it, and whether we are conforming with the Standards.
Standard 8.3, Domain III requires that the chief audit executive must develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function.
The program includes two types of assessments:
- External assessments. (See also Standard 8.4 External Quality Assessment.)
- Internal assessments. (See also Standard 12.1 Internal Quality Assessment.)
At least annually, the chief audit executive must communicate the results of the internal quality assessment to the Board/Audit Committee and senior management.
The results of both the internal assessment and the external assessments must be reported to the Board/Audit Committee and senior management when completed.
Domain III – Standard 8.4 – External Quality Assessment
Q: For an External Quality Assessment (EQA), must the external provider have at least one member of the team who is CIA designated?
Standard 8.4, Domain III - EQA clearly states that the chief audit executive must develop a plan for an external quality assessment and discuss the plan with the Board/Audit Committee.
The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team.
The requirement for an external quality assessment may also be met through a self-assessment with independent validation.
When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation.
If you currently have an EQA provider, but none of the team hold the CIA designation, there are perhaps some options. The current EQA team could recruit/second someone who has the CIA designation, someone within the team could obtain the CIA designation, or you could seek another EQA provider who meets the requirements of Standard 8.4.
Q: Our Internal Audit Function is only 2 years old. We are still assessing the requirements of GIAS. Do we need to be aligned by Jan 2025?
The IIA Global Internal Audit Standards are effective from January 2025 and therefore there is an expectation that internal audit functions will have achieved conformance or will be working towards conformance.
It will depend on the maturity of the internal audit function. In the example described in the question, I would suggest that as you have only been in existence for 2 years you need to develop a plan that will drive you towards conformance by a given point in time, perhaps around mid-year 2025?
Then share that plan with the Board/Audit Committee as they will be able to support the internal audit function’s achievement of conformance and monitor progress towards conformance.
Q: Is an External Quality Assessment (EQA) recommended for small Internal Audit teams (7 people)? Should the EQA be every 5 years, at a minimum, or for a smaller team should there be a more frequent timeline for an EQA?
The internal audit function’s ability to fully conform with the Standards may be affected by its size, maturity, or the size and maturity of the organization.
With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.)
The Board/Audit Committee and chief audit executive may determine that it is appropriate to conduct an external assessment more frequently than every five years.
There are several reasons to consider a more frequent review, including changes in leadership (for example, senior management or the chief audit executive), significant changes in internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover.
Additionally, some organizations, such as those in highly regulated industries, may prefer or be required to increase the frequency or scope of the external quality assessments.
General questions
Q: For the Head of Internal Audit to remain effective, is there a maximum number of years that should be observed?
The Chartered IIA produce a Code of Practice for the Private sector. Here is the link (available to non-members).
The Code of Practice states in paragraph 24 - This appraisal should consider the independence, objectivity, and tenure of the chief internal auditor. Where the tenure of the chief internal auditor exceeds seven years, the Board/Audit Committee should explicitly discuss annually the chair’s assessment of the chief internal auditor’s independence and objectivity.
But this isn't from the IIA; it is from the Chartered IIA UK and Ireland. Nevertheless, it may be helpful to review.
Q: Do the Essential Conditions require discussion with all senior managers on each relevant requirement in the Standards?
There wouldn’t be a need to speak to all senior managers, but you could look at the Standards and perhaps identify which of the senior managers might be most appropriate to 'own' which of the Essential Conditions within the Standards. This could be a quick win and avoid unnecessarily disrupting all senior managers.
Q: Are you required to show evidence of the Essential Conditions, or just the requirements and that you discussed the Essential Conditions with the Board/Audit Committee and senior management?
If either the Board/Audit Committee or senior management disagrees with one or more of the Essential Conditions, the chief audit executive must emphasize – with examples – how absence of the condition(s) may affect the internal audit function’s ability to fulfil its purpose or conform with specific standards.
The chief audit executive should also discuss alternatives to the Essential Conditions that may provide the same results.
The chief audit executive may reach agreement with the Board/Audit Committee and senior management that one or more of the Essential Conditions are not necessary to conform with the Standards. In such instances, the chief audit executive must document:
- The reasons for agreeing that a particular condition is unnecessary.
- Alternative conditions that compensate for the absent conditions, to support the judgments of the Board/Audit Committee and senior management.
If the chief audit executive does not agree with the Board’s/Audit Committee’s and/or senior management’s reasons for not performing one or more of the conditions, the chief audit executive may conclude that the internal audit function cannot conform with the Standards.
In such cases, the chief audit executive should document the reasons why the Board/Audit Committee and/or senior management will not perform the Essential Conditions.
The documentation should be shared with the Board/Audit Committee and senior management to ensure clarity regarding their positions and made available to an external quality assessor.
Q: What is considered advisory work or advisory services?
Advisory services - including advisory engagements and other advisory activities - are typically undertaken at the request of senior management, the Board/Audit Committee, or the management of an activity.
The nature and scope of advisory services are subject to agreement with the party requesting the services.
Examples of advisory engagements include internal auditors providing advice on the development and implementation of new policies and the design of processes and systems.
Other advisory activities include internal auditors providing facilitation and training. Advisory Services are included in Domain V unless specifically excluded from one of the Standards.
Q: Where does the strategic plan fall in the Domains?
Principle 9, Domain IV covers the CAE planning strategically, and Standard 9.2 covers the internal audit strategy. I understand the IIA will share a template for the internal audit strategy either later in May or in June 2024.
Q: What are Topical Requirements and will conformance with them be expected in 2025?
Topical Requirements ensure that all internal audit functions – large, small, private, or public – apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area.
Topical Requirements are intended to:
- Raise the internal audit function’s professionalism and performance.
- Improve the quality and value of internal audit services.
- Provide comfort to stakeholders that critical elements are addressed within a particular audit area.
Internal auditors are not required to include the subject matter of the Topical Requirements in their internal audit plan. But, where a subject covered by the Topical Requirements is included in the internal audit plan, then it becomes mandatory to apply the Topical Requirement to the internal audit engagement and demonstrate conformance with the Topical Requirements when executing the testing specific to the audit topic/engagement. It is likely that when undergoing an EQA the reviewer will seek to assess conformance with those Topical Requirements that were applicable to topics in your internal audit plan.