Domains I and IV: Purpose and managing the internal audit function
Compliance10 outubro, 2024

Domains I and IV: Purpose and managing the internal audit function

In today’s complex business landscape, the internal audit function is crucial to managing risk and ensuring organizational success. Despite its critical role, internal audit often struggles with effectively highlighting its value to stakeholders.

The Institute of Internal Auditors (IIA) revised its Global Internal Audit Standards in January 2024 to elevate the quality of internal audit services and give internal auditors the guidance they need to remain relevant in a rapidly changing world. The 2024 Standards, which take effect on January 9, 2025, provide guidance to help internal audit elevate its role, value, and mandate. The 2024 Standards consist of five Domains, 15 Principles, and 52 Standards that cover internal audit’s purpose, ethics and professionalism, governance, management, and performance.

Introduction to Domains I and IV

Domain I: Purpose of Internal Auditing starts with a Purpose Statement. The Purpose Statement in Domain I builds on the current Definition of Internal Auditing and the Mission of Internal Audit from the International Professional Practices Framework (IPPF) 2017. However, it adds an essential layer of why internal auditors do what they do and the circumstances under which internal auditing is most effective.

Domain IV: Managing the Internal Audit Function gives the chief audit executive (CAE) greater specificity for quality and performance. The CAE must ensure that everything they do delivers on internal audit’s purpose outlined in Domain I. This responsibility includes strategic planning, obtaining and deploying resources, building relationships, communicating with stakeholders, and ensuring and enhancing the performance of the function.

Domain I: Purpose of Internal Auditing

Domain I could be compared to internal audit’s "elevator pitch." Domain I is unique because it does not contain Principles or Standards. Instead, the Purpose Statement is designed to help internal auditors and stakeholders understand the value of internal auditing. The Purpose Statement reads, “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the Board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”

Internal audit Purpose Statement

It’s important to note the use of “insight” and “foresight,” which are key to this Purpose Statement. Insight refers to what is happening now, and foresight anticipates the next risk or crisis. Both insight and foresight enable internal audit to enhance an organization’s:

  • Successful achievement of its objectives.
  • Governance, risk management, and control processes.
  • Decision-making and oversight.
  • Reputation and credibility with its stakeholders.
  • Ability to serve the public interest.

Internal audit’s primary function

While the primary function of internal auditing is to strengthen governance, risk management, and control processes, its impact extends beyond the organization. Domain I ensures that internal audit plays a critical role in enhancing an organization’s ability to serve the public interest. Internal auditing contributes to an organization’s overall stability and sustainability by providing assurance of operational efficiency, reliability of reporting, compliance with laws and regulations, safeguarding of assets, and ethical culture. This, in turn, fosters public trust and confidence in the organization and the broader systems of which it is a part.

How does Domain I impact the CAE?

Ultimately, the responsibility of the internal audit function sits with them. Domain I guides the CAE by providing a:

  • Clear statement of purpose, role, and conditions under which internal audit is most effective.
  • Simple and concise overview of the essence of internal auditing, easily communicated to stakeholders.
  • Clear terms of reference for discussions with the Board and senior management.
  • External validation of the internal audit function’s role from the authoritative voice of the profession.

Domain IV: Managing the Internal Audit Function

In simple terms, Domain IV is the CAE’s job description. It focuses on the CAE’s responsibility to manage the internal audit function in accordance with the internal audit charter and Global Internal Audit Standards. The specific job title and responsibilities may vary across organizations. However, the CAE may delegate appropriate responsibilities to other qualified professionals in the internal audit function while retaining ultimate accountability.

Like Domain III, Domain IV emphasizes the importance of working closely with management, the Board, and other key stakeholders. The direct reporting relationship between the Board and the CAE enables the internal audit function to fulfill its mandate.

CAEs are also asked to focus on developing a strategic plan for the long-term advancement of the internal audit function. The strategic plan should not simply be a multi-year plan of engagements but a concerted approach to adding greater value to the organization.

Significant emphasis on an internal audit strategy

Principle 9: Plan Strategically

The CAE must plan strategically to ensure the internal audit function fulfills its mandate and is positioned for long-term success.

Standard 9.2 Internal Audit Strategy requires the CAE to understand the internal audit mandate and the organization’s governance, risk management, and control processes. A properly resourced and positioned internal audit function enables auditors to work more collaboratively and efficiently, avoid audit fatigue, and remove duplication.

Standard 9.3 Methodologies states that the CAE creates and implements methodologies to guide the internal audit function in implementing the internal audit strategy, developing the internal audit plan, and conforming with the Standards. The CAE must also evaluate the effectiveness of the methodologies and update them as necessary to improve the internal audit function and respond to significant organizational changes.

Standard 9.5 Coordination and Reliance supports the Three Lines Model and formalizes a framework that was not clearly documented in the current 2017 IPPF.

The CAE must coordinate with internal and external assurance providers to minimize duplication of efforts, highlight gaps in coverage of key risks, and enhance the overall value added by providers. If the CAE cannot achieve an appropriate level of coordination, they must raise concerns with senior management and, if necessary, the Board. When the internal audit function relies on the work of other assurance providers, the CAE must document the basis for that reliance and is still responsible for the conclusions reached by the internal audit function.

Managing resources, including technological resources

Principle 10: Manage Resources

The CAE must manage the resources required to implement the internal audit function’s strategy, complete its plan, and achieve its mandate. This includes obtaining and deploying financial, human, and technological resources effectively and according to the methodologies established for the internal audit function.

Standard 10.3 Technological Resources is a new element and key to navigating ever-evolving technology. The Standard states that the CAE must ensure that the internal audit function has the necessary technology to support the internal audit processes. This includes regularly evaluating and pursuing opportunities to improve internal audit’s effectiveness and efficiency, using tools such as artificial intelligence, data analytics, ChatGPT, etc. The CAE should also collaborate with the organization’s information technology and security functions to overcome technology limitations and ensure new technology is properly implemented.

Building relationships and communicating with stakeholders

Who are internal audit’s stakeholders?

This is a question that is often asked, as the word covers a wide and unknown group of individuals, functions, etc. The Standards Glossary defines stakeholders as a party with a direct or indirect interest in an organization’s activities and outcomes. Stakeholders may include the Board, management, employees, customers, vendors, shareholders, regulatory agencies, financial institutions, external auditors, the public, and others.

Principle 11: Communicates Effectively

Effective communication is required to build relationships, establish trust, and enable stakeholders to benefit from the results of internal audit services.

Standard 11.1 Building Relationships and Communicating with Stakeholders reinforces the need to foster relationships and build trust with key stakeholders. The communication should include topics such as organizational interests and concerns, risk management, assurance, roles and responsibilities, and relevant regulatory requirements.

Standard 11.3 Communicating Results gives the CAE authority to oversee formal communication with the Board and senior management to ensure quality. The communication could include findings and conclusions from multiple engagements that reveal patterns, trends, or root causes. When the CAE identifies themes related to the organization’s governance, risk management, and control processes, the CAE must communicate, using insight, advice, and conclusions, to the Board and senior management.

Continuous performance improvement

Principle 12: Enhances Quality

Quality is a combined measure of internal audit’s conformance with the Global Internal Audit Standards, achievement of performance objectives, and the pursuit of continuous improvement. Principle 12 has a greater emphasis on performance management and measurement than before. It’s important to determine what the internal audit customer wants to derive from the engagement and what you, as an internal auditor, intend to deliver as the outcome.

Standard 12.1 Internal Quality Assessment states the CAE must establish a methodology for internal and external assessments of the internal audit function’s conformance with the Standards and its progress toward performance objectives.

Standard 12.2 Performance Measurement relies on establishing performance measurement methodologies to evaluate and assess internal audit’s performance and ensure continuous improvement of its services. This can include developing an action plan to address issues and provide opportunities for improvement. While performance measurement is vague in the current IPPF, this new Standard brings the concept to the forefront.

How does Domain V impact the CAE?

Domain V: Performing Internal Audit Services focuses on internal auditors’ daily work, outlining the steps they must take to effectively plan engagements, conduct work, collaborate and communicate findings to management, and, most importantly, deliver value to stakeholders. Domain V also ensures conformance with the Standards when providing assurance and advisory engagements.

The CAE will need to implement a development program, so the internal audit team knows what is expected of them when the Standards take effect on January 9, 2025. Preparation should include:

  • Working with the team to update internal audit’s methodologies for performing internal audit services and undertaking a gap analysis.
  • Reviewing and updating internal audit manuals, templates, training, job descriptions, etc.
  • Ensuring there is an agreed upon, straightforward approach to developing recommendations and actions with management, such as a framework or policy that covers risk acceptance.
  • Building training on the new Standards into resource planning and budgeting starting now and continuing into next year.

Are you ready?

The clock is ticking, and January 9, 2025, will be here before you know it. As you begin implementing the Standards, take note of the simplified numbering system and the more logical organization of the Standards. The mandatory elements of the 2017 IPPF have also been streamlined into the Standards. With the new structure of 5 Domains, 15 Principles, and 52 Standards, each Standard includes relevant requirements, considerations for implementation, and examples of evidence of conformance.

The IIA has created a conformance readiness assessment tool to help auditors identify the significant changes between the requirements of the 2017 IPPF and the 2024 Standards. When used with the results of past quality assessments, the tool enables you to compare current practices against the new requirements to evaluate and remedy gaps in conformance.

It is important to note that this does not provide an exhaustive list of changes in text or emphasis from the 2017 IPPF to the 2024 Standards, but it is a good start. It also is not a substitute for a full assessment of an internal audit function’s conformance with the Standards.

View a demo

Domains II and V Frequently Asked Questions

The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity specific to her presentation on Domains I and IV – Purpose of Internal Auditing and Managing the Internal Audit Function.

Domain I: Purpose of Internal Auditing

Q: If the firm doesn’t include a Purpose Statement in Internal Audit Charter, aligned with Domain I guidance, then is that a gap in adhering to the IIA Standards from a Quality Assurance perspective?

A: There aren’t any standards detailed under Domain I, nor are there any examples of evidence of conformance. However, without a purpose statement embedded in everything it is unclear how the internal audit function could be seen to conform with the Standards and the essence of who and what the internal audit function is.

Domain I calls out internal audit’s value. It positions internal audit as helping organizations achieve their objectives and make the right decisions. The purpose statement replaces what was once the Mission statement, by combining elements from the current definition and mission. The purpose statement helps the internal audit function and internal auditors in their role by:

  • Providing a clear and concise statement of the role of internal auditing to share with key stakeholders and outlines conditions that are necessary for internal audit and internal auditors to be effective in their role – essentially an elevator pitch.
  • It establishes an effective framework for relationship building and having discussions with the Board and senior management.
  • And, finally, the Chief Audit Executive (CAE) can use the Purpose Statement to explain and to validate to the Board and senior management the internal audit function’s vital role.

Q: Is Domain I considered a standard purpose statement or are we expected, required, or allowed to make it specific to our organization?

A: The Purpose Statement is intended to assist internal auditors and internal audit stakeholders in understanding and articulating the value of internal auditing.

The intention is that Domain I is appropriate for the majority of internal audit functions. However, if as the CAE you consider it appropriate to enhance the purpose statement to ensure that it is relevant to your organization, then that needs to be agreed with the Board, Audit Committee and senior management.

Q: What is foresight in auditing? Should foresight be the sole responsibility of internal audit?  Surely, management is responsible for identifying, managing, and mitigating risks, which should include having foresight in identifying new potential risks. Internal audit can and should bring a perspective to help identify new and emerging risks and potentially the next crisis (i.e., issues around regulations and/or legislation).

A: No, the ability to horizon scan and look to the future isn’t the sole responsibility of the internal audit function. Foresight for internal auditors involves contemplating and preparing for key risks and challenges that organizations might encounter. It’s about anticipating future needs and sharing those perspectives with management and the board. It is also about using tools such as SWOT (strengths, weakness, opportunities, and threats) when assessing internal risks and PESTEL (political, environmental, social, technological, economic, and legislative) when assessing external risks.

Domain IV: Managing the Internal Audit Function

Q: What are the roles and responsibilities of a CAE?

A: Domain IV – Principle 9: The chief audit executive is responsible for managing the internal audit function in accordance with the internal audit charter and Global Internal Audit Standards. This responsibility includes strategic planning, obtaining, and deploying resources, building relationships, communicating with stakeholders, and ensuring and enhancing the performance of the function. The individual responsible for managing the internal audit function is expected to conform with the Standards, including performing the responsibilities described in this domain whether the individual is directly employed by the organization or contracted through an external service provider. The specific job title and responsibilities may vary across organizations. The chief audit executive may delegate appropriate responsibilities to other qualified professionals in the internal audit function but retains ultimate accountability.

Q: There is a requirement that the CAE and the internal audit function have an understanding around governance, risk management, and control processes. How might you meet this requirement if you know that you haven’t covered all of this in either assurance or advisory services?       

A: Standard 9.1: The chief audit executive’s understanding is developed by gathering information broadly and viewing it comprehensively. Sources of information include discussions with the board and senior management, reviews of board and senior management minutes and presentations, communications and workpapers from internal audit engagements, and assessments and reports completed by other providers of assurance and advisory services. The internal audit function will also support the CAE regarding governance, risk management, and control as part of the outcomes of assurance and advisory work.

Q: Will the presentation and discussion with the Board/Audit Committee of the internal audit’s strategy, if evidenced by minutes of meetings, be sufficient to satisfy the Standard 9.2 Internal Audit Strategy?

A: Standard 9.2: The internal audit strategy is a key document that will support both the internal audit function and the organization achieving their objectives.

To develop the vision and strategic objectives of the internal audit strategy, the chief audit executive should start by considering the organization’s strategy and objectives and the expectations of the Board and senior management. The chief audit executive may also consider the types of services to be performed and the expectations of other stakeholders served by the internal audit function, as agreed in the internal audit charter.

The internal audit strategy should be adjusted whenever changes occur in the organization’s strategic objectives or stakeholders’ expectations.

The chief audit executive may design a timeline for implementation of the internal audit strategy and related performance measures. A periodic review of the internal audit strategy should include a discussion of the internal audit function’s progress on initiatives with the Board and senior management.

So yes, if the minutes evidence the conversation, then this should be sufficient to demonstrate conformance with Standard 9.2.

Q: What makes for an effective internal audit methodology (e.g., online platform, MS Word)? How do you strike the balance between clear guidance vs. length of methodology?

A: Standard 9.3: The form, content, level of detail, and degree of documentation of methodologies may differ based on the size, structure, complexity, industry/regulatory expectations, and maturity of the organization and the internal audit function. Methodologies may exist as individual documents (such as standard operating procedures) or may be collected into an internal audit manual or integrated into internal audit management software.

Internal audit methodologies supplement the Standards by providing specific instructions and criteria that help internal auditors implement the Standards and perform services with quality. Additionally, internal audit methodologies describe processes and procedures for communicating, handling operational and administrative matters, and overseeing the internal audit function.

The Standards do not specify length. It is about providing a framework methodology that is appropriate to the maturity of your internal audit function.

Q: Please elaborate on coordinating with assurance providers. Who are the related stakeholders?

A: Standard 9.5 talks about how the chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers.

The chief audit executive should develop a methodology for evaluating other providers of assurance and advisory services that includes a basis for relying upon their work. The evaluation should consider the providers’ roles, responsibilities, organizational independence, competency, and objectivity, as well as the due professional care applied to their work. The chief audit executive should understand the objectives, scope, and results of the work performed.

Q: What will be some effective ways to build stakeholder relationships to improve engagements and enable them to adopt a risk mindset as some auditees may not have a risk background? Should the CAE attend senior leadership team meetings?

A: Principle 11 and Standard 11.1: The chief audit executive guides the internal audit function to communicate effectively with its stakeholders.

Effective communication requires building relationships, establishing trust, and enabling stakeholders to benefit from the results of internal audit services.

The chief audit executive is responsible for helping the internal audit function establish ongoing communication with stakeholders to build trust and foster relationships.

Additionally, the chief audit executive oversees the internal audit function’s formal communications with the Board and senior management to enable quality and provide insights based on the results of internal audit services.

The chief audit executive should be included in the organization’s communication channels to keep current with major developments and planned activities that could affect the objectives and risks of the organization.

The chief audit executive should also attend meetings with the board and key governance committees, as well as senior management and groups that report directly to senior management, such as compliance, risk management, and quality control.

Q: Is the IIA Quality Manual going to be updated to reflect the new standards?

A: Yes, The IIA is intending to update the Competency Framework to align with the Global Internal Audit Standards. Standard 12.3

Q: What is the frequency of an internal self-assessment and is there an intention that an external quality assessment would be performed, specifically to ensure conformance to the Standards?

A: Standard 12.1: Periodic self-assessments provide a more holistic, comprehensive review of the Standards and the internal audit function. Periodic self-assessments address conformance with every standard and may be conducted by senior members of the internal audit function, a dedicated quality assurance team, individuals within the internal audit function who have attained the Certified Internal Auditor® designation or have extensive experience with the Standards, or individuals with audit competencies from elsewhere in the organization.

The chief audit executive should consider including internal auditors in the periodic self-assessment process to improve their understanding of the Standards.

Periodic self-assessments enable the internal audit function to validate its conformance with the Standards. They also evaluate the adequacy of the internal audit function’s methodologies, how well the internal audit function supports the achievement of the organization’s objectives, the quality of internal audit services performed, and supervision provided, and the degree to which stakeholder expectations are met and performance objectives are achieved.

Therefore, a periodic self-assessment looks at conformance and performance. The best practice would be an annual self-assessment with the outcome reported to the Board and Audit Committee regardless of the size of the internal audit function.

Q: Identifying appropriate qualitative and quantitative Performance Measures can be challenging. Are there any examples you could suggest? Do we need to report on the performance measures to the board, Audit Committee, and senior management?

A: Standard 12.2: The chief audit executive must develop objectives to evaluate the internal audit function’s performance and consider the input and expectations of the Board and senior management when developing the performance objectives.

The chief audit executive must develop a performance measurement methodology to assess progress toward achieving the function’s objectives and to promote the continuous improvement of the internal audit function.

When assessing the internal audit function’s performance, the chief audit executive must solicit feedback from the board and senior management as appropriate. Examples of performance categories to consider when establishing performance objectives and measures may include:

  • Coverage of engagement objectives expected to be reviewed according to the internal audit mandate.
  • The extent to which the internal audit conclusions at the level of the business unit or organization address significant objectives of the organization. (See also Standard 11.3 Communicating Results.)
  • The percentage of recommendations or action plans completed by management that result in desired outcomes, as monitored by the internal audit function.
  • Percentage of the organization’s key risks and controls reviewed.
  • Stakeholder satisfaction regarding understanding of engagement objectives, timeliness of engagement work, and clarity of engagement conclusions.
  • Percentage of the internal audit plan (as adjusted and approved) completed on time.
  • Balance of assurance and advisory engagements in the internal audit plan relative to the internal audit strategy.
  • External quality assurance reviews confirming internal audit function conformance with the Standards.
  • Quality assurance reviews confirming that adequate competencies are in place to perform the scheduled internal audit engagements.
  • Internal auditor learning and development plans linked to the internal audit strategy and the organization’s developing risks.
  • Staff holding at least one recognizable professional certification relevant to internal auditing.

Q: Is the IIA Quality Manual going to be updated to reflect the new standards, including self-assessment guidance and templates? Will it include new guidelines for the QAIP?

A: Yes, The IIA is intending to update the Competency Framework to align with the Global Internal Audit Standards. But, in the meantime, Standard 12.3 provides guidance on overseeing and improving engagement performance, which is a significant part of internal audit quality.

When planning engagements, the chief audit executive, or a designated engagement supervisor, should review the engagement objectives. Supervision may include opportunities for staff development, such as post-engagement meetings between the internal auditors who performed the engagement and the chief audit executive.

Assessing the skills of the internal audit staff is an ongoing process extending beyond reviewing engagement workpapers. Based on the results of skill assessments, the chief audit executive may identify which internal auditors are qualified to supervise engagements and assign tasks accordingly.

The primary criterion for approval of the work program is whether it achieves the engagement objectives efficiently. The work program includes procedures for identifying, analyzing, evaluating, and documenting engagement information. Engagement supervision also involves monitoring that the work program is completed and approving changes to the work program.

General questions

Q: The Audit Committee has asked us to have an external quality assessment in 2025. However, our internal audit function was only established in 2022. Should we delay the assessment to 2026, allowing more time to adapt to the new 2025 standards? Also, could the organization and/or the internal audit function decide not to have an external quality assessment?

A: Domain III – Standard 8.4: The Board and chief audit executive may determine that it is appropriate to conduct an external assessment more frequently than every five years.

There are several reasons to consider a more frequent review, including changes in leadership (for example, senior management or the chief audit executive), significant changes in internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover.

Additionally, some organizations, such as those in highly regulated industries may prefer or be required to increase the frequency or scope of the external quality assessments.

The frequency of an external quality assessment should be discussed with the Board/Audit Committee. It is a requirement of the Standards that, at a minimum, there should be an external quality assessment every five years. However, if the Board/Audit Committee doesn’t require an external quality assessment the CAE needs to explain the risks associated with such an approach (i.e., independent assurance as to the credibility of the internal audit functions - meaning the internal audit function isn’t conforming with the Standards).

Q: Has the IIA considered a supplement to the 2024 Standards that specifically focuses on how a small internal audit team (2-4 total members, including the CAE) and a small public sector audit shop, might endeavor to comply with each portion of the standard? Small teams have limited resources and time to develop a lot of what is being discussed in Domain IV.

The internal audit function’s ability to fully conform with the Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.)

While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. These differences may affect how internal audit functions in the public sector apply the Standards. The section “Applying the Global Internal Audit Standards in the Public Sector,” which follows Domain V: Performing Internal Audit Services, describes strategies for conformance amid the circumstances and conditions unique to internal auditing in the public sector.

Q: If our last EQA rating was "generally conforms" will that mean we will be "generally conforms" regarding conformance with the Global Internal Audit Standards? Might we need to undertake some enhancements rather than a transformative change? How might one engage with senior stakeholders without overwhelming them with too much information that promotes overthinking what should be a simple roadmap to get there?

A: Domain III: To assume that you would be ‘generally conforms’ with the 2024 Standards based on the latest quality assessment is the very rationale for undertaking a gap analysis. The new Standards, especially regarding Domain III, outlines senior management’s responsibilities that support the Board’s responsibilities and promotes strong governance of the internal audit function.

While the chief audit executive is responsible for the requirements in this domain, activities of the Board and senior management are essential to the internal audit function’s ability to fulfill the Purpose of Internal Auditing.

These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the Board, senior management, and the chief audit executive, ultimately enabling an effective internal audit function.

Therefore, whilst not overwhelming senior stakeholders there will very much need to be a roadmap to help them understand their new and transparent role regarding Domain III.

Q: Do we need to conform with the Global Internal Audit Standards by January 9, 2025?

A: The Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function.

The Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both.

Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure. The Standards apply to the internal audit function and individual internal auditors including the chief audit executive. While the chief audit executive is accountable for the internal audit function’s implementation of and conformance with all principles and standards, all internal auditors are responsible for conforming with the principles and standards relevant to performing their job responsibilities.

If it isn’t possible to be in a state of conformance by January 2025 then the creation of an action plan detailing the work to be completed to demonstrate conformance needs to be prepared and shared with the Board, Audit Committee, and senior management. The Board /Audit Committee will then monitor delivery of the actions.

Publications from the IIA

Q: When will a new Internal Audit Model Charter become available?

A: The IIA has already published the internal audit charter and mandate model. There is a model charter and mandate both for the public sector and for the private sector.

The links to the two documents are here:

Q: Where is the two-way mapping document created by The IIA?

The IIA has created two tables to help members understand the changes:

  • The first maps the 2017 elements to their counterparts in the 2024 Global Internal Audit Standards.
  • The second maps the requirements and essential conditions from the 2024 Standards to their equivalents in the 2017 IPPF.

The link to the document is here:

Q: What if the current CAE has no professional certifications, including the CIA? Should this be part of the CAE's job specs? 

A: Domain III, Standard 7.2 cover CAE Qualifications: The Board/Audit Committee collaborates with senior management to determine which competencies and qualifications the organization expects in a chief audit executive.

The competencies may vary according to the internal audit mandate, the complexity and specific needs of the organization, the organization’s risk profile, and the industry and jurisdiction within which the organization operates, among other factors.

The desired competencies and qualifications are typically documented in a job description and may include:

  • A comprehensive understanding of the Global Internal Audit Standards and leading internal audit practices.
  • Experience building and managing an effective internal audit function by recruiting, hiring, and training internal auditors and helping them develop relevant competencies.
  • Certified internal auditor designation or other relevant professional education, certifications, and credentials.
  • Leadership experience.
  • Industry or sector experience

In the CAE doesn’t have an appropriate certification then the Board/Audit Committee may require the CAE to take the CIA certification.

Q: The IIA Certifications will require new syllabi. When will the new exams be available?

A: Work is currently ongoing regarding the certifications.

  • Detailed information and various scenarios are available at theiia.org/cia2025.
  • The CIA exam will not change until May 2025.
  • The Internal Audit Practitioner exam will not change before the January 2025 effective date.
  • The CRMA exam is not affected by changes to the Standards.
  • For questions about exam preparation materials, please reach out to the review providers directly.

If you are taking examinations, please monitor The IIA’s certifications page (see the link above).

Links to relevant documentation on the IIA website

Additional resources

Subscribe below to receive monthly Expert Insights in your inbox

Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board. 
Back To Top