Domains II and V: Ethics and Professionalism and Performing Internal Audit Services
Compliance09 agosto, 2024

Domains II and V: Ethics and professionalism and performing internal audit services

The Institute of Internal Auditors (IIA) revised its Global Internal Audit Standards in January 2024 to elevate the quality of internal audit services and give internal auditors the guidance they need to remain relevant in a rapidly changing business landscape. The 2024 Standards, which take effect on January 9, 2025, reflect the scope of the internal audit function to provide independent, objective, efficient, and impactful assurance and advice that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.

The 2024 Standards consist of five Domains, 15 Principles, and 52 Standards that cover internal audit’s purpose, ethics and professionalism, governing the internal audit function, managing the internal audit function, and performing internal audit services.

In this article we will cover:

Introduction to Domain II and V

The principles and standards in Domain II: Ethics and Professionalism of the Global Internal Audit Standards replace The IIA’s former Code of Ethics and outline the behavioral expectations for professional internal auditors; including chief audit executives, other individuals, and any entities that provide internal audit services. Conformance with these principles and standards instills trust in the profession of internal auditing, creates an ethical culture within the internal audit function, and provides the basis for reliance on internal auditors’ work and judgment.

Domain V: Performing Internal Audit Services focuses on internal auditors’ daily work, requiring internal auditors to effectively plan engagements, conduct the engagement work to develop findings and conclusions, collaborate with management to identify recommendations and/or action plans that address the findings, and communicate with management and the employees responsible for the activity under review throughout the engagement and after it closes. Domain V also ensures conformance with the Standards when providing assurance and advisory engagements.

Domain II: Ethics and Professionalism — Building trust in internal audit

Domain II: Ethics and Professionalism clearly outlines the ethical behavior expected of internal audit practitioners. A noticeable shift in this Domain is the elevation of honesty, professional courage, and professional skepticism. These have all been implied by the Standards and advocated by chief audit executives and industry professionals for many years.

Conformance with Domain II’s principles instills trust in the profession of internal auditing, creates an ethical culture within the internal audit function, and provides the basis for reliance on internal auditors’ work and judgment. If internal auditors must abide by other codes of ethics, behavior, or conduct, such as those of an organization, conformance with the principles and standards of ethics and professionalism in Domain II is still expected.

Merging the IIA Code of Ethics and attribute standards

Domain II provides criteria for evaluating ethical issues that may arise within the internal audit function. It incorporates the Code of Ethics with the attribute standards, including those related to objectivity, competency, and due professional care. The Standards Board researched, discussed, and considered each word of the IPPF 2017 Code of Ethics to decide what to retain or change to ensure the Principles and Standards of Ethics and Professionalism are meaningful, relevant, and globally applicable.

The chief audit executive (CAE) is responsible for maintaining a work environment where internal auditors feel supported when expressing legitimate, evidence-based engagement results, whether favorable or unfavorable.

Building an ethical culture across the team

Principle 1: Demonstrate Integrity

Integrity is the foundation of the ethical principles. Principle 1: Demonstrate Integrity outlines expectations that internal auditors tell the truth and do the right thing, even when it is uncomfortable or difficult.

  • Standard 1.1 Honesty and Courage brings a new emphasis on exercising professional courage as part of internal auditing. For many years, internal auditors have talked about ‘speaking truth to power,' but this takes courage. It’s therefore critical to demonstrate honesty and act courageously based on relevant facts, even when facing pressure to do otherwise, or doing so might create potential adverse personal or organizational consequences.
  • Standard 1.2 Organization’s Ethical Expectations requires internal auditors to encourage and promote an ethics-based culture and recognize and report behavior inconsistent with the organization’s ethical expectations.
  • Standard 1.3 Legal and Ethical Behavior describes expectations around professional behavior, including not engaging in illegal or otherwise harmful behaviors to the organization or internal audit profession.

Importance of behavioral expectations of the internal audit function

Principle 2: Maintain Objectivity

Principle 2: Maintain Objectivity addresses the importance of an impartial and unbiased attitude when performing internal audit services and making decisions. An independently positioned internal audit function supports internal auditors’ ability to carry out its responsibilities in an unbiased manner.

Expectations relating to objectivity were consolidated from the IPPF 2017 Code of Ethics and various parts of the IPPF 2017 Standards into this Principle. Another important change is that objectivity has been separated from independence, which now appears in Domain III Principle 7.1: Governing the Internal Audit Function.

  • Standard 2.1 Individual Objectivity identifies specific examples of potential biases and requires the CAE to support and promote objectivity in its policies, procedures (methodologies), and training.
  • Standard 2.2 Safeguarding Objectivity incorporates the assurance and consulting standards from Standard 1130 in the Requirements section. Examples of conflicts of interest and how CAEs can reduce potential impairments to objectivity appear in the Considerations for Implementation, which provide clarity and detail.
  • Standard 2.3 Disclosing Impairments to Objectivity describes the requirements for internal auditors, including the CAE, to disclose objectivity impairments. If the CAE determines that an impairment is affecting an internal auditor’s ability to perform their duties objectively, the chief audit executive must discuss the impairment with the management of the activity under review, the board, and/or senior management and determine the appropriate actions to resolve the situation.

Framework for training, development, and guidance for internal auditors

Principle 3: Demonstrate Competency

Principle 3: Demonstrate Competency focuses on the knowledge, skills, and abilities that internal auditors must apply to successfully perform their roles and responsibilities. There are also many new areas that internal auditors need to upskill in, such as artificial intelligence, cybersecurity, data analytics, and agile ways of working. The IIA will issue a new competency framework later in 2024.

  • Standard 3.1 Competency combines the existing rules of conduct from the IPPF 2017 Code of Ethics with Standards 1200 and 1210 on proficiency. Internal auditors must possess or obtain the competencies suitable for their specific position, responsibilities, and experience level. CAEs are also responsible for ensuring the internal audit function collectively possesses the necessary competencies to fulfill its mandate
  • Standard 3.2 Continuing Professional Development requires internal auditors to continually develop their competencies and pursue professional development opportunities.

Exercising due care and professional skepticism

Principle 4: Exercise Due Professional Care

Principle 4: Exercise Due Professional Care states that internal auditors must apply due professional care in planning and performing internal audit services. The existing Standards on due professional care (found in the IPPF 2017 1220 series) and related expectations from the IPPF 2017 Code of Ethics were consolidated into this Principle, including a new addition on professional skepticism.

  • Standard 4.1 is based on the IPPF 2017 Code of Ethics Rule of Conduct 4.2, requiring internal auditors to perform services in conformance with Global Internal Audit Standards. Additionally, this Standard includes guidance on what the CAE must do in cases of nonconformance.
  • Standard 4.2 brings in the IPPF 2017 Standard 1220, which describes the basic aspects that internal auditors must consider when assessing the nature, circumstances, and requirements of the services to be provided.
  • Standard 4.3 adds the concept of professional skepticism, which is now recognized as necessary to demonstrate an “enquiring mind.” Professional skepticism requires curiosity and the willingness to explore beyond the surface level of a given topic. Internal auditors will apply professional skepticism by critically assessing and working to enhance the reliability of information. In other words, trust but verify. Examples of professional skepticism include:
    • Documenting the sources and custody of information.
    • Reconciling dates from two or more sources.
    • Communicating transparently about the evidence examined and the conclusions reached.
    • Being straightforward and honest when raising concerns about inconsistent information.
    • Seeking additional evidence to make a judgment about information and statements that might be incomplete, inconsistent, false, or misleading.

Maintaining confidentiality

Principle 5: Maintaining Confidentiality

Principle 5: Maintaining Confidentiality outlines the responsibility and care internal auditors must take to protect the confidential information they access in their daily work. Standard 5.1 and Standard 5.2 use more specific language than the IPPF 2017 Code of Ethics to describe how confidential information must be managed. 

Domain V: Performing Internal Audit Services

The three principles of Domain V

Domain V: Performing Internal Audit Services is comprised of three principles: effectively planning engagements, conducting the work, and communicating results and monitoring action plans. Although the standards for performing engagements are presented in a sequence, the steps in performing engagements are not always distinct, linear, and sequential. In practice, the order in which steps are performed may vary by engagement and have overlapping and iterative aspects. For example, engagement planning includes gathering information and assessing risks, which may continue throughout the engagement. Each step may affect another or the engagement as a whole. Therefore, internal auditors should review and understand all standards in this domain before beginning an engagement. While this information can be found in the IPPF 2017 Global Guidance, the earlier Standards were vague about what occurred between planning the engagement and presenting the final communication. Now, that entire process is clearly and methodically documented in Domain V.

More precise criteria for advisory and assurance engagements

The new methodological details provide clear criteria for conformance for advisory and assurance engagements. It’s also important to note that where the IPPF 2017 Standards identified requirements for “consulting work,” the updated standards apply to assurance and advisory except when otherwise specified in individual standards.

Principle 13: Plan Engagements Effectively

Principle 13: Plan Engagements Effectively details that engagement planning starts with understanding the initial expectations for the engagement and the reason the engagement was included in the internal audit plan. When planning engagements, internal auditors gather the information that enables them to understand the organization and the activity under review and to assess the risks relevant to the activity. The engagement risk assessment allows internal auditors to identify and prioritize the risks to determine the engagement objectives and scope. Internal auditors also identify the criteria and resources needed to perform the engagement and develop an engagement work program, which describes the specific engagement steps to be performed.

Steps and actions to take when conducting engagements

Principle 14: Conduct Engagement Work

Principle 14: Conduct Engagement Work contains more specific detail about the steps required for conducting engagement work. However, the IPPF 2017 Standard 2320 has one sentence about analysis and evaluation, and the 2024 Standards break down common activities using a step-by-step approach.

The steps outlined in Principle 14 enable internal auditors to:

  • Provide assurance and identify potential findings.
  • Determine the causes, effects, and significance of the findings.
  • Develop recommendations and collaborate with management to develop action plans.
  • Develop conclusions.

Standard 14.5 Developing Engagement Conclusions states there is now a requirement to include an engagement conclusion that summarizes the results relative to the engagement objectives and management’s desired outcome. The chief audit executive’s methodologies for the internal audit function may provide a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls.

Increased focus on outcomes and effective communication throughout the engagement

Principle 15: Communicate Engagement Conclusions and Monitor Action Plans

Principle 15: Communicate Engagement Conclusions and Monitor Action Plans provides specific details about communicating the engagement results to the appropriate parties and monitoring management’s progress toward implementing recommendations or action plans. One critical change to note is that there is more emphasis on “conclusions” than “opinions.” Although opinions may still be provided, conclusions are now more widely adopted as an appropriate language.

  • Standard 15.1 Final Engagement Communication enforces effective communication by adding the engagement objectives, scope, recommendations, and action plans, if applicable, and conclusions in the final communication.
  • Standard 15.2 Confirming the Implementation of Action Plans requires internal auditors to confirm that management has implemented recommendations or action plans. The CAE is responsible for determining if senior management’s delay or inaction means they have accepted a risk that exceeds the risk tolerance. The chief audit executive may become aware that management has accepted a risk by reviewing management’s response to engagement findings and monitoring management’s progress to implement recommendations and action plans. Building relationships and maintaining communication with stakeholders are additional means of remaining apprised of risk management activities including management’s acceptance of risk (Domain IV, Standard 11.5).

What are Topical Requirements?

Topical Requirements provide a baseline for engagement performance when the topic or risk area is subject to review and covers aspects of governance, risk management, and control processes. While Topical Requirements are mandatory, the risk-based internal audit plan determines its applicability, and any limitations must be documented.

4 steps to help implement the 2024 Standards in Domain II and V

With just a few months until the adoption date of January 9, 2025, ensuring conformance should be a top priority for your internal audit function. Here are some actions you can take.

  1. Review Domain V: Performing Internal Audit Services with your internal audit function.
  2. Review and update your internal audit methodology, manuals, templates, training, and job descriptions.
  3. Ensure you have a straightforward approach to developing recommendations and agreeing on actions with management.
  4. Build training on the 2024 Standards into your resource planning and budget starting now and continuing into next year.
View a demo

Domains II and V Frequently Asked Questions

The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity specific to her presentation on Domains II and V – Ethics and Professionalism and Performing Internal Audit Services.

Domain II: Ethics and Professionalism


Principle 1 - Demonstrate Integrity - Honesty and Courage - Standard 1.1


Q: The concept of professional courage isn't defined. What is the meaning of professional courage? How do you develop professional courage? How do we evidence honesty and professional courage during a quality assessment / external quality assessment? What are some examples of evidence of professional courage, (in relation to Standard 1.1)? Will interviews and feedback from management suffice?

A: Internal auditors should enhance their awareness and understanding of honesty and professional courage by seeking opportunities to obtain ethics-related continuing professional education. While education helps create awareness in hypothetical situations, workplace training, mentorship, and supervision allow internal auditors to learn and practice skills such as tact and respectful communication, which are needed to apply professional courage effectively in real situations.

When internal auditors encounter situations that challenge their honesty or professional courage, they should discuss the circumstances with a supervisor to determine the best course of action. Evidence of conformance, in relation to Standard 1.1 includes:

  • A training plan that includes ethics education and training.
  • Documents that evidence internal auditors’ attendance or participation in ethics education and training.
  • Performance evaluations showing honesty and professional courage as objectives.
  • Feedback from key stakeholders regarding the honesty and courage of internal auditors.

Principle 2 - Maintain Objectivity – Standards 2.1., 2.2, and 2.3


Q: What happens when the governance of internal audit is not independent? What is the difference between independence and objectivity? If your audit committee is comprised of organizational officers and there are no external members, would this still be in compliance with the new standards around objectivity and independence? How does internal audit maintain its independence and objectivity? How often should attestation forms occur?

A: Objectivity is an unbiased mental attitude that allows internal auditors to make professional judgments, fulfill their responsibilities, and achieve the Purpose of Internal Auditing without compromise.

An independently positioned internal audit function supports internal auditors’ ability to maintain objectivity. 

Objectivity means internal auditors perform their work without compromise or subordination of judgment to others. The Global Internal Audit Standards, along with the policies established and training arranged by the chief audit executive, support objectivity by providing requirements, procedures, and guidance that set forth a systematic and disciplined approach for gathering and evaluating information to provide a balanced assessment of the activity under review. Training may help internal auditors to better understand objectivity-impairing scenarios and how best to address them. 

Reference is made under evidence of conformance to use of attestation forms to confirm internal auditors' awareness of objectivity's importance. A periodic timeline would be appropriate, at least annually and perhaps more frequently if appropriate.

Principle 3 – Demonstrate Competency – Standards 3.1 and 3.2


Q: Will the IIA's internal audit competency framework be updated this year to reflect the requirements of the Global Internal Audit Standards? Does documenting cross training of internal auditors on essential technical and risk areas help ensure competency? What are some examples of conformance?

A: Demonstrating competency requires developing and applying the knowledge, skills, and abilities to provide internal audit services. Because internal auditors provide a diverse array of services, the competencies needed by each internal auditor vary. In addition to possessing or obtaining the competencies needed to perform services, internal auditors improve the effectiveness and quality of services by pursuing professional development.

The IIA is intending to issue an updated Competency Framework aligned to the Global Internal Audit Standards later in 2024.

Examples of Evidence of Conformance include:

  • Documentation listing the certifications, education, experience, work history, and other qualifications of internal auditors.
  • Internal auditors’ self-assessments of their competencies and plans for professional development.
  • Documentation of internal auditors’ completion of continuing professional education, such as courses, conference sessions, workshops, and seminars.
  • Documented performance reviews of internal auditors.
  • Documented supervisory reviews of engagements, post-engagement surveys completed by internal audit stakeholders, and other forms of feedback indicating competencies exhibited by individual internal auditors and the internal audit function.
  • The results of internal and external quality assessments.
  • Documentation of relevant competencies necessary to fulfill the internal audit plan, an analysis of resource gaps, and the identification of the training and budget necessary to fill the gaps.
  • Documentation such as an assurance map that indicates the competencies of other providers of assurance and advisory services upon which the internal audit function may rely.

Principle 4 – Exercise Due Professional Care – Conformance with the Global Internal Audit Standards – Standard 4.1


Q: Can members conform with the Standards if they do not undergo external assessments? Are outsourced internal audit functions required to comply with the Standards? What are some examples of evidence of conformance with the Standards? How is conformance with the Standards assessed if the internal auditor isn’t a member of IIA?

A: The chief audit executive or a designated engagement supervisor should ensure that engagement work programs align with the requirements of the Standards and that internal audit engagements are conducted in accordance with the Standards’ requirements.

While conformance with the requirements is expected, internal auditors or the internal audit function may occasionally be unable to conform with a requirement yet may take alternative actions to achieve the related principle.

Such circumstances are usually related to specific sectors, industries, and jurisdictions.

By documenting the circumstance, alternative actions taken, the impact, and the rationale, the chief audit executive provides information to support the external quality assessment such that the internal audit function may be able to achieve conformance with a principle, even when conformance with a standard is not possible.

Examples of Evidence of Conformance include:

  • Documentation of the internal audit function’s methodologies and an indication of when they were last updated.
  • If applicable, final engagement communications and communications with the Board and senior management where nonconformance has been disclosed.
  • Documentation referencing the laws and/or regulations with which internal auditors were required to comply that prevented their conformance with the Standards.
  • Documentation referencing authoritative requirements to which the internal audit function adheres in addition to the Standards.
  • Results of the quality assurance and improvement program.

The IIA Standards Board is very clear the Standards are applicable to all practicing internal auditors irrespective of whether they are members of the IIA.

There is also an expectation that is required in the Standards every internal audit function will undertake an internal annual assessment and, every 5 years, an external quality assessment, thus evidencing conformance with the Standards.

Principle 4 – Exercise Due Professional Care – Professional Skepticism – Standard 4.3


Q: Professional skepticism isn’t just about trust and verify but rather maintaining our professional challenge and obtaining the appropriate level of assurance required situation by situation. What does professional skepticism mean for internal auditors and why is it important? How do internal auditors apply professional skepticism?

A: A good point. Professional skepticism enables internal auditors to make objective judgments based on facts, information, and logic, rather than trust or belief.

Skepticism is the attitude of always questioning or doubting the validity and truthfulness of claims, statements, and other information. Internal auditors apply professional skepticism when they seek evidence to support and validate statements made by management, rather than simply trusting the information presented as true or genuine without question or doubt.

Professional skepticism requires curiosity and the willingness to explore beyond the surface level of a given topic.

Examples of Evidence of Conformance include:

  • Records of relevant training planned and completed, including a list of participants.
  • Workpapers identifying an internal auditor’s approach to evaluate and validate information gathered during an engagement.
  • Documentation that false or misleading information was handled as an engagement finding.
  • Workpapers and engagement communications, reviewed and signed or initialled by the engagement supervisor.

Principle 5 – Maintain Confidentiality – Standards 5.1 and 5.2


Q: If a regulator requests an internal audit report, should we as internal audit provide such a report to the regulator? Do we need to anonymize data within the internal audit function or only outside the internal audit function?

A: Because internal auditors have unrestricted access to the data, records, and other information necessary to fulfill the internal audit mandate, they often receive information that is confidential, proprietary, and/or personally identifiable.

This includes information in physical and digital form as well as information derived from oral communication, such as formal or informal meeting discussions.

Internal auditors must respect the value and ownership of information they receive by using it only for professional purposes and protecting it from unauthorized access or disclosure, internally and externally.

Requests for internal audit reports from external third parties would usually seek advice from the legal team, unless there are laws that require disclosure e.g., United Kingdom Freedom of Information legislation.

Domain V: Performing Internal Audit Services

Principle 13 - Plan Engagements Effectively - Standard 13.1 Engagement Communication – Changes to Scope


Q: Have you ever experienced a change in scope of the audit in the middle of an audit exercise? How should changes to the objectives or scope be communicated?

A: To ensure effective communication, a variety of methods should be used: formal, informal, written, and oral. Engagement communications may occur through scheduled meetings, presentations, emails and other documents, and informal discussions.

Requirements for the quality and content of engagement communications should be established by the chief audit executive in alignment with the expectations of the Board and senior management and documented in internal audit methodologies.

Ongoing communication throughout the engagement between internal auditors and the management of the activity under review is essential for transmitting information that requires immediate attention and updating relevant parties about engagement progress or changes to the objectives or scope.

I have indeed needed to change the scope during an internal audit engagement. The significance of the change in relation to the scope will influence the response. For example, is the change of scope related to bringing into the scope something that was previously shown as being out of scope, then I would always re-issue the terms of reference / letter of engagement. If it is a relatively minor amendment to the existing scope, then I would include it in an e-mail sent to all relevant stakeholders.

Principle 13 - Plan Engagements Effectively - Standard 13.2 Engagement Risk Assessment


Q: Should internal audit share the engagement risk assessment results with management of the activity being audited during the planning phase? Is it best practice to adopt such an approach as the Standards seem to encourage this? Regarding the engagement risk assessment, should reliance be placed on the completed internal audit universe risk assessment to determine the annual audit plan?

A: Internal auditors should consult with the engagement supervisor and the operational manager in the activity under review while planning. Such a collaborative approach will strengthen the risk assessment and help the internal auditor understand the objectives and risks associated with the activity under review.

To develop an understanding of the activity under review and assess relevant risks, internal auditors should start by understanding the internal audit plan, the discussions that led to its development, and the reason the engagement was included. Engagements included in the internal audit plan may arise from the internal audit function’s organization wide risk assessment or from stakeholder requests. Surveys, interviews, physical inspections, and process walk-throughs allow internal auditors to observe the current conditions in the activity under review.

Determining the significance of risks requires internal auditors to apply their knowledge, experience, and critical thinking to make judgments about the organization, the activity under review, and the engagement purpose and context. As part of due professional care, internal auditors should consider input from the management of the activity under review to gain insight into the business objectives, significant risks, and controls. Establishing a mutual understanding of the risks of the activity under review increases the usefulness of the engagement risk assessment. To ensure that the audit universe and risk assessment cover the organization’s key risks, the internal audit function should independently review and validate the key risks that were identified within the organization’s risk management system.

Principle 14 – Conduct Engagement Work – Standard 14.3 - Evaluation of Findings - Root cause


Q: The root cause should be identified during the audit and reported in the cause section of the audit report. Is it required to have the root cause in the audit recommendations? Should we have a list of root causes that can be standardized for all areas across the company? In our audits, we always conduct root cause analysis. Do we also need to perform a 'root cause analysis' for advisory engagements, like system pre-implementation reviews?

A: To develop engagement findings, internal auditors compare the established criteria to the existing condition in the activity under review.

The evaluation should explore:

  • The root cause of the difference, which often relates to a control deficiency and is a direct reason the condition exists.
  • To the extent feasible, internal auditors should determine the root cause, which is an underlying or deeper issue that contributed to the condition.
  • At its simplest, determining the root cause involves asking a series of questions about why the difference exists.
  • Identifying the root cause involves collaboration with management, who may be in a better position to understand the underlying causes for the difference

Standard 11.3 Communicating Results – States that the findings and conclusions of multiple engagements, when viewed holistically, may reveal patterns or trends, such as root causes, communications to the Board and senior management should include significant control weaknesses and robust root cause analysis.

An example of conformance would include a workpaper that lists the criteria, condition, root cause (when possible), effect (risk or potential exposure), and a prioritization of each finding. Domain V covers both assurance and advisory engagements and, as such, reference to root cause applies to both types of internal audit services.

Principle 14 – Conduct Engagement Work – Standard 14.5 - Engagement Conclusions


Q: Will the final report require a statement confirming that the report conforms with the IIA Standards be required (and/or a statement of the gaps relative to the IIA Standards)? For conclusion, do you need to express your conclusion on the overall engagement, or could this be expressed by each audit process we test?

A: The chief audit executive’s methodologies for the internal audit function may provide a rating scale indicating whether reasonable assurance exists regarding the effectiveness of controls.

For example, a scale may indicate satisfactory, partially satisfactory, needs improvement, or unsatisfactory depending on the internal auditors’ assessments.

A statement that the engagement is conducted in conformance with the Global Internal Audit Standards should be included in the final engagement communication.

The conclusion may add context regarding the impacts of the findings within the activity under review and the organization. For example, some findings may have a significant impact on achieving goals or managing risks at an activity level, but not at an organizational level. Internal auditors must develop an engagement conclusion that summarizes the engagement results relative to the engagement objectives and management’s objectives. The engagement conclusion must summarize the internal auditors’ professional judgment about the overall significance of the aggregated engagement findings.

Principle 15 - Communicate Engagement Results and Monitor Action – Standard 15.1 – Communicating Engagement Results


Q: Will the final report require a statement confirming that the report conforms with the IIA Standards be required (and/or a statement of the gaps relative to the IIA Standards)? Does communicating internal audit’s engagement results necessarily mean providing a standard report to senior management or Board or audit committee?

A: A statement that the engagement is conducted in conformance with the Global Internal Audit Standards should be included in the final engagement communication.

Indicating that the internal audit engagement conformed with the Standards is appropriate only if supported by the results of engagement supervision and the quality assurance and improvement program.

The style and format of final engagement communication varies across organizations. The chief audit executive may provide templates and procedures.

When issued as a report, the final communication may include the following components, in addition to the requirements:

  • Title.
  • Background (brief synopsis of the activity under review).
  • Recognition (positive aspects of activity under review and/or appreciation of cooperation).
  • Distribution list.

Examples of Evidence of Conformance include:

  • Written final communications.
  • Slides and/or meeting notes of presentations when final communication is oral.
  • Documentation indicating that the final communication was reviewed and approved.
  • Documentation that requirements for communicating with the activity under review were met.

Custom and practice within the internal audit profession is continuously evolving with one-page dashboard type reports becoming increasing popular.

Principle 15 - Communicate Engagement Results and Monitor Action – Standard 15.2 – Confirming the Implementation of Recommendations or Action Plans – Follow-Up


Q: To what extend does internal audit need to follow up recommendations? i.e., re-perform them? Should internal audit be held accountable for long, outstanding audit issues? Who should ideally conduct the follow ups? Could it be the same team that was conducting the audit or some other personnel within the audit function? Can you have a process to which you need to follow up in ‘x’ amount of time according to finding risk?

A: The methodology for confirming the implementation of management’s action plans should include criteria for determining when to perform follow-up assessments to confirm that management’s action plans have effectively addressed findings.

Follow-up assessments may be performed for completed action plans selectively, depending on the risk’s significance.

Under certain circumstances, regulators may require reporting on management’s action plans.

Examples of Evidence of Conformance include:

  • A routinely updated tracking system (for example, a spreadsheet, database, or other tool) that contains the finding, associated corrective action plan, status, and internal audit’s confirmation.
  • Corrective action status reports prepared for the Board and senior management.

There are mixed views as to who should undertake the follow-up process. In some organizations it is the auditors who undertook the engagement, in others it is a separate team within the internal audit function not involved in the engagement, and yet in other organizations it may be the corporate governance team. It is important is to ensure that agreed actions have been implemented and achieved the required outcome.

Principle 15 - Communicate Engagement Results and Monitor Action – Standard 15.2 – Confirming the Implementation of Recommendations or Action Plans – Acceptance of Risk


Q: Requires the chief audit executive to determine if senior management’s delay or inaction means they have accepted a risk that exceeds the risk tolerance. In such a scenario, what should we do? What should internal auditors do if management has not progressed in implementing actions according to completion dates? When following up on "implementation of our recommendations," if the business responds that they accept a risk, why would we as internal auditors challenge that as we are not the "business domain" expert? Who is responsible for determining if senior management has accepted a risk that exceeds the risk tolerance?

A: If management decides on an alternative action plan and internal auditors agree that the alternative plan is satisfactory or better than the original action plan, then progress on the alternative plan should be tracked until completion.

If management has not progressed in implementing the actions according to the established completion dates, internal auditors must obtain and document an explanation from management and discuss the issue with the chief audit executive.

The chief audit executive is responsible for determining whether senior management, by delay or inaction, has accepted a risk that exceeds the risk tolerance.

Standard 11.5 covers Communicating Acceptance of Risks - The chief audit executive may discuss and seek the Board’s agreement on methodologies for documenting and communicating the acceptance of risks that exceed the risk appetite or risk tolerance.

In addition to the requirements in the Standards, methodologies should consider the organization’s risk management process, policies, and procedures.

Building relationships and maintaining communication with stakeholders are additional means of remaining apprised of risk management activities including management’s acceptance of risk.

General Questions

Topical Requirements


Q: Does the IIA have a list of all the topics it plans to create Topical Requirements for? Is there a schedule of when they will be released? For Topical Requirements, the prior webinar stated that portions of the topical requirement can apply to any audit. With one Topical Requirement, this is reasonable. But as more requirements are created, how practical is it for auditors to stay on top of all the different Topical Requirements and all the different sections within them to be able to identify relevant sections? Does each engagement with a cybersecurity impact need to demonstrate the Topical Requirements have been considered and provide a rationale why it was not tested?

A: The current list as shared in the IIA webinar 11 June 2024:

  • Cybersecurity (in process – pilot project)
  • Third-party Risk Management
  • Culture
  • Business Resilience
  • Anti-Corruption / Bribery
  • People Management
  • Fraud Risk Management
  • Sustainability: ESG

Additional Topical Requirements will be developed. (Exact topics and dates to be determined)

The June 11, 2024 webinar provided examples of use of the topical requirements:

Example 1: Cybersecurity is identified for an internal audit engagement.
In this example, since the subject of a Topical Requirement has been identified during the internal audit planning process, then the requirements outlined in the Topical Requirement must be included during the engagement to assess that subject. If the cybersecurity engagement does not include all the requirements in the Cybersecurity Topical Requirement, internal auditors must document and retain the rationale for not including those specific requirements.

Is the Cybersecurity Topical Requirement Required? YES.

Example 2: The subject of cybersecurity is not identified during the internal audit planning process.
In this example, the topic of cybersecurity is not identified, and therefore, the Cybersecurity Topical Requirement does not apply. While most organizations commonly identify cybersecurity as a higher-risk topic, every organization is unique. Therefore, not every organization will assess cybersecurity as one of its higher-risk areas, and it is possible that cybersecurity may not be a topic on the internal audit plan.

Is the Cybersecurity Topical Requirement Required? NO. And no documentation is needed to justify the exclusion.

Example 3: An internal audit engagement is being performed that is not focused on cybersecurity but contains cyber related risks. Internal auditors identify elements of cybersecurity risks during an audit of the accounts payable process, such as the online / web-based submission of the initial purchase order (PO) request.
In this example, internal auditors should review the Cybersecurity Topical Requirement and determine which requirements are applicable, such as the internal controls in place to limit and restrict users to the web-based PO process.

Is the Cybersecurity Topical Requirement Required? YES. Relevant requirements are applicable. Document the rationale for not including the other requirements of the Cybersecurity Topical Requirement in the engagement workpapers.

Transition Period for the Global Internal Audit Standards


Q: Do we have a transition period for the implementation of the new 2024 Standards? Can internal audit functions start adopting the Standards now? When will the new Standards become effective?

A: The new Global Internal Audit Standards, released January 9, 2024, will become effective January 9, 2025.
Internal audit functions may start adopting the Standards now.
The transition period is in effect 2024

External Quality Assessment / Quality Assessment


Q: Will quality assessment span the two standards if one would be due in 2025? If we don't think we will be completely in line with the Standards until early next year, and we request an EQA at the end of 2025, will the EQA be limited to audit activity solely from the start of the new standards at start of 2025? For EQA, are we concentrating more on Conformance or our Performance to implementing the standards?

A: The Board and chief audit executive may determine that it is appropriate to conduct an external quality assessment more frequently than every five years.
There are several reasons to consider a more frequent review, including changes in leadership (for example, senior management or the chief audit executive), significant changes in internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover.

Additionally, some organizations, such as those in highly regulated industries may prefer or be required to increase the frequency or scope of the external quality assessments.
Once we move into 2025 then any EQA will be undertaken against the new Global Internal Audit Standards.

If it is likely that your internal audit function won’t be able to conform with the new Standards until perhaps later in 2025, then good practice would be to create an action place detailing the various Standards and a conformance date and share it with your audit committee and senior management.

The external quality assessment (EQA) will seek to establish conformance with the Standards but will also seek to assess an internal audit function’s maturity, which may give the chief audit executive, Board, audit committee, and senior management additional insight by benchmarking against other organizations or leading practices.

Quality Assessment Manual


Q: Do you have information on the new Quality Assessment Manual? Is it coming out soon?

A: The Standards will be effective for quality assessments January 9, 2025, 12 months after the date of the Standards publication. Learn more by watching the “What the New Standards Mean to Quality Assessments” webinar.

Options for conducting your next external quality assessment:

  • If your next assessment is due in 2024, you should proceed with your assessment when due under the existing IPPF.
  • If your assessment is due in 2025, you can choose to accelerate your assessment under the existing IPPF in 2024. The IIA recommends adding a supplementary gap/readiness assessment to assess how well your function is prepared to implement the new Standards.
  • Gap/readiness assessments may be scheduled at any point to help your internal audit function prepare to implement the new Standards effectively.

As far as I am aware, I believe the new Quality Manual will be issued later in 2024.

Agile


Q: Will agile audit approach work with the new Global Internal Audit Standards? If no, what are the challenges in adopting the new Standards?

A: Agile is about ways of working and will certainly work with the Global Internal Audit Standards. The key elements of an agile approach are:

Improved stakeholder satisfaction
Instead of getting results all at once at the end of the audit, stakeholders are getting actionable information as they go. Consequently, they’re often able to address findings before a report is even issued.

Prioritizing risks
Are there risks hidden beneath the surface? Agile’s iterative approach creates purposeful feedback loops to help keep internal audit aware of sudden changes and pivot accordingly.

More work in less time
Teams are often able to get work done sooner by starting with the most important risks, limiting the number of tasks in progress, and continuously reevaluating the plan. Frequent feedback with the client improves focus and allows the team to spend less time on smaller risks.

The three elements above will work effectively with the new Standards.

Insight and foresight


Q: What's a practical example of how internal audit can deliver on the new concepts of insight and foresight?

A: Insight is also used much more generally. It describes the way we develop a clear and in-depth understanding of a particular subject or situation that enables us to solve problems. We have all experienced an ‘Aha’ moment, the spark of inspiration when we solve a difficult question or problem.

Awareness - The first stage is awareness, the identification of some kind of problem to be solved. We haven’t yet thought hard enough about the problem, but we know there is an issue to resolve. In the workplace this might be duplicate payments occurring in the payment process, an increasing number of customer complaints, failing to deliver projects on time, etc.

Reflection - Studies have shown that during the reflection stage, we are not trying to solve the problem. We are creating links and tapping into more intelligence than the three to five pieces of information we can hold in our working memory. This is why we often have our best ideas when we are not actively thinking about the issue.

Illumination - In practical terms, it seems that to help people have insights (the illumination stage), we need to encourage them to reflect more, and think less, or at least less logically.

Motivation - Finally, the 'Aha' moment is a strong motivator. So, the best way to bring about insight and change is not to think about people’s issues for them but to help them reflect more deeply and support them in their ability to generate connections.

Foresight - Instead of solely looking at past data, internal auditors assess future scenarios, helping businesses prepare for upcoming challenges and capitalize on emerging trends. Foresight has been described as the ability to contemplate key risks and challenges that organizations could conceivably face, so that those perspectives can be shared with management and the Board.

This way, we help our clients prepare for challenges or opportunities before they materialize. Foresight enables us to warn of pending disasters that may befall our organizations in the event management is ignoring strategic or business risks. Of course, management might choose to ignore the foresight that internal auditors provide. But at least the flag will have been waved.

Delegation of authority and responsibility


Q: Can a CAE designate his/her responsibilities to the senior staff member regarding the objectives and scope? Can individual internal auditors be delegated responsibilities for maintaining communication with management of key functions? Who is responsible for reviewing and approving final engagement communications? Can supervisory responsibilities be delegated to other individuals?

A: The chief audit executive may delegate appropriate responsibilities to other qualified professionals in the internal audit function but retains ultimate accountability.

The chief audit executive may delegate individual internal auditors to be responsible for maintaining ongoing communication with the management of key functions such as business segment leaders, global operations, information technology, finance, compliance, and human resources.

The chief audit executive must review and approve final engagement communications, which include engagement conclusions, and decide to whom and how they will be disseminated before they are issued. If these duties are delegated to other internal auditors, the chief audit executive retains overall responsibility.

Supervisory responsibilities may be delegated to appropriate and qualified individuals, but the chief audit executive retains ultimate responsibility.

Links to Relevant Documentation on the IIA website

Subscribe below to receive monthly Expert Insights in your inbox

Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board. 
Back To Top