The global IIA’s International Standards for the Professional Practice of Internal Auditing have changed. This is good news for IIA members worldwide, but it will require some attention and adaptation to meet the new requirements. Hence, our series of webinars which we believe will support you in embedding the new Standards within your internal audit function.
In this overview we will cover:
The Global Internal Audit Standards contain:
Additional features of the Global Internal Audit Standards include:
The process for updating the Glossary involved reviewing each term for its relevance, researching and comparing against other standards and frameworks, conducting initial surveys, and reviewing thousands of public comments.
A few things to note:
The Purpose of Internal Auditing provides a simple and concise overview of the essence of internal auditing, meant to be easily communicated to stakeholders. It could be called an “elevator pitch.” It starts with a Purpose Statement: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”
The Purpose Statement combines elements from the current Definition of Internal Auditing and the Mission of Internal Audit and includes a list of the benefits from internal auditing. Internal auditing enhances these aspects and abilities of the organization.
The Purpose Statement also includes a list of conditions necessary to optimize the benefits from internal auditing.
Domain II incorporates and replaces the existing Code of Ethics and what are called the "attribute standards" in the 2017 Standards — specifically objectivity, competency, and due professional care — to remove duplication.
Domain III groups together Standards involving the relationship between the chief audit executive (CAE), the board, and senior management in governing the internal audit function. Many of these Standards and concepts exist in the 2017 Standards but more direct and clear detail has been added to give some weight to the importance of establishing and supporting the mandate (authority, role, and responsibilities), independence, and oversight of the internal audit function.
While the chief audit executive is responsible for the requirements in this domain, appropriate governance arrangements, supported by activities of the board and senior management, are essential to enable the internal audit function to be effective and to fulfill the Purpose of Internal Auditing (Domain I).
Domain III now has principles and standards, as well as essential conditions — callouts to the board and senior management. “Essential conditions,” along with the requirements for the chief audit executive, establish a necessary foundation for an effective internal audit function.
In Domain IV, all Principles and Standards address the chief audit executive, a term that’s defined in the glossary and in the introduction to this domain as the leadership role responsible for effectively managing all aspects of the internal audit function. The specific job title and/or responsibilities may vary.
The Standards in Domain IV cover how the chief audit executive plans strategically, manages resources, communicates effectively with stakeholders, and enhances the internal audit function’s quality.
Domain V includes the standards for planning, performing, and communicating engagement results. The Standards, requirements, and considerations for implementation in this domain are applicable to both assurance and advisory services, unless otherwise specified in individual standards. The reason for this was to present a consistent generalized approach to project management that identifies the fundamental elements of planning, performing, and communicating each engagement.
Although there are not separate assurance and advisory standards, the Standards Board working group added or modified language throughout Domain V to clarify when requirements may not apply to advisory services.
The Principles in Domain V cover engagement planning, fieldwork, developing and reporting findings, developing recommendations and/or action plans, and following-up on management’s corrective actions.
The first webinar in a series of presentations covering the 2024 Standards took a helicopter view of the 5 Domains, 15 Principles and 52 Standards. It focused primarily on the headline content within the 5 Domains. It is recognized and accepted that many of the changes are familiar and in common practice in mature internal audit functions e.g., Domain V Performing Internal Audit Services. But most practicing internal audit professionals will need to adapt some elements of what they do to ensure continued conformance, so please join us for the remainder of the webinars which will take a deep dive into each of the Domains.
For more information and detail visit this link.
The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity.
A: Domain I references the use of 'foresight'. Domain III Principle 6 also references the term 'foresight' and that it will be included in the Mandate. The Audit Committee/Board is required to approve the Mandate, (along with the Internal Audit Charter) with reference in Standard 6.1 to the support of the Audit Committee/Board for internal audit in achieving its Mandate. These are the only two references to 'foresight'. I think of foresight as horizon scanning and recall a conversation with a CEO who told me that they didn't want to "know where the fire is, but where the fire will be." Foresight is about internal audit supporting the organization in preparation for what is coming, when the next crisis may occur, and what the next crisis might be. But internal audit shouldn't be the only people in the organization looking to the future. The risk team and senior management also have a responsibility. Internal audit needs to be able to demonstrate that it has applied best endeavors when it scans the horizon.
A: The intention is that the IIA will bring the CIA exams up to date with the current global practice of internal auditing. There will be greater alignment between the CIA syllabi and the IIA’s new Global Internal Audit Standards. The IIA will seek to minimize duplication and overlap among the three exam parts. The CIA will seek to clarify the knowledge, skills, and abilities that exam candidates must possess to pass the exam. The new syllabi will be published no later than May 2024. Although, I believe the new exams won't be available until post March 2025.
A: It is difficult to comment on but if you have had a positive conforms assessment from your EQA against the 2017 IPPF and it is fairly recent, then I would suggest it will be straight forward to embed and conform with the new 2024 Global Internal Audit Standards. The challenge might be working with your Audit Committee/Board to encourage them to engage in Domain III.
A: The 2024 Global Internal Audit Standards reference 'conclusion' rather than 'opinion', which I believe is a positive language as the word 'opinion' has a subjective tone, whereas the word 'conclusion' implies that it is based on the work undertaken. I would encourage you to adopt the term conclusion.
A: The CIA exam will not change until May 2025. In-process candidates — those who have started the CIA exam process and already passed one or more exams — are allowed a three-year transition period to complete the program they initially applied to. Any completed exam parts are valid during the three-year period. However, when the period ends (the program expires), if the candidate hasn’t completed all three parts, then they will be required to start over. Those who apply now will receive information about changes and updates at least one year before they happen.
A: The Topical Requirements will become mandatory starting January 2025 where you have an internal audit engagement within your internal audit plan that is the same as the topical requirement. The IIA has recently published the cyber security topical requirements for consultation. The response to the consultation is open April 3 to July 3, 2024. It will enable you to gain a sense as to the format, approach, and content of the topical requirements.
A: There will likely only be the Topical Requirements. Topical Requirements, the newest component of the International Professional Practices Framework, will ensure that all internal audit functions — large, small, private, or public — apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area. The use of Topical Requirements will be mandatory when an internal audit function scopes an audit engagement that includes the topic covered. However, other organization will likely produce additional guidance.
A: Based on the Internal Audit Charter published on March 28, 2024, the Mandate is included in the Charter document.
A: One person internal audit functions do struggle regarding the QAIP element. The internal audit function’s ability to fully conform with the new 2024 Global Internal Audit Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises of only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. This may be provided by your quality team if you have one. Alternatively, I am aware of organizations seeking assurance regarding internal audit from their external auditors.
A: While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. Laws and/or regulations may establish the mandate, organizational position, reporting relationship, scope of work, funding, and other requirements of the internal audit function. If there are instances where laws and regulations contradict or challenge the Global Internal Audit Standards the expectation is that you would adhere to the laws and regulations but reference this in conversations with the Audit Committee (i.e. comply or explain).
A:The IIA have published new guidance regarding Domain III. The link can be found here. The new 2024 Global Internal Audit Standards requirements seek to elevate internal audit practice in five domains that cover the profession’s purpose, ethics and professionalism, governance, management, and performance. Domain III, which focuses on how the internal audit function is governed, may hold the greatest potential for transforming how the profession is viewed around the world. Domain III identifies a set of conditions necessary for internal audit to achieve effective collaboration with the board and senior management. Additionally, it articulates how the board and senior management should contribute to that collaboration.
A: The intention of the 2024 Global Internal Audit Standards is that they will be applicable to all practicing internal audit professionals. The Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.
A:Standard 7.2 (Domain III) states: The board collaborates with senior management to determine which competencies and qualifications the organization expects in a chief audit executive. The competencies may vary according to the internal audit mandate, the complexity and specific needs of the organization, the organization’s risk profile, and the industry and jurisdiction within which the organization operates, among other factors. The desired competencies and qualifications are typically documented in a job description and include:
A: Yes, the Red Book is available and can be found here.
A: Internal auditors provide advisory services to advise an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products, as well as providing forensic services, training, and facilitating discussions about risks and controls. “Advisory services” are also known as “consulting services.”
A: Standard 7.1 states: The chief audit executive must discuss with the board and senior management any current or proposed roles and responsibilities that have the potential to impair the internal audit function’s independence, either in fact or appearance. The chief audit executive must advise the board and senior management of the types of safeguards to manage actual, potential, or perceived impairments. When the chief audit executive has one or more ongoing roles beyond internal auditing, the responsibilities, nature of work, and established safeguards must be documented in the internal audit charter. If those areas of responsibility are subject to internal auditing, alternative processes to obtain assurance must be established, such as contracting with an objective, competent external assurance provider that reports independently to the board.
A: It makes sense for every internal audit function to have a strategy that reflects where you and your internal audit function is now, where it wants to be, and how it will get there, regardless of which sector you are in. Standard 9.2 covers the internal audit strategy and states: The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders. An internal audit strategy is a plan of action designed to achieve a long-term or overall objective. The internal audit strategy must include a vision, strategic objectives, and supporting initiatives for the internal audit function. An internal audit strategy helps guide the internal audit function toward the fulfillment of the internal audit mandate. The chief audit executive must review the internal audit strategy with the board and senior management periodically.
A: The requirements for an EQA is the same for both public and private companies. Standard 8.4 provides details on the role of the CAE and the Audit Committee/Board in relation to the EQA: The chief audit executive must develop a plan for an external quality assessment and discuss the plan with the Board. The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external quality assessment may also be met through a self-assessment with independent validation.
A: The intention of Domain III and the essential conditions is to encourage internal audit and senior management to work more collaboratively than perhaps they do at present. The chief audit executive must discuss this Domain with the board and senior management. The discussions should focus on:
For more mature internal audit functions there isn't a significant change, but I do welcome the structured link between internal audit and senior management.
A: While the chief audit executive is responsible for the requirements in Domain III, activities of the Audit Committee/Board and senior management are essential to the internal audit function’s ability to fulfill the purpose of internal auditing. These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the Audit Committee/Board, senior management, and the chief audit executive, enabling an effective internal audit function. I would suggest they have been included to strengthen the relation between the Audit Committee/Board, senior management, and internal audit and therefore strengthen the governance arrangements.
