2024 Global Internal Audit Standards FAQs
The continued success of our ongoing webinars that focus on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those who have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity.
Q: How will internal audit’s provision of foresight be measured? Will this be based on actual feedback from audit clients?
A: Domain I references the use of 'foresight'. Domain III Principle 6 also references the term 'foresight' and that it will be included in the Mandate. The Audit Committee/Board is required to approve the Mandate (along with the Internal Audit Charter), with reference in Standard 6.1 to the support of the Audit Committee/Board for internal audit in achieving its Mandate. These are the only two references to 'foresight'. I think of foresight as horizon scanning and recall a conversation with a CEO who told me that they didn't want to "know where the fire is, but where the fire will be." Foresight is about internal audit supporting the organization in preparation for what is coming, when the next crisis may occur, and what the next crisis might be. But internal audit shouldn't be the only people in the organization looking to the future. The risk team and senior management also have a responsibility. Internal audit needs to be able to demonstrate that it has applied best endeavors when it scans the horizon.
Q: How will the new 2024 Global Internal Audit Standards impact the Certified Internal Auditor (CIA) certification process?
A: The intention is that the IIA will bring the CIA exams up to date with the current global practice of internal auditing. There will be greater alignment between the CIA syllabi and the IIA’s new Global Internal Audit Standards. The IIA will seek to minimize duplication and overlap among the three exam parts. The CIA will seek to clarify the knowledge, skills, and abilities that exam candidates must possess to pass the exam. The new syllabi will be published no later than May 2024, although I believe the new exams won't be available until post-March 2025.
Q: If we already meet the 2017 Internal Audit Standards, do you feel more effort will be required to meet the new 2024 Global Internal Audit Standards?
A: It is difficult to comment on, but if you have had a positive conforms assessment from your EQA against the 2017 IPPF and it is fairly recent, then I would suggest it will be straightforward to embed and conform with the new 2024 Global Internal Audit Standards. The challenge might be working with your Audit Committee/Board to encourage them to engage in Domain III.
Q: Are organizations required to adopt new terms such as ‘engagement conclusion vs opinion’ in their reports, etc.? How important is it to model the new IIA glossary language?
A: The 2024 Global Internal Audit Standards reference 'conclusion' rather than 'opinion', which I believe is positive language, as the word 'opinion' has a subjective tone, whereas the word 'conclusion' implies that it is based on the work undertaken. I would encourage you to adopt the term conclusion.
Q: Is it worth starting the Certified Internal Auditor (CIA) process now and finishing it with the new 2024 Global Internal Audit Standards?
A: The CIA exam will not change until May 2025. In-process candidates — those who have started the CIA exam process and already passed one or more exams — are allowed a three-year transition period to complete the program they initially applied to. Any completed exam parts are valid during the three-year period. However, when the period ends (the program expires), if the candidate hasn’t completed all three parts, then they will be required to start over. Those who apply now will receive information about changes and updates at least one year before they happen.
Q: When is compliance with topical requirements required? Is this also expected in January 2025, even though the topical requirements are not final yet?
A: The Topical Requirements will become mandatory starting January 2025 where you have an internal audit engagement within your internal audit plan that is the same as the topical requirement. The IIA has recently published the cyber security topical requirements for consultation. The response to the consultation is open April 3 to July 3, 2024. It will enable you to gain a sense as to the format, approach, and content of the topical requirements.
Q: Will there be guidance on the types of audits that can be undertaken, such as thematic reviews, change management audits, outcomes-based, (any new audit services)?
A: There will likely only be the Topical Requirements. Topical Requirements, the newest component of the International Professional Practices Framework, will ensure that all internal audit functions — large, small, private, or public — apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area. The use of Topical Requirements will be mandatory when an internal audit function scopes an audit engagement that includes the topic covered. However, other organizations will likely produce additional guidance.
Q: Does Domain III of the 2024 Global Internal Audit Standards require the internal audit mandate to be documented separately from the Internal Audit Charter?
A: Based on the Internal Audit Charter published on March 28, 2024, the Mandate is included in the Charter document.
Q: For a single person audit shop, is it required that they involve external parties in their QAIP framework? Can the CAE conduct self-assessment both annually and a 5-year external review to be compliant? It is challenging to find another qualified person in the organization to assist with QAIP framework.
A: One-person internal audit functions do struggle regarding the QAIP element. The internal audit function’s ability to fully conform with the new 2024 Global Internal Audit Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. This may be provided by your quality team if you have one. Alternatively, I am aware of organizations seeking assurance regarding internal audit from their external auditors.
Q: What if local regulations include something that contradicts the new 2024 Global Internal Audit Standards (i.e. oversight and responsibility of Audit Committee or requiring regulatory approval for the CAE prior to joining the function)?
A: While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. Laws and/or regulations may establish the mandate, organizational position, reporting relationship, scope of work, funding, and other requirements of the internal audit function. If there are instances where laws and regulations contradict or challenge the Global Internal Audit Standards, the expectation is that you would adhere to the laws and regulations but reference this in conversations with the Audit Committee (i.e. comply or explain).
Q: We are planning to provide an overview of key changes and updates that our internal audit function will make to the Audit Committee in April. What are the key messages we should convey?
A: The IIA have published new guidance regarding Domain III. The link can be found here. The new 2024 Global Internal Audit Standards requirements seek to elevate internal audit practice in five domains that cover the profession’s purpose, ethics and professionalism, governance, management, and performance. Domain III, which focuses on how the internal audit function is governed, may hold the greatest potential for transforming how the profession is viewed around the world. Domain III identifies a set of conditions necessary for internal audit to achieve effective collaboration with the board and senior management. Additionally, it articulates how the board and senior management should contribute to that collaboration.
Q: Who are the new 2024 Global Internal Audit Standards applicable to? Are all the standards mandatory?
A: The intention of the 2024 Global Internal Audit Standards is that they will be applicable to all practicing internal audit professionals. The Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.
Q: How do you measure "qualified" internal auditors? What background, experience, certifications, if any, are required?
A: Standard 7.2 (Domain III) states: The board collaborates with senior management to determine which competencies and qualifications the organization expects in a chief audit executive. The competencies may vary according to the internal audit mandate, the complexity and specific needs of the organization, the organization’s risk profile, and the industry and jurisdiction within which the organization operates, among other factors. The desired competencies and qualifications are typically documented in a job description and include:
- A comprehensive understanding of the Global Internal Audit Standards and leading internal audit practices.
- Experience building and managing an effective internal audit function by recruiting, hiring, and training internal auditors and helping them develop relevant competencies.
- Certified Internal Auditor® designation or other relevant professional education, certifications, and credentials.
- Leadership experience.
- Industry or sector experience.
Q: Is the Internal Audit Red Book currently available with the new 2024 Global Internal Audit Standards?
A: Yes, the Red Book is available and can be found here.
Q: What is the difference between consulting and advisory services?
A: Internal auditors provide advisory services to advise an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products, as well as providing forensic services, training, and facilitating discussions about risks and controls. “Advisory services” are also known as “consulting services.”
Q: When the chief audit executive (CAE) takes responsibility beyond the internal audit function — such as a chief risk officer — to oversee the organization's Enterprise Risk Management (ERM), is it considered a good practice or impaired independence?
A: Standard 7.1 states: The chief audit executive must discuss with the board and senior management any current or proposed roles and responsibilities that have the potential to impair the internal audit function’s independence, either in fact or appearance. The chief audit executive must advise the board and senior management of the types of safeguards to manage actual, potential, or perceived impairments. When the chief audit executive has one or more ongoing roles beyond internal auditing, the responsibilities, nature of work, and established safeguards must be documented in the internal audit charter. If those areas of responsibility are subject to internal auditing, alternative processes to obtain assurance must be established, such as contracting with an objective, competent external assurance provider that reports independently to the board.
Q: The internal audit strategy is new to the standards. Is an internal audit strategy mandatory in the new 2024 Global Internal Audit Standards for internal audit in the public sector?
A: It makes sense for every internal audit function to have a strategy that reflects where you and your internal audit function are now, where it wants to be, and how it will get there, regardless of which sector you are in. Standard 9.2 covers the internal audit strategy and states: The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders. An internal audit strategy is a plan of action designed to achieve a long-term or overall objective. The internal audit strategy must include a vision, strategic objectives, and supporting initiatives for the internal audit function. An internal audit strategy helps guide the internal audit function toward the fulfillment of the internal audit mandate. The chief audit executive must review the internal audit strategy with the board and senior management periodically.
Q: Could you share more information on the External Quality Assessment (EQA), and the requirement of this assessment by non-public companies?
A: The requirements for an EQA are the same for both public and private companies. Standard 8.4 provides details on the role of the CAE and the Audit Committee/Board in relation to the EQA: The chief audit executive must develop a plan for an external quality assessment and discuss the plan with the Board. The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external quality assessment may also be met through a self-assessment with independent validation.
Q: For Standard 8.1, the chief audit executive (CAE) must report to senior management, like the board (e.g., audit plan, budget, revisions to plan, audit conclusions and themes, and QAIP results). Is this level of granular reporting to senior management expected to be at the same level as the Audit Committee and Board?
A: The intention of Domain III and the essential conditions is to encourage internal audit and senior management to work more collaboratively than perhaps they do at present. The chief audit executive must discuss this Domain with the board and senior management. The discussions should focus on:
- The purpose of internal auditing as articulated in Domain I: Purpose of Internal Auditing.
- The essential conditions outlined under each of the standards in Domain III: Governing the Internal Audit Function.
- The potential impact on the effectiveness of the internal audit function if the Board or senior management does not provide the support outlined in the essential conditions.
For more mature internal audit functions there isn't a significant change, but I do welcome the structured link between internal audit and senior management.
Q: What are the essential conditions/criteria within Domain III of the 2024 Global Internal Audit Standards? Why are these unique to the new IPPF standards when compared to the 2017 Internal Audit Standards?
A: While the chief audit executive is responsible for the requirements in Domain III, activities of the Audit Committee/Board and senior management are essential to the internal audit function’s ability to fulfill the purpose of internal auditing. These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the Audit Committee/Board, senior management, and the chief audit executive, enabling an effective internal audit function. I would suggest they have been included to strengthen the relation between the Audit Committee/Board, senior management, and internal audit and therefore strengthen the governance arrangements.