Today’s global business landscape continues to change and evolve, and with it, new risks emerge. These risks can materialize quickly and disrupt the operational effectiveness of an organization and what it needs from its internal audit function.
To address this new risk landscape and deliver on heightened expectations from the board, management, and the multitude of other stakeholders, internal audit must chart a new course in response. Internal audit leaders within every organization should be knowledgeable of the recent changes to professional internal auditing standards (the Standards) announced by the Institute of Internal Auditors (IIA). Earlier in 2024, the IIA’s International Internal Audit Standards Board released the 2024 Global Internal Audit Standards, which on January 9, 2025 will replace the 2017 International Standards for the Professional Practice of Internal Auditing. While paying attention to the most high-impact changes will not only help you conform with the updated Standards, it will also provide guidance on how to improve the overall performance of your internal audit function.
Before examining the most significant changes, one should keep in mind that the International Internal Audit Standards Board referred to the 2024 updates as an evolution. Many of the changes are restructurings of existing internal audit requirements and elevating certain leading practices to mandatory requirements. Some internal audit functions that have already embraced these leading practices may not find the updates to the Standards to be significant.
Charting a New Course With the Updated Standards
The below diagram illustrates the updated Standards’ five domains. Domain I is the foundation and provides a streamlined description of internal auditing, its value to the organization, and the critical ingredients to ensure its effectiveness. Domain II prescribes the essential behavioral requirements of internal audit professionals. Domains III, IV, and V comprise the key activities of an internal audit function.
Domain III: Governing the Internal Audit Function | Domain IV: Managing the Internal Audit Function | Domain V: Performing Internal Audit Services |
---|---|---|
Highlights the relationship between the board, internal audit function, and the chief audit executive (CAE) to pinpoint roles and responsibilities of the board in governance.
| Details how the CAE’s roles entail strategic planning, managing resources, communicating effectively, and enhancing the quality of the internal audit function.
| Describes an approach to project management that includes elements such as planning, performing, and communicating about internal audit services.
|
Updated Standards Changes to Navigate
Although requirements in all the domains are important, think of Domains I and II as the foundation of any internal audit function. The following revisions in Domains III to V warrant chief audit executives’ (CAEs) focused attention to map out their internal audit function’s journey toward meeting new requirements in 2025 and elevate their internal audit function’s performance:
Domain III: Governing the Internal Audit Function
The updated Standards bring enhanced descriptions of expected roles and responsibilities between the board, internal audit function, and CAE. A close review of these newly created essential conditions compared to current organization practices will identify potential gaps in important responsibilities and actions among the board, senior management, and the internal audit function. If the board or senior management disagrees with or is not able to meet the essential conditions, the Standards provide a process for identifying and discussing these gaps, as well as documenting the board and senior management’s final disposition.
The updated Standards introduce the concept of an internal audit mandate. Although the mandate and audit charter are viewed as two sides of the same coin, there is an important distinction called out within the Standards. The mandate defines why internal audit exists within the organization and specifies its authority, role, responsibilities as granted by the board, or applicable laws and/or regulations. The internal audit charter is the formal documentation of the mandate plus other internal audit requirements. It is critical that internal audit functions and their boards/audit committees and senior management teams have a thorough and aligned understanding of internal audit’s mandate, which is typically accomplished through conversations and then officially recorded in the internal audit charter.
Domain IV: Managing Internal Audit
While previously considered an internal audit best practice, Standard 9.2 now requires the internal audit function to have formally documented long-range strategic plans beyond the year-over-year completion of internal audit workplans. If the internal audit function does not have a strategic plan or other documented long-range plans, the CAE will need to create a vision, strategic objectives, and supporting initiatives which would empower internal auditors to proactively contribute to their organization’s excellence and drive for positive change. This internal audit strategy document must be reviewed with the board and senior management.
Standard 9.5 elevates to a requirement that internal audit functions must coordinate with internal and external assurance providers. This new requirement compels internal audit functions to leverage the work of these other assurance providers, which can significantly improve efficiency and effectiveness of the organization’s governance, risk management, and control activities. Most importantly, the new requirements require the CAE to raise applicable concerns with senior management and, if necessary, the board, if the internal audit function is unable to achieve an appropriate level of coordination.
Domain V: Performing Internal Audit Function
This domain prioritizes efficiency, consistency, and quality by compelling functions to leverage a unified framework for both assurance and advisory services. These changes eliminated separate requirements for assurance versus consulting engagements and retitled consulting as advisory to reflect this more commonly used terminology and aspiration of internal audit functions to be seen as providing risk-based advice, insight, and foresight to their organizations. To the extent CAEs have operationalized separate approaches to consulting or advisory engagements, a closer review of Domain V requirements to the internal audit function’s methodologies and policies is warranted.
Mapping Out the Internal Audit Function of Tomorrow
Creating the momentum to embrace these updated Standards requires engagement by the CAE with the board of directors and/or audit committee and senior management. Here are the key actions CAEs should take now:
- Understand the potential changes and challenges faced in the road to adoption, assess conformance, identify gaps, and provide supplemental guidance as needed.
- Internal audit professionals or teams assigned to the Quality Assurance and Improvement Program should:
- Identify the potential changes along with potential challenges their function will face in adoption.
- Determine updates to be incorporated into quality assurance activities throughout 2024 to assess conformance, identify gaps, and provide supplemental guidance focused on conformance by January 1, 2025.
- Review existing internal audit policies, procedures, methodologies, and governing documents and map to the updated Standards to identify gaps and required enhancements.
- The CAE should:
- Meet with the board and senior management to educate them on the updated Standards and discuss the changes and the impacts to the internal audit function and the broader organization.
- Start educating and training management and internal audit staff.
- Evaluate the need to accelerate the internal audit’s external quality assessment (EQA). If the EQA is due in 2025, it is recommended to conduct the EQA in 2024 against the current Standards and include a gap analysis/readiness assessment against the updated Standards as part of this project.
The path forward for an effective internal audit function will require adept navigation of these updated Standards and preparing for organizational conformance by 2025.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.