New Global Internal Audit Standards in 2024
Achieving a meaningful impact through internal audit is within reach when you focus on what truly matters to stakeholders. By leveraging data, experience, and comparative knowledge, you can develop a valuable perspective on your findings. It’s then crucial to communicate this perspective effectively.
In January 2024, the Institute of Internal Auditors (IIA) introduced the Global Internal Audit Standards, which must be implemented by January 9, 2025. During this transition period, the previous version, the International Standards for the Professional Practice of Internal Auditing (the 2017 Standards), remains valid for use.
Organizations need to make sure they have a rock-solid understanding of the key structural, content, and stakeholder changes to prepare for the implementation of the new Global Internal Audit Standards by January 9, 2025.
Global Internal Audit Standards: Key Structural Changes
- The new standards have been simplified through the combining of multiple guides into one comprehensive document. Previously, these guides only included the mandatory and implementation guidance sections within the 2017 Standards. The new Standards now include the five mandatory elements of the current framework (Mission of Internal Audit, Definition of Internal Auditing, Core Principles for the Professional Practice of Internal Auditing, Code of Ethics, and Standards), as well as one of the recommended non-mandatory elements, the Implementation Guidance. This change means that these elements will no longer exist as separate entities.
- There is no longer a division into “attribute” and “performance” categories, and the Standards no longer have a separate section for “interpretations.” The “A” [assurance] and “C” [consulting] implementation standards have been integrated into the main body of the proposed Standards.
- The numbering system and order of the Standards have been completely revamped. The new Standards are organized into five domains and 15 principles, simplifying the structure for easier understanding and application.
Global Internal Audit Standards: Key Content Changes
The updated Global Internal Audit Standards introduce several significant content changes to the 2017 Standards. These changes focus on key areas that impact the role of the Chief Audit Executive (CAE) and the overall effectiveness of the internal audit function:
- Essential Conditions for the Board and Senior Management: Domain III, “Governing the Internal Audit Function,” emphasizes the CAE’s role in supporting and encouraging the board and senior management to fulfill their oversight responsibilities for an effective internal audit function. The Standards outline “Essential Conditions” that should be present for the internal audit function to meet its mandate, with the CAE responsible for providing the necessary information for oversight discussions.
- Internal Audit Strategy: Standard 9.2 now requires the CAE to develop and implement an internal audit strategy that aligns with the organization’s strategic objectives and meets the expectations of key stakeholders. This strategic approach is crucial for ensuring the success of the internal audit function.
- Integrated Assurance and the Internal Audit Plan: Standard 9.4 mandates that the internal audit plan be based on a documented assessment of the organization’s strategies, objectives, and risks. This assessment, performed at least annually, should consider the effectiveness of the organization’s governance, risk management, and control processes. The Standards also suggest that internal audit should review the effectiveness of the organization’s risk management processes, including an examination of the 2nd line ERM function if applicable, to ensure objectivity. Standard 9.5 emphasizes the importance of coordinating with internal and external providers of assurance services to minimize duplication of efforts and address gaps in coverage of key risks.
- Report and Findings Ratings: While the 2017 Standards did not require rankings and ratings for internal audit findings, the new Standards introduce a requirement for “an engagement conclusion that summarizes the engagement results relative to the engagement objectives and management’s objectives” (Standard 14.5). While ratings and rankings are not mandatory, they are recommended as a best practice. This change aims to provide a clearer picture of the significance of findings and their impact on management’s objectives.
- Enhanced Requirements for External Quality Assessments: The new Standards maintain the requirement for an external quality assessment every five years, which can include self-assessment with independent validation. However, the new Standards now specify that at least one member of the assessment team must be an active Certified Internal Auditor, ensuring the assessment team has the necessary expertise.
These changes reflect the evolving nature of internal auditing and emphasize the importance of aligning internal audit practices with organizational goals and stakeholder expectations.
Global Internal Audit Standards: Key Changes for Stakeholders
The new standards bring several significant stakeholder changes aimed at enhancing the credibility and quality of the internal audit (IA) function. Requirements for quality assurance and improvement programs (QAIPs), expectations regarding professional skepticism and ethics, and guidance on continuing professional development are among the key updates. These changes seek to bolster the IA function’s credibility within the organization and in the broader public interest.
One notable change is the introduction of explicit definitions of board and senior management responsibilities, emphasizing the importance of aligning the IA function with the organization’s strategic objectives and stakeholder expectations. This change aims to enhance the influence of IA within the organization.
Public Sector
For those working in the public sector, additional considerations have been added to help practitioners apply the standards more effectively, providing clarity on applicable structures and terminologies.
In response to these new standards, stakeholders should consider various questions depending on their roles and responsibilities:
- Do we have the necessary oversight and support structures in place for the IA function?
- How are we communicating across functions and monitoring IA’s effectiveness?
- What technology, training, and information does IA need to conduct audits aligned with our strategic objectives?
- How can we use the new standards to drive transformative change in our organization?
Board and Senior Leadership
For the board and senior management, the new standards clarify the board’s role in governing IA, including oversight of the QAIP. Boards should ensure they are asking the right questions to evaluate and enhance the quality of IA. Senior management must support IA by providing the necessary information and tools to fulfill its mandate.
- Chief audit executives (CAEs) are tasked with managing resources effectively and establishing methodologies for the IA function. The new standards require CAEs to ensure at least one individual on the external quality assessment team is a certified internal auditor. As the demands on IA increase in a complex risk landscape, CAEs will need to demonstrate expertise in strategy, technology, and relationships.
For internal auditors, the focus on quality and continuous improvement is evident in the new standards related to professional skepticism, communication, and analysis. IA professionals will need to develop skills that demonstrate agility, critical thinking, and communication. Professional development concepts encourage internal auditors to identify areas for development and enhance their skills through continuous learning. The standards’ code of ethics emphasizes internal auditors’ duty to uphold integrity, objectivity, confidentiality, and competence.
Understanding the Impact of the New Global Internal Audit Standards
The new Global Internal Audit Standards will have a significant impact on the way internal auditing is conducted for organizations across the world. These standards introduce changes in how internal auditors evaluate findings, develop recommendations, and communicate with stakeholders. Key takeaways from these new standards:
- Evaluation of Findings: Internal auditors are now required to evaluate each potential finding to determine its significance and collaborate with management to determine the root causes. This emphasizes the importance of thorough analysis and partnership with management in addressing issues.
- Documentation and Communication: When auditors determine there is a significant risk exposure, it must be documented and communicated as a finding. While ratings and rankings are not required, they are cited as examples of how prioritization may be demonstrated, ensuring clear and effective communication of risks.
- Developing Recommendations and Action Plans: Internal auditors must now determine whether to develop recommendations related to findings or to request action plans from management, recognizing the varied approaches organizations may take in addressing issues.
- Engagement Conclusions: Auditors are required to summarize engagement results relative to objectives, including their professional judgment about the overall significance of the findings. Assurance engagements must include a judgment on the effectiveness of governance, risk management, and control processes, providing a comprehensive assessment of the audited areas.
- Documenting Engagements: The standards establish requirements for documenting the support for conclusions in a manner that would allow an informed internal auditor or similarly informed person to repeat the work and achieve the same results, ensuring transparency and repeatability of audit processes.
- Final Engagement Communication: The final engagement communication must include the engagement objectives, scope, recommendations, action plans (if applicable), and conclusions. Non-conformance with the standards must be disclosed in the report, enhancing the clarity and completeness of audit reporting.
- Confirmation of Action Plans: Internal auditors are required to confirm that management has implemented recommendations or action plans and determine if senior management’s delay or inaction means they have accepted a risk that exceeds the risk tolerance, ensuring accountability and follow-up on audit findings.
- Topical Requirements: The IIA will develop mandatory requirements for specific risk areas to ensure a minimum level of quality and coherence in these often quite specific and complex risk domains. Topics may include cybersecurity, IT governance, broad risk management, third-party risk, and ESG, reflecting the evolving nature of risks faced by organizations.
- External Quality Assessments (EQAs): EQAs due in 2024 can be assessed against the current 2017 standards or the new standards. EQAs due in 2025 must comply with the new standards, providing a transition period for organizations to align their audit practices with the new standards.
- Certification Changes: Changes to the CIA exam and study materials will not occur before May 2025, with similar timelines for other certifications, allowing time for auditors to prepare for any changes in certification requirements.
These standards aim to enhance the effectiveness and quality of internal auditing practices globally. Internal auditors must familiarize themselves with these changes and ensure compliance to continue providing valuable insights and assurance to their organizations.
Implementation Guidance
Streamlining Internal Audits: A Closer Look at IBM OpenPages
iTech GRC’s expert implementation services, combined with the power of IBM OpenPages, provide a comprehensive solution for internal audit management. By automating processes, enhancing collaboration, and ensuring effective management of audit scope and objectives, iTech, using IBM OpenPages, enables organizations to streamline their internal audit practices, reduce costs, and improve overall efficiency.