The Institute of Internal Auditors (IIA) has revised its Global Internal Audit Standards (standards) to enhance flexibility, address rapid and evolving changes in the business environment and emerging risks, and meet stakeholder expectations. The goal of the new standards is to elevate the internal audit function to better support organizational objectives and maximize the value it delivers through the following:
- Collaboration. The new standards emphasize the importance of involving various stakeholders, including the board, audit committee, and senior management, in the internal audit process.
- Consultative role. Internal auditors are encouraged to adopt a more consultative role, providing strategic insights and recommendations that go beyond traditional assurance activities.
- Outcome-focused. The standards highlight the need for internal audit functions to focus on outcomes and impact.
The primary responsibility for implementation lies with the chief audit executive (CAE), with executive management and board members playing a key role in supporting and overseeing implementation activities.
The board and management set the tone
Through effective oversight and leadership, the board and executive management support the CAE in efficient and effective implementation of the new standards. At the outset of implementation, as the CAE communicates steps for timely implementation of the new standards to the internal audit function and other departments, the board and executive management can help set the tone on the importance of this initiative. They should also make available necessary resources and dedicate time to monitoring the implementation.
Board members should support the internal audit function by making appropriate inquiries of senior management and the CAE to determine whether any restrictions on the internal audit function’s scope, access, authority, or resources limit the function’s ability to carry out its responsibilities effectively.
Both parties can also support the implementation of the new standards by fulfilling the essential conditions under the new standards. These are activities essential to an internal audit function’s ability to fulfill its purpose, including:
- Establishing internal audit’s role by clearly defining the internal audit function's authority, the role of internal audit, the scope of its responsibilities, and what services it provides. These details should be documented within the internal audit charter and approved by board members with executive management input.
- Maintaining internal audit independence by having the CAE report directly to the board. Alternatively, if the CAE must administratively report to an executive management team member, the board should maintain regular, direct communication with the CAE without executive management. In either scenario, the CAE should functionally report to the board.
- Overseeing internal audit activity: With input from senior management that doesn’t involve influence or pressure on the CAE, the board should review and approve the organization’s risk assessment, the internal audit strategy, the annual audit plan, and the budget with allocated resources. It’s best practice for the CAE to establish internal audit performance metrics (key performance indicators), present them for feedback and board approval, gather data and report progress against them. Lastly, the board should support the CAE by providing feedback on internal audit performance metrics, having a recurring meeting schedule and agenda, and making themselves available for the CAE to reach out with questions or concerns.
- Establishing a quality assurance and improvement program (QAIP): Board members, with input from executive management, should review and approve the CAE’s internal audit QAIP, which should include the most effective and efficient approach for periodic assessment of the internal audit function and its conformance to the standards.
The chief audit executive implements the plan
The CAE must discuss its plan to implement the new standards with executive management and board members. If that hasn’t been completed, executive management and board members should initiate a discussion with the CAE as soon as possible to ensure stakeholders have adequate visibility into the implementation plan and are updated on progress regularly. Here are some questions to consider:
- Executive management and board members should initiate a discussion with the CAE to evaluate when the last external quality assessment (EQA) was performed. Does it make sense to complete an EQA based on the current (2017) or new (2024) standards? To facilitate readiness for an EQA based on the new (2024) standards, should an assessment be completed to first determine what actions are required to conform with the new (2024) standards?
- Has a self-assessment been performed to identify areas requiring process or documentation changes? Is the CAE confident that changes affecting conformance with the standards have been identified? Has the CAE prioritized the areas where changes are required based on their significance to conformance with the new standards?
- Has the CAE developed a reasonable implementation plan that identifies phases of the project prioritized based on the most significant changes, the end deliverables and required actions to produce them, and due dates? Does it include the estimated time required for each step and the resources assigned to complete it?
- When can a detailed and summarized implementation plan be available for review? Is there a meeting scheduled to discuss the plan and answer questions? What’s the plan to update the board and executive management on implementing the plan? Does the plan include a process for communicating significant roadblocks and delays?
Establish and communicate desired implementation outcomes
The CAE should be clear on what board members and senior management expect from implementing the new standards. The following outcomes will be associated with a successful implementation of the new standards.
- Enhanced communication and clear expectations: The new standards emphasize the importance of enhanced, regular communication between stakeholders — defined by the new standards as the board, executive management, and the CAE — involving different internal audit activities. Stakeholders should agree on a minimum frequency and agenda for formal communications and set aside additional touchpoints. Discussions should increasingly focus on addressing new and emerging risks, updates to organization objectives, improving the organization’s governance, risk, and compliance, and implementing remediation plans to address recent audit findings.
- Enhanced collaboration in risk identification and management: The “three lines of defense” model in risk management involves operational management as the first line, risk and compliance functions as the second line, and internal audit as the third line, each providing distinct layers of oversight and assurance. The CAE should consult with the heads of other risk and compliance functions that act as the “second line of defense,” to consider and include their input in internal audit’s organizationwide risk assessment, at least annually. Risk should be evaluated holistically and completely, with high-priority risks addressed by at least one department’s risk mitigation activities, including internal audit projects, to ensure minimal coverage gaps or duplicative efforts.
- Alignment between organizational goals, effectiveness of the organization’s governance, risk, and compliance process, and internal audit activities: The CAE should engage board members and executive management to discuss organizational objectives and how the internal audit function can serve as a strategic partner in meeting those objectives. Some ways internal audit can better serve management as a consultative and strategic partner include: aligning audit activities with strategic goals to drive business improvement, proactive risk management to foster a culture of transparency and accountability, engaging in strategic discussions to provide risk and control implications, utilizing advanced analytics to provide deeper insights, and supporting organizational change to help accelerate learning and change.
- Improved audit quality through data insights, efficient delivery of results, and consultative recommendations: Executive management and the board should dedicate resources to giving internal auditors opportunities to learn how to address emerging risks such as auditing new technologies and how to leverage data analytics in audit projects, and should provide their internal audit functions with access to tools and technologies to perform data-driven audits. In return, the internal audit function should provide audit reports with more data insights and consultative recommendations that support organizational objectives, increase its capacity to complete audit projects, and assist the business in implementing more effective risk management and control activities, including continuous monitoring.
The bottom line
The new IIA 2024 Global Internal Audit Standards are designed to strengthen the internal audit function to meet the evolving risk landscape and enhance the consistency and quality of internal audit services across industries and sectors. Executive management and board members play an important role and should be kept informed of implementation progress — including challenges — ensure the CAE has the required resources, and make themselves available to discuss any potential concerns the CAE may have. By helping support their internal audit function through transition to the new IIA standards, boards and executive management can expect to gain increased value by transforming their IA function and CAE into a trusted strategic advisor.