Global Internal Audit Standards

“Are you ready to take off to the new Global Internal Audit Standards?” This is the question we asked participants in our recent Internal Audit Insights webinar. And it is a question that IA leaders and Board members should now be asking themselves. In our webinar we outlined the key changes the new standards bring to the profession and concluded that IA functions need to use the transition period in 2024 to prepare for and implement the new requirements and discuss them with their Boards. In this article we highlight the areas you should focus on now, to be ready for 2025.

The background to the challenge

After an extensive public consultation process last year the new Global Internal Audit Standards were finally published on 9 January 2024 by the Institute of Internal Auditors (IIA). The new standards will become effective in early January 2025 after a 12-month transition period. The current standards (the so-called “IPPF” of 2017) will remain applicable throughout 2024, but early adoption of the new standards is encouraged by the IIA.

More than 80% of IA functions that participated in our webinar have not yet assessed the impact of the new standards, and 75% do not yet have a budget for implementation of the new standards during 2024. We therefore repeat the IIA’s encouragement on early adoption and believe it is important for IA functions and Boards to assess the impact of the new standards sooner rather than later. The effort required to conform with the new requirements should not be underestimated.

The extent of the gaps that need bridging depends on how mature your IA function is now. But even functions with relatively few gaps will have much to do because the structure and numbering system of the new standards is completely different to that of the current IPPF.

So what is changing exactly?

Changes to the Structure

In the illustration above you find the circle we are all familiar with: the IPPF 2017. The new Global Internal Audit Standards incorporate the five mandatory elements of the 2017 framework and the Implementation Guidance. These elements are now structured into five domains, 15 principles and 52 standards. Each standard is divided into three parts: the mandatory “Requirements” that contain the “must”-statements; the “Considerations for Implementation” that show the common and best practices that are expected though not mandatory; and, lastly, the “Examples of Evidence of Conformance”, which contains a non-exhaustive list of guidance on how to provide evidence of conformity with the requirements.

Introduction of new Topical Requirements

An entirely new element are the “Topical Requirements” which aim to enhance the consistency and quality of internal audit services. This is an interesting broadening of focus by the standard setters, as the IIA is now adding additional mandatory requirements to be observed when conducting audits in the topical domains covered by these requirements. The Topical Requirements don’t exist yet but the intention is to introduce them soon, for example, in Cybersecurity, Sustainability and ESG, Third-party Management, and IT Governance, to name just a few.

The good news is that prior to their publication there will be a public consultation process for these requirements, and we encourage all professionals with expertise in these areas to get involved in shaping them. The existence of the new Topical Requirements, and their evolving nature, will oblige IA functions to maintain a regular monitoring process. If not, new mandatory elements could be missed.
 

• Purpose and Strategy
  One of the main points of focus for Chief Audit Executives (CAE) is certainly the requirement to define a vision for the IA function for the next 3-5 years. This should be backed up by a detailed and documented strategic plan that should align with the expectations of stakeholders and be reviewed regularly by the Board. This includes considerations of a digital strategy and the development of meaningful key performance indicators that need to be measured and reported to the Board. A survey of our webinar participants highlighted that 80% of IA functions already have a documented strategy. This is a good starting point but whether these documents are sufficiently detailed and they meet all the requirements of the new standards remains to be seen.
  
• Strengthened CAE role and responsibilities and closer relationships with the Board
  Another important change is the introduction of more requirements for Boards and, notably, promotion of recognition of the Internal Audit function in the organisation. Boards should have more frequent interaction with their CAEs and be involved in the definition of strategy and monitoring of KPIs. The new standards recommend a strong relationship, built on trust, between the CAE and the Board. The CAE in turn must demonstrate the IA function's commitment to due professional care and adequate management of its resources, and share with the Board regular insights that go beyond the mere results of the audit engagements.

• Technology and Methodology
  There are many other new requirements, more focused on audit delivery, the use of technology, and the way findings and recommendations are to be reported (including root cause analysis). CAEs must regularly evaluate the technology used by the IA function and pursue opportunities to improve its effectiveness and efficiency, and communicate any technology limitations to the Board and senior management.

What can you do now to be ready for 2025?

As outlined above, a lot of IA functions have yet to assess the full implications of the new standards, and their conclusions will also depend on the relative maturity of their current practices and methodology. In our view, Internal Audit Leaders and Boards should embrace this opportunity for transformational change. The standards equip you with a toolbox to shape the brand of Internal Audit and become strategic partners for your organisation's leadership.

Start by assessing your current practices and what is needed to meet the new minimum requirements and discuss your conclusions, vision and strategic objectives with the Board. Also discuss the budget that will be needed. Once you have a view on the impact, define an action plan for the implementation of any gaps you identify. And for each gap, consider how closing these gaps can improve your practices, optimise your processes, empower your people, and increase the use of technology to elevate your IA function.

If your next External Quality Assessment (EQA) is due in 2024, ask your assessor to perform the gap assessment to the new standards as part of the EQA. This can easily be combined with the assessment of conformity and will free up your own resources. If your EQA is planned for 2025, think about moving it forward to 2024, or scheduling it early in 2025, so that the assessment will still be performed against the 2017 standards, but allowing the opportunity to combine it with the assessment of the gap to the new standards.

• We can perform a readiness assessment or gap assessment for the new standards.
•  We can combine our EQA exercise with a gap assessment against the new standards and advise you on how to close any gaps in the most efficient way.
• We provide tailored trainings for Internal Audit functions and Boards on the new standards.
• We offer Internal Audit Strategy Lab workshops to support you with the definition of your vision and strategic plan, the definition of meaningful KPIs, the alignment to your organisation’s strategic objectives, and the elevation of your function’s impact through transformation.

Please reach out to us should you wish to discuss the opportunities the new standards may offer for your Internal Audit function. We would be pleased to guide you through the new requirements and suggest the most effective ways to bridge any gaps.