• Search in Protiviti.com

Understanding the Global Internal Audit Standards

by Andrew Struthers-Kennedy and Kristen Kelly

Republished from a three-part series of articles on The Protiviti View, our blog featuring commentary, insights and points of view from Protiviti leaders and SMEs on key challenges and risks companies are facing today, along with new and emerging developments in the market.

The final updated Global Internal Audit Standards (“Standards”) issued by The Institute of Internal Auditors become effective January 9, 2025. In this blog series, we introduce the key Standards updates, explore the impacts of the updates on the internal audit (IA) function, provide practical guidance for adopting the changes required for compliance and consider the opportunities to move beyond conformance, with a particular emphasis on quality.

Part 1: Engaging Internal Audit Stakeholders to Build the Base for Adoption

What drives the need to update the Standards?

The goals of the IIA Standards Board (Board) for the update are to:

  • Clarify responsibilities and standard requirements, including considerations for public sector and smaller functions
  • Provide further guidance beyond high-level principles by adding considerations for implementation and examples of evidence of conformance for each standard
  • Elevate the quality of internal auditing and enhance the IA function’s role as an essential business partner to boards and senior management

The Board updated the construct of the Standards to align all requirements within one of five domains, providing direction to each stakeholder group within one framework. However, there is overlap and shared responsibility among the chief audit executive (CAE), the board (in most cases, the audit committee) and senior management in establishing and maintaining governance over the IA function. While this overlap and shared responsibility has always existed, the updated Standards attempts to formalise it more explicitly.

Where to begin?

While a number of the “must” requirements in the initial proposal were reduced to “should” considerations, there are substantive changes in a number of areas that IA functions will need to address over the next 11 months (and we encourage the review, gap assessment and closure planning processes to start soon). Even if the CAE has already begun discussing the Standards update and the allocation of time to address it in the 2024 audit plan with the board and senior management, there are decisions to be made. The CAE must first decide on the vision for the function, but this vision must consider the needs and expectations of the IA stakeholders. The CAE should test the waters with the board and senior management early on, as both will likely have strong opinions to contribute.

Many organisations will still face challenges reaching the step changes called for in the final Standards. Implementation of the Standards places the onus on the CAE to emphasise and clarify the importance of collaboration and respective responsibilities in governing an IA function effectively. Each organisation’s CAE, board and senior management will then collectively need to decide the level of compliance they want to achieve with the Standards and whether they want to take steps to leverage the Standards to support more transformative change in the IA function. Needless to say, implementation approaches will likely vary across organisations.

What do stakeholders need to know?

The tide continues to turn to the importance of governance. The fact that the Committee of Sponsoring Organisations (COSO) and the National Association of Corporate Directors (NACD) are moving forward with the development of their Corporate Governance Framework to complement the widely accepted COSO Internal Control Framework and ERM Framework points in this direction. The Standards are no different, calling on the board, senior management and the CAE not only to establish or clarify the mandate and expectations for the IA function but also to work to formalise board governance and oversight in several areas.

The table below summarises key changes in the mandatory responsibilities of the board, often fulfilled by the audit committee.

Key changes in the mandatory responsibilities of the board

 

How do we set the stage for change?

CAEs will need to decide which changes outlined in the new Standards they plan to adopt, the time frame for adoption, and the rigor and formality of adoption. The IIA Standards Board, recognising the variety in the size, maturity and organisational placement of functions, has included the “comply or explain” concept in this update. CAEs will need to lead their function in digesting the updated Standards and prioritising adoption activities. However, they first need to educate and consult with stakeholders and collectively decide on the nature, extent and timing of the adoption plan.

With the collaboration required among the board, senior management and the CAE, it is paramount that the CAE build awareness of the Standards’ changes (the intent behind them, as well as their substance and implementation considerations specific to the organisation) with the board and senior management. The CAE must educate the board and senior management on the Essential Conditions, defined in the Standards as the “table stakes” for the IA function to operate.

For change to be successful, the CAE must obtain input from these stakeholders and work toward obtaining their buy-in on these collective governance concepts as well as clearly aligning on expectations and the definition of value related to IA’s efforts. By building on this base, the CAE can begin to lead the stakeholders to own the various responsibilities outlined by the Standards. The CAE’s objective in this change process is to drive stakeholder agreement on the organisation’s response to the updated Standards and document the collective conclusions and agreed upon approach. Without this baseline understanding and establishment of collective stakeholder buy-in and ownership, the function’s efforts to adopt the mandated governance changes will not be successful.

What should the stakeholder group consider in designing the adoption approach?

Beyond basic conformance, the explicit new requirements for the mandate — along with the strategy and performance objectives of the function, to be agreed upon among the CAE, senior management and the board — provide the opportunity for functions to clarify and advance the direction and maturity of IA in their organisations. The stakeholder group must decide how far they want to go over the next three to five years in formalising and memorialising the strategic direction for the IA function.

While progress continues in the elevation of the IA function, many organisations continue to struggle with establishing the function’s seat at the table and direct reporting to the board. IA’s senior management and board sponsors may have strong views about the capacity of the organisation to achieve full conformance as outlined in the Standards. Moving from the current state to the final updated IIA standards may be difficult to accomplish in the short term. Thus, the transition may be more of a phased journey over time. That said, the vast majority of CAE and other IA leaders that we have spoken with on this topic expect to be in conformance with the new standard either prior to or during 2025.

One area deserving of special notice is the need for flexibility in the rigor of the formal documentation of approvals. For example, the audit committee can still advise and support management on the IA function’s matters without formally documenting their approval in minutes or another specific medium. There can be a lot of flexibility in the level of formality of approval documentation. Approval may even be tacit and will vary based on what the board members desire to capture in the minutes. Flexibility in the manner of approval maintained will be necessary, especially to avoid the updated Standards resulting in a checklist approach or mentality. The point is that the CAE should strive for substance, not form.

Why start now?

Proactively communicating and laying the groundwork with stakeholders for the formalisation of collective governance required by the Standards’ changes will avoid surprises and facilitate the change process. It is crucial to set the stage for constructive discussion and allow for agreement on the nature, extent and timing of adoption.

Learn more about the Global Internal Audit Standards update by registering for our webinar here.

Part 2: Focusing on Impact Areas

In Part 1 of this blog series, we stressed the importance of educating internal audit’s stakeholders and laying the groundwork for the change management needed to support the required collaboration for effective governance of the internal audit (IA) function. In this post, we summarise key areas of change most likely to impact your organisation, and we explore in further detail areas that will require revisions to current practices to not only accomplish conformance but drive improvements in quality that the Standards have been revised to deliver. To that point, we’ll also discuss areas that provide opportunities for the chief audit executive (CAE) and other leaders to leverage the final updated Global Internal Audit Standards (“Standards”) to advance the function.

How should you approach the revised Standards?

While the final Standards updates may not be as dramatic as those initially proposed, there are substantive changes CAEs must drive, both within the IA function and within stakeholder relationships, to remain in conformance with the Standards. Additionally, The Institute of Internal Auditors (IIA) Standards Board (“Board”) has advised functions to think of the update as intended to deliver “conformance plus performance,” with improvements in overall quality being the sum of these parts. The Board’s goal to elevate the profession by requiring board-approved performance objectives to propel continuous improvement for the function emphasises their desire to raise the bar for IA. In the aforementioned Part 1, we discussed the IA stakeholders’ collective conclusion on how far along this continuum they wish to push the function beyond simply a “Generally Conforms” conclusion, which most in the profession would acknowledge has been historically relatively easy to attain.

How will the new standards impact the IA function?

While this post is not intended to be a complete summary of the Standards updates or to take the place of a detailed implementation review, we have summarised key areas and themes of change below. Addressing these four areas of change will require additional analysis and documentation. The Governance/Mandate and Internal Audit Strategy areas will require increased stakeholder collaboration, including related to strategic priorities for IA, and formal strategic planning.

Key Areas of Change to Review

Four areas of change will require additional analysis and documentation

 

The Standards require the board, CAE and senior management to collaborate in more areas, including collectively defining a mandate and performance objectives for the IA function. The Standards also require the board to approve the initial annual audit plan, budget and resource plan, as well as any significant changes to the aforementioned, and the approach to external quality assessment. The updated Standards also call for increased CAE focus on defining the function’s strategic goals and supporting initiatives. We will focus on reviewing this IA function strategy (a historical gap for many IA functions) in further detail in Part 3 of this blog series.

How can the CAE communicate additional actions required from the board and senior management?

Because multiple sections of the revised Standards call for increased collaboration among the CAE, the board and senior management, we have summarised the required and suggested responsibilities of these roles in the table below to clarify ownership, consultation and approval requirements for the governance of the IA function. The CAE can utilise this summary to begin planning for the required adjustments in communication protocols and documentation of formal approvals.

Internal Audit Governance Matrix

 

What actions does the CAE need to take?

While the revised standards go into effect in 2025, the time to evaluate, plan for and start transitioning to the needed changes is now. IA needs to set or refine strategic direction, redefine the rules of collaboration and retain more formal documentation. Below are four action steps the CAE can take to advance the implementation now.

Understand

Once the organisation aligns on its approach, the individuals focused on the implementation process should read and digest the applicable Standards changes and create a plan, with defined milestones and ownership, to address adoption of the new Standards, leveraging the function’s quality assurance improvement programme if possible. This group should also utilise the educational resources from The IIA and other providers and networking groups to address any questions. The IIA has provided supporting materials as follows:

These are great resources that we highly encourage you to take the time to review and digest.

Evaluate

Completing a gap assessment to identify the areas where the current IA function activities and methodologies differ from the Standards will help identify and plan for the layers of change required. Documentation updates will be required simply due to the changes in the structure and organisation of the Standards. Others will require updates to the methodology or the implementation of new procedures altogether. Capturing the level of impact and effort will help prioritise which gaps to address most urgently and inform the timeline for methodology updates in advance of the January 2025 effective date.

Strategise

Take this opportunity to formalise and enhance the IA function’s vision, strategic objectives and supporting initiatives through execution of the following steps:

  • Define IA performance objectives with input from senior management and the board.
  • Incorporate evaluation of enabling technology into the strategic assessment of the function’s capabilities.
  • Refresh the Quality Assurance Improvement programme and refresh or document the external quality of the assessment plan.
  • Develop or refine IA methodology to assess the root cause and rate or prioritise findings to address the driver of identified issues and provide actionable guidance to management on required remediation and follow-up.

Establishing or refreshing the IA strategic plan is a great opportunity to engage the full IA team – solicit input, generate excitement and gain alignment on the future of the IA function.

Communicate

Building on the stakeholder collaboration approach outlined in Part 1, begin with agreement on IA’s mandate (the authority, role(s) and responsibilities of IA) and leverage the content in these blog posts to continue discussion of the final revised standards with IA stakeholders. Continuing to educate and take action to address the required collaboration areas in conjunction with the stakeholders will help create and sustain the necessary alignment to achieve the desired results.

Learn more about the Global Internal Audit Standards update by registering for our webinar here.

Part 3: From Conformance to Performance

In Parts 1 and 2, we focused on the necessity to work alongside the board and senior management as IA stakeholders to agree collectively on the expectations for IA beginning with the function’s mandate, and we highlighted the areas of change that impact the IA function the most. In this concluding Part 3 of the blog series, we focus on one key area — IA strategy — that requires additional collaboration, but also provides an opportunity to elevate the IA function and drive transformative change.

With what mindset should IA approach strategic planning?

To improve the performance of the IA function, the CAE should view the establishment of the strategic plan and vision as an exercise that challenges traditional thinking and stretches the entire team to think outside of its day-to-day activities. In addition to aligning with the organisation’s overall strategy and risk profile, IA’s strategy can help to enable continuous improvement to improve the quality, relevance and value of the services delivered.

While more mature IA functions may have long had a well-defined strategy, this remains a gap for many, and all functions can benefit from a fresh and objective look at the direction they have set and a straightforward assessment of historical success on department initiatives — especially in these dynamic times. It is important for less mature functions to understand that an audit plan is not a strategy. The strategic plan, supported by a manageable number of initiatives, should allow for real progress in targeted areas with an objective of collaborating closely with key stakeholders to channel audit resources to their highest and best use and drive the overall performance and capability of the function forward.

What is a logical approach IA can follow to set or confirm the IA function’s strategic direction?

The following outlines a series of nine steps that IA can take to create a longer-term strategy in accordance with the 2024 Global Internal Audit Standards (Note: For starters, three years might be an appropriate time frame to consider.):

  1. Understand the overall company strategy and objectives: The first step toward alignment with stakeholders is a thorough understanding of the organisation’s mission, vision, goals and strategic objectives. This includes identifying risks and opportunities that may impact achievement of these objectives and understanding both short-term operational targets and long-term strategic plans, as well as key initiatives and transformation activities the organisation is undertaking. IA will need to have the right seat at the table and develop strong relationships with stakeholders to obtain this information and maintain a pulse on the organisation’s strategic direction and awareness of changes in the threats to the organisation achieving its goals and objectives. For public companies, the CAE should be aware of the company’s public communications and filings.
  2. Engage with stakeholders: Proactively engage with senior management, board members and any other stakeholders to understand their expectations for the direction of the IA function and how it can better support company objectives and deliver with relevance and value. This will help in identifying potential areas of additional focus and aligning expectations.
  3. Assess current alignment: Assess how well current IA activities align with company objectives, incorporating the lens of stakeholder expectations. Identify any gaps or areas where alignment could be improved.
  4. Define strategic vision: Based on the understanding of company strategy and stakeholder expectations, establish the function’s strategic vision. The vision should be realistic yet have aspects that are aspirational; defining success for the function while focusing on core activities that align with company objectives. Integrating innovation within the function’s strategic planning process is essential to maintaining relevance over time and ensuring the function will be Future Ready.
  5. Develop long-term objectives: Define clear objectives and goals to guide the IA function over the next three years. These goals may be related to:
    • Governance of the function (including coordination and alignment with other assurance functions as well as how the function is structured and organised, including talent and resource management)
    • Methodology (risk assessment and audit planning, communications, and reporting, integrating relevant principles of agile methodology), or
    • Enabling technology (e.g., GRC, analytics, automation, AI) to drive overall audit effectiveness and relevance
  6. Establish supporting initiatives: Develop three to five main initiatives outlining how the function will achieve the objectives and improve itself over this period and what investments, internal and external partnerships, upskilling or other initiatives will help drive the accomplishments of each strategic priority.
  7. Set performance objectives: Establish specific measurable goals for the IA function against which the performance of these initiatives and the broader strategic objectives will be measured. Measurement criteria should be sufficiently detailed to support tracking and reporting. Metrics could range from quantitative ones like the level of stakeholder satisfaction to qualitative ones like improved control awareness, or other indicators relevant to the organisation’s goals.
  8. Report progress: Develop regular reporting mechanisms (quarterly or biannual reports) to communicate progress made against established performance criteria back to stakeholders including senior management and the board.
  9. Continually review and adjust: Regularly review and adjust the IA strategy as necessary based on changes in company strategy and objectives, feedback from stakeholders, developments in the profession, or performance against established measures.

It is important to note that this process is iterative; as organisational strategies evolve over time so too should the IA function’s approach to remain aligned with overarching goals.

By following these steps, the CAE should be able to develop a robust long-term strategic plan that not only aligns with, but also supports, the organisation’s overarching strategy while fostering a culture of continuous improvement within the audit team.

What meaningful and realistic performance metrics do IA functions utilise?

A balanced scorecard can be a useful tool to analyse and communicate the multifaceted aspects of IA function performance. In developing a balanced scorecard that effectively assesses the performance of an IA function, the CAE should consider including measures that reflect not only traditional audit metrics but also incorporate innovative aspects that can drive continuous improvement and strategic alignment. While meaningful metrics will vary by function, and the following performance measures are not intended to constitute an all-inclusive list or checklist, they could be impactful and innovative for inclusion in an IA function’s balanced scorecard:

Strategic Alignment

Number of strategic initiatives/committees in which internal auditors are involved (versus target)

Proportion of the organisation’s strategic priorities addressed in the audit plan

Degree of alignment between IA recommendations and business strategies

Innovation and Improvement

Innovative audit tools or techniques implemented

Innovations contributed to the company by the IA function (e.g., process improvements, cost savings, controls turned over to first- and second-line functions)

Governance Enhancements

Impact of IA on improving governance structures within the organisation (e.g., policy revisions influenced by audits)

Percentage of recommendations accepted and/or implemented (versus target)

Resource Optimisation

Ratio of productive to unproductive audit time (include target)

Alignment of IA personnel competency and skills to areas within IA mandate and audit plan

Coordinated activities with other lines of defense (e.g., ERM, compliance, ESG)

Level of internal audit staff turnover versus target

Stakeholder Engagement and Satisfaction

Stakeholder satisfaction scores via surveys or interviews

Extent of stakeholder engagement in defining audit focus areas

Number or percentage of hours aligned to support management requests

Risk Management Improvement

Contribution to risk identification and mitigation effectiveness

Trends in key risk indicators impacted by IA activities

Extent of coordination, alignment with other risk management and assurance functions (include consideration of efficiency gains)

Performance Against Objectives

Achievement rate of defined IA strategic objectives

Progress made on key initiatives outlined in the strategic plan

Learning and Growth

Training opportunities per auditor for professional development

Skills enhancement reflected through certifications or specialised expertise gained

Value Creation

Quantitative benefits realised by the organisation from IA interventions (e.g., financial recoveries, efficiency gains)

Qualitative benefits such as improved organisational culture toward compliance and control awareness

 

The measures selected by the IA function and affirmed by its stakeholders should provide a comprehensive view of both quantitative outputs (like audit finding implementation rates) as well as qualitative outcomes (like efficiency improvements and enhanced governance practices in target audit areas). It is essential to customise these metrics based on specific organisational contexts while ensuring they support informed decision-making, demonstrate value added by the IA function, encourage innovation within the team, and align with corporate objectives for long-term success.

These performance metrics will and should change over time. The IA function may need to shift the focus of its activities to be responsive to evolving stakeholder expectations as well as business conditions and priorities. There may be times when a focus on identifying potential cost reductions adds the most value to the organisation, and others when establishing stronger controls is a collective focus. Beyond conforming with the Standards, it is important for the CAE to revisit the IA function’s performance objectives with senior management and the board at least annually or as the circumstances of the organisation change.

Learn more about the Global Internal Audit Standards update by registering for our webinar here.
 

Loading...