Reinventing your internal audit function – how far have you got?
Earlier in the year, we highlighted the new Global Internal Audit Standards. While the deadline for implementing the changes is January 2025, many internal audit functions are still in the early phases of review and realisation.
They are broadly aware of the new standards and have read the high-level requirements but many have not yet identified, clear action to prepare for conformance. Some internal auditors have begun an external quality (EQA) under the current standards. But they are also seeking external advice regarding their internal gap analysis to make sure they’re ready for the deadline.
The principles set out the description and intent under each of the five domains. But it is the supporting standards which explain the mandatory practice and evidence requirements to show conformance. The key challenge for internal auditors is to meet all those essential requirements in a practical and appropriate way.
What are the main areas of focus?
We have identified five key focus areas in the new standards:
- Create a clear strategy and vision, with transparent and measurable performance indicators. Ultimately, the Institute of Internal Auditors wants teams to strive to be better and continually improve. They are prompted to rebrand and revitalise their purpose and scope. Requirements for internal reviews and EQAs are expanded. This is evident throughout the new standards, with a very clear message that the effectiveness of internal audit is a growing priority to ensure they meet the objectives of their firm.
- Ensure a robust oversight and governance framework. A significant responsibility will lie with the Board and senior management to govern, oversee and support the internal audit function. Effective and collaborative communication, discussion and evidence to support this will be required.
- Be forward thinking and dynamic. Internal audit functions should tailor their planning, work and purpose/scope to meet strategic objectives, build resilience and
- Consider external risk factors. The Institute of Internal Auditors recognises the evolving and complex external risk environment that firms face. So it’s important that internal auditors provide effective assurance and adhere to specific guidance on critical and emerging risk areas. These might include cybersecurity, information technology governance, ESG, privacy risk management.
- Achieve effective communication and improve quality of outputs. Guidance for communication and reporting has been enhanced. This is an area to watch closely as there may be additional reporting requirements as part of the new UK Internal Audit Code of Practice, which is in consultation.
How could the standards be summarised?
From our detailed review of the standards, we have created this guidance tool, setting out the key changes, expectations and areas of greatest emphasis.
Standard update | Actions for firms / internal audit functions |
DOMAIN I – Internal Audit purpose | |
No significant changes to the overall purpose of Internal Audit. | As part of Domain III it is expected that Internal Audit functions discuss and confirm this purpose with thee Board and Senior Managers |
DOMAIN II: Ethics and professionalism | |
The Code of Ethics accompanied the 2017 standards. All ethics-based requirements are now captured under Domain II.
| There are no significant changes to the fundamental behaviours that internal auditors are expected to demonstrate. But specific ways to demonstrate understanding of ethics and ethical practices has been made more explicit. The key expectations are:
|
DOMAIN III: Governing the internal audit function | |
This Domain is a key update. There are several clear, essential conditions. The Board and senior management are required to take greater responsibility for governing, supporting and providing direction to their internal audit functions.
| Chief audit executives (CAEs) will hold comprehensive meetings with audit committee members and relevant senior management to discuss essential requirements. Board and senior management will take responsibility for:
o Discussing and setting internal audit performance objectives that are aligned to internal audit charter and strategy. o Ensuring adequate quality assurance and improvement – at least annually. o Reviewing outputs and results (internal assessments, ongoing monitoring, self-assessments) and taking appropriate actions. o Stakeholder and senior management input on setting performance objectives and assessing performance.
|
Domain IV: Managing the internal audit function | |
The CAE remains responsible for managing the internal audit function in accordance with the internal audit charter and Global Internal Audit Standards. But more detailed guidance has been provided. | The core principles and expectations remain similar. But there is stronger messaging in certain areas, such as:
o Developing a vision with a 3-5 year strategy defining the function’s ideal future state. This should include opportunities for developing competencies, improving the function as a whole and using technology. o Carrying out a SWOT analysis of the internal audit function in order to improve it.
|
Domain V: Performing internal audit services | |
This Domain requires internal auditors to plan, execute and report on individual engagements effectively. | While there are no significant changes, here are some areas to note:
|
Going beyond compliance
The changes in the new standards reflect a comprehensive and forward-looking approach, which should help to navigate today’s rapidly evolving business challenges. Internal audit functions should use our guidance tool to consider and refresh any traditional views on their ultimate objectives and vision.
We recommend they give serious thought to what a successful function looks like, and how they want to achieve this. This will require input from senior management and a deep understanding of the firm’s strategy, objectives, economic and external pressures, as well as internal and external risks.
This isn’t just about conformance. It’s about refreshing your internal audit function and ensuring there is a scope and purpose that’s tailored specifically to your firm and that delivers assurance of the highest quality.
For further information or guidance on the points raised in this article, please contact Samiha Shaikh.