Insights

Reinventing your internal audit function – how far have you got?

read timeRead time: 7 mins

Earlier in the year, we highlighted the new Global Internal Audit. While the deadline for implementing the changes is January 2025, many internal audit functions are still in the early phases of review and realisation.

They are broadly aware of the new standards and have read the high-level requirements but many have not yet identified, clear action to prepare for conformance. Some internal auditors have begun an external quality (EQA) under the current standards. But they are also seeking external advice regarding their internal gap analysis to make sure they’re ready for the deadline.

The principles set out the description and intent under each of the five domains. But it is the supporting standards which explain the mandatory practice and evidence requirements to show conformance. The key challenge for internal auditors is to meet all those essential requirements in a practical and appropriate way.

What are the main areas of focus?

We have identified five key focus areas in the new standards:

  1. Create a clear strategy and vision, with transparent and measurable performance indicators. Ultimately, the Institute of Internal Auditors wants teams to strive to be better and continually improve. They are prompted to rebrand and revitalise their purpose and scope. Requirements for internal reviews and EQAs are expanded. This is evident throughout the new standards, with a very clear message that the effectiveness of internal audit is a growing priority to ensure they meet the objectives of their firm.

  2. Ensure a robust oversight and governance framework. A significant responsibility will lie with the Board and senior management to govern, oversee and support the internal audit function. Effective and collaborative communication, discussion and evidence to support this will be required.

  3. Be forward thinking and dynamic. Internal audit functions should tailor their planning, work and purpose/scope to meet strategic objectives, build resilience and

  4. Consider external risk factors. The Institute of Internal Auditors recognises the evolving and complex external risk environment that firms face. So it’s important that internal auditors provide effective assurance and adhere to specific guidance on critical and emerging risk areas. These might include cybersecurity, information technology governance, ESG, privacy risk management.

  5. Achieve effective communication and improve quality of outputs. Guidance for communication and reporting has been enhanced. This is an area to watch closely as there may be additional reporting requirements as part of the new UK Internal Audit Code of Practice, which is in consultation.

How could the standards be summarised?

From our detailed review of the standards, we have created this guidance tool, setting out the key changes, expectations and areas of greatest emphasis.

Standard update

Actions for firms / internal audit functions

DOMAIN I – Internal Audit purpose

No significant changes to the overall purpose of Internal Audit.  

As part of Domain III it is expected that Internal Audit functions discuss and confirm this purpose with thee Board and Senior Managers

DOMAIN II: Ethics and professionalism

The Code of Ethics accompanied the 2017 standards. All ethics-based requirements are now captured under Domain II.

 

 

There are no significant changes to the fundamental behaviours that internal auditors are expected to demonstrate. But specific ways to demonstrate understanding of ethics and ethical practices has been made more explicit. The key expectations are:

  • Adequate to cover all ethical principles/standards including relevant reference in audit mandates and charters.

  • Internal audit plan to include/align to the organisation’s ethics-based objectives, risks and controls processes.

  • Evidential, practical and tailored ethics-based training to be provided to all staff. Self-certification forms for this.
  • Adequate escalation procedures for ethical breaches, including internal audit disclosures where ethical conflicts arise.
  • Feedback/surveys from stakeholders to attest conformance.
  • Remuneration strategy/plans that promote ethical behaviours.

  • EQA to provide external assurance regarding ethical behaviours.

  • The importance of professional scepticism is emphasised. Internal auditors must maintain a questioning mindset, be honest, assess information critically and seek additional evidence to form a judgement.

DOMAIN III: Governing the internal audit function

This Domain is a key update. There are several clear, essential conditions.

The Board and senior management are required to take greater responsibility for governing, supporting and providing direction to their internal audit functions.

 

 

Chief audit executives (CAEs) will hold comprehensive meetings with audit committee members and relevant senior management to discuss essential requirements. Board and senior management will take responsibility for:

  • Clarity regarding internal audit’s authority, roles and responsibilities. The mandate/charter must contain the minimum components listed under this Domain.

  • Supporting/championing the internal audit function to achieve its mandate and enable unrestricted access and collaborative working.

  • Facilitating ways to safeguard the independence of the internal audit function. Evidence includes key meetings, Board minutes and documented procedures and policies.

  • Assessing the ability of the CAE’s role to manage the internal audit function under Domain IV. Evidence including proof of approval for CAE’s job description and evaluation of competence/qualification including succession planning.

  • Effective oversight methods including planning, budgets, changes to mandates, reviewing internal audit outputs/insights, ensuring they are appropriate for the firm’s strategies, objectives and risks. Assessing and actioning results from EQAs  and stakeholder feedback.

  • Adequate review and provision for resources including annual review of numbers and capabilities to fulfil mandates and consider any insufficiencies. Evidence including meeting notes, gap analysis and resourcing budgets and plans.

  • Quality control and oversight (also covered under Domain IV):

o   Discussing and setting internal audit performance objectives that are aligned to internal audit charter and strategy.

o   Ensuring adequate quality assurance and improvement – at least annually.

o   Reviewing outputs and results (internal assessments, ongoing monitoring, self-assessments) and taking appropriate actions.

o   Stakeholder and senior management input on setting performance objectives and assessing performance.

  • Overseeing and agreeing scope and frequency of EQAs by an independent qualified team, including review of results and adequate actions. When selecting the independent assessor or assessment team, the CAE must ensure at least one person holds an active Certified Internal Auditor designation.

 

Domain IV: Managing the internal audit function

The CAE remains responsible for managing the internal audit function in accordance with the internal audit charter and Global Internal Audit Standards. But more detailed guidance has been provided.

The core principles and expectations remain similar. But there is stronger messaging in certain areas, such as:

  • Internal audit functions considering what long-term success looks like and continually improve, setting realistic and achievable goals and specific performance measures. For example:

o   Developing a vision with a 3-5 year strategy defining the function’s ideal future state. This should include opportunities for developing competencies, improving the function as a whole and using technology.

o   Carrying out a SWOT analysis of the internal audit function in order to improve it.

  • Internal audit functions needing to become dynamic and forward thinking in their approach and consideration of the firm’s risk priorities.

  • Introducing a methodology to place reliance and coordinate  with other assurance providers. Ultimate responsibility remains with the internal audit functions.  Assurance maps are also highlighted, reflecting significant risk areas mapped to various sources of assurance. 

  • Adopting a talent management approach. Use of technology to extend beyond data analytics and science. Careful thought will be required regarding implementation, data security and training, ensuring testing and integrity of data and disclosure of limitations of assurance.

  • Implementing methodologies that promote accurate, objective, clear, concise, constructive, complete and timely communications to the Board and senior management.

  • Training for internal audit staff is encouraged in relation to effective communications.

  • Furthermore, the new standards refer to the use of themes and patterns identified across audit results. Findings and conclusions from multiple engagements can reveal patterns or trends, including root causes, and should be communicated along with other findings.

Domain V: Performing internal audit services

This Domain requires internal auditors to plan, execute and report on individual engagements effectively.

While there are no significant changes, here are some areas to note:

  • Expectations for how to deal with management challenge on internal audit findings, with a clear methodology on how to report and disclose such disagreements.

  • Consider evidence on how information/data is gathered and used for audit fieldwork, ensuring it is fit for the purpose and sufficient for analysis. 

  • Methodology to implement recommendations and actions that are based on risk prioritisation and tracking of actions in relation to significant findings.

Going beyond compliance

The changes in the new standards reflect a comprehensive and forward-looking approach, which should help to navigate today’s rapidly evolving business challenges. Internal audit functions should use our guidance tool to consider and refresh any traditional views on their ultimate objectives and vision.

We recommend they give serious thought to what a successful function looks like, and how they want to achieve this. This will require input from senior management and a deep understanding of the firm’s strategy, objectives, economic and external pressures, as well as internal and external risks.

This isn’t just about conformance. It’s about refreshing your internal audit function and ensuring there is a scope and purpose that’s tailored specifically to your firm and that delivers assurance of the highest quality.

For further information or guidance on the points raised in this article, please contact Samiha Shaikh.