The Impact of the New Global Internal Audit Standards

The Institute of Internal Auditors’ (IIA) new Global Internal Audit Standards provide a modernized and comprehensive framework for internal audit functions to implement that will drive positive transformation within the organization. The transition to the new Global Internal Audit Standards signifies a significant opportunity for organizations to adjust to rapidly evolving business environments, technological advancements, and emerging risks. 

While the new Standards emphasize performance and continuous improvement in addition to conformance, CAEs and internal audit functions as a whole need to understand what is changing, the shifts that will need to take place, and what steps need to be taken this year.

A Modernized Framework and Taxonomy

The elements of the IIA’s current International Professional Practices Framework (IPPF) have been restructured in a new modernized framework comprising five domains, 15 principles, and 52 standards. The new standards are more prescriptive in nature and provide a framework and taxonomy that enables agility, risk-focused methodologies and enhancing internal audit’s strategic alignment with the organization. Each standard now includes requirements, considerations for implementation and considerations for evidencing conformance, replacing the information contained in the current implementation guides and practice advisories.

Key Takeaways of the New Standards

While companies operate at different levels of maturity with respect to corporate governance and risk management, it is critical for an internal audit function to be able to rapidly respond to changing risk landscapes. The new standards provide internal auditors with clear guidance and an increased level of agility related to executing their role within an organization. It will be crucial to understand the changes incorporated into the new Standards, the go-forward expectations related to how your internal audit function will need to operate, and the level of effort required to reshape your internal audit function. 

Below are several key takeaways related to the new Global IA Standards.

1. Define the value of internal audit within an organization. The purpose of internal auditing has been revised to state that “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight,” the new Standards state. This includes Internal Audit helping organizations accomplish their objectives “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes,” as written in the Glossary definition of the function. The new Standards enable Internal Audit and its stakeholders to understand and express the significance of internal auditing within the organization. For example:
   • An internal audit mandate is now required within the organization’s internal audit charter, which must reflect Internal Audit’s role, responsibility, and authority levels, as well as stakeholders’ expectations of the internal audit function.
   • The new Standards highlight the importance of the internal audit function to build relationships with the first and second lines of defense, its external auditors, as well as any other external assurance providers. Internal Audit should engage in meaningful collaboration with these stakeholders to promote effective governance and communication.
   • The Code of Ethics has been refined to evolve with stronger ethical practices, clearer guidelines on conflicts of interest, and evolving professional standards of internal auditing.
2. Implement a formal internal audit strategy and performance measurement methodology. Internal Audit must develop an internal audit strategy and performance measurement methodology, and report periodically to the board. While incorporating an internal audit strategy is not a new practice, this is now a requirement under the new Standards. It will require a close focus between Internal Audit and the board to tailor performance metrics and monitor progress against strategy, while promoting continuous improvement of the internal audit function.
3. Innovate and maximize the use of technology. The Standards facilitate Internal Audit to have a defined digital strategy to support the evolution of the internal audit function’s mission, objectives, and value to the organization. While not a new concept, the utilization of technology goes well beyond utilizing core analytics to support the delivery of audits and assessments. Technology should be used comprehensively through various tools, techniques, and platforms to enhance the efficiency, effectiveness, and value of internal audit processes and operations. Some examples of technologies and tools to be considered include:
   • Audit Delivery:
     • Governance, risk, and compliance (GRC) technology automation
     • Workflow automation
     • Data analytics and fraud detection
     • Continuous monitoring and exception alerting
     • AI and machine learning
     • Cybersecurity
   • Audit Operations:
     • Collaboration platforms
     • Project management
     • Human resource allocation
     • Training and skills development
     • Remote audit tools
     • Document management
4. Enhance value through quality. The new Standards bring forth a transformative approach around elevating Internal Audit’s value through enhanced quality. Several quality standards have been refined to be more prescriptive; key changes to underscore this commitment include:

• Evaluation of Findings – When developing conclusions around a particular topical area or subject matter, internal audit functions are now required (no longer optional) to determine the significance of the risk when reporting an issue by including a rating, ranking, or other indication of significance or priority. 
• Quality Assurance – The requirements around an organization’s Quality Assurance and Improvement Program (QAIP) have been elevated. Programs should now include: 
• Assessments around the internal audit function’s contribution to the organization’s governance, risk, and control processes
• Evidence of QAIP documentation to demonstrate an effective program
• Assessing progress toward identified success factors and performance objectives through key performance indicators
• Continuous monitoring of any corrective actions
• External Quality Assessments – The new Standards require at least one member of the Quality Assurance Review (QAR) team to hold an active Certified Internal Auditor (CIA) designation. 

How to Respond to the New Standards (What Organizations Should Be Considering)

The updated Standards bring the need for thoughtful consideration by the internal audit function and concerted collaboration with the board, senior management, the first and second lines of defense, and other key stakeholders. Consider the following steps to assess, plan, and implement the Standards efficiently and effectively.

1. Perform a readiness assessment by reviewing the new Standards and determining the extent of change needed.
2. Communicate the impact of changes with the board and key stakeholders. This may require training and/or facilitated workshops.
3. Consider accelerating the timing of an external quality assessment to measure conformance to the Standards, identify gaps, and recommend actions required for implementation. This will assist with validating the size of the conformance gap.
4. Review current capabilities with respect to technology, audit methodology, and resources to determine level of effort needed to effectively implement to the new Standards.
5. Update quality assurance programs to address future conformance with the new Standards and changes needed to current methodology.
6. Develop an internal audit implementation plan to include new opportunities, priorities for change, technology changes, response to future topical requirements, and the corresponding dependencies and investment.

The new Standards provide significant transformative changes for internal audit functions to consider while capitalizing on new avenues for growth, innovation, and value creation within organizations. Internal audit functions may require additional resources and expertise to bridge the gap between the current and new Standards. CAEs and boards should consider leveraging external resources to help bridge any identified gaps and transition to an internal audit co-sourcing model. Adopting innovative and collaborative approaches will help elevate the value of your internal audit function, amplify the positive impact that Internal Audit has within the organization related to overall risk management activities, and create greater board and stakeholder confidence in strategic decision-making. 

This article was reprinted with permission of CohnReznick.