Global Internal Audit Standards 2024 – Addressing the requirements of Domain III

In January 2024, the Institute of Internal Auditors (IIA) issued its Global Internal Audit Standards (“the Standards”), coming into force in January 2025 and updating the previous standards documentation published in 2017. A key change in the Standards is the inclusion of Domain III – Governing the Internal Audit Function. The intention behind this domain is to emphasise the responsibilities of the Board to authorise the internal audit function, ensure its independent positioning and to oversee its performance.

Responsibilities of the Board

In the Exposure Draft version of the Standards issued for consultation in 2023 the responsibilities of the Board were set out as follows:

  • · Internal audit mandate – the Board understanding and approving the mandate and reviewing this at least annually.
  • Board support – ensuring the recognition and authority of the internal audit function throughout the business including a sufficiently senior reporting line for the Head of Internal Audit, unrestricted access to data, records, people and physical properties, direct communication with the Head of Internal Audit, approval of the internal audit mandate, charter and budget, meeting with the Head of Internal Audit without senior management being present.
  • Organisational independence – establishing a direct reporting relationship between the Board and the Head of Internal Audit and internal audit function, Board appointment of Head of Internal Audit, positioning the Head of Internal Audit at a level that enables internal audit activity to be undertaken without interference and with authority to bring matters directly to the Board and senior management.
  • Roles, responsibilities and qualifications – approving the Head of Internal Audit’s role and responsibilities, ensuring that the individual is appropriately qualified and experienced, understanding any potential impairments to the internal audit function’s independence.
  • Safeguarding independence – ensuring that safeguards to manage the risk of impairment of the internal audit function’s independence are designed adequately and operating effectively.
  • Board interaction – interacting with the internal audit function to understand the effectiveness of the organisation’s governance risk and control processes, oversight including confirming the internal audit function is fulfilling its mandate, communicating the Board perspective on strategies, objectives and risk when the Head of Internal Audit is identifying priorities for internal audit.
  • Resources - ensuring there are sufficient resources to deliver the internal audit mandate and plan.
  • Quality- ensuring the Head of Internal Audit implements a quality assurance and improvement plan, approving internal audit’s performance objectives, conducting or participating in annual assessment of the Head of Internal Audit’s performance.
  • External Quality Assessment (“EQA”) – ensuring an EQA is undertaken at least every five years, defining the scope based on understanding the responsibilities of the Head of Internal Audit, the internal audit charter and relevant regulatory requirements.

Following consultation on the Exposure Draft, the final version of the Standards removed these specified responsibilities recognising that the internal audit function cannot control Board actions. However, the crucial importance of the Board’s role and responsibilities as an enabler of effective internal audit remains and these are all now set out as “essential conditions.”

Essential conditions

The essential conditions cover three key areas: Principle 6 - Authorised by the Board, Principle 7 – positioned independently and Principle 8 – Overseen by the Board. These arrangements need to be supported by the Board and senior management.

Authorised by the Board

To be appropriately authorised by the Board the internal audit mandate, charter, resource plan and budget are to be discussed and approved by the Audit Committee. This includes the purpose, authority, unrestricted access and reporting level of the internal audit function.

Positioned independently

The Board and Audit Committee should set up a direct reporting line to the Head of Internal Audit and internal audit function, which is independent, has the right qualifications and skills, and has enough resources and power to work across the organisation without any obstacles. The Board should approve the role and responsibilities and appointment of the Head of Internal Audit, and the Board and Audit Committee should have a say in their performance assessment.

Board oversight

Board oversight requires the Audit Committee to understand its role in supporting the internal audit function and the internal audit mandate, setting clear objectives and resourcing the internal audit function sufficiently. The Audit Committee also needs to have established and agreed performance and quality assurance reporting and escalation protocols so that through the work of the internal audit function it understands the effectiveness of governance, risk management and control processes.

Heads of Internal Audit need to collaborate closely with the Audit Committee and senior management to make sure each of these essential conditions are put into place and formally approved where required.

So, what is new?

Domain III consists of key elements that were already part of the former version of the Standards as Attribute Standards. These included an internal audit charter, organisational independence, objectivity, proficiency, quality assurance and revealing non-compliance. Performance Standards also demanded reporting to senior management and the Board. However, the new Standards are much more elaborate than the former version and Domain III reflects this. There are 22 pages of text just for Domain III. The whole of the previous attribute and performance standards only spanned 25 pages.

Each principle contains requirements, considerations for implementation and examples of evidence of conformance. Requirements are mandatory therefore must be put into place to conform with the Standards. Essential conditions are included within the requirements section of each standard within Domain III and since these are defined as “those activities of the Board and senior management that are essential for the internal audit function to fulfil the Purpose of Internal Auditing” – taking action to address these should also be considered mandatory.

Considerations for implementation are practices that are “common and preferred” but not mandatory. The listed examples of evidence of conformance are good practice examples and not therefore a checklist of requirements. The Standards also recognise that it may be possible to achieve “the intent of a standard” even though there may be non-conformance with some aspects of the standard.

What does this mean for Heads of Internal Audit?

The Standards are very clear on the action that Heads of Internal Audit need to take in respect of Domain III. They “must discuss this domain with the Board and senior management. The discussions should focus on:

  • Purpose of Internal Auditing – providing the Board and management with independent risk-based and objective assurance, advice, insight and foresight
  • The essential conditions outlined within each of the principles for Domain III
  • The potential impact on the effectiveness of the internal audit function if the Board or senior management does not provide the support outlined in the essential conditions.”

Every year, the Head of Internal Audit presents the internal audit charter, the annual plan and reporting, which include an indirect discussion of many of the essential conditions. The former Attribute standards dealt with such matters. However, the new Standards have a different focus. The Head of Internal Audit and the Audit Committee and senior management are now expected to talk and agree on whether the essential conditions are met. They may decide that some of the essential conditions are not needed to comply with the Standards. For instance, there may be other conditions that make up for this. But if the Head of Internal Audit is not satisfied with the reasons for not doing some of the conditions, the Head of Internal Audit may determine that the internal audit cannot follow the Standards and should communicate this view to the Audit Committee and senior management.

The Audit Committee and senior management will expect Heads of Internal Audit to lead the discussion – preparing the paper for the Audit Committee listing the essential conditions. It may be useful for the Head of Internal Audit to start the discussion by including their own perspective on each condition and focusing on those areas where conformance is least certain.

References

Institute of Internal Auditors - International Standards for the Professional Practice of Internal Auditing (Standards) January 2017

Institute of Internal Auditors – Global Internal Audit Standards January 2024 

BDO LLP UK – The new IIA Global Standards - What now? March 2024