The new IIA Global Standards: what now?

The new IIA standards have landed. This is a significant change for the profession and obliges organisations, Heads of Internal Audit (HIA) and Audit Committees to take stock of their Internal Audit function and the role of the Audit Committee in overseeing the assurance provision.

More formal definitions of the Internal Audit Mandate and Charter provide an opportunity to reflect on the consider whether there needs to be a shift change. This could be in the organisational position, reporting relationships, scope of work or types of services provide by the function.

Alongside an updated purpose of Internal Audit which focuses more on organisational value - specifically, that internal audit strengthens a company’s ability to ‘create, protect and sustain value’ through ‘risk-based, and objective, assurance advice, insight and foresight’, there are significant changes for the Board and Senior Management in Domain III: Governing the Internal Audit Function.

Domain III: Governing the Internal Audit Function

This Domain emphasises the importance of appropriate governance arrangements for the internal audit function to be effective. The HIA is responsible for working closely with the Board to establish the internal audit function, position it independently, and oversee its performance. Senior management also has responsibilities that support the board's responsibilities and promote strong governance of the internal audit function. The Board (through the Audit Committee), Senior Management, and the HIA must establish an effective dialogue to enable an impactful internal audit function. To comply with the standards, the HIA is responsible for the requirements in the Domain, but they are reliant on activities of the Board and Senior management, and these activities are identified as "essential conditions" in each standard.

The HIA must discuss the requirements of this Domain with the Audit Committee and Senior Management, focusing on:

• The Purpose of Internal Audit: this ensures a common understanding of the value of internal auditing.
• The essential conditions specified within each of the three standards in Domain III: Governing the Internal Audit Function
• Where the essential conditions are not supported – the impact on the internal audit function’s effectiveness.

Where any essential conditions are not agreed by the Audit Committee or Senior Management following discussions, the HIA will need to document the reason a condition is unnecessary and alternative compensating conditions that are in place.

Essential conditions include discussions and/or approvals covering (but not limited to) the following:

• The authority, role, and responsibilities of the internal audit function
• What should be included in the Internal Audit Charter – the mandate, scope, and types of internal audit services
• Budgets and resources plans
• Internal and external quality assessments and improvement plans.

Whilst none of these areas are particularly new, there is subjectivity running through some of the detail and careful consideration will need to be given as to how conformance will be demonstrated.

What do Heads of Internal Audit need to do?

Plan your response, the Standards become effective 9 January 2025 so use this time to plan how you are going to comply accordingly.

• If you haven’t already briefed the Audit Committee and Senior Management on the new Standards, then do so covering:
  • The timeframe for conforming
  • The structural changes
  • The greater emphasis on the Board and Senior Management responsibilities
  • The topical requirements that will need to be used for certain audits.
• Consider a strategic review of your internal audit function to take a holistic view of the current shape, structure, and remit of the function and how that contributes to your organisation successfully achieving its objectives. Think about how it supports your organisation to create, protect and sustain value. As an organisation, think about:
  • The scope and objectives of the strategic review, including the areas of focus and the timeline for completion.
  • Evaluate the alignment between your organisational strategy and your current internal audit function, including its mandate, strategy, and resource model
  • Assess the coordination and collaboration between internal audit, the second line of defence and other assurance providers
  • Review the competencies of your internal audit team and identify any gaps in skills or knowledge
  • Assess the use of technology and data in internal audit and identify opportunities for improvement
  • Evaluate whether the mandate, scope, types of internal audit services and resources available are fit for purpose or where change is required
  • Develop a set of recommendations for improving the strategic alignment and effectiveness of internal audit, including changes to the mandate, types of services, strategy, and resource model
  • The Audit Committee should discuss, prioritise, and approve recommendations and resource required for implementation
  • Implement the approved recommendations, ensuring conformance with the new Standards and monitor their effectiveness over time.

Your strategic review should involve engagement with Senior Management, the Board/Audit Committee, the HIA and team and the wider business.

• If your organisation is comfortable with the current scope and type of service it receives, you should perform a more straightforward gap analysis.
  • Assess your internal audit function’s current practices, methodologies, and operations against the new Standards to identify where you currently conform and where you need to act
  • Where the function currently conforms, capture how you can demonstrate this with evidence
  • Discuss the outcome with the Audit Committee and your Senior Management, ensure any essential conditions not met are highlighted
  • Agree actions and priorities that will have the best outcomes for the organisation
  • Develop a plan to implement change, consider the technology, people, and process requirements. Take advantage of the opportunity to transform your internal audit function, create value and establish stronger alignment with the organisation and other assurance providers
  • The plan should consider all aspects of your internal audit function and will involve documenting or revising your internal audit methodologies, policies, procedures, and templates to reflect changes to:
    • The Internal Audit Charter including the mandate
    • The Internal Audit Strategy, including vision and objectives for the internal audit function
    • Coordination and collaboration with the second line and other external assurance providers
    • The resource plan and competencies, including skills gaps and how these will be addressed
    • Internal Audit reporting and communications
    • The Quality Assurance and Improvement Programme (QAIP) for internal audit.

Once released, incorporate the IIA’s new Topical Guidance into your internal audit methodologies, policies, and procedures. Training and development plans for the internal audit team may need updating and implementing.

When you are done, brief the wider organisation on the changes they can expect from the internal audit function, and how they can better engage with internal audit to create value for the organisation.

How can BDO help you?

It’s an exciting time to be part of the internal audit profession and the updated standards showcase internal audit’s evolving, value-added role in today’s organisations and dynamic environment. Our expert team would be delighted to support you in aligning with the latest International Internal Audit Standard. It is not just a compliance checkpoint exercise – it's about setting a benchmark in quality and innovation to increase the strategic value and impact of internal audit work.

Regardless of the size and maturity of your internal audit function, we can help you to reach compliance with the new standards. These changes reflect require agility, technical expertise, and a broader focus on risks, particularly those associated with governance, so it is the perfect time to consider the following focus areas:

Governance and refreshing the Internal Audit strategy: Whilst the IIA cannot require governance practices of the Board; the new standards do provide HIAs with a sound foundation to engage the Board and Audit Committee in a discussion around internal audit transformation. We can support HIAs and help enable drive better engagement between the Audit Committee and Senior Management. We facilitate workshops to work through what the changes to the standards mean to parties affected. This will in turn reinforce the standards, building on having a mandate, and HIAs needing to develop a strategy to fulfil this mandate. We can ensure your Internal Audit Strategy is linked to the mandate as required by the standards and that this is developed with realistic timeframes to implementation. Please refer to our Corporate Governance Hub for more information across this space.

EQA: If your Internal Audit function is planning an External Quality Assessment in 2024, we can incorporate a strategic review and/or a gap analysis into this exercise. For organisations due to have an EQA in 2025, a quality assessment can be accelerated to help get ahead in your implementation journey.

BDO can take care of any heavy lifting so as not to impact the delivery of Internal Audit

Whether it’s starting from scratch to create a transition plan, or revisiting an existing roadmap, we can help. Our team will be on standby to support you with updating your charter, methodology, policies and templates. If you need to formalise a performance measuring methodology, we have specific resource available to work with you to develop this and ensure that conformance is sustainable without jeopardising day to day delivery.

To find out more about what Heads of Internal Audit should be thinking about, read our latest Internal Audit & Risk Agenda.