The final updated Global Internal Audit Standards require substantive changes within the IA function and stakeholder relationships to remain in conformance and elevate the profession.
What you need to know: Increased collaboration among the CAE, the board and senior management is required for the governance of the IA function.
Key takeaway: IA needs to work with its stakeholders to set or refine strategic direction, redefine the rules of collaboration and retain more formal documentation.
Action to take now: While the revised standards go into effect in 2025, the time to evaluate, plan for and start transitioning to the needed changes is now.
In Part 1 of this blog series, we stressed the importance of educating internal audit’s stakeholders and laying the groundwork for the change management needed to support the required collaboration for effective governance of the internal audit (IA) function. In this post, we summarize key areas of change most likely to impact your organization, and we explore in further detail areas that will require revisions to current practices to not only accomplish conformance but drive improvements in quality that the Standards have been revised to deliver. To that point, we’ll also discuss areas that provide opportunities for the chief audit executive (CAE) and other leaders to leverage the final updated Global Internal Audit Standards (“Standards”) to advance the function.
How should you approach the revised Standards?
While the final Standards updates may not be as dramatic as those initially proposed, there are substantive changes CAEs must drive, both within the IA function and within stakeholder relationships, to remain in conformance with the Standards. Additionally, The Institute of Internal Auditors (IIA) Standards Board (“Board”) has advised functions to think of the update as intended to deliver “conformance plus performance”, with improvements in overall quality being the sum of these parts. The Board’s goal to elevate the profession by requiring board-approved performance objectives to propel continuous improvement for the function emphasizes its desire to raise the bar for IA. In the aforementioned Part 1, we discussed the IA stakeholders’ collective conclusion on how far along this continuum they wish to push the function beyond simply a “Generally Conforms” conclusion, which most in the profession would acknowledge has historically been relatively easy to attain.
How will the new standards impact the IA function?
While this post is not intended to be a complete summary of the Standards updates or to take the place of a detailed implementation review, we have summarized key areas and themes of change below. Addressing these four areas of change will require additional analysis and documentation. The Governance/Mandate and Internal Audit Strategy areas will require increased stakeholder collaboration, including on strategic priorities for IA, and formal strategic planning.
The Standards require the board, CAE and senior management to collaborate in more areas, including collectively defining a mandate and performance objectives for the IA function. The Standards also require the board to approve the initial annual audit plan, budget and resource plan, as well as any significant changes to the aforementioned, and the approach to external quality assessment. The updated Standards also call for increased CAE focus on defining the function’s strategic goals and supporting initiatives. We will focus on reviewing this IA function strategy (a historical gap for many IA functions) in further detail in Part 3 of this blog series.
How can the CAE communicate additional actions required from the board and senior management?
Because multiple sections of the revised Standards call for increased collaboration among the CAE, the board and senior management, we have summarized the required and suggested responsibilities of these roles in the table below to clarify ownership, consultation and approval requirements for the governance of the IA function. The CAE can utilize this summary to begin planning for the required adjustments in communication protocols and documentation of formal approvals.
What actions does the CAE need to take?
While the revised standards go into effect in 2025, the time to evaluate, plan for and start transitioning to the needed changes is now. IA needs to set or refine strategic direction, redefine the rules of collaboration and retain more formal documentation. Below are four action steps the CAE can take to advance the implementation now.
Understand
Once the organization aligns on its approach, the individuals focused on the implementation process should read and digest the applicable Standards changes and create a plan, with defined milestones and ownership, to address adoption of the new Standards, leveraging the function’s quality assurance improvement program if possible. This group should also utilize the educational resources from The IIA and other providers and networking groups to address any questions. The IIA has provided supporting materials as follows:
- Report on Proposed to Final Standards
- Final Standards
- Condensed Mandatory Only Standards
- Getting to Know the Internal Audit Standards
These are great resources that we highly encourage you to take the time to review and digest.
Evaluate
Completing a gap assessment to identify the areas where the current IA function activities and methodologies differ from the Standards will help identify and plan for the layers of change required. Some documentation updates will be required simply due to the changes in the structure and organization of the Standards. Other gaps will require updates to the methodology or the implementation of new procedures altogether. Capturing the level of impact and effort will help prioritize which gaps to address most urgently and inform the timeline for methodology updates in advance of the January 2025 effective date.
Strategize
Take this opportunity to formalize and enhance the IA function’s vision, strategic objectives and supporting initiatives through execution of the following steps:
- Define IA performance objectives with input from senior management and the board.
- Incorporate evaluation of enabling technology into the strategic assessment of the function’s capabilities.
- Refresh the Quality Assurance Improvement Program and refresh or document the external quality assessment plan.
- Develop or refine IA methodology to assess the root cause and rate or prioritize findings to address the driver of identified issues and provide actionable guidance to management on required remediation and follow-up.
Establishing or refreshing the IA strategic plan is a great opportunity to engage the full IA team – solicit input, generate excitement and gain alignment on the future of the IA function.
Communicate
Building on the stakeholder collaboration approach outlined in Part 1, begin with agreement on IA’s mandate (the authority, role(s) and responsibilities of IA) and leverage the content in these blog posts to continue discussion of the final revised standards with IA stakeholders. Continuing to educate and take action to address the required collaboration areas in conjunction with the stakeholders will help create and sustain the necessary alignment to achieve the desired results.