Q&A: you asked us - July 2024

Q: I am looking for guidance on sample size methodologies – in particular, is there any guidance on sample sizes based on the frequency of control operation?

A: In some internal audit functions, data analytics techniques have replaced the need for sampling when testing, but many others still use manual sampling techniques to determine sample sizes and selection of the fields to test. Getting this right is important as the testing supports the credibility and validity of the findings and, therefore, the recommendations.

In the new Global Standards, sampling is included in the “Considerations for Implementation” in Domain V for Standards 13.6 – Work Program and 14.2 – Analyses and Potential Engagement Findings. Neither provides any detail on sample sizes or the selection methods that can be used.

Our guidance discusses sampling methods and sizes, but we expect each organisation to establish its own sample size selection methodology based on the confidence and precision level required and tolerance for sampling risk. The culture and the credibility of the internal audit function with stakeholders are key factors for determining how large a sample size is needed, but this should be balanced with the resources available to complete the internal audit engagement. You will therefore need to make a risk-based decision here.

Many organisations include a standardised selection sample size and selection methodology in their internal audit manual to support consistency and to reflect the needs of the individual internal audit function.

Q: Given the new Global Internal Audit Standards 2024, is there a new model internal audit charter that we can access?

A: Yes! IIA Global is issuing supporting guidance for the transition to, and ongoing conformance with, the new Global Standards on a regular basis. This includes issuing two new model internal audit charters.

The first is a generic model internal audit charter that can be used for any type of organisation. The second is specifically for the public sector. Both include guidance on how you can customise them for your organisation. These serve as a good template to benchmark against, or to create a new one. Both can be accessed from the same location on IIA Global’s website – you will need to sign in as a member using your IIA Global log-on details (not your Chartered IIA log-on) to access these.

Q: The new Global Internal Audit Standards state that the chief audit executive (CAE) needs to be “qualified”. What is your view on what this means?

A: The new Global Standards state that the CAE (or equivalent) MUST be qualified. However, they do not specify the qualification. Other principles in the Global Standards can help to determine what this means, as it is more than just having a professional qualification.

In Domain II the principles around competency due diligence are explained, and the need for the audit committee to be involved to help determine which qualification and what level of experience and skills the CAE requires.

The regulators’ requirements also need to be considered, for example CAEs in the public sector currently need to hold a Chartered level professional qualification (such as CMIIA), and this is also best practice in financial services organisations. In addition, internal audit apprenticeships define being competent to a certain level as having an internal audit certification as well as the required knowledge, skills and behaviours.

It is therefore important that each organisation considers which specific attributes they require in the CAE role, given these factors.

This article was published in July 2024.