Raising the bar - the new Global Internal Audit Standards
The Global IIA’s International Standards for the Professional Practice of Internal Auditing are changing. This is good news for IIA members worldwide – but it will require some attention and adaptation to meet the new requirements. There is no immediate change to syllabi for existing students.
Billed as “an evolution”, rather than a revolution, the new Global Internal Audit Standards build on the existing ones to clarify what good internal audit looks like in a rapidly changing world and enhance consistency worldwide. They will support chief audit executives (CAEs) by providing explicit guidance on the position of internal audit within organisations and the resources it needs to perform at the required level. They will also enable the IIA, centrally and nationally, to build the reputation of the profession and increase understanding of its value.
Many of the changes are already common practice in mature internal audit functions, but most CAEs will need to adapt some elements of what they do to ensure continued conformance. However, all IIA members stand to gain in the long term from increased consistency, clearer explicit details of roles and responsibilities and a stated purpose that can be used to inform, educate and influence those who need to know more about the profession. Raising the bar for all internal audit functions strengthens the reputation of the function and the profession everywhere.
The Chartered IIA has played an important role in shaping The Standards and ensuring that members in the UK and Ireland have had a voice in their development. It has been represented on the global IIA Standards Board by Liz Sandwith, who has worked with the Chartered IIA as its Chief Professional Practices Adviser, and, more recently, by Peter Elam, its Immediate Past President, who will continue to be a member of the global IIA Standards Board for the next six years.
Sandwith was involved from the beginning of the process, which began when the global IIA surveyed members for their views of the current IPPF and what could be improved. Her term finished last year, but she was invited to continue as a special adviser to the project. Elam joined the board in July last year.
“The Chartered IIA is one of the biggest IIA affiliates and we have a very active membership, so our perspective and input is highly valued,” Elam says.
The IPPF and the Standards had not been significantly overhauled for many years and there was a consensus – backed by about 19,000 comments from members and relevant bodies worldwide – that the world and the profession had changed. What good looks like now is different from when they were first drafted. New audit topics have become standard, new tools are widely used and the scope of internal audit work has developed. Organisations need and expect more wide-ranging support than was previously common.
IIA Global’s IPPF survey in 2021 showed that many people also perceived the existing Standards to be fragmented and difficult to follow. Updating them was an opportunity to review the way they are structured.
“The Global Internal Audit Standards document is substantial and provides the basis for a consistent model of good internal audit practice that should be applicable regardless of where you are in the world, the sector you work in and the size of your internal audit function,” explains Sandwith. “For me the really positive message is that it states our purpose ( in ‘Domain’ 1). This is key to what we do and what we are as a profession. It’s the elevator pitch you need if you are standing in a lift with the CEO and they ask what exactly you do. It’s a document you can discuss with the board and the audit committee and the potential benefits are phenomenal.”
What is changing?
Many organisations with well-structured, high-performing internal audit functions that enjoy a strong reputation and good relationship with the audit committee and board will need to make only minor adjustments to conform with The Global Internal Audit Standards – but they will still need to read the new document thoroughly and understand the changes, Elam warns.
Others will need to do more, but the intention is that the revised Standards document will provide a useful template that a CAE can use as a basis for a conversation with their team and their stakeholders. It sets out the basis for good internal audit practice, so those who do not currently conform in all areas will have evidence of what needs to change and can use this to educate management and secure any structural alterations or additional resources.
One area that CAEs should consider carefully is Domain 3 of The Global Standards, “Governing the Internal Audit Function”, which concerns the oversight of the internal audit function. This defines explicitly for the first time not only the CAE’s role and responsibility to report to the audit committee and board, but also the audit committee’s responsibilities to engage with and oversee the internal audit function.
“This is important because it provides comprehensive terms of reference for the audit committee, defining the kind of relationship it should have with internal audit and demonstrating the strength and importance of this relationship,” says Sandwith. “It’s a massive opportunity for CAEs who can now take it to the audit committee and say ‘this is how we should be working together and this is what we need to build on’.”
While neither the internal audit function nor IIA Global can dictate how boards or audit committees respond, it is a strong indicator of what good looks like, adds Elam. “Many board members are part-time, or come to the role with little experience of internal audit, so this explicit description of their responsibilities will help to educate and inform them.”
The Global Standards will be referenced in external quality assessments (EQAs), so oversight weaknesses could be mentioned as an area for improvement in an otherwise positive report. “It’s about creating a two-way relationship – internal audit and the audit committee working closely together for the good of the whole organisation, with responsibility going both ways,” Sandwith explains.
Domain 4, “Managing the Internal Audit Function”, also turns actions that were previously good practice into requirements for a strong function. New CAEs will therefore have guidance stating their responsibilities and what constitutes good performance.
“It’s brilliant that this is now explicit because it can be used as a template for new CAEs, to educate management and to support negotiations for resources, as well as a timely reminder for those who have been in the role for some time,” Sandwith points out.
Domain 2, “Ethics and Professionalism”, incorporates IIA Global’s Code of Ethics, which is another important area in an increasingly complex internal audit environment. This too should support CAEs by providing detailed guidance that can used within the internal audit function and in the wider organisation.
The last, Domain 5 “Performing Internal Audit Services”, sets out how to plan and conduct engagements and how to communicate findings and monitor action plans.
New guidance on topical areas for internal audit (Topical Requirements) are also being published to support those embarking on specific audit areas.
More information about the scope and detail of these requirements will be provided by the Chartered and Global IIA and in future articles in Audit & Risk.
This article was published in January 2024.