Tools for the job: preparations for the new Global Standards

As we enter the last few months before the implementation of the new Global Internal Audit Standards, more internal audit functions are starting to identify their conformance gaps and assessing the guidance being published by IIA Global. While many internal audit teams will find that they conform in some areas, there will be others where they need to make changes – and, if you have not done so already, it’s a good idea to start now.

If you are currently due for an external quality assessment (EQA) it may be useful to consider the Chartered IIA’s optional extra EQA service assessing organisations against their conformance with the Global Standards. Current EQAs are still being assessed against the 2017 Standards, but clients are also requesting an additional piece of work against the new global standards to help them prepare. From January 2025 the Chartered IIA will also be performing full EQAs using the Global Standards. Ann Brook, Head of Technical Content and Research, says the assessors will always take a practical approach to the EQA assessments, and clients see EQAs as an opportunity for improvement, rather than a tick box exercise.

Those functions that are not preparing for an EQA should also be assessing the Global Standards against their processes and policies and working out where they need to make additions or changes – and what these will involve.

Vincent Lynch, an EQA assessor for the Chartered IIA in Ireland, has been talking to three organisations that recently underwent EQAs about their preparations for the Global Standards. The responses vary widely.

All were aware of the Global Standards and had begun planning their responses and mapping out actions. One said it was still at early planning stages, but was drawing up a presentation to explain what they would be doing to the audit committee.

Another was at a more advanced stage. This team had an in-house chief audit executive (CAE) and an outsourced team at KPMG. They had started a gap analysis and said they had found sessions on the Global Standards at the Chartered IIA’s conference in Dublin helpful.

“This team has identified the main issues and is now working through these in line-by-line detail to determine actions,” says Lynch. “They have also undertaken high-level presentations to the audit and risk committee about what their involvement should be. They said they found IIA Global’s model template for the audit charter helpful.”

The third organisation that Lynch spoke to was planning to start a gap analysis this month, but had already undertaken training and had been reading the guidance and support available so far.

All the CAEs told Lynch that they knew they had work to do to make their functions fully compliant, but they also had to explain the changes to their audit committees and help management to understand why the changes would help them and support them better in future.

Common questions

Many internal audit functions said they would like to have information about what other teams are doing and what they should have done by now – and what to have done at various dates up to commencement on 9 January 2025 – so they can see the situation in organisations of different sizes and sectors. They said they would welcome a template presentation for management that explains why the new Global Standards are necessary and how they will support the organisation’s work.

Some said they would like more help with what good planning for the Global Standards looks like. One public sector organisation told Lynch they would like to see some real-world work examples that demonstrate what would be considered effective and what won’t be adequate, particularly in areas requiring judgment.

Common areas of concern included where they should draw a line between internal audit and risk roles and when internal audit should use root cause analysis and when they should advise management to do this.

The idea of auditing strategy and advising on the risks of action and inaction was an issue for some internal audit teams, who were concerned they didn’t yet have the reasoned arguments to convince management. On all these issues, most felt that the more guidance they could access the better.

“Most internal auditors I’ve spoken to were more concerned about how they should frame conversations with management than about changes that directly affect internal audit processes, because processes are fully within their own power,” Lynch explains. “There were more questions about how best to get management to respond positively to the changes and win hearts and minds.”

Unsurprisingly, larger organisations seem to be more advanced in their preparations, but, as Lynch points out, they will also have more to do. What is clear, is that many organisations intend to start their serious work on the Global Standards this autumn. There is still time to prepare, but it’s important to engage with all the guidance and support now.

IIA Global is publishing regular pieces of guidance on the new Standards. Recent additions include a Quality Assessment Manual and two new Model Internal Audit Charters (public sector and general purpose). The first topical requirement, on cyber security, is currently out for consultation. There is also a page of FAQs on IIA Global’s website.

The Chartered IIA is updating all the resources on its website, and has produced guidance and a tool-kit to support audit committees with the changes. The institute has also published support for CAEs to use when educating senior management about their responsibilities, as well as a self-assessment tool-kit and an internal audit strategy tool kit.

For more details see Tools for the Job, A&R July/August.

This article was published in September 2024.