On 20 March 2024, K2 Integrity hosted a webinar on the implications of the recent updates to the Global Internal Audit Standards (“Standards”). The discussion included David Hyman, senior vice president and senior audit director at US Bank; Raakhee Jagwani, director and interim head of quality assurance and methodology at Mizuho Bank; and moderator Yelena Talmazan, managing director in the financial services, internal audit, and risk advisory practice at K2 Integrity.
Significant Changes
The new 2024 Global Internal Audit Standards have two mandatory sections, Global Internal Audit Standards and Topical Requirements, along with Supplemental Global Guidance. The Global Internal Audit Standards are made up of 5 Domains, 15 Guiding Principles, and 52 Standards and are clearer and more concise than past guidance. Significant changes include, but are not limited to:
- Use of Internal Audit function instead of Internal Audit activity
- Addition of public interest
- Examples of evidence of conformance included in every principle
- Additions of Internal Audit Strategy and mandate for the Board to approve the Internal Audit Budget
- Essential conditions for the Board and senior management
- Requirement that Internal Audit or the chief audit executive (CAE) must document lack of specific requirements and parts of requirements for conformance
- Requirement that the CAE must establish methodologies to address impairments of objectivity
- A focus on technology, including resources, tools, and new implementation, that is evaluated regularly and is used to improve effectiveness and efficiencies
- Board and senior management have requirements that set their “musts”
- Further definition of what effective communication entails and timeliness of communication
- An emphasis on the performance management of the internal audit function and how that gets communicated to senior management, the board, and the audit committee
- Addition of Themes in the Engagement Conclusion and root causes
- Guidance on strategic plans outlining the vision, objectives, and the supporting initiatives, generally for the three- to five-year timeframe
- Topical requirements to improve the quality and consistency of an internal audit, starting with cybersecurity.
Implementation Considerations
The 2024 IIA Global Internal Audit Standards go into effect in January 2025. Internal audit functions should be preparing a plan now to ensure timely implementation of changes and to confirm conformance. How this is best done depends on the firm size, function, and global context.
A good first step is to begin with a gap analysis from the 2017 to the 2024 version. The Institute of Internal Auditors’ (IIA) two-way mapping document allows organizations to compare current and previous standards in order to identify their focus areas. Audit functions should use that comparison to self-assess and rate how far they currently are from the new standards, in order to prioritize the steps needed to meet the requirements and to quantify the level of effort. Creating a project plan, working backwards from the deadline, ensures that key resources are aware of the additional requirements and puts everyone on the same page in determining how to address areas new to the function.
TIP: Do a quick search of “Must” within the Standards and the two-way mapping document to identify what is required.
Other implementation considerations include:
Essential Conditions for the Board and Senior Management
The 2024 standards have introduced new activities, referred to as “Essential Conditions,” for the board and senior management. The essential conditions dictate that the board and senior management perform specific activities in relation to the internal audit function and get evidence of conformance with supporting documentation from the internal audit function. This means having conversations with the board and senior management, which are not always easy.
The traditional view of internal audit without the support of the board and senior management is no longer acceptable. The goal is to increase the role that the board and senior management play and to share responsibility for the success of the internal audit function in fulfilling its purpose. The new approach aims to foster better alignment and acceptance among the board, senior management, and internal audit, for a more integrated and effective audit process. When connecting with the board and senior management, the internal audit function should:
- Provide a concise summary of the updated standards to the board and senior management, highlighting the benefits of their partnership, such as enhanced alignment with business and more effective risk coverage, as well as what you need from them and any potential costs.
TIP: Leverage peers, communities, and consultancy resources such as K2 Integrity to discuss and review content and get buy-in for internal audit presentations.
TIP: Test your pitch with these groups before meeting with senior management.
- Apply input you receive from stakeholders to better plan and execute audits, and to provide additional insights that can help improve the business.
Communication Requirements
The 2024 standards have also expanded communication requirements. While there are many benefits to improving communication among internal audit, the board, and senior management, there are some potential challenges both in terms of how many resources the updated communication approach is going to require and the effort needed to capture this information and perform the reporting. These changes will also impact the quality assurance and improvement program (QAIP) within the internal audit department, perhaps resulting in additional QAIP workload, as well as a need to update the methodology.
At the same time, the new requirements give an opportunity for the internal audit function to lead by example. Given the expectation that the business areas have their strategies and evidence of supervision documented, internal audit should be leading the way. There is an opportunity to improve processes and practices, and the updated standards give internal audit functions an opportunity to outline their methodologies and to make them proportionate and pragmatic to the size and the scope of what the functions are covering within a particular country, region, or globally.
TIP: Any changes within your function should be proportionate, pragmatic, in line with the intent of the standards, and supported by rationales where a standard cannot fully be complied with.
Themes
The new standards now specifically include themes at a business unit or organization level rather than looking at thematic control issues and thematic reviews as best practices or, for example, as part of the Federal Reserve Bank (FRB) SR 13-1 requirements.
Data analysis and consistent communication among auditors are important to identify and report on thematic issues. These issues deserve greater attention than typical issues and should be addressed through audit planning, risk assessment, reporting, and monitoring. CAEs and audit managers should engage in discussions with auditors across the team, consistently asking where else similar issues might exist within the company. Internal audit should communicate not only within the specific business area but also alert executives and senior risk leaders across business lines.
TIP: Leverage your stakeholder matrix to determine who should receive regular updates and/or copies of reports.
Jurisdictional and Regulatory Requirements
Local law takes precedence, and if an internal audit function cannot fully conform with the standards due to a conflict with local law, that should be documented, disclosed, and approved by the appropriate authority. Exceptional circumstances may prevent full conformance, but the intent of the standards should be followed. Local jurisdictions may have their own guidance. For example, in the UK the Corporate Governance Code was also updated in January 2024, and the Internal Audit Financial Services Code is in the process of being updated in light of the Standards updates.
TIP: Speak to peers, consultant firms such as K2 Integrity, and your regulator to understand if jurisdictional changes for internal audit are expected.
Performance Measurement Methodologies
The new standards explicitly include performance measurement methodology to assess progress toward achieving the function’s objectives. It is important to document processes, procedures, and performance objectives, though it can become difficult to maintain consistency as a company grows. Internal audit function plans and objectives are expected to look forward a few years rather than the traditional annual approach. The advantage here is that the function, without losing its independence, is considered in the firm’s future plans and is appropriately resourced and funded. Organizations should also focus on the alignment of QAIP to new standards, starting with a gap analysis and updating methodologies based on the “must” statements and new/updated sections in the standards.
TIP: External QAs will assess against the new standards from 2025. As long as you have a gap analysis and a plan with evidence of activity to address areas of non-conformance, your EQA vendor should give you the credit, just as internal audit would to its stakeholders.
In closing, the new global internal audit standards give internal audit a voice, allowing for more strategic planning and alignment with management’s goals and strategic objectives. If the company is moving toward digitization, internal auditors should advocate for the internal audit function to follow suit. When the firm invests in AI and other technologies, the internal audit function should also be included in the plans and adapted with support from the firm. Effective communication, relationship-building, and clear explanations to the board, audit committee, and senior management are crucial for ensuring everyone understands the evolving expectations of internal audit.
Disclaimer: The views, opinions, and advice expressed during the webinar and found in this summary are those of the speakers and do not reflect those of The Institute of Internal Auditors.