7 Things Every Internal Auditor Should Know About the New Standards


Following a multi-year effort involving thousands of stakeholders worldwide, The Institute of Internal Auditors (IIA) released the Global Internal Audit Standards (Standards) on January 9, 2024. The Standards take effect one year from publication (January 9, 2025). While there’s no need to panic, internal auditors should be proactive in addressing key changes. In what areas are functions likely to find gaps, and which gaps may deserve priority status on action plans? Above all, what do you need to know in the short term?

At 119 pages, the Standards don’t qualify as light reading, but The IIA also issued a condensed version with mandatory guidance only, cutting the page count in half. However, many internal auditors may still find the Standards a bit daunting to quickly digest. With that in mind, we reviewed the Standards to identify the most noteworthy changes we believe every internal auditor should be aware of now. 

Before diving in, the International Internal Audit Standards Board (IIASB) should be acknowledged for the hard work, focus, and careful deliberation they have devoted to this process. Research and outreach focused on evolving the International Professional Practices Framework (IPPF) began in 2019, culminating in the March 2023 release of draft Standards for public exposure and comment. Articles, blogs, and discussions on social media proliferated; we ourselves spotlighted six proposed changes in an April 2023 blog.

In short, internal auditors and other stakeholders worldwide made their voices heard — and the IIASB listened. They addressed the concerns and major themes that emerged from approximately 19,000 comments and 60+ comment letters, including those we featured. We write today not to parse or question the final Standards, but to heighten awareness of key changes and potential near-term implications. 

1. New Emphasis on Serving the Public Interest

The introduction to the new Standards states that The IIA “is committed to setting standards with input from the public and to benefit the public,” and that the IIASB “is responsible for establishing and maintaining the Standards in the interest of the public.” The Domain I Purpose Statement emphasizes that internal auditing enhances the organization’s “ability to serve the public interest.” This new purpose represents a nontrivial evolution of the IPPF’s Mission Statement — which describes what internal audit aspires to accomplish in their organizations — by adding an important layer of why we do what we do. In the context of internal auditing, “serving the public interest” typically refers to the expectation that internal auditors should act in a manner that benefits the public at large, and not just their own organizations. This includes ensuring transparency, accountability, and good governance in the organizations they audit. 

The Standards acknowledge the context-specific nature of questions of public interest and encourage consideration of cultural norms and values, ethics, fairness, and potential impacts. CAEs serving global organizations may nonetheless face challenges given differing views of what constitutes the interest and well-being of societies around the world. 

2. Different Structure — More Logical and Seamless

The IPPF’s natural growth had resulted in a “patchwork” Framework that some found difficult to navigate. By starting with a fresh page, the IIASB has succeeded in integrating all of the old IPPF’s key components into a more logical and intuitive structure. There are now 52 standards grouped into five domains: I. Purpose, II. Ethics and Professionalism (replacing a standalone Code of Ethics), III. Governing the Internal Audit Function, IV. Managing the Internal Audit Function, and V. Performing Internal Audit Services. These domains comprise a total of 15 principles; each principle is followed by the related standard(s) (the mandatory “Requirements”) and the related guidance, called “Considerations for Implementation.” 

The new Standards alter the IPPF’s entire structure and numbering system, such that audit handbooks, policies and procedures, software, worksheets, and other documents referencing the old IPPF sections and numbering scheme will have to be updated. Further, the integration of requirements and guidance under the banner of Standards — beyond creating a rather long document to digest — may lead to confusion on mandatory versus recommended procedures. Ultimately, however, the new structure makes finding needed definitions, requirements, and guidance more intuitive. 

3. More Prescriptive Standards

We all understand the basic relationship between “policies” and “procedures.” Policies explain what is expected, and procedures give detailed instructions describing how policies are carried out. This analogy helps us understand a fundamental shift from the old IPPF to the new Standards. Generally speaking, the IPPF stated principles (policies) that CAEs were charged to implement, and CAEs decided what procedures to use. The new Standards, however, often include specific procedures as standards, requiring both policy and procedure simultaneously.

The exposure draft generated substantial discussion regarding this increased prescriptiveness. The exposure draft had replaced the old IPPF with restated principles followed by extensive rules, nearly all of which were stated as “musts.” While the final Standards greatly reduce the number of “musts” from the exposure draft, they still include more specific requirements than the preceding IPPF. CAEs should take the time to read through each standard — most particularly in Domain V (Performing) — to confirm that the requirements noted reflect current practices, or update practices as needed. 

4. Less Differentiation Between Assurance and Advisory Requirements

While the old IPPF clearly distinguished requirements for “consulting” work, the new Standards apply to both assurance and advisory services except when otherwise specified in individual standards. 

Concerns about the need to more “precisely and consistently differentiate between requirements for assurance and advisory engagements” emerged as a top-ranking theme in the exposure draft survey responses. The IIASB instituted certain changes in response. The Domain V (Performing) introduction and select Domain V standards now offer limited commentary regarding application to advisory engagements (see 13.2, 13.3, 13.4, 13.6, 14.2, and 14.5). That said, CAEs who perform a variety of advisory services may find it challenging to conform with every requirement noted, particularly if the advisory work does not include audit testing, such as with facilitation, training, or offering suggestions on potential policy changes. In particular, certain Domain V requirements are likely to prove challenging. 

5. Greater Emphasis on Internal Audit Strategy, Relationship-Building, and Communication

A few new standards have been created that did not previously exist explicitly, including Standard 9.2 (Internal Audit Strategy), Standard 11.1 (Building Relationships and Communicating with Stakeholders), and Standard 12.2 (Performance Measurement). We know that some internal audit functions have been addressing these areas historically. However, AuditBoard’s 2024 Focus on the Future survey found that only one in five functions have “a comprehensive, well-documented strategic plan” looking out three to five years. 

These new standards promote these practices to mandatory requirements, arguably forcing a more strategic approach to the internal auditing function. CAEs are advised to carefully read the relevant standards and consider if the new requirements are met. Additional detail or documentation may be needed to demonstrate conformance. 

The Standards also set higher expectations for CAE communications with the board and senior management, providing clear requirements to discuss specific matters. Many CAEs will therefore be holding discussions of greater depth and breadth than they have historically. Each Domain III (Governing) standard’s requirements define several “musts” for the CAE and delineate specific board and senior management activities as “essential conditions” supporting internal audit’s ability to fulfill the “Purpose of Internal Auditing.” Board or senior management disagreement with essential conditions requires CAE follow-up (i.e., feedback, documentation).

6. New Emphasis on Performance Measurement 

As noted above, a new standard (12.2) requires the CAE to develop and assess objectives to evaluate the function’s performance, considering the input and expectations of the board and senior management. The standard does not require the use of specific performance objectives, but the related guidance provides example categories such as audit coverage, action plans implemented, stakeholder satisfaction, percentage of the organization’s key risks and controls reviewed, and so on. As the CAE’s “performance measurement methodology” must “promote the function’s continual improvement” while assessing progress toward achieving the function’s objectives, it seems it will be critical to embed measurable metrics in the newly required strategic plan.

It will also be critical for CAEs to rationalize their performance objectives against the Standards, as there’s a risk they will not align. For example, while the board may assume the need for an objective of completing the audit plan by year-end, the Standards require auditors to continually assess risk and adjust plans accordingly. Finishing the plan must be balanced against staying flexible and risk-focused.

7. Raised Bar for Quality Assessments

Quality assessment standards for both internal and external assessments have changed in important ways. Both types of assessments must now consider not just conformance with the Standards, but also achievement of performance objectives. Further, for external assessments, CAEs must ensure that the independent assessor, or at least one member of the assessment team, holds an active Certified Internal Auditor designation.  

Some CAEs will be challenged to complete implementation of the new Standards by January 2025. Accordingly, CAEs with external assessments due in 2025 may choose to move assessments into 2024 against the old IPPF requirements. These CAEs should also consider gap assessments in 2024 to smooth the eventual transition to the new Standards.

Committing to Meaningful Transformation

For CAEs, The IIA’s release of the new Standards reflects the beginning — not the end — of the process of ensuring conformance. With less than a year until the deadline for full adoption, ensuring conformance should be a top priority in every internal audit function. At a minimum, we believe CAEs should take the following steps: 

  1. Review and understand new requirements in the Standards.
  2. Undertake a “gap analysis” to ascertain the extent of current conformance. 
  3. Identify key actions needed to achieve full conformance. 
  4. Forge a project plan to address conformance gaps with milestones and success measures. 
  5. Brief key stakeholders on new requirements and keep them informed on actions being taken to achieve conformance. 
  6. Undertake a “readiness assessment” to assess conformance as 2025 approaches.  

While the effort to be expended over the next year may feel like a heavy lift for already overburdened internal audit functions, the payoff will be worth the effort. Our professional standards differentiate us from a myriad of other risk and oversight functions. Conformance is imperative. 


Patricia Miller, CIA, CRMA, QIAL, CPA, CISA is the owner of PKMiller Risk Consulting, LLC, previously a member of the COSO Board of Directors, and serves as an internal audit Advisor for CNM, LLP. Previously, Patty was an enterprise risk services partner with Deloitte & Touche LLP, and served as global chairman of the board of The Institute of Internal Auditors (IIA).


Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA).