On January 9, 2024, the highly anticipated updates to The Institute of Internal Auditors (IIA) Global Internal Audit Standards were released, marking a significant update in modernizing the previous version that was released in 2017, known as Standards (2017). With an implementation date set for January 9, 2025, internal audit functions have one year to review and update their existing internal audit frameworks.
The challenge ahead of most internal audit departments is the time necessary to review and understand the changes to the new set of Standards in order to update corresponding policies, procedures and charters. Below, we breakdown the new Standards and how they differ from the old:
Guiding Principles within Domains
The major change to the Standards is the transition from “Attribute and Performance Standards” to the 15 guiding principles within five domains. They are organized as:
- Domain I: Purpose of Internal Auditing
- Domain II: Ethics and Professionalism
- Domain III: Governing the Internal Audit Function
- Domain IV: Managing the Internal Audit Function
- Domain V: Performing Internal Audit Services
Changes to Discussions with Management & Board
Terminology within the Standards have changed: one noteworthy example includes changes in certain terminology that affect discussions between internal audit functions and their senior management and Board (e.g., “should” be performing is now “must” be performing in the old Standards #1010 and the new Standards 6.1). External assistance from a reputable firm can prove invaluable in interpreting these changes and providing strategic guidance.
Clarity on Requirements & Conforming
The Standards include greater detail and clarity on its requirements, as well as consideration for implementation and examples of evidence that could be used to conform with the Standards. Additionally, the 2024 Standards provide guidance on who should perform the various requirements (such as the Board, senior management, chief audit executive, etc.). This new information aims to help internal auditors achieve the principles and fulfill the purpose of internal auditing without having to interpret what may be needed to conform with the Standards. Such clarity, in turn, streamlines the self-assessment processes undertaken by internal audit departments.
While the goal is conformance to the new Standards, there may be situations in which the internal audit function can’t conform to certain parts. The 2024 version provides guidance on how to handle these instances, as well as further insight for small audit functions and the application of the Standards in the public sector.
Internal & External Quality Assessments
A critical component of an internal audit department’s quality assurance program is the language incorporated into Standards 8.3, 8.4 and 12.1 concerning the quality assurance and improvement program. This includes provisions on designing the program to evaluate conformity with the Standards, attainment of performance objectives, and the pursuit of continuous improvement. In addition, criteria should be developed to assess the performance of the engagements, internal auditors and the internal audit function.
The sections related to quality assessments have been updated to include additional criteria. Some of the highlights noted include:
Internal quality assessments
- While some organizations have informally discussed non-conformance to the Standards with senior management and the Board, action plans must now be formally developed and documented for any areas of non-conformance and then communicated to the Board and senior management.
- The Standards require Board approval of the internal audit function’s performance objectives annually, at minimum.
- Senior management must provide input on internal audit’s performance objectives.
External quality assessment
- As part of the “Consideration for Implementation” section, the Standards now state that at least one member of the external assessment team must be a Certified Internal Auditor (CIA).
- Considerations for more frequent external assessments (than the standard five years) should occur if: there are changes in leadership (Chief Audit Executive, senior management, etc.); there has been a merger of two internal audit functions; or if there is significant staff turnover.
- If a Chief Audit Executive chooses to conduct a self-assessment with independent validation (SAIV), they must provide their rationale for choosing to conduct this instead of an external quality assessment to the Board for approval.
The 2024 changes to the Standards, representing an evolution to align with governance, risk and compliance advancements, pose challenges that extend beyond the typical “check the box approach.” At Sikich, we distinguish ourselves by offering more than just standard external quality assurance (QAR) reviews. With Sikich IAEdge™, we combine the traditional QAR with the Internal Audit Capability Maturity Model (IA-CM) into one comprehensive assessment that provides the conformance baseline required by the IIA, while also creating a roadmap to elevate the maturity and performance of internal audit departments. To learn more about how we can help your organization, contact us below.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.