New IIA Standards Reflect Changing Role of Internal Audit

This year, the Institute of Internal Auditors (IIA) released updated Global Internal Audit Standards™, replacing the 2017 international standards for the professional practice of internal auditing. The new standards are scheduled to take effect in January 2025. These updates reflect an overall change in the role of the internal audit (IA) function in organizations of all sizes.

Traditionally, internal auditors have been expected to ensure the effectiveness of internal controls within the organization, add credibility and reliability to financial reports and identify fraud. These functions are still important. But over time, the internal auditor’s role has evolved in response to more complex pressures and risks.

The goal of today’s internal auditor is to support the overall development of the organization, identify areas to improve efficiency and effectiveness of operations and contribute more directly to the successful achievement of broader objectives. Internal auditors are expanding their skills beyond accounting, compliance, fraud and finance to technical areas like data science, analytics, IT, cybersecurity and privacy.

With these tools, the IA function increases its value within the organization as a whole, may bring more strategic recommendations to management, enhance governance frameworks and serve as a sounding board for the board and management.

What will this change mean within the organization?

Taking this change into account, the new standards call for more board and management involvement in the IA function, with an emphasis on aligning IA with the organization’s strategic objectives and stakeholder expectations. They also call for more effective planning, tracking and performance measuring.

Depending on the maturity level of the IA function within the organization, conforming to the standard may require changes to the structure and governance of the organization. IA professionals may need to strengthen their professional skills to demonstrate agility and critical thinking and a greater acumen for strategy and technology.

Start with a readiness assessment

To align with the new requirements, IA executives should perform a readiness assessment by comparing existing methodologies and policies with the new standards, communicating any necessary changes to the board and senior management and developing a roadmap and implementation plan. The readiness assessment should align the IA function with the organization’s objectives, stakeholder expectations and industry leading practices.

The new standards incorporate the five mandatory elements of the existing framework: mission of internal audit, definition of internal auditing, core principles for the professional practice of internal auditing, code of ethics and standards, and one recommended element, the implementation guidance.

The IIA made significant changes in these areas:

Board and management support

The new standards provide more guidance on the board’s oversight of the IA function, including quality assurance. They call for the board to evaluate and elevate the effectiveness of the IA function and ensure senior management understands its role in supporting IA. In turn, IA should seek feedback from senior management on its performance.

Internal audit strategy

The chief audit executive should develop an internal audit strategy that is aligned with strategic objectives of the organization and the expectations of the board and senior management. The vision provides the direction of internal audit within the organization and initiatives supporting the strategy, including development of competencies and use of enhanced technologies.

Communicating results and evaluating findings

The findings of an internal audit should be ranked and rated and identify themes. They should evaluate cause and effect and residual risk considering the design and effectiveness of other existing controls. Internal audit reports should support the findings by including data, diagrams and graphs showing trends. Communications to the board and senior management should consider significant control weaknesses, root causes and themes across issues.

Protection of information

Internal auditors must manage the risk of exposing information and adhere to data privacy requirements, a new element of these standards. Conformance may include implementing or enhancing policies and procedures for restricting access to information protecting data through encryption, password protection and restrictions on emailing information, physical access and use of social media.

External quality assessments

While requirement to perform external quality assessments every five years has not changed, the new standards require at least one member of the assessment team to hold an active certified internal auditor designation. This can be supported through providing documentation of the assessor’s credentials.

How Weaver can help

The 2024 Global Internal Audit Standards provide an opportunity for internal audit to enhance practices and contribute in a more significant way to the success of the organization. If you would like more information about how to assess your organization’s current IA function and move toward alignment with the new standards, contact us.

©2024