Get aligned with new global standards for internal audit

How to plan for implementation and build stakeholder support

Internal auditors will soon have a new and comprehensive framework for their work, guiding them as they develop a holistic function that works in sync with the organization’s strategy, making full use of technology, analytics and automation.

The change becomes official on Jan. 9, 2025, when the latest updates to the global standards issued by The Institute of Internal Auditors© go into effect. It is the first such revision in seven years, and it includes a significant regrouping and rewriting of the guiding documents for internal audits, as well as a new focus on emerging areas for risk management.

“There's been a journey to really transform the standards to align with the needs of the modern-day auditor,” said Monica Nickel, Grant Thornton Advisors LLC Risk Advisory Senior Manager, who joined other professionals from the firm in a recent webinar to explain the new standards and how best to implement them.

The updated standards are grouped into five domains, which include 15 principles and 52 standards. Also new is the introduction of Topical Requirements. These are standards for special risk topics such as cybersecurity, ESG, IT governance, etc., and are only relevant when the audit plan includes these areas.

The five domains cover:

• Internal audit's purpose and value.
• Ethics and professionalism.
• Governance of the internal audit function, including the activities of the board and senior management that are essential to the internal audit function’s ability to fulfill the purpose of internal auditing.
• Managing the internal audit function, including strategic planning and quality management and measurement.
• Performance of internal audit services, from planning and conducting engagements to communicating results and monitoring action plans.

Along with focusing on collaboration with the board and senior management, the standards emphasize the importance of internal audit functions collaborating with organizational stakeholders as part of supporting the organization’s risk management strategy; an increased focus on the use of technology; and measuring conformance with the standards.

The IIA also designed the principles and standards to allow for practical application as they consider situations that may not allow for perfect compliance, and other special considerations applicable to smaller audit shops and those operating in the public sector. In addition, the standards document facilitates compliance by including considerations for implementation and examples of evidence of conformance.

Steps to get started

With deadlines fast approaching, internal audit must lay the groundwork for change — both within the internal audit function and beyond.

Level setting

“As a CAE, before you start developing a strategy for implementation, you must be honest with yourself and understand your current level of compliance,” said Kevin Stoutermire, Risk Advisory Managing Director for Grant Thornton Advisors LLC. Historically, if you have made it a point to be generally compliant with the previous standards, kept up with your QAIP, had regular EQAs/SAIVs, etc., then the new standard will not be much of an uplift. However, if you are a newer audit function, or the issuance of the new standards is the catalyst for you to start your compliance journey, then your strategy for compliance will take longer and you will need to develop a structured plan with defined milestones along the way. Take your time, but be intentional. Full compliance with the standards involves others outside internal audit, so you will need to get them on board as well.

“Make sure your plan aligns to not only the size of your organization, but with the information technology resources that you have on hand,” said Stephen Logan, Grant Thornton Advisors LLC Risk Advisory Director.

Outside organizations can support the development and execution of strategic changes, both through outsourcing and co-sourcing.

Get others engaged

Changes to internal audit will require support from other stakeholders. An implicit concept of the new standards is that it takes a village for an internal audit function to be most effective. While internal audit is a third-line function, its effectiveness within the organization’s overall risk management process is based on a carefully orchestrated role relative to those charged with risk oversight and those charged with risk management. The new standards set expectations for the board and senior management that are essential for the internal audit function’s ability to fulfill its purpose. For example, the board must act as “champions” for the internal audit function.

Conversations with the board, as they are introduced to what the standards require them to do, should be carefully managed. The conversation should never begin with an absolute “mandate” from internal audit related to what they must do because the IIA said so, Stoutermire said. Instead, he advised the following steps:

• Begin with a quick introduction of the new standards, including high-level differences with the previous standards, and your strategy for compliance.

• Later, update leadership with the results of internal audit’s self-assessment and strategy for addressing in gaps.

• Finally, while the standards identify essential conditions that include responsibilities of the board and senior management, explain these in the context of how the board and senior management can help maximize internal audit's effectiveness at strengthening the organization’s ability to create, protect and sustain value.

“Taking this approach, taking it step by step, and bringing them along will probably be the most effective way of communicating with them,” Stoutermire said, adding that it is important to provide options and acknowledge the board’s authority.