Salient points of the global internal audit standards
The New Standards elevate quality from conformance to performance
The finalised Global Internal Audit Standards (Standards) were issued by The IIA on 9 January 2024, after a 90-day public consultation period last year. It will be effective 9 January 2025 and the updated Quality Assessment Review (QAR) Manual is expected to be ready by the fourth quarter of this year.
Previously, there were disparate callouts in the previous draft regarding internal audit functions (IAF) within the public sector; these have since been consolidated into a standalone chapter addressing the challenges faced by such IAFs.
The Standards have also been organised into 5 Domains, 15 Principles, and 52 Standards. For each Standard, there are requirements, considerations for implementation, and examples of evidence of conformance.
The structure and organisation vary significantly from the 2017 International Professional Practices Framework (IPPF) with the following key differences:
- The Standards do not differentiate between attribute standards and performance standards.
- The Standards make no distinction between consulting and assurance activities.
- The Standards appear to be much longer (120 pages) than the 2017 IPPF (25 pages). However, this is because implementation guidance has already been subsumed into the Standards.
- There is no clear distinction between mandatory and recommended elements. Instead, users should interpret the use of “must”, “should”, “may” in the Standards to establish what are the requirements vs best practices.
Some highlights of the Standards will be discussed in this article.
Internal Audit and the Public Interest
The Standards start with a devotion to internal audit (IA) and the public interest. It talks about how IA, when done right, contributes to an organisation’s ability to serve the public interest and foster public trust. This serves as an important reminder for us all to view our work not only in relation to the auditee, but also in terms of its broader societal impact and contribution to the greater good.
Internal Audit provides Foresight
The purpose statement then describes “Internal Audit… providing… foresight.” Long gone are the days when auditors can get by with just providing assurance on historical transactions. Telling an auditee that a Purchase Order from 15 months ago was not properly authorised is no longer deemed adequate value to a company with a fast changing risk landscape.
Years ago, the IA fraternity moved to agile auditing to audit risks that are more current to the organisation. We then started using data analytics to provide insights, and now, to ensure the continued relevance of IA, the Purpose Statement reminds us to provide foresight on what is needed in the future. We must upskill ourselves and stay ahead of the organisation in areas such as potential compliance risks, upcoming regulatory changes, and also advise on the risk implications of new businesses, processes and systems within the organisation which we serve.
The IAF Ecosystem
The Standards also recognise that an IAF’s effectiveness is not solely determined by the IAF itself; but is subject to the IAF’s ecosystem, including the Board, the Management, and other stakeholders, and has stipulated the roles played by these stakeholders.
For example, the 2017 IPPF stipulated that the “The Chief Audit Executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities”. However, the reporting line of the Chief Audit Executive (CAE) is often not within the control of the CAE. The Standards remove any ambiguity over the responsibility by clearly stating that “The Board establishes and protects the IAF’s independence and qualifications.”
Each IAF should examine the Standards’ requirements relating to its stakeholders in detail and document the necessary conversations highlighted in Domain 3 with the Board and Senior Management as soon as possible.
Two areas of documentations are particularly important:
Succession Planning for the CAE
A CAE, like all other employees, may resign or leave the organisation at any time. A good succession plan should always be in place to cater for such contingencies and involve consideration of the following:
- Identification of a suitable replacement candidate based on the skill sets of the CAE role and the skill sets of the candidate.
-
A gap analysis and corresponding training plan for the candidate.
-
A clearly defined arrangement for the candidate to be involved in key matters such that the candidate can take over the CAE role immediately should the current CAE becomes unavailable.
Impact on the QAR
The revised QAR manual is currently being drafted, and many aspects of how it will address the changes in the Standards are still unclear. However, there are a few areas for which the IAF can prepare itself for.
In terms of timing, the Standards is effective from 9 January 2025. For IAFs slated to have their QARs between now till early 2025, it is likely to have little impact as your QAR assessor should be assessing your IAF based on the 2017 IPPF. If your QAR is scheduled for the second half of 2025, your IAF should have a discussion with the Audit Committee on whether to complete the QAR earlier to allow for assessment based on the 2017 IPPF, or to delay until February 2026 onwards. This will enable your QAR assessor to assess your conformance with the Standards based on 12 months of IA activities.
Use of Self-Assessment with Independent Validation
It was stated in the previous draft Standards that “self-assessment with independent validation does not fully replace the requirement for the internal audit function to conduct external quality assessments. The self-assessment may be alternated with the external quality assessment once every ten years.”
The International Internal Audit Standards Board has since considered the feedback received, and the final Standards, specifically Standard 8.4, states that “the requirement for an external quality assessment may also be met through a Self-Assessment with Independent Validation”. However, the IAF must note that “when selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor designation”.
Other than the points discussed above, there are many other salient updates in the Standards that this article will not be able to cover. If you have any questions on the Standards and its implications, please do not hesitate to send your queries to IIA Standards at Standards@iia.org.sg.
Conclusion
At first glance, the Standards may appear very daunting with many differences from what we are familiar with. However, upon careful examination of the requirements, it becomes clear that these requirements are a mere reflection of what many IAFs have already been doing.
For more information on how we can support you, contact:
Nicodemus Tan
Partner
Governance, Risk and Sustainability
CA (Singapore), Fellow (IIA Singapore), CIA, CFSA, CRMA, CCSA
DISCLAIMER: The views and opinions expressed in this article are those of the author who is from the internal audit function. They do not represent the views and opinions of people or organisations that the author may or may not be associated with in professional or personal capacity unless explicitly stated.
This article was first published in the April 2024 issue of The Institute of Internal Auditors Singapore's newsletter.