Articles Katleen Seeuws, CIA, CRMA, CGAP, CFE Feb 05, 2024
The Standards are part of a new, broader framework that clarifies the internal auditor’s mission, elevates the profession, and better tells its story.
The release of the new Global Internal Audit Standards last month is the culmination of years of work by dedicated individuals from around the world. This journey involved IIA global affiliates and more than , internal audit practitioners, volunteers, IIA staff members, and stakeholders — all of whom came together to reimagine the many elements of The IIA’s International Professional Practices Framework (IPPF).
The IIA has never undertaken a revision of this magnitude, and the process required agility, collaboration, and external engagement. The International Internal Audit Standards Board (IIASB), the architect of the new Standards, gathered input via surveys, webinars, roundtables, and Global Assembly meetings. The IIASB also consulted with regulators and other standards-setting bodies for benchmarking. The entirety of the internal audit community, as well as external stakeholders, were invited to review and comment on a draft of the Standards.
Today, internal auditors have an exemplary set of professional Standards. The Standards are part of a new, broader framework that doesn’t reinvent the profession; instead, it clarifies the internal auditor’s mission, elevates the profession, and better tells its story.
The update of the framework, which came to be known as the “IPPF Evolution,” is, indeed, an evolution. The structure of the previous IPPF came together over time, and its elements were not well-integrated. The new IPPF has a completely new structure that is user-friendly and logical, with all elements contained within three components: the Global Internal Audit Standards, Global Guidance, and the new Topical Requirements (see “An IPPF Evolution”).
The Global Internal Audit Standards. Within the new Standards, all the former elements of mandatory and implementation guidance are integrated into five domains: Purpose, Ethics & Professionalism, Governing, Managing, and Performing (see “The 5 Domains: A Deep Dive”). Beneath this level, the 52 standards are categorized within 15 Principles. Within each standard, all requirements, considerations for implementation, and examples of evidence of conformance are integrated and in one place. The numbering system and order of the Standards were completely changed and are now better organized and easy to use.
In addition to being structured differently, the new Standards raise the bar for the internal audit profession, a recognition of how the profession has matured over the years. There has been a huge shift from compliance to performance; quality is defined within the new Standards as conformance plus performance. Internal audit functions are no longer just complying with the standards; they are continuously enhancing their own performance.
The new Standards also clarify board and management responsibilities. Governance structures, mutual expectations between the board and the CAE, and the relationship between the CAE and the board are much more explicit. The new Standards empower the CAE to work more effectively with the board (see “Domain III: Strengthening Governance”).
Raising the bar for the internal audit profession also involves raising the profile of the profession, itself. The Standards need to serve the public interest. That’s why Domain I, Purpose of Internal Auditing, provides a clear explanation to the outside world of what internal auditing is and how it adds value to organizations. Internal auditing plays an important role in enhancing an organization’s ability to serve the public interest, as its effects go beyond the organization’s boundaries.
Launching the Standards involved the input and dedication of many. On March 1, 2023, the Standards draft was opened for public comment. Practitioners responded to nine mandatory questions, but they also were able to provide additional comments on any level and section of the framework. Over the nearly four-month exposure period, The IIA received more than 1,600 survey replies — yielding nearly 19,000 comments — as well as feedback from more than 140 stakeholder groups and over 60 written letters.
The IIA team ran quantitative and qualitative statistical analyses on the comments and the responses to the nine mandatory questions to determine trends in the feedback and the overall level of agreement with the new Standards. The findings revealed most respondents were satisfied with the structure and general content of the draft.
Next, every comment was read and categorized. This was no easy feat, as the comments arrived in many different languages — the draft was available in 23 languages.
The next step was organizing the comments into themes. Working groups, comprising IIASB members and IIA staff, reviewed and discussed the comments and themes and reported their decisions to the full IIASB every two weeks. The groups also met in person twice: once in Amsterdam at the International Conference and once at IIA headquarters.
Each IIASB member had the opportunity to comment and vote on every theme — and on a more detailed level. Board decisions were put forward once more to the working groups to determine whether any issues still needed to be resolved.
Throughout the entire comment and review period, the IPPF Oversight Council, which includes representatives from the International Federation of Accountants, Organisation for Economic Co-operation and Development, World Bank, National Association of Corporate Directors, International Organization of Supreme Audit Institutions, and the Global Network of Director Institutes, was involved. The Council evaluated and advised on the standard-setting process adopted by the IIASB and ensured the due process was followed.
Global Guidance. Global Practice Guides and Global Technology Audit Guides will still exist as recommended guidance in the new IPPF. These elements allow for more in-depth exploration of internal audit practices and subjects, as well as closely considering challenges, legislation, and regulations around the world.
Topical Requirements. New to the Standards, the Topical Requirements will cover governance, risk management, and control processes for specific audit subjects. Although the requirements are still under development, potential topics include cybersecurity, sustainability, fraud, and third-party management.
The requirements are designed to enhance the consistency and quality of internal audit services in the related audit subjects and to support internal auditors performing engagements in those risk areas. Internal auditors must conform with the relevant requirements when the scope of an engagement includes one of the identified topics.
New Topical Requirements will be added as areas that internal auditors regularly work with come into maturity. Internal auditors can expect to see emerging topics addressed first in IIA research and thought leadership, later in guidance, and finally, as Topical Requirements when the area is stable and mature.
The new Standards will take effect in January 2025, 12 months after their issuance. This will give internal audit functions around the world time to study them and conduct a gap analysis to determine where they may fall short. The Standards will be available in at least 23 languages.
Internal audit functions undergoing an external quality assessment before the Standards go into effect will be assessed using the 2017 Standards, unless they opt to be assessed against the new Standards. Audit functions undergoing an external assessment after the Standards go into effect will need to comply with the new Global Internal Audit Standards.
For those functions that are less mature, or in very specific situations, there is a way to explain why they cannot comply with some part of the new Standards. This explanation will be assessed for validity during the external assessment.
To help internal auditors everywhere prepare, The IIA will be conducting webinars, presentations, and training on the changes and how to implement them throughout 2024. These opportunities will be available online, at conferences, as well as at the affiliate and chapter levels.
Looking further out, in 2025, The IIA will update the Certified Internal Auditor exam and study materials to include the new Standards. As the profession evolves, The IIA will continue to assess the need for updating the Standards and for developing additional guidance to support internal auditors in delivering high-quality audit work.
The IPPF journey was undertaken to elevate the Standards and, in doing so, to elevate the internal audit profession and its impact. Everyone who participated in this laudable effort is to be congratulated. The journey to this moment was a long one, but one that was well worth it. The new Global Internal Audit Standards will positively affect internal auditing for decades to come.
Learning Resources: