Third, the CAE should consider inviting the chairs of the board and audit committee to attend an internal audit meeting, where they can meet the team, listen to the discussion, ask questions, and respond to questions from the team. This supports the conformance requirements and strengthens the relationship between the chair and the internal audit function.
Last, the Standards raise the issue of the board, audit committee, or senior management’s disagreement with one or more essential conditions. If this happens, the CAE must emphasize, with examples, how the absence of the conditions may affect internal audit’s ability to fulfill its purpose and mandate or conform with specific standards — and offer alternative solutions.
Engagement with key stakeholders — the board, audit committee, and senior management — helps drive conformance. It provides an opportunity to strengthen relationships and build support for internal audit.
Domain IV — Managing the Internal Audit Function. The CAE’s responsibility is to manage the internal audit function in accordance with the internal audit charter, mandate, and Standards. Stated simply, this domain describes the CAE’s job. One way to document and demonstrate conformance is by revising the CAE’s job description or creating an appendix to the job description that details the requirements. If it’s created as an appendix, the CAE could use it as a tool for the performance appraisal discussion with the chair of the board and audit committee.
To create a conformance culture for the internal audit function, CAEs must undertake several key steps:
- Document the internal audit strategy, including vision, strategic objectives, and supporting initiatives, along with minutes or correspondence from meetings with the board, audit committee, senior management, or other stakeholders where expectations were discussed. Reviewing Vision 2035 is a great starting point for this exercise.
- Create methodologies, policies, processes, and procedures to guide the internal audit function and enhance its effectiveness in a systematic and disciplined way, including a schedule of internal audit training and attendance records. Results of quality assessments should include an assessment of the effectiveness of methodologies.
- Provide documentation for all assurance provider roles — first and second lines — such as an assurance map and minutes detailing discussions with senior management and the board regarding coordination issues and how they were addressed.
- Document training plans that evidence completed training and assessments of the internal audit function’s and individual auditors’ performance.
- Identify performance objectives (both qualitative and quantitative), including input and expectations of the board, audit committee, and senior management. Performance objectives should advance desired outcomes and be balanced across outcome areas. Performance measures should be documented and reported to the board and senior management.
- Consider new technology resources. The CAE should work closely with the IT function. Documentation of a technology implementation plan evidencing the involvement of IT and security is a requirement.
- Track action plans for issues and improvement opportunities and communicate them to the board and senior management.
The new Standards focus not only on conformance but also on demonstrating performance and continuous improvement to ensure the highest quality internal audit services.
Domain V — Performing Internal Audit Services. Internal audit services involve providing assurance, advice, or both. This domain requires internal auditors to effectively plan engagements, conduct the engagement work to develop findings and conclusions, collaborate with management to identify recommendations or action plans that address the findings, and communicate with management and the employees responsible for the activity under review during and after the engagement.
Domain V reflects the working practices of most audit functions, so practices should already be in place to support conformance with the Standards. However, there are some steps that may be helpful to ensure conformance:
- Review and update the internal audit methodology, manuals, templates, training, and job descriptions.
- Ensure internal audit has a straightforward approach to developing recommendations and agreeing actions with management.
- Explore with stakeholders different ways to format audit reports (e.g., using tools such as Power BI and Tableau to produce dashboards and easy-to-read and understandable communications).
- Create a tiered approach to follow up on audit actions, ensuring higher-risk items receive prompt attention.
- Create a framework for risk acceptance when management chooses not to implement a recommendation. The potential consequences of the acceptance of risk may go beyond the area under review and impact the organization.
The Clock Is Ticking
The Global Internal Audit Standards are designed to elevate the quality of internal audit services, empowering auditors through a strong mandate and charter, while also enhancing governance by fostering a trust-based relationship between the CAE and the board or audit committee, and senior management. This positions internal audit to provide independent, objective assurance and efficient, impactful insight and foresight that aligns with organizational goals. As the January deadline approaches, CAEs who use the remaining time strategically will be better equipped to fully conform with the new Standards, demonstrating their commitment to raising the bar for internal audit functions.