Ready to Conform

Articles Liz Sandwith, CFIIA Oct 07, 2024

The Standards introduce several important elements, including essential conditions, implementation considerations, examples of conformance evidence, a focus on performance alongside conformance, a requirement for continuous improvement, and upcoming topical requirements that will address specific risk areas. The 12-month transition period for internal audit functions to update their methodologies and demonstrate conformance with the new Standards will end on Jan. 9, 2025. CAEs must use the time that remains to ensure a seamless transition.

Assess Internal Audit’s Current Position

Before implementing any changes, it’s crucial to understand where the organization’s internal audit function currently stands. CAEs can start by conducting a gap analysis to help create an action plan that can be shared with the board, audit committee, and senior management. The plan should be supported by key stakeholders and enable internal audit to amend its working practices and develop a methodology to meet the January deadline. “Conducting a Gap Analysis” on this page provides resources to assist with this step.

The results of internal audit’s last external quality assessment also should be revisited. These results, in conjunction with the gap analysis, can help determine where the audit function currently is and where it needs to be by January to achieve conformance.

Conducting a Gap Analysis

The IIA has published two tools that can aid in conducting a gap analysis:

  • Two-way Mapping, which maps the 2017 IPPF Standards to the 2024 Standards. 
  • Conformance Readiness Assessment Tool, which identifies the significant changes between the requirements of the 2017 IPPF and the 2024 Standards to help CAEs and their teams implement the new Standards.

Implement the Five Domains

The Standards are organized into five domains that can be followed to help drive conformance and improve the quality of internal audit services. 

Domain I — Purpose of Internal Auditing. This domain articulates the value of internal auditing and serves as the “elevator pitch” for the function. Its purpose should be embedded in everything internal audit does, from including it as part of an email signature, to board communications and audit committee papers, to using it as a reference in each audit engagement. It helps reinforce internal audit’s purpose across the organization and within the function itself.

Domain II — Ethics and Professionalism. While there is no longer a separate Code of Ethics, conformance with the principles and standards of Domain II instills trust in the internal audit profession, creates an ethical culture within the audit function, and provides the basis for reliance on internal auditors’ work and judgment.

Within this domain, The IIA suggests CAEs create a clear outline of behavioral expectations for internal audit that instills trust in its work; a framework for training, development, and guidance; a basis for developing an ethical culture across the team; and criteria when handling ethical issues within the internal audit function. Read “Domain II: Demonstrating Conformance” for additional suggestions.

Domain II places objectivity in the realm of ethical and professional behavior of internal auditors, while independence is rightly separated into Domain III.

Domain III — Governing the Internal Audit Function. Appropriate governance arrangements are essential for the audit function to be effective. Domain III outlines the requirements for the CAE to work closely with the board, audit committee, and senior management to establish the function, position it independently, and oversee its performance.

Previously, the Standards only referred to the charter. The new Standards describe a mandate that details internal audit’s authority, roles, and responsibilities. The mandate should be developed with the board and audit committee, along with senior management’s agreement to support it (refer to The IIA’s recently published Model Internal Audit Charter Tool and User’s Guide). It changes the relationship between the CAE and the board chair and audit committee by creating a two-way communication process. It also adds the element of senior management involvement and ongoing support for internal audit.

How to demonstrate conformance to this domain is a recurring question, with many requirements being new. First, conversations between the chairs of the board and audit committee and the CAE need to be documented. This can be done via an email to the chairs confirming the conversation, what was discussed, any actions to be taken, and who owned the actions.

Second, the CAE needs to review the board and audit committee meeting minutes to ensure that the conversations have been recorded accurately. For example, the minutes need to reflect the questions asked by the board and audit committee and the CAE’s response.

Domain II: Demonstrating Conformance

Internal audit teams can demonstrate conformance by focusing on four elements: 

  1. Training Plan. Create a training plan that links to the annual staff development element of the performance appraisal process and to the risk-based plan to ensure the internal audit function can deliver the plan.
  2. Ethics Documentation. Document evidence of internal auditors’ attendance at or participation in ethics education and training. This documentation should be signed by individual internal auditors acknowledging their understanding of, and commitment to, following the organization’s ethics policies and procedures. For example, consider using technology to demonstrate a team meeting where the required training was delivered and an attendance record was kept.
  3. Stakeholder Feedback. Standard 1.1, Honesty and Professional Courage, is not an easy standard to demonstrate conformity with. Consider using stakeholder feedback surveys and annual performance appraisal conversations to discuss honesty and professional courage. The CAE’s regular conversations with stakeholders may help ensure the internal audit function is demonstrating honesty and courage when “speaking truth to power.”
  4. Professional Skepticism. Standard 4.3, Professional Skepticism, addresses critically assessing and evaluating information. Workpapers need to identify an internal auditor’s approach to evaluate and validate information gathered during an engagement. This will be demonstrated as part of the day-to-day supervision requirement of the quality assurance process as detailed in Standard 12.1, Internal Quality Assessment. 

Third, the CAE should consider inviting the chairs of the board and audit committee to attend an internal audit meeting, where they can meet the team, listen to the discussion, ask questions, and respond to questions from the team. This supports the conformance requirements and strengthens the relationship between the chair and the internal audit function.

Last, the Standards raise the issue of the board, audit committee, or senior management’s disagreement with one or more essential conditions. If this happens, the CAE must emphasize, with examples, how the absence of the conditions may affect internal audit’s ability to fulfill its purpose and mandate or conform with specific standards — and offer alternative solutions. 

Engagement with key stakeholders — the board, audit committee, and senior management — helps drive conformance. It provides an opportunity to strengthen relationships and support of internal audit.

Domain IV — Managing the Internal Audit Function. The CAE’s responsibility is to manage the internal audit function in accordance with the internal audit charter, mandate, and Standards. Stated simply, this domain describes the CAE’s job. One way to document and demonstrate conformance is by revising the CAE’s job description or creating an appendix to the job description that details the requirements. If it’s created as an appendix, the CAE could use it as a tool for the performance appraisal discussion with the chair of the board and audit committee.

To create a conformance culture for the internal audit function, CAEs must undertake several key steps:

  1. Document the internal audit strategy, including vision, strategic objectives, and supporting initiatives, along with minutes or correspondence from meetings with the board, audit committee, senior management, or other stakeholders where expectations were discussed. Reviewing Vision 2035 is a great starting point for this exercise. 
  2. Create methodologies, policies, processes, and procedures to guide the internal audit function and enhance its effectiveness in a systematic and disciplined way, including a schedule of internal audit training and attendance records. Results of quality assessments should include an assessment of the effectiveness of methodologies. 
  3. Provide documentation for all assurance provider roles — first and second lines — such as an assurance map and minutes detailing discussions with senior management and the board regarding coordination issues and how they were addressed.
  4. Document training plans that evidence completed training and assessments of the internal audit function’s and individual auditor’s performance.
  5. Identify performance objectives (both qualitative and quantitative), including input and expectations of the board, audit committee, and senior management. Performance objectives should advance desired outcomes and be balanced across outcome areas. Performance measures should be documented and reported to the board and senior management. 
  6. Consider new technology resources. The CAE should work closely with the IT function. Documentation of a technology implementation plan evidencing the involvement of IT and security is a requirement.
  7. Track action plans for issues and improvement opportunities and communicate them to the board and senior management.

The new Standards focus not only on conformance but also on demonstrating performance and continuous improvement to ensure the highest quality internal audit services.

Domain V — Performing Internal Audit Services. Internal audit services involve providing assurance, advice, or both. This domain requires internal auditors to effectively plan engagements, conduct the engagement work to develop findings and conclusions, collaborate with management to identify recommendations or action plans that address the findings, and communicate with management and the employees responsible for the activity under review during and after the engagement. 

Domain V reflects the working practices of most audit functions, so practices should already be in place to support conformance with the Standards. However, there are some steps that may be helpful to ensure conformance:

  1. Review and update the internal audit methodology, manuals, templates, training, and job descriptions. 
  2. Ensure internal audit has a straightforward approach to developing recommendations and agreeing actions with management. 
  3. Explore with stakeholders different ways to format audit reports (e.g., using tools such as Power BI and Tableau to produce dashboards and easy-to-read and understandable communications). 
  4. Create a tiered approach to follow up on audit actions, ensuring higher-risk items receive prompt attention. 
  5. Create a framework for risk acceptance when management chooses not to implement a recommendation. The potential consequences of the acceptance of risk may go beyond the area under review and impact the organization. 

The Clock Is Ticking

The Global Internal Audit Standards are designed to elevate the quality of internal audit services, empowering auditors through a strong mandate and charter, while also enhancing governance by fostering a trust-based relationship between the CAE and the board or audit committee, and senior management. This positions internal audit to provide independent, objective assurance and efficient, impactful insight and foresight that aligns with organizational goals. As the January deadline approaches, CAEs who use the remaining time strategically will be better equipped to fully conform with the new Standards, demonstrating their commitment to raising the bar for internal audit functions.

Liz Sandwith, CFIIA

Liz Sandwith is managing partner, Sandwith Internal Audit Services in Leeds, U.K., and a former member of The International Internal Audit Standards Board.