Following a consultation phase, the Institute of Internal Auditors (IIA) published the Global Internal Audit Standards (hereinafter: Standards) on 9 January 2024. These are to be applied accordingly by Internal Audit from 2025.
The "International Standards for the Professional Practice of Internal Auditing" (IPPF) from 2017 will thus be replaced. The standards represent a further development of internal audit practice and have an impact on the working methods of internal audit, interaction with stakeholders and, in particular, other corporate governance functions.
The standards at a glance
The standards are divided into five domains with 15 principles and a further 52 concrete requirements as well as considerations for implementation and examples.
The five domains are:
- Objectives of internal auditing
- Ethics and professionalism
- Governance of internal audit
- Management of internal audit
- Provision of auditing services
Mark Frederik Schmidt
Senior Manager, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft
The standards are supplemented by the so-called "topical requirements". These are requirements of the IIA for currently eight known risk topics (including cyber security, sustainability/ESG, service provider management, information technology governance). The specifications for the "Topical Requirements" are currently being defined and concretised by the IIA in the consultation phase, which is expected to run until mid-2024. In response to the increasingly complex risk landscape of companies, they are to be included in audit activities where applicable.
Relevant changes to the Global Internal Audit Standards include, for example:
- Binding requirements for the (further) development of an audit mission statement and an audit strategy for the first time
- Greater involvement and need for interaction between internal audit and the management/supervisory body and recommendation of the reporting line to the CEO
- Understanding the risk map of the entire organisation and the audits of the risk management function
- Increased use of data analytics & tools in audit activities
- Clarification of the requirements for reporting and communicating findings
- Specification of the information protection requirements
- Greater focus on measuring the performance of auditing activities
- Increased requirements for external quality assessments
What is important for a successful implementation
A number of measures are necessary for organisations to ensure compliance with the new IIA Global Internal Audit Standards. This process is also a suitable opportunity for internal audit organisations to question and adjust their existing audit system in line with the new requirements and to strengthen the focus on added value and stakeholder needs. In this context, we recommend the following three-stage approach:
Analyse the new requirements and standards
- Analyse the Global Internal Audit Standards and derive relevant changes
- Classify the necessary adjustments, taking into account the current status quo of the individual internal audit system
- Create a roadmap for the implementation of relevant adjustments
Implementation and transformation
- Deriving work packages and priorities
- Involving the relevant stakeholders
- Releasing and implementing the requirements
- Monitoring the implementation
Communication and training
- Communication with the relevant stakeholders about the changes
- Training of audit staff on the application of the new standards
The type and scope of measures required to comply with the new standards can vary significantly depending on the size of the audit organisation and the sector in which it operates.
A certain level of capacity within Internal Audit is required to derive and coordinate measures with the relevant stakeholders and to effectively implement the new standards. This should be taken into account as an audit project in the 2024 audit planning. In addition, an audit review can be carried out as a kind of "dry run" in 2024 in order to practise applying the new standards.
Outlook: External quality assessment
Conformity with the IIA Global Internal Audit Standards is an integral part of the high quality standards for internal audit activities.
This is also reflected in an external assessment of the internal audit system in accordance with DIIR Auditing Standard No. 3 or IDW PS 983, which remains mandatory at least every five years. The new standards will also be incorporated here. In this respect, the new standards will change the quality assessment requirements and thus the target object for internal audit functions after a transition phase.
In this context, carrying out a gap assessment on the new standards as part of an external quality assessment in 2024 may well make sense.
Conclusion
The need to share information and collaborate intensively across functions in the interests of efficient corporate governance cannot be overlooked - not least because compliance is a cost factor.
The new standards offer a good opportunity to further develop internal auditing, to further intensify interaction with stakeholders and to strengthen the integration of governance, risk and compliance systems while maintaining independence and objectivity. The following measures are recommended in this context:
- Discussion with management and the supervisory body about their expectations, the mission statement and the strategic contribution of internal audit to supporting the corporate vision, safeguarding corporate values and increasing resilience
- Discussion of the company-wide risk map and the analysis and management of these (new) risks by risk management
- Use of tools, technology and data & analytics to generate added value in audit activities
- Clear commitment to high quality standards in internal auditing
- Training & further development of audit staff
The extent and maturity of corporate governance and, in particular, internal auditing varies depending on the sector and size of the company.
In conclusion, it can be said that the IIA's new Global Internal Audit Standards will have a considerable impact on the interaction and working methods of internal audit - with a clear commitment to audit quality, dealing with relevant corporate risks, technology and data & analytics as well as increasing integration of the GRC function and interaction with the relevant stakeholders such as management and the supervisory body.