The Institute of Internal Auditors (IIA) released the 2024 Global Internal Audit Standards (Standards) on January 9, 2024. The Standards are the main component of the International Professional Practices Framework (IPPF).

The Standards will be effective from 9 January 2025, which provides an opportunity for Internal Audit (IA) functions to reflect on current practices. The 2017 Standards remain effective during the one-year transition period. Whilst much of the Standards may seem familiar, the increased specificity and rigor of the Standard requirements are intended to enhance IA functions.

The Standards clearly reflect the considerable feedback the IIA received during its consultation process after the release of the draft Standards in March 2023. While the draft Standards were widely considered to be too prescriptive and difficult to implement, especially for smaller IA functions, many of the ‘must’ have elements contained in the draft 2023 Standards have been moved into the ‘Considerations for Implementation’ sections of the Standards, thus providing more flexibility to Chief Audit Executives (CAEs) in how they implement the Standards.

Below, our Risk and Regulatory team provides an overview of the significant structural and content changes to the Standards and suggests next steps for IA functions on how to meet the requirements of the Standards.

Significant structural changes

The Standards combine into one document the five mandatory components of the 2017 IPPF (Mission of Internal Audit, Definition of Internal Auditing, Core Principles for the Professional Practice of Internal Auditing, Code of Ethics, and Standards) as well as one of the recommended non-mandatory elements, the Implementation Guidance. These will no longer exist as separate components. The 2017 IPPF was considered fragmented and duplicative, while the new Standards are a more unified document.

As set out below, the Standards comprise five Domains, 15 Principles and 52 supporting Standards. Each Standard contains Requirements, Considerations for Implementation, and Examples of Evidence of Conformance.

[Figure: IIA’s International Professional Practices Framework]

The Standards are no longer divided into ‘attribute’ and ‘performance’ categories (Standard 1000 and 2000 series, respectively) and do not contain ‘Interpretations’ as a separate section of the Standard.

The Standards do not differentiate between assurance and advisory (formerly consulting) projects, and both are incorporated into the main body of the Standards. Requirements for ad hoc and advisory projects are now similar to risk-based assurance audits with limited exceptions.

In addition to the Standards, the other mandatory component of the IPPF is ‘Topical Requirements’ which will cover topics such as Cybersecurity, Environmental, Social & Governance (ESG), and Third-party Management. While the Draft Cybersecurity Topical Requirement has been released, the remainder are expected during 2024.

It is important to note that the issuance of the ‘Topical Requirements’ is not a directive for all IA functions to audit those areas immediately, but rather they are additional requirements to be followed when the IA function chooses to review that subject area.

The one non-mandatory section of the IPPF is the IIA’s ‘Global Guidance’ which includes non-mandatory information, advice and best practices for performing engagements.

The IPPF also provides guidance on applying the global Standards in smaller and public sector IA functions.

Content changes

While not an exhaustive list, we have set out some of the more significant updates and/or changes from the 2017 Standards:

Domain III, ‘Governing the Internal Audit Function’, which encompasses Standard 6.1 through 8.4, specifies what the CAE must do to support the Board and Senior Management to perform necessary oversight responsibilities for an effective IA function.

Each of the Standards in Domain III defines ‘Essential Conditions’ for the Board and Senior Management that must be present for the IA function to be able to meet its mandate and fulfil the Purpose of Internal Auditing.

The responsibility rests with the CAE to provide and discuss with the Board and Senior Management the information necessary for oversight of the IA function.

KPMG Insight:

While many IA functions may already have processes and supporting documented evidence in place to demonstrate compliance with the Board ‘Essential Conditions’ requirements, many IA functions may currently struggle to demonstrate compliance with the Senior Management ‘Essential Conditions’ requirements.

The Domain also outlines how any disagreement on ‘Essential Conditions’ of the Board and/or Senior Management should be managed.

The CAE is now required to develop and implement an IA strategy (Standard 9.2) that supports the strategic objectives and success of the organisation and aligns with the expectations of the Board, Senior Management, and other key stakeholders.

This includes the development of a vision, strategic objectives, and supporting initiatives for the IA function.

Standard 9.5 requires the CAE to coordinate with internal and external providers of assurance services and consider relying on their work. While the 2017 Standards said the CAE ‘should’ coordinate with internal and external providers, the new Standards say the CAE ‘must’. Standard 9.5 also includes the new stipulation that the CAE must report to the Board and Senior Management when they are unable to achieve an appropriate level of coordination.

Standard 11.1 requires the CAE to develop an approach for the IA function to build relationships and trust with key stakeholders. Guidance suggests surveys, interviews, and workshops, as well as ongoing informal interactions with the organisation’s employees.

The CAE must establish objectives to evaluate the IA function’s performance (Standard 12.2). The Consideration for Implementation section lists example Key Performance Indicators (KPIs) to be considered when implementing the Standard.

The objectives/KPIs should form part of the CAE’s performance measurement methodology, which must also include development of an action plan to address issues and opportunities for improvement.

  • The 2017 Standards required essential communication of engagement findings and results but did not require rankings or ratings. While the new Standards do not require an overall report rating, there is now a requirement to include ‘an engagement conclusion that summarises the engagement conclusion results relative to the engagement objectives and management's objectives’ (Standard 14.5). Engagement findings must be prioritised based on each individual level of significance (Standard 14.3). Ratings/rankings are not required but are recommended in the Consideration for Implementation section as a better practice. However, it is required that the ranking is based on methodologies established by the CAE.
  • Standard 14.3 requires Internal Auditors to collaborate with Management to identify root causes of engagement findings when possible.

The Standards continually highlight the use of technology to better position IA as drivers of value. To help build technology into all areas of the IA function, Standard 10.3 requires the CAE to ensure that the IA function has technology to support the IA process by regularly evaluating the technology employed to continuously identify opportunities for improvement and to engage with the organisation’s IT and cyber security functions.

IA functions still require an EQA to be completed every five years. However, now one member of the independent EQA assessment team must be an active Certified Internal Auditor.

Where to start

01. Familiarise yourself with the Standards.
02. Perform a gap assessment of your procedures and methodologies to ascertain the changes required to current activities.
03. Develop an action plan for implementing required changes to current activities.
04. CAEs will then need to communicate and provide training to their IA team on both the changes in the Standards and how this will impact them in performing their role.
05. CAEs should organise a meeting with their Board and Senior Management to discuss the ‘Essential Conditions’ set out in the Standards.

How can KPMG help?

In 2024, IA functions will experience a period of transformation as they integrate the 2024 Global Internal Audit Standards into their processes. If you want to stay ahead of the curve and prepare for compliance with these Standards by January 9, 2025, a gap assessment is essential.

Our team at KPMG has the expertise to assist you in understanding and integrating these Standards into your department, enabling your team to stay focused on the audit plan for the year. Allow us to guide you through this process and make it efficient for your department. If interested, please reach out to us.