A summary of the major themes and key changes announced.
In March 2023, the Institute of Internal Auditors (IIA) released the Proposed Standards for public comment until May 30, 2023. The IIA has long communicated its overall goal to refresh the Global Internal Audit Standards (Standards) to provide enhanced guidance to ensure value, quality, and effectiveness of the profession’s services. The Standards apply to internal audit departments globally, regardless of purpose, size, complexity or structure, and are designed to provide guidance to internal audit functions operating at all levels of maturity.
While there are many structural improvements in the Proposed Standards, including the provision of implementation guidance for each Standard and the consolidation of the various Standard supporting documents into a single document, they also represent a shift for the internal audit (IA) profession. They are organized into five domains: Purpose of Internal Auditing; Ethics and Professionalism; Governing the Internal Audit Function; Managing the Internal Audit Function; and Performing Internal Audit Services. We have summarized the three foundational themes and key changes that would impact various IA functions should the Proposed Standards be implemented.
According to the Proposed Standards, the IA function should only rely on management's knowledge of the risks and controls, including the risk universe, if it has determined that the organization's risk management process is effective. Before executing projects on the annual plan, IA may need to assess and/or audit the organization's integrated assurance function.
The Proposed Standards mandate the following strategies for the Board to demonstrate its backing and involvement: sessions held in public and private to talk about the overall IA plan, personnel and information access, and talent and technological resources; ensuring that the CAE reports administratively to the proper level within the organization, specifically one that permits the IA to carry out its duties free from management interference; and ensuring there is an escalation process to communicate unmitigated risks to the Board.
Within each domain, the Proposed Standards continually highlight the use of technology to better position IA as drivers of value. To help build technology into all areas of the IA function, the Proposed Standards require a regular assessment of technology during resource and budget discussions.
Although many of the changes within the Proposed Standards focus on foundational elements of the profession, IA departments may find themselves equally impacted by other key changes if the Proposed Standards are implemented:
Although many IA departments have charters and high-level methodologies for their function, the Proposed Standards are more prescriptive and outline specific methodologies and policies to be documented. In addition, the Proposed Standards require appropriate training on all policies and evidence of compliance with the policies.
The Proposed Standards require IA departments to issue a rating or ranking, or other indication of priority/significance, for individual findings as well as the overall audit. Current Standards require IA to communicate the findings and results of the audit, but do not require a rating, ranking, or other indication of priority/significance.
Although not mandated, the Proposed Standards recommend IA departments report administratively to the CEO to reach a level of authority appropriate to challenge management on assumptions and operations. The Proposed Standards further state IA functions can achieve the same objective by implementing appropriate safeguards.
The Proposed Standards allow a self-assessment with independent validation once every ten years, alternating with a full external assessment. A full external assessment is always permitted to satisfy this requirement. Further, the Proposed Standards require that at least one member of the assessment team be an active Certified Internal Auditor and all team members be trained through the IIA’s external quality assessment training.
Evidence of conformance with the organization’s information protection policies is required by the Proposed Standards, including acknowledgment from internal auditors of their understanding. Depending on the maturity of a CAE’s organization’s information protection policies, the CAE may need to create supplemental material to educate and inform the IA department of all appropriate requirements.
While current Standards require internal auditors to have the requisite knowledge needed to conduct an audit, the Proposed Standards require 20 hours of continuing professional development training. CAEs would need to consider this new requirement when planning departmental training budgets for the year.
Read our paper for more information about the foundational themes and important changes outlined in the Proposed Standards:
IIA's Proposed Standards