A summary of the major themes and key changes announced.
In January 2024, the Institute of Internal Auditors (IIA) issued the Global Internal Audit Standards (the Standards) with implementation required by January 9, 2025. The previous version, the International Standards for the Professional Practice of Internal Auditing, released in 2017 (the 2017 Standards), remains approved for use during this transition period.
We have summarized the foundational themes and key changes that would impact various IA functions should the Proposed Standards be implemented.
In addition to a number of smaller changes throughout the new Standards, the areas below represent the more significant updates to the 2017 Standards:
1. Essential Conditions for the Board and Senior Management
Domain III “Governing the Internal Audit Function,” which encompasses Standards 6.1 through 8.4, specifies what the CAE must do to support/encourage the board and senior management to perform necessary oversight responsibilities for an effective IA function. Each of these Standards defines “Essential Conditions” for the board and senior management that should be present for the IA function to be able to meet its mandate and fulfill the Purpose of Internal Auditing. The responsibility rests with the CAE to provide and discuss with the board and senior management the information necessary for oversight of the IA function.
2. Internal Audit Strategy
Standard 9.2 requires the CAE to develop and implement a strategy for the IA function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.
3. Integrated Assurance and the Internal Audit Plan
Standard 9.4 requires that the IA plan be based on a documented assessment of the organization’s strategies, objectives and risks. This assessment must be informed by … the CAE’s understanding of the organization’s governance, risk management and control processes and must be performed at least annually. The Considerations for Implementation state the IA function should only rely on management’s information about risks if IA has concluded that the organization’s risk management processes are effective. Practically speaking, this seems to indicate that IA should perform a review of the 2nd line ERM function (if applicable) to reach a conclusion. If ERM reports through IA, an external review of ERM would need to be performed to preserve objectivity.
Standard 9.5 requires the CAE to coordinate with internal and external providers of assurance services and consider relying on their work. Coordination of services minimizes duplication of efforts and highlights gaps in coverage of key risks.
4. Report and Findings Ratings
The 2017 Standards noted that IA must communicate the findings and results of its work but did not require rankings and ratings. The new Standards do not require an overall report rating, but do require “an engagement conclusion that summarizes the engagement results relative to the engagement objectives and management’s objectives…” (Standard 14.5). Individual engagement findings must be prioritized based on significance (Standard 14.3). Ratings/rankings are not required but are recommended in the Considerations for Implementation section as a better practice.
Practically speaking, it seems that if IA chooses not to include any rating/ranking/overt prioritization of findings in each report, they could simply take the approach “if an engagement finding is included in the report, then it is deemed important” as their method of prioritizing findings. They would still need some type of overall engagement conclusion, but it wouldn’t have to be an actual rating.
5. Enhanced Requirements for External Quality Assessments
Consistent with the 2017 Standards, the new Standards require an external quality assessment to be performed every five years, which can be accomplished via self-assessment with independent validation, if desired. The new Standards require that at least one member of the assessment team be an active Certified Internal Auditor.
In 2024, internal audit departments will experience a period of transformation as they integrate the 2024 Global Internal Audit Standards into their processes. If you want to stay ahead of the curve and prepare for compliance with these standards by January 9, 2025, a gap assessment is essential. Our team at KPMG has the expertise to assist you in understanding and integrating these standards into your department, enabling your team to stay focused on the audit plan for the year. Allow us to guide you through this process and make it efficient for your department. If interested, please reach out to us.