Deloitte’s Center for Board Effectiveness has released Governing a relevant, effective, and valued internal audit function, a publication in its On the Audit Committee’s Agenda series. This paper provides an overview of the Institute of Internal Auditors' new Global Internal Audit Standards (IIA Standards) and offers suggestions for how audit committees can support their implementation. In Deloitte’s view, “For audit committees, understanding the new Standards and their implications is crucial to helping ensure that their organization is leveraging the internal audit function effectively. By staying informed and proactive, audit committees can help their organizations navigate the complexities of the new Standards and achieve greater value from their internal audit activities.”
The Global International Audit Standards
The IIA released the new Standards on January 9, 2024, and they will become effective on January 9, 2025. The IIIA Standards guide the professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. There are fifteen Standards organized into five Domains (I: Purpose of Internal Auditing, II: Ethics and Professionalism, III: Governing the Internal Audit Function, IV: Managing the Internal Audit Function, and V: Performing Internal Audit Services).
Domain I is not linked to any of the 15 standards. Domains II through V each consist of Principles (broad descriptions of a related group of requirements and considerations applicable to the domain) and between three and five Standards. Each Standard includes Requirements (mandatory practices for internal auditing), Considerations for Implementation (common and preferred practices to consider when implementing the requirements), and Examples of Evidence of Conformance (ways to demonstrate that a Standard’s Requirements have been implemented).
Attributes of an Effective Internal Audit Function
Deloitte’s paper distills the IIA Standards into ten attributes that “demonstrate an effective internal audit function and promote internal audit activities being conducted with a high level of professionalism, consistency, and quality.”
Independence and Objectivity. Internal audit should be independent of the activities it audits. Typically, internal audit has a direct reporting line to the audit committee. Internal auditors must maintain an unbiased mindset and avoid conflicts of interest.
Governance and Oversight. The internal audit function should have a strong governance framework including a clear mandate and support from the audit committee and senior management.
Competence and Professionalism. Internal auditors should possess the required qualifications, skills, and experience and participate in ongoing training and professional development.
Risk-Based Approach. “Internal audit activities should be prioritized based on a comprehensive and dynamic risk assessment, focused on addressing the most significant risks of the organization and aligned with the organization’s strategic objectives and risk profile.”
Balance of Assurance and Advisory Services. Internal audit should provide both assurance and advice. A balanced approach to these two functions combines “the thoroughness of assurance services with the forward-looking perspective of and insights from advisory services.”
Resilience. “The internal audit function should be adaptive and agile, capable of responding to changes in the organization’s risk profile and external environment.”
Use of Technology. Technology and digital capabilities enhance the efficiency and effectiveness of internal audit activities.
Effective Communication and Reporting, With a Focus On Value. “Internal audit reports should provide valuable insights and recommendations to management and the audit committee. Reporting should be clear, concise, and actionable.”
Quality Assurance And Improvement. The internal audit function should have a robust quality assurance and improvement program in place, including both internal and independent external assessments.
Adherence to Ethical Standards. Integrity and objectivity in internal audit activities help establish trust among stakeholders. Internal auditors should adhere to a code of ethics that promotes integrity, confidentiality, and professional behavior.
Essential Activities of the Audit Committee and Senior Management
Domain III addresses the governance of the internal audit function. Each Standard in Domain III includes essential conditions for board (i.e., the audit committee) and management support of effective internal audit. The chief audit executive (CAE) should discuss with the audit committee and senior management the importance of the essential conditions and “gain alignment” around fulfilling these conditions or understand the potential impact if there is disagreement about the essential conditions. The essential conditions in Domain III that are specific to the board/audit committee are:
Governance framework. Audit committees should ensure that the internal audit function has a clear mandate and safeguard the function’s independence and objectivity.
Resource allocation. Audit committees should collaborate with senior management to provide adequate resources to the internal audit function and invest in continuous professional development).
Communication and reporting. Audit committees should support open and transparent communication between the internal audit function, management, and the audit committee; share information to align the function with the organization’s goals; and require reports to be clear, concise, and actionable).
Support of the internal audit function. Audit committees should champion internal audit, demonstrate support through internal audit’s positioning within the organization, and ensure there is a quality improvement and assurance program to support continuous improvement).
Deloitte provides more detail on each of these essential conditions. The paper notes: “It is important that audit committees understand these essential conditions and their implications in order to effectively oversee the internal audit function and help it add significant value to the organization.”
Considerations for the Audit Committee in Supporting Adoption of the New Standards
Deloitte identifies five specific audit committee responsibilities that support the implementation and adoption of the IIA Standards:
Oversight and guidance. The audit committee should provide oversight and guidance to the CAE regarding implementation, including alignment with the essential conditions.
Resource allocation and readiness preparation. The audit committee should determine if internal audit has the required resources and discuss with the CAE any expected challenges to implementation. In light of the January 2025 effective date, internal audit should already be performing a readiness assessment and identifying required actions.
Stakeholder communications. The audit committee should communicate with key stakeholders, including management and the external auditor, about the implications of implementing the new IIA Standards.
Monitor performance and progress. The audit committee should understand the internal audit function’s progress toward implementation and provide input to the CAE as to strategy, performance objectives, and performance measures.
Maturity expectations. The audit committee should communicate to the CAE the committee’s priorities for the internal audit function and ensure they are incorporated into internal audit’s longer-term strategy, performance objectives, and performance measures.
Audit Committee Takeaways
Audit committees should familiarize themselves with the basics of the IIA Standards and monitor how the company’s internal audit function is implementing them. Deloitte’s paper provides a good overview of the objectives of the Standards and of the role that the audit committee can play. Since the effective date is only about 13 months away, the CAE should already be assessing internal audit’s current practices against the Standards and identifying actions necessary for implementation. As Deloitte points out: “While more mature internal audit functions may be more aligned with the new Standards, many internal audit functions are finding that they need to take some action for conformance.” If the new IIA Standards have not previously been discussed with the CAE, the audit committee may want to get up to speed on what steps he or she is taking.
Comments