“Are you ready to take off to the new Global Internal Audit Standards?” This is the question we asked participants in our recent Internal Audit Insights webinar. And it is a question that IA leaders and Board members should now be asking themselves. In our webinar we outlined the key changes the new standards bring to the profession and concluded that IA functions need to use the transition period in 2024 to prepare for and implement the new requirements and discuss them with their Boards. In this article we highlight the areas you should focus on now, to be ready for 2025.
After an extensive public consultation process last year the new Global Internal Audit Standards were finally published on 9 January 2024 by the Institute of Internal Auditors (IIA). The new standards will become effective in early January 2025 after a 12-month transition period. The current standards (the so-called “IPPF” of 2017) will remain applicable throughout 2024, but early adoption of the new standards is encouraged by the IIA.
More than 80% of IA functions that participated in our webinar have not yet assessed the impact of the new standards, and 75% do not yet have a budget for implementation of the new standards during 2024. We therefore repeat the IIA’s encouragement on early adoption and believe it is important for IA functions and Boards to assess the impact of the new standards sooner rather than later. The effort required to conform with the new requirements should not be underestimated.
The extent of the gaps that need bridging depends on how mature your IA function is now. But even functions with relatively few gaps will have much to do because the structure and numbering system of the new standards is completely different to that of the current IPPF.
In the illustration above you find the circle we are all familiar with: the IPPF 2017. The new Global Internal Audit Standards incorporate the five mandatory elements of the 2017 framework and the Implementation Guidance. These elements are now structured into five domains, 15 principles and 52 standards. Each standard is divided into three parts: the mandatory “Requirements” that contain the “must”-statements; the “Considerations for Implementation” that show the common and best practices that are expected though not mandatory; and, lastly, the “Examples of Evidence of Conformance”, which contains a non-exhaustive list of guidance on how to provide evidence of conformity with the requirements.
An entirely new element are the “Topical Requirements” which aim to enhance the consistency and quality of internal audit services. This is an interesting broadening of focus by the standard setters, as the IIA is now adding additional mandatory requirements to be observed when conducting audits in the topical domains covered by these requirements. The Topical Requirements don’t exist yet but the intention is to introduce them soon, for example, in Cybersecurity, Sustainability and ESG, Third-party Management, and IT Governance, to name just a few.
The good news is that prior to their publication there will be a public consultation process for these requirements, and we encourage all professionals with expertise in these areas to get involved in shaping them. The existence of the new Topical Requirements, and their evolving nature, will oblige IA functions to maintain a regular monitoring process. If not, new mandatory elements could be missed.
As outlined above, a lot of IA functions have yet to assess the full implications of the new standards, and their conclusions will also depend on the relative maturity of their current practices and methodology. In our view, Internal Audit Leaders and Boards should embrace this opportunity for transformational change. The standards equip you with a toolbox to shape the brand of Internal Audit and become strategic partners for your organisation's leadership.
Start by assessing your current practices and what is needed to meet the new minimum requirements and discuss your conclusions, vision and strategic objectives with the Board. Also discuss the budget that will be needed. Once you have a view on the impact, define an action plan for the implementation of any gaps you identify. And for each gap, consider how closing these gaps can improve your practices, optimise your processes, empower your people, and increase the use of technology to elevate your IA function.
If your next External Quality Assessment (EQA) is due in 2024, ask your assessor to perform the gap assessment to the new standards as part of the EQA. This can easily be combined with the assessment of conformity and will free up your own resources. If your EQA is planned for 2025, think about moving it forward to 2024, or scheduling it early in 2025, so that the assessment will still be performed against the 2017 standards, but allowing the opportunity to combine it with the assessment of the gap to the new standards.