Engaging Internal Audit Stakeholders to Build the Base for Adoption — Understanding the Global Internal Audit Standards (Part 1 of 3) This blog post was authored by Andrew Struthers-Kennedy - Managing Director, Global Practice Lead, Internal Audit and Financial Advisory and Kristen Kelly - Director, Internal Audit and Financial Advisory on The Protiviti View.The final updated Global Internal Audit Standards become effective January 9, 2025.Why it matters: The update established an emphasis on quality, clarifies responsibilities, provides further guidance, and enhances the role of internal auditing as a business partner.Why start now: Proactively communicating, engaging in discussions, and laying the groundwork with stakeholders for the formalisation of collective governance required by the Standards’ changes will avoid surprises and facilitate the change process.Bottom line: It is crucial to set the stage for constructive discussion and allow for agreement on the nature, extent and timing of adoption.The final updated Global Internal Audit Standards (“Standards”) issued by The Institute of Internal Auditors become effective January 9, 2025. In this blog series, we introduce the key Standards updates, explore the impacts of the updates on the internal audit (IA) function, provide practical guidance for adopting the changes required for compliance and consider the opportunities to move beyond conformance, with a particular emphasis on quality. Topics Internal Audit and Corporate Governance Risk Management and Regulatory Compliance What drives the need to update the Standards?The goals of the IIA Standards Board (“Board”) for the update are to:Clarify responsibilities and standard requirements, including considerations for public sector and smaller functionsProvide further guidance beyond high-level principles by adding considerations for implementation and examples of evidence of conformance for each standardElevate the quality of internal auditing and enhance the IA function’s role as an essential business partner to boards and senior managementThe Board updated the construct of the Standards to align all requirements within one of five domains, providing direction to each stakeholder group within one framework. However, there is overlap and shared responsibility among the chief audit executive (CAE), the board (in most cases, the audit committee) and senior management in establishing and maintaining governance over the IA function. While this overlap and shared responsibility has always existed, the updated Standards attempts to formalise it more explicitly.Where to begin?While a number of the “must” requirements in the initial proposal were reduced to “should” considerations, there are substantive changes in a number of areas that IA functions will need to address over the next 11 months (and we encourage the review, gap assessment and closure planning processes to start soon). Even if the CAE has already begun discussing the Standards update and the allocation of time to address it in the 2024 audit plan with the board and senior management, there are decisions to be made. The CAE must first decide on the vision for the function, but this vision must consider the needs and expectations of the IA stakeholders. The CAE should test the waters with the board and senior management early on, as both will likely have strong opinions to contribute.Many organisations will still face challenges reaching the step changes called for in the final Standards. Implementation of the Standards places the onus on the CAE to emphasise and clarify the importance of collaboration and respective responsibilities in governing an IA function effectively. Each organisation’s CAE, board and senior management will then collectively need to decide the level of compliance they want to achieve with the Standards and whether they want to take steps to leverage the Standards to support more transformative change in the IA function. Needless to say, implementation approaches will likely vary across organisations.What do stakeholders need to know?The tide continues to turn to the importance of governance. The fact that the Committee of Sponsoring Organisations (COSO) and the National Association of Corporate Directors (NACD) are moving forward with the development of their Corporate Governance Framework to complement the widely accepted COSO Internal Control Framework and ERM Framework points in this direction. The Standards are no different, calling on the board, senior management and the CAE not only to establish or clarify the mandate and expectations for the IA function but also to work to formalise board governance and oversight in several areas.The table below summarises key changes in the mandatory responsibilities of the board, often fulfilled by the audit committee. Image How do we set the stage for change?CAEs will need to decide which changes outlined in the new Standards they plan to adopt, the time frame for adoption, and the rigor and formality of adoption. The IIA Standards Board, recognising the variety in the size, maturity and organisational placement of functions, has included the “comply or explain” concept in this update. CAEs will need to lead their function in digesting the updated Standards and prioritising adoption activities. However, they first need to educate and consult with stakeholders and collectively decide on the nature, extent and timing of the adoption plan.With the collaboration required among the board, senior management and the CAE, it is paramount that the CAE build awareness of the Standards’ changes (the intent behind them, as well as their substance and implementation considerations specific to the organisation) with the board and senior management. The CAE must educate the board and senior management on the Essential Conditions, defined in the Standards as the “table stakes” for the IA function to operate.For change to be successful, the CAE must obtain input from these stakeholders and work toward obtaining their buy-in on these collective governance concepts as well as clearly aligning on expectations and the definition of value related to IA’s efforts. By building on this base, the CAE can begin to lead the stakeholders to own the various responsibilities outlined by the Standards. The CAE’s objective in this change process is to drive stakeholder agreement on the organisation’s response to the updated Standards and document the collective conclusions and agreed upon approach. Without this baseline understanding and establishment of collective stakeholder buy-in and ownership, the function’s efforts to adopt the mandated governance changes will not be successful.What should the stakeholder group consider in designing the adoption approach?Beyond basic conformance, the explicit new requirements for the mandate — along with the strategy and performance objectives of the function, to be agreed upon among the CAE, senior management and the board — provide the opportunity for functions to clarify and advance the direction and maturity of IA in their organisations. The stakeholder group must decide how far they want to go over the next three to five years in formalising and memorialising the strategic direction for the IA function.While progress continues in the elevation of the IA function, many organisations continue to struggle with establishing the function’s seat at the table and direct reporting to the board. IA’s senior management and board sponsors may have strong views about the capacity of the organisation to achieve full conformance as outlined in the Standards. Moving from the current state to the final updated IIA standards may be difficult to accomplish in the short term. Thus, the transition may be more of a phased journey over time. That said, the vast majority of CAE and other IA leaders that we have spoken with on this topic expect to be in conformance with the new standard either prior to or during 2025.One area deserving of special notice is the need for flexibility in the rigor of the formal documentation of approvals. For example, the audit committee can still advise and support management on the IA function’s matters without formally documenting their approval in minutes or another specific medium. There can be a lot of flexibility in the level of formality of approval documentation. Approval may even be tacit and will vary based on what the board members desire to capture in the minutes. Flexibility in the manner of approval maintained will be necessary, especially to avoid the updated Standards resulting in a checklist approach or mentality. The point is that the CAE should strive for substance, not form.Why start now?Proactively communicating and laying the groundwork with stakeholders for the formalisation of collective governance required by the Standards’ changes will avoid surprises and facilitate the change process. It is crucial to set the stage for constructive discussion and allow for agreement on the nature, extent and timing of adoption.Learn more about the Global Internal Audit Standards update by registering for our webinar here.This is part 1 of a 3 part blog series. Read blog 2 and blog 3 to further understand the Global Internal Audit Standards. Find out more about our solutions: Internal Audit Consulting Protiviti’s Internal Audit solution combines industry-centric and technical expertise with leading technologies to deliver world-class internal audit services. Audit Transformation We help establish transformation priorities and plans, and support in their implementation, offering advice on leading practices and strategies to deliver successful outcomes and enable change. Audit Innovation Challenge how you think and operate. Transform your strategy and talent management processes, evolve your delivery and methodologies, enable everything you do with data and technology. Leadership Shane Silva Shane is an accomplished managing director based in Sydney, leading the data governance and technology assurance practices. With a career spanning more than 16 years in the professional services industry, Shane is recognised for his exceptional expertise and proficiency ... Learn More Garran Duncan With over 30 years of internal and risk management experience, Garran's focus is driving the practice forward and building a firm that incorporates diversity, equity, and inclusion in everything we do. As a founding director of Protiviti Australia at its ... Learn More Lauren Brown Lauren is the country lead for Australia. With over 14 years' experience in governance, risk, and internal control, she specialises across multiple industries including health, higher education, government, consumer products, and energy. She is an active member and ... Learn More Featured insights BLOGS Focusing on Impact Areas — Understanding the Global Internal Audit Standards Updates (Part 2 of 3) In Part 1 of this blog series, we stressed the importance of educating internal audit’s stakeholders and laying the groundwork for the change management needed to support the required collaboration for effective governance of the internal audit (IA)... BLOGS From Conformance to Performance — Understanding the Global Internal Audit Standards (Part 3 of 3) The Institute of Internal Auditors (IIA) final updated Global Internal Audit Standards provide the opportunity for transformative change. The update requires the internal audit (IA) function to have a strategic plan aligned with the organisation’s... IN FOCUS Understanding the Global Internal Audit Standards A three-part blog series and webinar, featuring commentary, insights and points of view from Protiviti leaders and SMEs on key challenges and risks companies are facing today, along with new and emerging developments in the market.The final updated... SURVEY Achieving Audit Relevance As internal audit functions face a continuing talent crunch and demands to support the organisation’s strategic moves in response to external events, chief audit executives (CAEs) are focused on growing internal audit’s relevance with the board,... SURVEY From AI to Cyber - Deconstructing a Complex Technology Risk Landscape Protiviti’s global internal audit survey 2024 highlights the challenges and technology risk trends faced by internal auditors worldwide. Download the report. Button Button