Engaging Internal Audit Stakeholders to Build the Base for Adoption — Understanding the Global Internal Audit Standards (Part 1 of 3)

This blog post was authored by Andrew Struthers-Kennedy - Managing Director, Global Practice Lead, Internal Audit and Financial Advisory and Kristen Kelly - Director, Internal Audit and Financial Advisory on The Protiviti View.

The final updated Global Internal Audit Standards become effective January 9, 2025.

Why it matters: The update establishes an emphasis on quality, clarifies responsibilities, provides further guidance, and enhances the role of internal auditing as a business partner.

Why start now: Proactively communicating, engaging in discussions, and laying the groundwork with stakeholders for the formalisation of collective governance required by the Standards’ changes will avoid surprises and facilitate the change process.

Bottom line: It is crucial to set the stage for constructive discussion and allow for agreement on the nature, extent and timing of adoption.

The final updated Global Internal Audit Standards (“Standards”) issued by The Institute of Internal Auditors become effective January 9, 2025. In this blog series, we introduce the key Standards updates, explore the impacts of the updates on the internal audit (IA) function, provide practical guidance for adopting the changes required for compliance and consider the opportunities to move beyond conformance, with a particular emphasis on quality.

What drives the need to update the Standards?

The goals of the IIA Standards Board (“Board”) for the update are to:

  • Clarify responsibilities and standard requirements, including considerations for public sector and smaller functions
  • Provide further guidance beyond high-level principles by adding considerations for implementation and examples of evidence of conformance for each standard
  • Elevate the quality of internal auditing and enhance the IA function’s role as an essential business partner to boards and senior management

The Board updated the construct of the Standards to align all requirements within one of five domains, providing direction to each stakeholder group within one framework. However, there is overlap and shared responsibility among the chief audit executive (CAE), the board (in most cases, the audit committee) and senior management in establishing and maintaining governance over the IA function. While this overlap and shared responsibility has always existed, the updated Standards attempt to formalise it more explicitly.

Where to begin?

While a number of the “must” requirements in the initial proposal were reduced to “should” considerations, there are substantive changes in a number of areas that IA functions will need to address over the next 11 months (and we encourage the review, gap assessment and closure planning processes to start soon). Even if the CAE has already begun discussing the Standards update and the allocation of time to address it in the 2024 audit plan with the board and senior management, there are decisions to be made. The CAE must first decide on the vision for the function, but this vision must consider the needs and expectations of the IA stakeholders. The CAE should test the waters with the board and senior management early on, as both will likely have strong opinions to contribute.

Many organisations will still face challenges reaching the step changes called for in the final Standards. Implementation of the Standards places the onus on the CAE to emphasise and clarify the importance of collaboration and respective responsibilities in governing an IA function effectively. Each organisation’s CAE, board and senior management will then collectively need to decide the level of compliance they want to achieve with the Standards and whether they want to take steps to leverage the Standards to support more transformative change in the IA function. Needless to say, implementation approaches will likely vary across organisations.

What do stakeholders need to know?

The tide continues to turn to the importance of governance. The fact that the Committee of Sponsoring Organisations (COSO) and the National Association of Corporate Directors (NACD) are moving forward with the development of their Corporate Governance Framework to complement the widely accepted COSO Internal Control Framework and ERM Framework points in this direction. The Standards are no different, calling on the board, senior management and the CAE not only to establish or clarify the mandate and expectations for the IA function but also to work to formalise board governance and oversight in several areas.

The table below summarises key changes in the mandatory responsibilities of the board, often fulfilled by the audit committee.


How do we set the stage for change?

CAEs will need to decide which changes outlined in the new Standards they plan to adopt, the time frame for adoption, and the rigor and formality of adoption. The IIA Standards Board, recognising the variety in the size, maturity and organisational placement of functions, has included the “comply or explain” concept in this update. CAEs will need to lead their function in digesting the updated Standards and prioritising adoption activities. However, they first need to educate and consult with stakeholders and collectively decide on the nature, extent and timing of the adoption plan.

With the collaboration required among the board, senior management and the CAE, it is paramount that the CAE build awareness of the Standards’ changes (the intent behind them, as well as their substance and implementation considerations specific to the organisation) with the board and senior management. The CAE must educate the board and senior management on the Essential Conditions, defined in the Standards as the “table stakes” for the IA function to operate.

For change to be successful, the CAE must obtain input from these stakeholders and work toward obtaining their buy-in on these collective governance concepts as well as clearly aligning on expectations and the definition of value related to IA’s efforts. By building on this base, the CAE can begin to lead the stakeholders to own the various responsibilities outlined by the Standards. The CAE’s objective in this change process is to drive stakeholder agreement on the organisation’s response to the updated Standards and document the collective conclusions and agreed upon approach. Without this baseline understanding and establishment of collective stakeholder buy-in and ownership, the function’s efforts to adopt the mandated governance changes will not be successful.

What should the stakeholder group consider in designing the adoption approach?

Beyond basic conformance, the explicit new requirements for the mandate — along with the strategy and performance objectives of the function, to be agreed upon among the CAE, senior management and the board — provide the opportunity for functions to clarify and advance the direction and maturity of IA in their organisations. The stakeholder group must decide how far they want to go over the next three to five years in formalising and memorialising the strategic direction for the IA function.

While progress continues in the elevation of the IA function, many organisations continue to struggle with establishing the function’s seat at the table and direct reporting to the board. IA’s senior management and board sponsors may have strong views about the capacity of the organisation to achieve full conformance as outlined in the Standards. Moving from the current state to the final updated IIA standards may be difficult to accomplish in the short term. Thus, the transition may be more of a phased journey over time. That said, the vast majority of CAEs and other IA leaders that we have spoken with on this topic expect to be in conformance with the new standard either prior to or during 2025.

One area deserving of special notice is the need for flexibility in the rigor of the formal documentation of approvals. For example, the audit committee can still advise and support management on the IA function’s matters without formally documenting their approval in minutes or another specific medium. There can be a lot of flexibility in the level of formality of approval documentation. Approval may even be tacit and will vary based on what the board members desire to capture in the minutes. Flexibility in the manner in which approval is maintained will be necessary, especially to avoid the updated Standards resulting in a checklist approach or mentality. The point is that the CAE should strive for substance, not form.

Why start now?

Proactively communicating and laying the groundwork with stakeholders for the formalisation of collective governance required by the Standards’ changes will avoid surprises and facilitate the change process. It is crucial to set the stage for constructive discussion and allow for agreement on the nature, extent and timing of adoption.

Learn more about the Global Internal Audit Standards update by registering for our webinar here.

This is part 1 of a 3 part blog series. Read blog 2 and blog 3 to further understand the Global Internal Audit Standards.
