Seven steps to apply new global IA standards

By: Sara McAllister

For internal auditors, especially heads of internal audit (HOIAs), the stakes are high as value expectations shift. Internal Audit must continuously pre-empt business priorities and challenges and position itself as a true business partner and advisor to genuinely deliver on its mandate.

What do the new internal audit standards cover?

The new standards offer clearer, more direct guidance than previous standards, and are built around a clear framework of 15 operating principles across five domains:

  • Purpose of internal auditing
  • Ethics and professionalism
  • Governing internal audit function
  • Managing internal audit function
  • Performing internal audit services.

At Grant Thornton, we see the standards as clearly aligned to six key themes:

  • Emphasis on risk management
  • Defining objectives and methodology
  • Technology-driven
  • Culture and communication
  • Operational and governance
  • Conformance.

To whom do the new internal audit standards apply?

The new standards insist on a more holistic, collaborative approach to internal audit, in which auditors, management and the Board work together to service the organisation and the broader public interest. 

Anyone worldwide providing IA services must comply with the standards, including employees and contractors, although there are special considerations for small audit functions and those in the public sector. The Chief Audit Executive (or person in that role if their title is different) must ensure all IA work aligns with the standards.

While not everyone on the team has to be deeply knowledgeable about all aspects of the standards, at a minimum, IA staff should familiarise themselves with Domain II (Ethics) and Domain V (Performing Internal Audit Services).

Note that under the standards, an external quality assessment will look for at least one member of the team to hold an active certified internal auditor designation.

What every Head of Internal Audit needs to know
New IA Standards Guide

Download our summary of the new Global Internal Audit Standards and how HOIAs can meet their obligations with confidence. 

What do Heads of Internal Audit need to do?

Familiarise yourself with the standards

If you haven’t already, ensure you understand the changes from the 2017 standards and develop a transition plan. This should include a plan outlining where specific actions or revisions of responsibilities are required, as well as an internal training programme for your team. 

Bear in mind you may already be working in ways set out by the standards, such as by showing courage in difficult situations, but you will need to be able to show that compliance during an external quality assessment (EQA).

Consider performing a self-assessment

To know where you need to introduce or change processes and procedures, it’s vital to carry out a gap analysis on where you stand compared with the new standards. Think of this as a mini self-assessment with independent validation (SAIV), without that external validation.

Rank your opportunities for improvement as ‘critical’, ‘important’ and so on, and work out where you need to fill policy, procedural or talent gaps, or introduce new templates supported by enhanced technology.

Develop or update your internal audit strategy

Based on the results of your self-assessment, draw up a timeline for implementing the changes needed, including the introduction or amendment of IA KPIs to help with monitoring and accountability.

At the same time, examine if and how you might need to update your IA strategy and your charter. Discuss your IA mandate with your board and consider if you should carry out a risk assurance mapping exercise.

Connect with your stakeholders and customers

Managing change as part of implementing new requirements under the standards presents an ideal opportunity to communicate more around IA and work to build strong, respectful relationships with stakeholders. 

This will not only increase the perceived value of IA, it will also encourage others internally to approach rather than avoid IA and help to improve overall organisational risk management. 

Develop a plan to stay informed on new topical requirements

Make sure you review your plans to account for topical requirements, which are mandatory under the new standards. They’re designed to improve IA services for specific audit subjects. 

IAs must conform with these requirements if one of the topics falls within the scope of an engagement, and they will be a basis for measurement for an EQA if relevant. The first two of these requirements are cybersecurity and third party risk management, with ESG and fraud risk to follow.

Discuss new IA obligations with the board and senior management 

Under Domain III of the new standards, your board and senior management are subject to essential conditions, meaning they must carry out specific actions to enable the IA function. These include acting as IA champions across the organisation and having to approve the HOIA’s role and responsibilities, among other tasks. 

Rather than racing to the board to say it has new obligations, flag that the new standards are in place and advise that you will share a plan to address them. Once you have completed the self-assessment, the strategic review and other preparatory work, you can meet the board and senior management to discuss how they can support compliance.

Re-assess your quality assurance strategy

While needing to carry out an EQA at least every five years is not a new requirement under the standards, there is a new preference for an EQA over an SAIV. Discuss your EQA plan with the board and ensure it understands the changes. 

At the same time, update your QAIP process to incorporate changes in the standards, paying particular attention to standard 12 (Enhance Quality) within Domain IV (Managing the IA Function).

Future-proofing the IA function

While new standards can sometimes seem onerous, the new Global Internal Audit Standards™ have been designed to focus on ethics, to improve organisational culture around IA, to focus on beneficial outcomes and to encourage tech-enabled assurance, with more extensive use of AI, data automation and data analytics.

At Grant Thornton, our global internal audit framework aligns with the IIA’s new Global Internal Audit Standards. Spanning risk assessment and planning, audit execution and reporting and remediation, it allows us to focus continuously on your business objectives, risks and operating environment. 

We audit efficiently and effectively, using advanced audit techniques. Once done, we provide useful, well-aligned, balanced reporting and recommendations – all of which ensures no surprises for you all the way.

To discuss how we can help your organisation align with the new standards, get in touch with us today.
