In a “special issue” of its Global Perspectives and Insights newsletter the Institute of Internal Auditors provided an early view of the changes it is considering to its professional practice standards, which govern how it expects its members to act as they conduct their work as internal auditors.
In 2020, the IIA embarked on a project, headed by its International Internal Audit Standards Board, to completely overhaul its professional practice standards. In addition to a host of changes it is considering, the IIA is changing the name of the standards from the clumsy, “International Standards for the Professional Practice of Internal Auditing” and the “International Professional Practices Framework” or IPPF, to the more succinct, “Global Internal Audit Standards.” Most practitioners refer to them simply as “the Standards.”
An official draft of the new version of the standards is expected to drop on March 1, and then a public review and comment period will open and continue through May 30. The IIA says it will release the draft in 23 languages. After analyzing the responses and making necessary revisions, the IIA says it expects to release the new version of the Standards officially before the end of 2023.
“More than two years of hard work by our staff and Standards Board has resulted in a remarkable draft of the new Global Internal Audit Standards, which I believe will help lead internal auditors into the future,” says Anthony Pugliese, IIA president and CEO in the special edition of the newsletter. “I am confident the draft will be well received and look forward to feedback during the public comment period.”
Summary of Proposed Changes
The IIA offered a high-level summary of the proposed changes and the goals of the new edition of the standards. They are:
- Simplify the structure of the standards.
- Consolidate the six existing elements in the new standards, including Mission, Definition, Code of Ethics, Core Principles, Standards, and Implementation Guides.
- Create a new section on the “Purpose of Internal Auditing.”
- Enrich the Ethics and Professionalism sections by adding “due professional care.”
- Add nuances for public sector, small internal audit functions, and advisory services.
- Clarify the board’s role in governing the internal audit function.
- And more.
The new standards will be organized into five domains, including the following:
- Domain I — Purpose of Internal Auditing unifies descriptions of the profession previously spread across various
IPPF elements. - Domain II — Ethics and Professionalism incorporates the Code of Ethics and standards relating to practitioner conduct and is enriched by the inclusion of standards addressing due professional care.
- Domain III — Governing the Internal Audit Function clarifies the board’s role. This change outlines for the first time important board responsibilities in support of effective internal auditing and addresses how the chief audit executive (CAE) can support the board in carrying out its responsibilities.
- Domain IV — Managing the Internal Audit Function clarifies the role of the CAE and provides direction on running and internal audit function
- Domain V — Performing Internal Audit Services includes additional requirements and practices for providing effective day-to-day internal audit services.
Before and After
The IIA also offered “before and after” scenarios to highlight the key changes being considered in the new standards:
Before: The responsibilities of the internal audit function, the chief audit executive, and the board were unclear.
After: The standards grouped into Domain III — Governing the Internal Audit Function describe what is needed from the board in support of an effective internal audit function and clarifies the roles and responsibilities of the board and the chief audit executive. When the board authorizes and fully supports the role of the chief audit executive and the internal
audit function, internal auditing can serve the board and other stakeholders effectively.
Before: Requirements for strategically managing a high-quality internal audit function were not thorough.
After: Domain IV —Managing the Internal Audit Function outlines new requirements and recommended practices for chief audit executives to develop strategy and performance indicators to help the chief audit executive lead a quality internal audit function.
Before: Standards describing how to perform practical aspects of individual internal audit engagements lacked detail.
After: Domain V —Performing Internal Audit Services provides new requirements and recommended practices for performing engagements, particularly about assessing risks and analyzing information to develop findings and conclusions.
Before: Essential guidance about implementing and demonstrating conformance with the Standards were in separate documents, making them difficult to access.
After: The Global Internal Audit Standards comprise one comprehensive document. Each standard incorporates sections on requirements and recommended practices for implementation and demonstrating conformance.
“As a working internal auditor, I understand the value of professional standards that are clear, precise and relevant to the work I do on a daily basis,” said Benito Ybarra, IIA Global Board Chairman. “We need to amplify and extend this recognition to engage our key stakeholders. The proposed Global Internal Audit Standards simplify the structure, add recommended
practices, and align their relevance to real-world business objectives. I would love to see input and insights from my fellow practitioners and other key stakeholders on the public comment draft.”
It’s too early to tell how the proposed new standards will be received by internal audit professionals, but most have embraced the idea to update the old version. Norman Marks, a former chief audit executive and risk expert who has written several books on internal audit, says the update is “necessary.” He wrote in a recent blog post that he hoped the IIA used the update to push internal audit more in the direction of business-objective and risk-based audits. “I have asked the IIA to use the opportunity of the IPPF update to jolt people out of poor practices,” he says.
Joseph McCafferty is editor & publisher of Internal Audit 360°