The new Global Internal Auditing Standards are here! (Well, almost here at the time of this writing.) The Institute of Internal Auditors (IIA) plans to release the new Standards in the coming days, likely sometime next week.
When I thought of what I wanted to say for this article, I kept harkening back to the 1979 movie starring comedian Steve Martin called The Jerk. (If you are under 50, google it.) In the movie, the Martin character, Navin Johnson, gets extremely excited when the new phone books arrive following a period of anxious anticipation. Johnson is striving to “be somebody,” and searching for his name in the phone book when it finally arrives is a source of great excitement. Funny clip, from a funny movie.
While I suspect the IIA and its International Internal Audit Standards Board (IIASB) are extremely excited to be done with the multi-year project to remake the Standards and International Professional Practices Framework (IPPF), their arrival, like the annual delivery of the Whitepages, will not be a major source of excitement for most of us. Still, it is an especially important event that will impact the global internal audit profession for years to come.
I do not want to predict what we will and won’t see in the final version of the Standards and IPPF, but I would like to acknowledge the substantial work done by the IIASB to consider and adjust the proposed draft Standards based on the many comments it received. These folks worked tirelessly to provide the internal audit profession with what they honestly believe it needs going forward. Their well-intentioned and painstaking efforts should be recognized.
See also, “An Open Letter to the IIA Regarding the Draft Standards Update.”
With the final publication, it really doesn’t matter much now what we do and don’t like about the end result. The task before internal auditors in 2024 will be to evaluate what the Standards say; consider how they affect their own internal audit functions; and determine if, when, and how they will seek to implement them.
Once the “new phone book” arrives, regardless of your level of excitement, here are my thoughts on what internal audit departments will need to do in response.
First, Don’t Panic
The Standards document is expected to be long, if the exposure draft was any indication, so take your time with it. Remember, conformance (yes, it is “conformance,” not “compliance,” and that distinction is especially important) is not expected until one year after publication, so January 2025 at the very earliest. If you aren’t getting an external quality assessment (EQA) done in 2025, you have even more time to strive for conformance.
First, take the time to read it thoroughly and ensure the entire internal audit staff has read it thoroughly too. Then discuss it with the staff and with others in the internal audit profession. While the IIA and others will likely hold webinars on the new Standards, most will only be an hour or two in length and won’t cover them in enough detail to do much more than function as the “Cliff Notes” version to your reading and active discussions.
In the early going, it may also be wise to advise your audit committee members of the new Standards and of the internal audit team’s plans to evaluate and address them. Then keep them posted as the year progresses. They will not want to read the Standards in detail, nor should they, but they should rely on internal audit leaders to brief them accordingly.
Second, Build a Strategy and Methodology
The IIA Standards will include many things that the internal audit department is already doing; some things it isn’t doing, but maybe should be; and possibly certain things that you don’t see the internal audit function needing to do now or ever.
So, what’s the best approach to digesting the new Standards and IPPF? If your staff is large enough to assign a deep dive to an experienced person (or small group), then great. If not, the chief audit executive (CAE) might need to lead the charge on how to approach the Standards. I would suggest creating a matrix that lists out all the things the new Standards require … all things, not just the new things. Then have columns for “we do this now,” “we do it, but could improve what we do,” “we don’t do it, but should,” and “we have no plans to do this at this time.” I would not worry about establishing action plans just yet. Just get the inventory done.
Where will you find time to do this? Perhaps you could borrow from the time you had planned in 2024 for your Quality Assurance Improvement Program (QAIP). I would argue that this could even take the place of your 2024 QAIP work, but that’s your call. Perhaps you could consider this a training and development exercise for staff and use some of that time. But plan for this effort to take time away from audit projects and adjust your resource budgets accordingly.
Remember, conformance doesn’t need to begin until 2025, at the earliest. So, 2024 is a time to digest, assess, and strategize. The CAE should provide updates, as appropriate, to their administrative boss as well as to the audit committee. But they typically won’t care all that much so long as you demonstrate you are on top of it, so be brief.
Internal auditors might also consider purchasing the new Quality Assessment Manual that will be published by the IIA sometime this spring. The manual will provide insight into what a quality assessor will be looking for when performing an external quality assessment according to the new Standards.
Third, Develop an Action Plan
Now that you have your matrix complete, you have three lists that require attention: the “we do it, but could improve,” the “we don’t do it, but should,” and the “we have no plans to do this at this time.” Let’s talk about each as it relates to an action plan.
For the things you could improve upon, build that into your internal audit team’s QAIP and go ahead and work on those items on the timetable that makes sense for you and your available resources. Easy. Possibly time consuming, but easy.
For the things that you don’t do, but you believe you should, ditto. More time invested here, though.
Now, for the things that you have no plans to do, for whatever reason, this will take a bit of finesse on the part of internal audit leaders. Why might you not do something even if the IIA thinks you should, you may ask? Perhaps you don’t have the resources, perhaps it doesn’t make sense in your environment, perhaps you are doing something else that you feel addresses the essence of the new requirement, or, quite frankly, you just don’t agree with it. For each of these, document your rationale. And, importantly, make sure your administrative boss and the audit committee know about these items. It is extremely likely that they will agree with you. This documentation will be important when that EQA eventually rolls around. The point is to take a “conform or explain” approach, which I recommend.
Fourth, Communicate Conclusions
Your communications with the audit committee should be brief and hit only the important highlights: how you assessed the new IIA Standards and IPPF, what the internal audit team did in response, what it is still planning to do, and what it will not be doing (if applicable). Tailor the depth or brevity to the way the audit committee members are used to receiving information from the CAE. And don’t ever surprise them. If you think there may be discussion or disagreement with your conclusions, make sure you’ve had advance conversations with your administrative boss, the CEO (if the CEO is not your administrative boss), and the audit committee chair before you present any updates to the full committee.
Fifth, Execute the Action Plan
Put the plan into operation. You don’t need my suggestions or advice on how to do that. Just be sure you’ve adjusted your QAIP as needed.
Sixth, Document as Necessary
Just as we look for an audit trail of documentation when we audit something, your future EQA team will be looking for documentation of what the internal audit team did in response to the new internal audit Standards, what you concluded, and why. So, err on the side of a little too much documentation.
Last, Prepare for the Next EQA
If you are striving for conformance to most, or all, of the IIA Standards, don’t forget that the internal audit department will be getting an EQA within five years of the last one. (The “once every five years” requirement for an EQA is not expected to change with the new Standards.) For some, that may be in 2025, but could be as late as 2029 if the internal audit function will be evaluated this year. As you perform your annual QAIP efforts (continuously or periodically) against the new Standards, you will want to have documentation of your internal assessment against them.
I always counsel CAEs that in an audit committee meeting before you have your EQA done, it would be wise to have a discussion with your administrative boss and the audit committee, separately, on how well you are conforming to the Standards from your own perspective. (I also suspect, but can’t guarantee, that EQA team leaders will be somewhat lenient on areas that might signal a notable change from past practice, but time will tell.)
If there are areas you know you are not in conformance with, or have even made the conscious decision to not conform to certain things, make sure these parties are briefed on the areas of non-conformance. No surprises, right?
Shout About It!
The new Standards are (almost) here. There is certain to be a wide range of reactions to what they include from both individuals as well as the profession at large. Take your time, have a plan, seek to conform where it is logical to do so, and take a “conform or explain” approach to anything you can’t do or won’t do. Adopting the new Standards will be relatively easy for some internal audit functions, and possibly more difficult for others, but either way it will take time.
Take a deep breath, and approach it in a methodical fashion. And, if anyone is genuinely excited about it, feel free to shout aloud, as Navin Johnson surely would, “The new Standards are here! The new Standards are here!”
Hal Garyn is Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.
Dear Hal, I love the structure you put in.
This is very useful. I’m taking a cue from it to prepare for my clients, as a consultant.
Very good article indeed.
Very useful.
Very strategic.
Very practical.
It will influence significantly my forthcoming presentation on the new Standards in a seminar for my country’s IIA chapter.
Good article Hal
Lynn Fountain
It is lengthy but educative and inspiring. Good piece.