Masegare & Associates Incorporated
Overview of the new Global Internal Audit Standards - 2024
In January 2024, the Institute of Internal Auditors (IIA) published the New Global Internal audit Standards (the Standards) to support the evolution of the profession and to aid organizations in mitigating a constantly changing and dynamic risk landscape.
This new development calls for action on the part of Internal Audit, Audit Committees, and wider stakeholders to assess readiness and ensure compliance on or before 9 January 2025.
The International Standards for the Professional Practice of Internal Auditing (IPPF), issued in 2017, remain authorized for use during the transitional period. The new standards must be implemented by 9th January 2025, for Masegare & Associates Incorporated (MAI) encourages early adoption of the new Standards.
The Global Internal Audit Standards are drafted with the objective of assisting organizations stay ahead of the constantly evolving and dynamic risk landscape. They are a guide for practices used globally, and are critical essential component of an effective and efficient Internal Audit (IA) function. Developing practices in line with these Standards will enable an IA function to conduct purpose-driven and digitally powered Audits that align with the organization’s strategy, anticipate risk, and assist management in putting in place the correct processes and controls to meet future challenges effectively.
Masegare & Associates Incorporated (MAI), in efforts to assist its clients, has compiled a summary of the most significant changes in the new Standards to emphasize their importance. Our extensive experience with Internal Audit clients and Quality Assessment Reviews in South Africa has allowed us to identify some of the new requirements that IAF may not yet have in place. These areas are where Chief Audit Executives (CAE) may wish to concentrate their efforts when reviewing the new Standards. We have also included key considerations for the Audit Committee, along with implementation guidance and how MAI can be of assistance to your organization.
The Global Internal Audit www.theiia.org consist of:
The 5 domains, the 15 principles and 52 standards. Each standard includes requirements, considerations for implementation and Examples of Evidence of Conformance. The requirements are mandatory practices for internal auditing , recognized by the use of “must” in each statement, while the consideration for implementation are common and preferred practices to consider when implementing the requirements and the statements for these sections use the terms “should” or “may” and the examples of Evidence of Conformance are to demonstrate that the requirements have been implemented, these examples are not meant to be an exhaustive list.
It provides a simple and concise overview of the essence of internal auditing, meant to be easily communicated to stakeholders. It could be called an “paternoster pitch.”
It starts with a Purpose Statement: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
It incorporates & replaces the existing Codes of Ethics and what are called “Attributes Standards” in the 2017 specifically objectivity, competency and due professional care to remove duplication.
This involves relationships between CAE, board, and senior management interactions.
The principles and standards, as well as essential conditions — callouts to the board and senior management. “Essential conditions,” along with the requirements for the chief audit executive, establish a necessary foundation for an effective internal audit function.
All Principles and Standards address the chief audit executive, a term that’s defined in the glossary and in the introduction to this domain as the leadership role responsible for effectively managing all aspects of the internal audit function. The specific job title and/or responsibilities may vary.
This includes the standards for planning, performing, and communicating engagement results. The Standards, requirements, and considerations for implementation in this domain are applicable to both assurance and advisory services, unless otherwise specified in individual standards.
Topical Requirements-New
A Topical Requirement is, required when providing assurance on a specified risk area, and those areas require to be reviewed, and it covers aspects of Governance, Risk management, and Control, (GRC) processes, as well as the external quality assessment.
The importance of topical requirements, includes strengthening the ongoing relevance of the IPPF by addressing pervasive and evolving risks, and also ensure consistency and quality of engagement performance.
Components of the Topical Issues Under Consideration:
Synopsis of our Implementation Guidance:
Undertake a gap analysis against the new Standards to understand the current level of conformance:
Masegare & Associates Incorporated,(MAI) team of experts will conduct an Internal Audit gap analysis with a view of understanding the necessary changes required to meet the new Standards is an important first step. It is crucial to engage with key stakeholders, including the Board/Audit Committee, Senior Management, and Risk and Compliance functions in stakeholder workshops, to discuss the implications of the identified changes. Our execution of a gap analysis will based on the ‘as-is’–assessment state.
Develop an Action Plan,(AP) to address gaps and align with the Standards :
Once the team of our experts, has completed the impact assessment, we can then collaboratively agree on the most appropriate actions and priorities that will yield the best outcomes for the organization. It is advised that a formal action plan is developed, including the relevant agreed action, tagged action owner(s) and timelines, in line with the assigned priorities. MAI help will develop to develop an implementation plan to achieve the ”to-be’ state.
Implement the plan to achieve conformance:
Our team will ensure that the action plan is formally disseminated to all impacted stakeholders, requiring periodic updates to ensure timely completion. Our implementation plans may include updates to IA’s; Mandate and strategy, policies and procedures, reporting lines and communication, quality assurance programme and plan, and technology, systems and data.
Masegare & Associates Incorporated will help by implementing the action plan while utilizing our knowledge and materials to streamline the process. MAI will conduct training and maintain conformance.
Skills Transfer and Development through training and maintaining conformance:
Internal Audit should undergo training on the new Standards to understand the requirements. The IA training programme and methodology should be updated to reflect the new Standards, incorporating the IIA’s new Topical Guidance. Further, ongoing monitoring and improvement mechanism of the implemented processes and activities should be established. MAI can help through conducting training for IA, covering key changes and guidance to best equip the team. .
The Fundamentals section: An introductory section that describes the structure, applicability, and how to use the Standards, as well as an overview of the standard-setting process and description of the connection between internal auditing and the public interest.
The Glossary: Provides definitions of key terms used throughout the Standards. The Standards use certain terms in very specific, internal-audit-centered ways that correspond to their definition in the Glossary.
A special section: “Applying the Global Internal Audit Standards in the Public Sector,” which follows Domain V: Performing Internal Audit Services and describes strategies for conformance amid the circumstances and conditions unique to internal auditing in the public sector.
What are some of the key changes to the Glossary?
The process for updating the Glossary involved reviewing each term for its relevance, researching and comparing against other standards and frameworks, conducting initial surveys, and reviewing thousands of public comments.
A Few things to note:
Some terms have either been excluded or new terms have been added. 32 new terms and definitions have been added to the 2024 Global Internal Audit Standards (e.g. activity under review, assurance, competency). The link to the full glossary document can be found here; Glossary Comparison: 2024 Global Internal Audit Standards to 2017 Standards (www.theiia.org). 13 terms from 2017 have been excluded from the 2024 Global Internal Audit Standards Glossary. These include — add value, adequate control, information technology governance overall opinion. The Glossary helps internal auditors understand the Standards, but it does not mean that these are the only terms that can be used. We know people use different terms to mean the same thing and that’s generally not a problem. But it allowed for the development of the Domains where information was missing before. Other terms may be used elsewhere to mean the same or a similar thing.
Inferences
The first series of presentations is covering the 2024 Standards and it took a helicopter view of the 5 Domains, 15 Principles and 52 Standards. It focused primarily on the headline content within the 5 Domains. It is recognized and accepted that many of the changes are familiar and in common practice in mature internal audit functions e.g., Domain V Performing Internal Audit Services. But most practicing internal audit professionals will need to adapt some elements of what they do to ensure continued conform.