In March 2023, the Institute of Internal Auditors (IIA) released the Proposed Standards for public comment until May 30, 2023. The IIA has long communicated its overall goal to refresh the Global Internal Audit Standards (Standards) to provide enhanced guidance to ensure value, quality, and effectiveness of the profession’s services. The Standards apply to internal audit departments globally, regardless of purpose, size, complexity or structure, and are designed to provide guidance to internal audit functions operating at all levels of maturity.
While there are many structural improvements in the Proposed Standards, including the provision of implementation guidance for each Standard and the consolidation of the various Standard supporting documents into a single document, they also represent a shift for the internal audit (IA) profession. They are organized into five domains: Purpose of Internal Auditing; Ethics and Professionalism; Governing the Internal Audit Function; Managing the Internal Audit Function; and Performing Internal Audit Services. We have summarized the three foundational themes and key changes that would impact various IA functions should the Proposed Standards be implemented.
According to the Proposed Standards, the IA function should only rely on management's knowledge of the risks and controls, including the risk universe, if it has determined that the organization's risk management process is effective. Before executing projects on the annual plan, IA may need to assess and/or audit the organization's integrated assurance function.
Active Board involvement:
The Proposed Standards mandate the following strategies for the Board to demonstrate its backing and involvement: sessions held in public and private to talk about the overall IA plan, personnel and information access, and talent and technological resources; ensuring that the CAE reports administratively to the proper level within the organization, specifically one that permits the IA to carry out its duties free from management interference; and ensuring there is an escalation process to communicate unmitigated risks to the Board.
Within each domain, the Proposed Standards continually highlight the use of technology to better position IA as drivers of value. To help build technology into all areas of the IA function, the Proposed Standards require a regular assessment of technology during resource and budget discussions.