The new 2024 Global Internal Audit Standards by The Institute of Internal Auditors (IIA) introduce several significant updates designed to enhance the practice and relevance of internal auditing in today’s turbulent and complex business environment. The key changes reflect the profession’s evolution, accommodating newer challenges and ensuring the standards meet current needs effectively. The Standards will be effective from 9 January 2025 which provides an opportunity for Internal Audit (IA) functions to reflect on their current practices.
The Chief Audit Executives (CAE) now has a significant opportunity to incorporate the latest developments in good practice and drive transformation to increase the value that IA can provide to stakeholders.
The Key Changes
The 2024 Global Internal Audit Standards mark a significant step forward in aligning internal audit practices with modern business challenges and governance expectations. By structuring the standards into 5 specific domains and emphasizing areas like cybersecurity, IT governance, and ethical conduct, the IIA aims to enhance the professionalism, efficiency, and impact of internal audit functions globally. Organisations are encouraged to transition to these updated standards ahead of their January 2025 effective date to maximize their internal audit function’s alignment with contemporary governance and risk management practices.
A Restructure – One Document
The 2024 Standards have been restructured for better clarity and practical application. The Standards are now combined into one document, the five mandatory components – Purpose of Internal Auditing, Ethics and Professionalism, Governing the Internal Audit Function, Managing the Internal Audit Function, and Performing Internal Audit Services, as well as one of the recommended non-mandatory elements, the Implementation Guidance. The Standards use the word “must” in the Requirements sections and the words “should” and “may” to specify common and preferred practices in the Considerations for Implementation sections
This new structure aims to streamline the standards for easier navigation and application in diverse auditing environments.
Both assurance and advising (formerly consulting) initiatives are included in the main body of the Standards and are not distinguished from one another by the Standards. With very few exceptions, the requirements for advisory and ad hoc initiatives now resemble those of risk-based assurance audits.
The only non-mandatory section of the International Professional Practices Framework (IPPF) is the IIA’s ‘Global Guidance’ which includes non-mandatory information, advice and best practices for performing engagements.
The 5 Domains and 15 Principles of the new International Professional Practices Framework (IPPF)
Refined Purpose of Internal Auditing
The previous Standards focused broadly on the purpose and necessity of standards for internal auditing effectiveness. The 2024 Standards clarify that internal auditing serves to enhance and protect organisational value, guiding adherence to a systematic, disciplined approach.
Stronger Emphasis on Ethics and Professionalism
The 2024 revision introduces a stronger emphasis on ethics and professionalism, consolidating related standards to ensure internal auditors uphold integrity, objectivity, and confidentiality in their conduct.
New Governance Framework
The Governing the Internal Audit Function domain is new in 2024 and underscores the importance of proper governance structures for internal auditing, highlighting roles and responsibilities from the board and executive management in supporting the audit function.
According to the IIA, the new standards aims strengthen governance frameworks to help organisations be more responsive to rapidly changing conditions.
Unified Approach and Leadership Involvement
The standards emphasize the need for a unified approach to internal auditing that involves board or equivalent oversight. This alignment is intended to strengthen the organisation’s overall approach to risk management and optimize assurance and monitoring activities.
Domain III, ‘Governing the Internal Audit Function’, specifies what the CAE must do in order to support the Board and Senior Management to perform necessary oversight responsibilities for an effective IA function.
Each of the Standards in Domain III now define the ‘Essential Conditions’ for the Board and Senior Management that must be present for the IA function to be able to meet its mandate and fulfil the Purpose of Internal Auditing.
Aligning Internal Audit Planning and Performance Evaluation
There is additional focus on the internal audit’s mandate, vision, strategic planning, and performance measurement. This is aimed at ensuring that internal audits are strategically aligned with the organisation’s goals and are effectively tracking and evaluating their findings and impact.
In order to support the organisation’s success and strategic objectives, the CAE must now create and implement an IA strategy that meets the expectations of the Board, Senior Management, and other important stakeholders. Creating a vision, strategic goals, and auxiliary projects for the IA function are all included in this.
Building Trust and Relationships
The CAE must create a strategy for the IA function to cultivate strong relationships, connections and confidence with important stakeholders. Surveys, interviews, workshops, and continuing unofficial contacts with the organisation’s staff are all recommended by guidance.
There’s a greater emphasis on how internal audit functions serve the public interest, alongside new requirements for quality assurance and improvement programs. This reflects a broader scope in the governance role of internal audits.
Execution – Planning, Performing and Reporting
The latest standards enhance the focus on the execution of internal audit engagements, detailing methodologies for risk assessment, engagement planning, and reporting. The standards also incorporate current trends such as cybersecurity and information technology governance
It is now a requirement to have “an engagement conclusion that summarises the engagement conclusion results relative to the engagement objectives and management’s objectives.” According to each unique level of relevance, engagement findings must be prioritised. In the section under “Consideration for Implementation,” ratings and rankings are suggested as an improved practice but are not necessary.
Internal Audit Technology
While the 2017 Standards focused on individual and organisational attributes for effective auditing, the 2024 Standards provide a comprehensive framework on managing audit resources, skills, and technological tools to maintain functionality and adapt to organisational changes.
The chief audit executive must now regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency and to engage with the organisations IT and cyber security functions.
Internal Audit Performance
In order to assess the effectiveness of the IA function, the CAE must set objectives and evaluate IA performance. Example Key Performance Indicators (KPIs) to be taken into account when implementing the Standard include:
- Percentage of the organisation’s key risks and controls reviewed,
- Percentage of internal audit plan (as adjusted and approved) completed on time
- The percentage of recommendations or action plans completed by management
The objectives and KPIs should be a component of the CAEs performance measuring approach, which also needs to involve creating an action plan to deal with problems and areas that might use improvement.
More Flexibility and Relevance
The standards have been updated to be more flexible, allowing them to be more relevant across various industries and geographic regions. This includes specific guidance for public sector audits and smaller audit functions, ensuring adaptability to different global contexts.
Whilst the previous draft Standards were widely considered to be too prescriptive and difficult to implement, especially for smaller IA functions, Chief Audit Executives (CAEs) now have more leeway in how they execute the Standards as many of the “must” have aspects from the draft 2023 Standards have been moved to the “Considerations for Implementation” portions of the Standards.
New Topical Requirements
New guidance addresses contemporary risk areas like Cybersecurity, Information Technology Governance, Privacy Risk Management, Sustainability, ESG (Environmental, Social & Governance), and Third-party Management. These additions aim to help internal audit functions focus on strategic risks and enhance their value to stakeholders.
Emphasis on Quality Assurance and Improvement
There is a renewed focus on continuous improvement and quality assurance in internal auditing, urging functions to implement regular and systematic reviews of their activities and outcomes.
Implications for Key Stakeholders
So what does this mean for key stakeholders like the Board, Audit and Risk Committee and the C suite?
- The 2024 IPPF emphasises a more strategic role for internal auditing within governance frameworks. This includes a greater emphasis on risk management and ensuring that internal audit activities are aligned with the broader strategic objectives of the organisation. This alignment is crucial for ensuring that internal audit provides value in identifying and mitigating potential risks before they impact the organisation.
- There is a renewed focus on ethics and professionalism within the internal audit sector. The 2024 IPPF consolidates standards related to ethical behaviour, integrity, objectivity, and confidentiality. This ensures that internal auditors are held to a high standard of conduct, which is critical for maintaining stakeholder trust and the credibility of the audit function.
- The new framework incorporates contemporary risk areas such as cybersecurity and information technology governance. This update acknowledges the increasing significance of technology in business processes and the associated risks. Ensuring that internal audits cover these areas can help protect organisations against emerging threats and enhance their resilience.
Step-by-Step Guide to Adapting to the 2024 Changes
As a Chief Audit Executive, you play a critical role in transitioning your organisation to align with the new 2024 Global Internal Audit Standards. Here’s our strategic roadmap to guide your next steps:
- Begin by thoroughly understanding the key changes in the 2024 standards that are likely to impact your IA function and organisation. Focus on the restructured domains, new focus areas like cybersecurity, and the enhanced requirements for governance and risk management.
- Conduct a comprehensive review of your current internal audit practices against the 2024 standards. Identify areas of compliance and gaps where enhancements are needed, particularly in the areas of IT governance, ethics, and professionalism.
- Revise your internal audit charter and other key documents to reflect the changes in the standards. This includes updating the audit plan, risk assessment methodologies, and reporting formats. Ensure you enhance your quality assurance and improvement program to ensure continuous compliance with the new standards. Set up regular reviews and audits to monitor adherence and effectiveness.
- Review IA resources and potential capability and training needs.
- Engage with key stakeholders, including the board of directors, senior management, and audit committees, to discuss the implications of the new standards and the expected changes in the internal audit function.
- Clearly communicate the changes and enhancements in your internal audit function to relevant stakeholders. Ensure transparency in how these changes improve governance, risk management, and overall organisational resilience.
- Begin implementing the necessary changes to align with the new standards. This may involve enhancing IT systems, revising governance structures, and introducing new audit tools and technologies.
- Continuously monitor the effectiveness of the new practices and make adjustments as necessary. Stay informed about any further updates from the IIA regarding the standards.
Ready to Transform Internal Audit?
Are you ready to elevate your internal audit function, protect organisational value, and lead with confidence? Your journey towards internal audit excellence starts here. Here is how we can help:
Establishing a new internal audit function: We specialise in setting up comprehensive internal audit systems tailored to your specific business needs and budget. Our expert team provides end-to-end solutions—from assessing your current risk and controls and developing a strategic audit plan to implementing auditing processes that are in line with the new standards.
Co-sourcing: We work alongside your internal audit team on specific projects, providing additional expertise or manpower where needed.
Specialised expertise: We bring specialised knowledge that your internal team might not possess, such as IT audits, cybersecurity, regulatory compliance, insurance, reinsurance, ESG, sustainability and environmental audits.
Technology support: With the increasing integration of technology in auditing processes, external auditors can assist in implementing new audit software, analytics tools, or other technologies that enhance the internal team’s capabilities.
Contact us today to schedule a consultation and discover how our services can help your audit function rise to the challenges of the 2024 standards.