The 2024 changes to the IIA Standards are the biggest in a generation. Here are seven things you really need to know.
In the last 12 months, the Institute of Internal Auditors embarked on one of the largest reviews of their standards.
While the standards have held up well, their previous focus was more on conformance than performance.
I often used to say that perfect compliance with the IIA Standards without an equal focus on performance was a recipe for the board and management hiring a new Chief Auditor.
After nearly 25 years of this view, I am no longer convinced that this is true.
That’s a big deal.
There has been a shift from conformance (how you need to work), to performance (what you want to achieve) and a lot more along the way.
Here are seven things you need to know.
1. There’s an annual assessment due in January 2026
An annual assessment/report to the Board is required on the standards. The starting gun will be fired in January 2025, so you’ve got until January 2026 to report out.
At least annually, the chief audit executive must communicate the results of the internal quality assessment to the board and senior management.
This annual assessment should cover:
- The internal audit function’s conformance with the Standards
- Achievement of performance objectives
- Organisational independence
As the standards are effective from January 2025, this gives you until January 2026 to get ready. The IIA even has a countdown clock on their standards page to remind you of the starting date. It’s just over 95 days until the starting whistle at the time of penning this article. Time to get across this and get it programmed in.
2. Prescriptive reporting and engagement with “the Board”
The board reporting and engagement are prescriptive and detailed. Make sure you get across it. But do it within your strategy and meaningful engagement.
In most organisations, the board means the Board Audit Committee or the head of the organisation if you don’t have a board.
The Standards provide details on what proper reporting and engagement between the board and internal audit look like. Much of it is now mandatory. For example:
- The internal audit plan and budget and subsequent significant revisions to them.
- Changes potentially affecting the mandate or charter.
- Potential impairments to independence.
- Results of internal audit services, including conclusions, themes, assurance, advice, insights, and monitoring results.
- Results from the quality assurance and improvement program.
These things need to be done, but don’t go to them with a list of things to do or with all of it at once for the sake of compliance. Couch it in something useful and meaningful. You’ve got 12 months to work with, so phase it well and make it count. A review of your strategy might be the best way to sequence and get in front of this.
3. Internal Audit needs a Strategy
Alignment and expectation gaps are perennial. Unless nothing changes (including stakeholders) you’ve got to work at this constantly to stop gaps forming. The strategy gives you an opportunity to do so. Use it.
The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organisation and aligns with the expectations of the board, senior management, and other key stakeholders.
Yes, that’s not a 3-year audit plan or an external audit strategy about materiality and risk of significant misstatement. It’s a deeper conversation with internal audit’s stakeholders on what the organisation wants and needs from its investment in internal audit. Why internal audit exists, what outcomes it wants, how it works with others and how it wants it done.
Practice and expectations evolve constantly, and even more so when stakeholders or context change.
This is a chance to get everyone on the same page and get a budget and support to match.
Strategy and stakeholder alignment is core business for us. Get in touch if you need a hand getting everyone on the same page.
4. Performance Measures. And not just the old tired ones.
Measure what’s important and not just what’s easy to measure. This comes from your strategy and what the organisation wants and needs from internal audit.
“The chief audit executive must develop objectives to evaluate the internal audit function’s performance. The chief audit executive must consider the input and expectations of the board and senior management when developing the performance objectives.”
There are top-line measures. Things like improving control environment or management capability, reducing leakage, maybe improving quality and performance in your wake, firming up the 1st and 2nd lines, or intentionally leaning into some of these roles. These link to the strategy and mandate. These are why internal audit exists.
Then there are efficiency measures, like coverage and turnaround times. They’re important to keep things ticking at a vibrant pace.
And then there are potentially meaningless ones like how many CPE hours the audit team took while eating tea and biscuits instead of whether the team is match-fit and fit for purpose.
It doesn’t matter how efficient you are if you’re looking at the wrong areas and not making an impact. Measures that don’t address relevance and impact are quickly seen through by experienced stakeholders.
Align your measures with the strategy, and then backstop it with the efficiency measures. Pin these down and refresh these when updating your strategy. Get agreement in context, not as a separate exercise.
5. Tech-enabled everything
Tech is no longer an afterthought or a bolt-on. It needs to be built in by design and into every audit and every team.
This was always coming. It now appears in three different places.
Your strategy needs a technology strategy, and not just the same old stuff that people have been doing or thinking about for years. Time to beat the bushes, set up the skunkworks, explore, experiment, test, learn and see what’s possible.
And do it by design in every step, and not as an afterthought or solely for the tech person in the corner.
6. Coordination with others
Coordinated assurance has always been a challenge. IA now needs to step up and lead or find its role alongside the other lines of assurance.
The chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimises duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by providers. If unable to achieve an appropriate level of coordination, the chief audit executive must raise any concerns with senior management and, if necessary, the board.
Internal Audit plays the role of working with and reviewing the other two lines of defence.
The role of reviewing others is challenging but clear. Partnering can be more challenging. Assurance mapping is essential to avoid unintentional gaps and duplication. This is a project, and it needs sponsorship. Put it in your strategy.
7. There’s a lot in the Standards
The Standards are elegant to explain – 15 Principles grouped in 5 sections. But they’re also a beast of a thing to implement. They need a dedicated project until they’re embedded. Put outcomes at the centre. Tick box won’t get you where you need to go.
Yes, it looks innocuous and pleasant. Easy to read even. But it’s a bigger beast than you thought when you have to implement it.
Here are the stats:
- 15 Principles in 5 Sections (That’s more than 1 a month)
- 52 Standards: 2-6 Standards per Principle (What you need to comply with – that’s one a week)
- 223 Mandatory Requirements within the standards (What you must do, or have a very good reason not to – that’s one for every working day of the year)
- 226 Additional things you’re strongly encouraged to do (What IIA says you should do, or be able to explain why not)
Simply put, you can’t add this to the end of the day’s to-do list and expect to get it done. It needs a dedicated focus between now and January 2026 (or by January 2025 if you want to comply from day 1).
If done well, internal audit should be much more match-fit, aligned, engaged and delivering outcomes. But it needs investment now. Otherwise tick-box compliance is an (expensive) missed opportunity.
The five sections allow for clear deployment and allocation. Get additional help if you need it.
If you need help working out how to do this in a way that puts outcomes and stakeholders at the centre, please get in touch.
8. Wait, there’s more – Topical Requirements
IIA has a proposal for even more (conditional) mandatory requirements through their Topical Requirements. In our view, this is a bridge too far. You can read our blog on why the Topical Requirements are a bad idea which explains what they are, why they matter and what you can do to help the IIA get everyone to a better place.
Additional resources
The Davies Report is our infrequent digest of what we’re seeing and doing on risk and assurance.
You can subscribe and see previous articles here or get the latest updates by following Todd on LinkedIn.