How to plan for implementation and build stakeholder support
Internal auditors will soon have a new and comprehensive framework for their work, guiding them as they develop a holistic function that works in sync with the organization’s strategy, making full use of technology, analytics and automation.
The change becomes official on Jan. 9, 2025, when the latest updates to the global standards issued by The Institute of Internal Auditors go into effect. It is the first such revision in seven years, and it includes a significant regrouping and rewriting of the guiding documents for internal audits, as well as a new focus on emerging areas for risk management.
“There's been a journey to really transform the standards to align with the needs of the modern-day auditor,” said Monica Nickel, Grant Thornton Advisors LLC Risk Advisory Senior Manager, who joined other professionals from the firm in a recent webinar to explain the new standards and how best to implement them.
The updated standards are grouped into five domains, which include 15 principles and 52 standards. Also new is the introduction of Topical Requirements. These are standards for special risk topics such as cybersecurity, ESG, IT governance, etc., and are only relevant when the audit plan includes these areas.
The five domains cover:
- Internal audit's purpose and value.
- Ethics and professionalism.
- Governance of the internal audit function, including the activities of the board and senior management that are essential to the internal audit function’s ability to fulfill the purpose of internal auditing.
- Managing the internal audit function, including strategic planning and quality management and measurement.
- Performance of internal audit services, from planning and conducting engagements to communicating results and monitoring action plans.
Along with focusing on collaboration with the board and senior management, the standards emphasize three things: internal audit functions collaborating with organizational stakeholders as part of supporting the organization’s risk management strategy, an increased focus on the use of technology, and measuring conformance with the standards.
The IIA also designed the principles and standards for practical application: they account for situations that may not allow for perfect compliance, and for special considerations applicable to smaller audit shops and those operating in the public sector. In addition, the standards document facilitates compliance by including considerations for implementation and examples of evidence of conformance.
Steps to get started
With deadlines fast approaching, internal audit must lay the groundwork for change — both within the internal audit function and beyond.
Level setting
“As a CAE, before you start developing a strategy for implementation, you must be honest with yourself and understand your current level of compliance,” said Kevin Stoutermire, Risk Advisory Managing Director for Grant Thornton Advisors LLC. Historically, if you have made it a point to be generally compliant with the previous standards, kept up with your QAIP, had regular EQAs/SAIVs, etc., then the new standard will not be much of an uplift. However, if you are a newer audit function, or the issuance of the new standards is the catalyst for you to start your compliance journey, then your strategy for compliance will take longer and you will need to develop a structured plan with defined milestones along the way. Take your time, but be intentional. Full compliance with the standards involves others outside internal audit, so you will need to get them on board as well.
Review the standards
Implementing the new standards starts with a bit of reading.
The first step is to familiarize yourself with the standards. The full standards document contains requirements (“must” do’s), considerations for implementation, and examples of evidence of conformance. It is important that you clearly understand the distinction between the requirements (the standards) and evidence of conformance, so you do not take unnecessary prescriptive steps. When assessing readiness, chief auditors will want to read the entire document. However, as you develop your implementation strategy, reading the IIA’s condensed summary, which contains only the standards, is a good starting point so you have a clear understanding of what is actually required.
The goal is to become familiar with the standards, while thinking through their application to a particular organization. Understand that nonconformance does not always mean noncompliance; the standards often allow for compliance with the “intent” rather than the strict wording of the document.
The CAE’s initial review should also include a focus on delegation: which areas of the new standards are required to be completed by the CAE, and which ones can be delegated to other members of the internal audit team.
Understand gaps in the standards
Conducting a gap assessment will help clarify your next steps. This assessment is about looking at your overall processes and procedures as they compare to the new standards.
If you are a mature audit function, “don’t make this a cumbersome exercise. It really is just taking a step back,” Stoutermire says.
As a CAE, ask yourself, “Am I really where I want to be? How can I use the standards to move me along a little faster, or in a different direction?”
A self-assessment can also identify potential new templates, new uses of technology, and general ideas for changes to organizational structure.
Make a plan
Next, it is time to get specific by developing a strategy and timeline for adopting the new standards as you understand the steps that need to be taken to address the gaps identified. Before you start making wholesale changes, recognize that you’ll probably find that “most of the time, you're probably already doing a lot of what’s required and it's just a matter of documenting them,” Stoutermire said.
This also is an opportunity to reassess internal audit’s mandate and charter — reviewing how they align with the organization’s overall strategy and with the standards.
As a plan and timeline for implementation develops, keep technology top of mind. The new standards are a chance to better integrate technology, but it is also important to keep your organization’s constraints in mind during this process.
“Make sure your plan aligns to not only the size of your organization, but with the information technology resources that you have on hand,” said Stephen Logan, Grant Thornton Advisors LLC Risk Advisory Director.
Outside organizations can support the development and execution of strategic changes, both through outsourcing and co-sourcing.
Get others engaged
Changes to internal audit will require support from other stakeholders. An implicit concept of the new standards is that it takes a village for an internal audit function to be most effective. While internal audit is a third-line function, its effectiveness within the organization’s overall risk management process is based on a carefully orchestrated role relative to those charged with risk oversight and those charged with risk management. The new standards set expectations for the board and senior management that are essential for the internal audit function’s ability to fulfill its purpose. For example, the board must act as “champions” for the internal audit function.
Conversations with the board, as they are introduced to what the standards require them to do, should be carefully managed. The conversation should never begin with an absolute “mandate” from internal audit related to what they must do because the IIA said so, Stoutermire said. Instead, he advised the following steps:
- Begin with a quick introduction of the new standards, including high-level differences with the previous standards, and your strategy for compliance.
- Later, update leadership with the results of internal audit’s self-assessment and strategy for addressing gaps.
- Finally, while the standards identify essential conditions that include responsibilities of the board and senior management, explain these in the context of how the board and senior management can help maximize internal audit's effectiveness at strengthening the organization’s ability to create, protect and sustain value.
“Taking this approach, taking it step by step, and bringing them along will probably be the most effective way of communicating with them,” Stoutermire said, adding that it is important to provide options and acknowledge the board’s authority.
“Be a good partner with the board and seek organizational alignment through continuous communication,” Logan added.
The new standards also can be a catalyst. They can reignite engagement with the rest of the organization. While the rollout of the new standards is an exciting time for those who have been living in the risk and controls space, Stoutermire acknowledged that the topic can be “a bit of a sleeper” for functions outside audit that historically may have been somewhat disconnected from the standards. The solution is to reconnect with other stakeholders and explain not just how the new standards will affect the internal audit function, but how the changes will facilitate internal audit providing a better service and being a better partner to them.
Contacts:
Kevin E. Stoutermire
Managing Director, Risk Advisory Services
Grant Thornton Advisors LLC
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.