Preparing for the new Global Internal Audit Standards: Insights and Strategies for Internal Audit Functions

Over the break, I want to bring together some various elements of Internal Audit and share personal professional insights with my LinkedIn network.? This is something I feel passionate about, and I hope that you will be kind enough to comment and share your views and improvements on my weekly blog.

Why now?

As many of you will already know, the Global Internal Audit Standards (GIAS) are due to be finalised in January 2024.? These standards signify a crucial development for Internal Audit functions worldwide.? They will provide more stringent guidance for Chief Audit Executives (CAEs) when they come into force from the start of 2025.

My blog posts will serve as a guide for readers to understand the significance of these new standards and the need for a gap analysis to be conducted in early 2024.? This is an important opportunity to map out ways you wish to improve your Internal Audit function to make it 'future proof'.?

What is the current state of Internal Audit?

The gap analysis that you undertake might assume that the current state of Internal Audit is good, or at least adequate, and the improvements you have in mind are only about uplift against the new GIAS.? Recent worldwide benchmarking of Internal Audit functions that I conducted suggests that not all functions may be ready for such an uplift: a few gaps exist.?

How will I break this topic down for the reader?

My posts aim to provide insights and recommendations to enhance the efficacy of Internal Audit functions, ensuring they are well-prepared for the impending GIAS.

It will delve into the varying effectiveness levels of Internal Audit functions globally, covering both foundational elements, like the establishment of these functions, and more dynamic aspects, such as strategy, annual planning and reporting.

Foundations would include the establishment of the Internal Audit function, from the IA charter and the IA Universe to an IA methodology and different ways of providing appropriately skilled resources and adequate budget for the function.

Dynamic aspects would include the IA Strategy, and Annual Risk Assessment and Planning, plus the execution of different types of engagement to deliver results.? I feel that Board Audit Committee reporting is also worthy of some focus, as well as different methods to create, track and validate recommendations.

If you have any suggestions or thoughts on what you might like me to cover, please don't hesitate to contact me.

Foundation Topic 1: Strengthening Internal Audit’s Brand, Mandate and Governance

The foundational topic I propose to start with is the Internal Audit Charter.? This first topic will focus on the key role IA Charters play in guiding the IA practice, and how charters and functions differ.? Preparing this blog, it did occur to me that even for internal auditors, IA Charters could be a bit of a dry first topic.? Conversely, I do believe in being intellectually curious, so no matter what we look at it will become interesting once we really get into the subject matter.

Governance has been evolving rapidly, and this is not likely to stop any time soon.? IA Charters are a cornerstone of the brand, mandate and governance of IA functions themselves.? They are important to keep up to date and adapt to growing expectations.

IA standards have also developed, with the existing IPPF in effect since 2017, as well as the current International Standards for the Professional Practice of Internal Auditing. The GIAS is due to be published digitally in early 2024 and come into effect in 2025. IA charters have also been developing to align to organisations' strategies.? The Australian Stock Exchange (ASX) Corporate Governance Code Edition 5 is expected to be published soon, and we anticipate it will ask all ASX companies to comply or explain with the recommendation to have an IA Charter.

With the move to the to GIAS, many points where the ‘CAE should...’ will change to stronger wording that the ‘CAE must...’, so I want to support all of you in preparing for uplift and to perform well in your annual Internal Quality Assurance and External Quality Assurance at least every five years.?

A few other publications in Australia you might like to consider when reviewing your IA Charter could include the Australian Institute of Company Directors (AICD) 3rd Edition of Audit Committees, A Guide to Good Practice (2017), plus the IIA-Australia’s publications on Managing Culture, A good practice guide (2018) and Auditing Risk Culture, A practical guide (2021).

Key contents of an Internal Audit Charter – for an initial ‘gap analysis’

Current State:

One place to start our review of the current state of the Internal Audit Charter could be the existing IPPF and IIA guidance.

The IPPF (2017) defines an Internal Audit Charter as:

A formal document that defines internal audit’s purposes, authority and responsibility. It establishes internal audit’s position within the organisation; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

The IIA-Australia has published an IA charter template that includes seven ‘vital components’:

1.????? Mission and purpose;

2.????? Professional standards (for the practice of internal auditing);

3.????? Authority,

4.????? Independence and objectivity;

5.????? Scope of IA activities;

6.????? Responsibility, and,

7.????? Quality assurance and improvement program (QAIP).

My insights are based on Financial Services Internal Audit Charters in the UK, France, the Netherlands, Hong Kong and Australia.? I identified that existing IA Charters sometimes omit aspects of the seven ‘vital components’, as follows:

To help with your assessment of the current state of your IA Charter, consider using the IIA-Australia template (try this link) and focusing on elements 1, 2 & 7 above, which my research identified as typically weaker areas.

In terms of conformance to the requirements of Attribute Standard 1000 as part of periodic review by the Chief Audit Executive (CAE), consider the following definitions, including 1000.A1 and 1000.C1:

1000: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

1000.A1 – The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

?

Future State:

When considering the future state, and gap analysis of the IA Charter, we could refer to the current draft of the proposed GIAS definition of an Internal Audit Charter as:

A formal document that defines the internal audit function's mandate and other requirements.

I would recommend leveraging the existing guidance as a starting point, then conducting your gap analysis in early 2024. With so many changes a roadmap or summary-level plan to implement the changes could be helpful.