IIA Standards Conformance: Perspectives on Frequently Asked Questions
With the deadline to conform to the new IIA Standards set for January 9, 2025, internal audit leaders are strategizing to ensure compliance. Organizations prioritizing the new Standards have already begun their gap assessments; however, many are just getting started. I recently interviewed three audit leaders to discuss their transition to the new Standards.
In this article, I will share insights from Kristen Kelly (Director of Internal Audit and Financial Advisory at Protiviti), Adam Heppe (Director of Data Analytics & Audit Operations at Boeing), and Jon Taber (Internal Audit Manager at Casey’s) on how they’re approaching preparation, the Quality Assessment Review, key areas of change, and enabling technology.
Read on for perspectives on frequently asked questions about IIA Standards conformance — and download IIA Standards Roadmap: 6 Practical Tips to Elevate Your Audit Function for a deeper dive into six areas of focus, a comprehensive checklist of deliverables, and strategies to leverage technology to streamline your conformance efforts.
What are other organizations doing in preparation to conform to the new Standards?
Generally speaking, if you hope to conform to the new IIA Standards, your team should be in conformance by 1/9/2025. Some forward-thinking companies that deemed the Standards very important would have started the gap assessment in the first quarter of 2024, and some would even have completed a gap assessment of the proposed standards last year, to provide plenty of time to implement any needed improvements and make documentation updates before January of 2025.
However, for the vast majority of us, this perfectly laid-out plan is not a reality. So where are audit teams on their conformance journey? A June 6, 2024 flash poll of 1630 audit professionals found that just over 10% had completed gap assessments, with 27% having just started the process. What’s clear from the poll is that the vast majority of us still need to take action on the Standards.
- If you’re a part of the 26% who have yet to read the Standards — it’s a good start that you’re reading this! We’ll do our best to convince you that conformance to the Standards is a worthwhile endeavor.
- If you find yourself a part of the 37% who have read the Standards (but not much else) or the 27% who have started on the gap assessment — you’re on the right track, but you’re going to need to take action now.
While extensive, the transition is more manageable if broken down and tackled systematically. Adam Heppe emphasizes, “I cannot stress enough the importance of early action and collaboration. As an initial step, engage several team members to perform a gap assessment. Even a small team can realistically manage the task within a week.” This proactive approach will ensure that you are well-prepared for the transition.
Jon Taber offered these words to auditors who might be feeling overwhelmed: “Keep three things in mind. Number one: don’t sweat. If you were conforming before, you’ll likely be conforming now. Number two: do a gap analysis. Number three: involve your team. Don’t make it a one-person exercise. By involving your team, you’re going to get more engagement, they’ll understand why, and it will be easier for you to execute on the plan.”
Conformance is a team sport — keeping this top of mind as you embark on the journey will lead to better outcomes for yourself, your team, and your organization. From conversations with multiple other audit leaders, the consensus is that it will take an internal audit team 50–60 hours to complete the gap assessment and document an implementation action plan to conform.
How are teams approaching their Quality Assessment Review if they are due this year or next?
At a minimum, an external Quality Assessment Review (QAR) is due once every five years; an internal QAR is due once a year. Because of the significant changes to the Standards, many internal audit leaders are performing their gap assessments as part of their internal QAR efforts.
In addition to providing insight on potential gaps and prioritization, external firms like Protiviti are able to assist with areas such as better defining and formalizing strategic plans, performance objectives, training plans, skillset assessments, and reporting, among other activities. Kristen Kelly points out that “Many organizations are in the process of conducting gap assessments and seeking external consultation to help mitigate the risk of non-conformance.”
A number of organizations that are due for external QARs in 2025 or 2026 are accelerating those into 2024 and opting for a review under the 2017 Standards. This allows for additional implementation time before the next external assessment and allows assessors to also provide insights on gap assessments against the 2024 Standards and other best practices derived during the QAR process.
A June 13, 2024 flash poll of 814 internal audit professionals found that half of those surveyed acknowledged conformance through internal and external QARs in the past, which means that the other half were not fully conforming, because the Standards required an internal and an external QAR. Audit departments that were not previously conforming will have some ground to make up when aiming for conformance with the new Standards, which underscores the importance of starting early and completing a gap assessment.
What are the greatest areas of change within the Standards when planning for conformance?
While the new IIA Standards cover the same themes as the prior version, there are notable differences to consider when planning for conformance. For example, the new Standards place significant responsibilities on the board and senior management. A June 6, 2024 flash poll of 207 internal audit professionals who had already completed or were in the process of completing their gap assessment revealed that strategic planning and metrics, communication with the board, and better GRC process understanding are top areas needing attention.
Strategic Plan and Metrics
Richard Chambers recently noted that “only one in five functions (20%) say they have ‘a comprehensive, well-documented strategic plan’ looking out three to five years.” If you are part of the 80%, you can take steps to meet this requirement. Adam Heppe says, “Having a strategic plan formalizes internal audit’s strategy and initiatives that enhance our value and contribute to the broader enterprise’s strategic initiatives.” Measuring performance against the strategic plan requires audit leaders to rethink the metrics they report to the board.
Meaningful metrics are more risk-focused. For example, we can report metrics such as the number of audit projects focusing on enterprise key risks and the number of issues remediated vs. still outstanding associated with key risks to the organization. Some audit leaders are also introducing the concept of leading and lagging metrics, with leading metrics helping to predict future outcomes and take proactive measures, while lagging metrics confirm trends and measure the results of past actions.
Communicating with the Board
One area of the new Standards causing concern among many organizations is Domain 3 – Governing the Audit Department. Some may feel that The IIA is putting internal auditors in a difficult situation by having them dictate how to manage the audit department to their boards and senior management teams, but a mindset shift is in order here. As Adam Heppe points out, “This domain is really about building the partnership between the internal audit function and the audit committee. This domain is a way to enhance and grow that relationship.” The IIA also acknowledges that the relationship between the CAE and the board is a partnership, and it recently released specific guidance and a toolkit for internal audit leaders to use when working toward conformance in this area.
Better Understanding of GRC Processes
The new Standards require internal auditors to understand the organization’s GRC processes to develop an effective internal audit strategy and plan. Companies succeeding in this area will likely build strong relationships with second-line teams like ERM, internal controls, and compliance. Jon Taber shared that his organization “meets monthly with second-line teams to hear their concerns.”
Also, as outlined in Standard 9.5, Kristen Kelly reminded us that “Now is a good time to refine procedures for reviewing work done by different providers and considering reliance on their work. We can identify potential overlaps or gaps in assurance coverage across the organization through that coordination.”
Finally, some internal audit teams are obtaining a better awareness of their GRC processes by being a driving force to lead their organization’s connected risk strategy. Specifically, these forward-thinking audit leaders are identifying and mapping out key data, teams, and responsibilities to identify who owns what, which risks are covered by more than one team, and which risks lack coverage. Armed with a clearer understanding of their organization’s GRC processes, auditors can help drive awareness of key audit, risk, and compliance roles and responsibilities on the first lines, as well as consolidate work performed by the second and third lines — with the ultimate goal of providing more reliable GRC information to executive management and the board.
How can technology help with conformance to the Standards?
The new Standards now require audit teams to document a technology plan, and audit management technology like AuditBoard plays a crucial role in helping internal audit teams achieve conformance to the new Standards. These solutions provide a centralized source of truth, consolidating all documents and supporting evidence in one location and streamlining the audit lifecycle through improved risk assessments, testing workflows, and issue remediation. A key capability to look for is support for resource planning, enabling audit teams to better align resource skill sets to audits on the project plan and track training hours per resource.
When this technology is part of a larger connected risk platform with a centralized data core used across multiple second- and third-line functions, it further aligns the coordination of information, teams, and processes. Adam Heppe said, “Connected risk technology is the only enabler to get everybody on the same page” by connecting teams to key organizational risks and their mitigating controls. This technology empowers audit teams and makes the conformance process more efficient.
Seize the Opportunity to Take Internal Audit to New Heights
Internal audit leaders should view the new IIA Standards as more than just a compliance exercise — they are an opportunity to drive positive change. By adopting a proactive approach, conducting thorough gap assessments, and leveraging technology, audit teams can enhance their functions and secure necessary resources for continuous improvement.
Now is the perfect time to baseline your program, benchmark against your peers, and gain consensus with the senior management team and the board on improvement areas. Let’s embrace this chance to drive internal audit transformation and achieve excellence.
To take a deeper dive into IIA conformance strategies employed by leading audit teams and how to implement them in your organization, download AuditBoard’s IIA Standards Roadmap: 6 Practical Tips to Elevate Your Audit Function.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together.