Three Key Actions for Conformance With the New IIA Standards
The updated IIA Global Internal Audit Standards, effective January 9, 2025, presents a unique opportunity for audit teams to reimagine their role and enhance their strategic value. AuditBoard’s guide, IIA Standards Roadmap: 6 Practical Tips to Elevate Your Audit Function, offers actionable insights based on interviews with over 20 audit leaders.
Read on for three actions to get you started on your conformance journey, and download the full guide here for a deeper dive into additional areas of focus, a comprehensive checklist of deliverables, and strategies to leverage technology to streamline your conformance efforts.
Focus Areas for Conformance With the New IIA Standards
Based on our research and interviews with audit leaders, we’ve identified several critical areas where audit teams should focus their efforts to align with the new Standards and elevate their function.
1. Perform an Initial Gap Assessment to the New Standards
To better understand where you want to go, it’s important first to appreciate where you are. Performing an initial gap assessment of your current internal audit process against the new IIA Standards is a good starting point. Here are some resources to help with your assessment.
- To understand the changes between the old and new Standards, the IIA has created a Two-Way Mapping document. Understanding the differences between the old and new Standards may quickly identify areas that require attention and change.
- The IIA’s Conformance Readiness Assessment Tool should also be leveraged to provide additional context for areas of significant change in the Standards. This can be helpful for companies already in conformance with the previous Standards to easily evaluate any gaps in conformance.
- Review the Examples of Evidence of Conformance. In the full Standards document, each Standard has a section called “Examples of Evidence of Conformance.” The examples provided are not requirements but a great resource of suggestions and inspiration for what is needed to prove conformance with the principles of each Standard.
- Make the gap assessment a team event. Many internal audit teams are engaging their members by assigning them different domains, principles, and standards to review. Team members will share their perspectives and their initial gap assessments, involving everyone in the process. This approach not only helps improve the internal audit process, but also creates more buy-in for the agreed changes.
- Develop a detailed action plan with action items broken down by category (e.g., people, process, technology) and assign owners to each section with specific deadlines.
AuditBoard’s IIA Standards Gap Assessment Template
AuditBoard has created an out-of-the-box IIA Standards Gap Assessment template containing all of the Standards’ requirements and examples of conformance. This template helps internal auditors streamline the process of performing their initial gap assessment to the new Standards and documenting action plans to address identified gaps.
- AuditBoard customers can find the IIA Standards Gap Assessment template in the Help Center — or reach out to your customer success manager.
- Not an AuditBoard customer? To see it in action, schedule a personalized walkthrough.
2. Create and Document Internal Audit’s Strategy
Perhaps the biggest change of the new IIA Standards is found in Standard 9.2 Internal Audit Strategy; specifically, that the CAE must develop and implement an internal audit strategy. To do so, many CAEs are creating and documenting their internal audit’s strategic plan.
As Richard Chambers wrote in a recent article on internal audit strategic planning, “Strategic plans exist to help you ask the right questions, assess your options for responding, get everyone on the same page, and proceed accordingly.”
In AuditBoard’s 2024 Focus on the Future Report, Richard Chambers also cited that only 20% of internal audit teams have a well-defined and comprehensive strategic plan. If you are part of the 80%, here are some steps to help build out or further formalize your plan.
Start with the three must-haves.
- Internal audit’s vision should describe the desired future state. Example: “To be recognized as a proactive and trusted advisor, contributing to organizational resilience and integrity through assurance and advisory services.”
- Strategic objectives can be determined by strategies to address gaps identified in your initial gap assessment, or other initiatives that are aimed to up-level internal audit’s performance and achieve its desired state. Example: “Enhance audit effectiveness and influence by leveraging advanced data analytics and technology.”
- Supporting initiatives can revolve around development of competencies, skills, and advancement of technology. Example: “Implement an audit management software solution and data analytics tool to enhance audit capabilities and deliver deeper insights into data and risks.”
Use the Strategic Plan as a basis to obtain needed skill sets, competencies, and budget.
- Does the internal audit team have an established process to recruit, develop, and retain team members that have needed competencies or skill sets to carry-out audit projects on the proposed internal audit plan (Standard 10.2 Human Resource Management)?
- Is the Human Resource Plan supported by a process to obtain needed subject matter expertise when the internal audit team does not have the needed competencies and skill sets (Standard 8.2 Managing Resources)?
- Does the internal audit team have necessary technology to support the achievement of internal audit’s vision and strategic objectives timely (Standard 10.3 – Technologies Resources)?
- Does the internal audit budget include enough resources to support the human and technology resources needed to achieve internal audit’s vision and strategic objectives?
3. Strengthen the Internal Audit Planning Process
The new IIA Standards demand a more risk-focused internal audit function, which is pushing many teams to change their approach to developing the internal audit plan.
Historically, many internal audit leaders created an audit plan by:
- Interviewing stakeholders to identify their organization’s main risks.
- Ranking key risks based on quantitative assessments of a risk or audit universe.
- Assessing past control performance and audit focus.
- Proposing an audit plan.
However, many of the audit teams we spoke with are using the updated Standards to streamline their risk assessment and audit plan development. Some specific changes include:
- Collaborating with the strategy and planning functions to understand strategic initiatives and areas of significant investment.
- Using purpose-built technology to solicit risk data from a larger number of key stakeholders.
- Evaluating, measuring, and documenting risk scores exceeding risk tolerance.
- Evaluating risk via a risk universe and mapping key enterprise risks to responsible auditable entities in an audit universe.
- Assessing if assurance providers (internal or external) have already done or plan to do work for each key risk, then deciding if internal audit can rely on their work.
- Choosing the appropriate assurance or advisory service to fulfill the audit plan’s needs as they evolve.
- Evaluating the internal audit team’s skills, and if needed, consider additional training or engage external experts.
- Focusing on strengthening collaboration between internal audit and other risk assurance functions, such as a single standardized risk scoring methodology or a single aggregated view of risk trends across the organization.
- Focusing on stronger alignment between the organization’s top risks and audit activities.
- Focusing on developing an adequate understanding of risks relevant to audit engagements (Standard 13.2).
Leveraging the IIA Standards to Elevate Internal Audit
By focusing on the key areas outlined in the guide, IIA Standards Roadmap: 6 Practical Tips to Elevate Your Audit Function, and leveraging appropriate technology solutions, audit teams can not only align with the new Standards but also transform their function to deliver greater value to their organizations.
The most forward-thinking audit shops are leveraging the Standards to campaign for more audit resources, including increased headcount and advanced technology solutions such as data analytics, audit management technology, and governance, risk management, and control process mapping applications.
Discover additional focus areas and take a deeper dive into strategies employed by leading audit teams and how to implement them in your organization by downloading the full guide: IIA Standards Roadmap: 6 Practical Tips to Elevate Your Audit Function.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.
Vi Tran, CPA, CIA, is a Product Marketing Manager at AuditBoard, where she leverages her background in audit and internal controls to enhance marketing strategies and outreach efforts. Prior to joining AuditBoard, Vi served as an external auditor at PwC, Internal Controls Senior Analyst at Targa Resources, and Associate Manager at The Siegfried Group. Connect with Vi on LinkedIn.