2 January 2025

How to Prepare Your Internal Audit Function for 2025’s New Global Internal Audit Standards

With the new Global Internal Audit standards from the Chartered Institute of Internal Auditors (CIIA) set to take effect for quality assessments starting January 9th, 2025, many organizations are finding it challenging to determine where to begin.

These new standards, in conjunction with domestic compliance requirements, e.g. UK Corporate Governance Code, are reshaping the landscape for risk functions. This means that Internal Audit functions will need to conduct a self-assessment to evaluate readiness for these changes. Failure to do so could result in non-compliance, lack of assurance, and disruptions as you try to catch up. 

In this blog, we’ll outline our key insights from the new Global Internal Audit standards and highlight additional requirements for Internal Audit function compliance. Read on for guidance on how to enable effective internal auditing across a dynamically changing risk landscape and provide increased assurance to senior stakeholders.  

 

How have the new Global Internal Audit standards changed? 

The Chartered Institute of Internal Auditors has revised its code, which now encompasses five domains for the Internal Audit (IA) function and includes 15 principles and 52 standards across all domains. The five domains are:


  • Purpose

  • Ethics & Professionalism 

  • Governing 

  • Managing 

  • Performing

Becoming familiar with these domains and identifying gaps in your current processes and approaches are crucial to aligning with the 2025 requirements. The new standards set by the CIIA align with the UK Corporate Governance Code, US SOX, and other international control compliance requirements, which means that joint compliance will be easier to coordinate.

 

5 key details to note

Turnkey has reviewed the updated Global Internal Audit standards and identified critical changes that will affect your existing audit practices. The key factors and strategies outlined below will help streamline your transition to full compliance. 

  • Support for Control Compliance Reporting Requirements: Internal Audit may need to assist with local control compliance requirements e.g. UK’s Corporate Governance Code, US SOX, or other local requirements. Internal Audit’s role in assurance and risk management will be vital in providing information to support any conclusions reached, especially where material controls will be concluded and disclosed by the Board. 

  • Standard 4.2: Increased Collaboration with Technology Teams: The standard recommends organizations further leverage IA tools and system-based reporting, including continuous controls monitoring, to enhance assurance for material controls disclosures and reduce the laborious nature of certain control executions. We recommend that ongoing controls optimization and automation occur alongside any existing process or technological transformation to reduce the control burden on the business.

  • Standard 9.4: Cybersecurity and Digital Risk Requirements: These represent specific ‘topical requirements’ that must be included in the Internal Audit plan. Where Internal Audit teams identify a need for specialism, aligning with internal or external resources to meet the required level of professional skepticism and challenge in these technical fields is a critical success factor. Cybersecurity and Digital risk should be considered within ongoing risk assessments to identify changes in principal risks or emerging risks. 

  • Standard 13.2: ESG Assurance: Internal Audit must consider and gain assurance over Environmental, Social, and Governance (ESG) factors either through internal teams or external providers. This may require additional alignment to synchronize the work and understanding between Internal Audit and those responsible for ESG assurance. The Task Force on Climate-related Financial Disclosures (TCFD) framework, for example, has shown positive progress from large companies since its introduction. The Financial Reporting Council (FRC) reviewed 25 larger companies more impacted by ESG climate change. While they saw improvements, further advancements such as linking climate risk with other risk management and governance processes have yet to be implemented. 

  • Principle 9: Clear IA Strategy and Plan: All organizations will need to ensure that a clear Internal Audit strategy, plan, methodology, and training are in place. Any known gaps should be identified and clear plans created to address them.

The new standards provide a framework for Internal Audit to deliver significant value by providing assurance across key risk areas in an efficient manner. Audit findings and reports can contribute towards continuous business improvement, transforming the function and the wider organization. This represents an opportunity for Internal Audit to place itself at the center of business change, ensuring a company remains risk focused as it goes through significant wider transformations, e.g. new operating models or system implementations like SAP S/4HANA that present material changes to risks.

 

How Turnkey can support you 

Standard 9.5: Coordination and Reliance calls out that ‘the Chief Audit Executive must coordinate with internal and external providers of assurance services and consider relying upon their work’, highlighting the benefits of minimizing duplication of work and revealing gaps in the coverage of key risks. Turnkey can help provide external assurance whilst navigating the changing IA standards. We provide the right technical skills with controls skills, cyber skills and transformational systems experience to make external declarations with greater certainty. With that in mind, there are a few key ways Turnkey can support you across an Internal Audit function:

  • Technical Specialism: We provide expert advisory across Internal Audit, UK Corporate Governance, US SOX, and other control frameworks as well as technology implementation, cyber risk, and fraud risk support. Our specialist resources can augment your team with specialized expertise such as digital risk and cybersecurity within internal audits. 

  • Self-Assessment EQA Assistance: Turnkey offers an independent assessment evaluating your Internal Audit department against the practices established by the Institute of Internal Auditors (IIA) as part of your mandatory requirements to the Audit Committee. We’ll equip you with recommendations to enhance your Internal Audit function to higher levels of maturity.

  • Internal Audit Maturity Assessment: Our Internal Audit Maturity Assessment identifies gaps between your current approach and the expected standards, and provides guidance on actions needed to meet compliance requirements. This may include policy and process changes or longer-term projects to achieve the appropriate level of maturity for your IA function.

  • UK Corporate Governance Maturity Assessment: We can help you prepare for the UK Corporate Governance Code, benchmarking your current maturity against the COSO Framework and developing areas of the UK Corporate Governance Code (e.g. Provision 29). We provide prioritized recommendations including a plan to meet your target maturity level.

  • Cyber Security Maturity Assessment: Turnkey will assess your current cyber maturity and advise on the target maturity level and possible next steps based on the NIST CSF V.2 framework or another suitable framework. 

 

We are ready to help you achieve optimal efficiency, value, and compliance within your Internal Audit function. Our expert consultants can also assist with appropriate external assurance provider documentation as mandated by the Institute of Internal Auditors (IIA) to ensure your team is fully equipped to demonstrate compliance. Contact our team today to navigate your compliance journey with confidence.