Key to Conformance

Sep 30, 2024 · 34 min · Season 2, Ep. 17

Episode description

All Things Internal Audit: Key to Conformance


The Institute of Internal Auditors Presents: All Things Internal Audit

In this episode, Liz Sandwith talks with Lauressa Nelson about the changes in The IIA's new Global Internal Audit Standards. They discuss how internal auditors can prepare for these changes, the challenges they may face, and practical strategies to ensure conformance by Jan. 9, 2025.


Guests:

Liz Sandwith, CFIIA, managing partner, Sandwith Internal Audit Services and a former member of the International Internal Audit Standards Board


Host

 Lauressa Nelson, senior manager, Professional Standards, The IIA

Key Points:

  • Introduction to the New Standards (00:00:02 - 00:00:23)
  • Current State of Readiness (00:00:31 - 00:01:29)
  • Challenges in Conformance (00:01:29 - 00:02:24)
  • Strategies for Preparation (00:02:24 - 00:03:37)
  • Behavioral Standards and Evidence (00:06:03 - 00:07:19)
  • Purpose and Domain 1 (00:08:30 - 00:10:04)
  • Governing the Internal Audit Function (Domain 3) (00:11:36 - 00:13:17)
  • Internal Audit Strategy (Domain 4) (00:17:44 - 00:19:02)
  • Quality Assurance and Improvement Program (QAIP) (00:25:04 - 00:26:57)
  • Coordination and Reliance (Domain 5) (00:27:12 - 00:28:41)

The IIA Related Content:
Interested in this topic? Find more articles and resources to support internal auditors conforming to the new standards below:

Ethically Mastering the Global Internal Audit Standards
Navigating the Global Internal Audit Standards

Check out the October issue of Internal Auditor magazine for Liz Sandwith’s article, “Ready to Conform,” packed with practical advice for meeting the new standards by January 2025.   Visit The IIA's website or YouTube channel for related topics and more.

Resources Mentioned:

Follow All Things Internal Audit:

Apple Podcasts
Spotify
Libsyn
Deezer

Transcript

The Institute of Internal Auditors presents All Things Internal Audit. In this episode, Liz Sandwith talks with Lauressa Nelson about the changes in The IIA's new Global Internal Audit Standards. They discuss how internal auditors can prepare for these changes, the challenges they may face, and practical strategies to ensure conformance by January 9th, 2025. Hi, Liz, thank you so much for joining me today.

I'm excited to have this conversation. Thank you very much for inviting me, and I'm really looking forward to sharing some thoughts. So we are coming closer and closer to the official effective date for the new Global Internal Audit Standard. So how are you sensing that people are preparing, how are they feeling about it? Are internal auditors feeling that they're ready?

I think it would be fair to say probably no. So I'm, I'm saying generically, no, I think some sectors, financial services sector probably, you know, got it. Well and truly, um, sorted because they will have a professional practices team that will support the internal audit function in conforming with the standards. Some of the public sector no, and some smaller private sector, and certainly some of the charities are not there yet. I did, um, a, a webinar today.

I did one last week, and in both, more than 33% haven't even read them yet. Really?

So I, I think there is, there are challenges in terms of, I sort of think, and I, I don't think it was confused in any way, shape or form, but I'm sensing that people think, ah, right from 9th of January, 2025, I now need to start doing something about conforming. They haven't seen 2024 as a transition year in terms of taking time to read them, do a gap analysis, understand where they're weak, where they're strong, what they need to do. I think they've just thought, oh, right.

And they'll start in January next year. Right. I think the challenge is going to be if they've recently had an external quality assessment, maybe 2023 or indeed this year, I think in their heads they're probably thinking we're good for the next three or four years, so we can, um, embed the standards in our own time, whereas if they've got an EQA due this year, they're beginning to panic a little.

Right. Um, you know, and what I've been saying to people I talk to, because you've given them options, either make sure you do it this year and do it in accordance with the IPPF 2017 or then, or delay it and do it in 2025, but maybe do it later in the year rather than beginning of the year.

Uh, and I think a, a number of people, what they've done is they've brought forward their, um, external quality assessment to 2024, but they've also asked who's ever doing the external quality assessment to do a validated self-assessment of a gap analysis that they've done in relation to, you know, how far are we from conforming with the, um, with the new global internal audit standards.

I did one of those for a customer quite recently, um, a large organization, and they, they had a EQA this year, and I did the gap analysis, and they have a lot of work to do. Wow. Okay. Well that is very interesting. How does this gap analysis idea work? So for people that are saying, boy, I wasn't thinking about this, but January 9th, 2025 is almost here, what would you recommend to, for them to get started right now doing?

I think what I would suggest is think about, um, when you last had your EQA or your external quality assessment, what, where were you strong? Where were you weak? So I I I would almost link it to a SWOT analysis. What were the, what are the strengths of the internal audit function? What are its weaknesses? Are there opportunities to use the global internal audit standards to raise their bar? And are there some threats?

Maybe you have a, um, an audit committee or a board that's not very supportive of the internal audit function. So I'd do my SWOT analysis first, and I'd document that, and then I'd look at my last EQA, even if it was back in 2022, what were the findings? What were the outcomes of that external quality assessment? Then I would, so I'd use that as my base.

Then I would look at the two-way mapping document that the IIA has produced to see, you know, the ones where I did okay, what are we now saying, the, the global internal audit standards say and where there are new standards. I would flag those as things I need to work on because I haven't got conformance. Sure. And then I'd also, sorry,

I was just gonna say Sure. So, so the 2017 standards would be your last EQA would've been performed against those, and then now you're looking at not just what did I do well on and what didn't I do well on, but also now I'm looking at 2024, what's new and different between then and now? Right. I think the other really useful document, and, and I think, you know, the IIA has done a brilliant job is the conformance readiness assessment, because that's picked up the new standard.

So like standard 1.1, honesty and professional courage, standard 4.3, you know, professional skepticism because they're very new, and therefore it's shown you what sort of evidence of conformance you need for those. Because some of these more behavioral ones are, I think, causing some challenges for internal function CAEs in terms of how do I demonstrate honesty and professional courage? That's quite difficult to be able to demonstrate.

Sure. There's not necessarily tangible evidence as there is with most other standards where you have documentation to support it. Yeah. So you have to kind of have some tangential, uh, evidence. Like what would be some examples of things you would use? We've always had this struggle with the code of ethics or the, and now in this case it's the standards and principles of ethics and professionalism, but what are some ways that people can demonstrate performance in those areas?

I think with those ones now, I, I think the objectivity element is, it's fairly straightforward, not vastly different from what we've done in the past, but I think that, you know, the honesty and professional courage, I, I think you use, I, I would use customer feedback. So I've done an EQA, uh, sorry, I've done an internal audit engagement. Um, and now, you know, customer, you know, how did you think the internal auditors performed?

Were they, were they honest with you when you, you know, when they were highlighting things that you hadn't done particularly well? Did they demonstrate that they had the courage to call out to you things that you weren't doing particularly well?

So I think it's about redoing your customer feedback and bringing these things to the fore in terms of, you know, how do you as a customer feel, the internal auditors demonstrated those elements of our, um, ethics and, um, professionalism, uh, domain two standards. Sure. And those are particularly related to the behavior of individual internal auditors. What about, um, the purpose domain?

It doesn't have standards and principles, but why is that important and, um, how does that relate to the rest of the standards? I, I, I think that that is probably the most important, uh, domain that that speaks to who I am as an internal auditor. It, it talks about what I can deliver to you, my organization in my capacity as a professional, competent internal auditor.

I love the, the two words at the end of the professional statement with, uh, purpose statement around insight and, uh, foresight. It's very easy for us to do engagements and say, thank you very much. There are the findings. Um, this is more telling what, what's happening now, what are we seeing now in the organization and looking across the organization.

So I might be doing an audit on, you know, customer services, but, but also what's happening is my organization going through lots of change and therefore, you know, how do you know what I do as part of my internal audit engagement? How is it meeting my purpose statement? But also how is it adding value and enhancing the organization's ability to achieve its objectives? I think the foresight bit is absolutely key as well.

And we've talked about this over the years, but it's never been anywhere before. Now it's saying, okay, internal audit, although you are not the only person in the organization who can apply some foresight, internal audit, where do you think the next crisis might be? What, what are the key risks in our organization that are being exacerbated by the volatility of the environment we find ourselves, um, in? And, and the challenges that that presents.

So, you know, Wall Street, according to the business news this morning, uh, lowest levels since 2015 yesterday when it closed.

And therefore, you know, what does that mean to your organization in terms of challenges, uh, and how do we demonstrate as internal auditors that we are looking beyond the walls of our organization and seeing what's coming down the track, uh, and what, you know, how can we share that with the business and support the business in dealing with these new crises, complex risks, et cetera.

So it sounds like the purpose and domain one have sort of elevated the expectation or put into words at least, uh, all the expectations, um, that internal auditors aspire to deliver on. And how have the other domains, I specifically am thinking about domain three and governing the internal audit function, also brought in that idea of raising the expectations, raising the bar for the function, what's new?

And I know domain three is governing the internal audit function, which sounds a little bit like basically new terminology and concepts, but how does that relate also to delivering on the purpose? It's about the relationship. So, you know, internal audit has a relationship with the audit committee, and I have spoken to, um, chief audit execs, and some of them go, domain three is a walk in the park.

We do it already. Um, we have conversations, we take reports, you know, they sign our charter, they look at our plan, you know, all of that sort of thing. Okay. Um, and then I say, um, what do they say when, when you present these documents often, what are the conversations? And you know, a bit like I have done over 25 years of reporting to audit committees. Sometimes you get the Thank you, Liz, that was most interesting.

And, you know, they haven't got a clue what you've just been talking about. Um, but they're ticking a box. And, and I was saying to them, and you know, that people have nodded and said, yeah, I absolutely get that. And I've said, yeah, but that's not enough. Now what we need to see is this two way street. What we need to see is the audit committee saying, well, Liz, why is reputational risk, uh, not on your radar? Why are you not including customer services in your internal audit plan?

Do you have the capacity and capability, the skills and the resources to deliver this plan? I need, we need to see those sorts of conversations. And I was stunned to realize quite recently that a number of CAEs only attend the audit committee for the internal audit bit. They don't attend for the full committee. No, we should be there for the whole of the audit committee meeting, and they never see the minutes.

Well, no. Moving forward, if we're going to want to use the minutes evidence, our relationship, then we absolutely need to have sight of those. So a line in the minutes that says internal audit presented a report, no, that's not evidence of this governing responsibility, this overarching obligation on the audit committee or your exec board, whoever you report into the governing body, to show that they are meeting the requirements of domain three.

And my crystal ball and it, and it's not always right, but my crystal ball is sensing that when we start seeing EQAs happen, maybe mid 25 onwards, I'm, I think domain three will be the one that presents the failure to evidence conformance in the report. Because I think there is a risk that people will go, yeah, I know that's what I do already. And, and it's more than way more than you do already in terms of that relationship. And don't forget domain three's got the essential conditions in.

So we also need to be able to demonstrate that we've had re we've had conversations with senior management as well, and how are we evidencing that? So I think domain three is going to need a bit of thinking, but again, the IIA have produced a toolkit that helps with this, helps with the conversation and the webinar I did today, more than 40% of the people on the webinar haven't even started the conversations with their exec board or audit committee.

When you only have four meetings a year, what we've got perhaps one left. Mm-hmm. It's really challenging. Yeah. It really sounds like those conversations need to come first, you know, even to inform the board of the changes in the standards and what new things, um, the function's going to be doing as well as these essential conditions, what the function needs to have in place to be able to essentially deliver the purpose of internal auditing.

It, it seems like that conversation, that foundational conversation that is in the introduction of domain three is so key to everything else really working well. Yeah. I, I think that's really, that's really right. I think the other thing you, you know, we talked, you talked a moment ago about, uh, domain one, the purpose. There's no standards, there's no evidence of conformance. It's really quite challenging.

But what I have said is one of the things that as internal audit we talk a lot about is, you know, promoting ourselves across the organization. And I've said, you know, I've suggested to people, and I know a number have done, already done this, and said, wow, does it work? Is, you know, amend your email signature on all of your emails to include the purpose statement, not the other bits, but the purpose statement.

Uh, and then you are constantly reminding yourself, but also you are reminding the recipients of your email just who you are and what you are bringing to the organization. Interested in learning more? Don't miss Liz Sandwith's article, "Ready to Conform." You can find it in the October issue of Internal Auditor Magazine. In the article, Liz unpacks the crucial steps for internal audit functions to meet the new standards by January, 2025, packed with practical advice.

It's a must read for every CAE. Check the show notes with a link. What other things for the CAE did they really need to be thinking about in domain four? Um, preparing not just for their relationship with the board or audit committee, but also, uh, leading the function. A really good question, and, and I I am thrilled to see at standard 9.2 in domain four is the requirement for an internal audit strategy. Um, there is some confusion. So I'm hearing people say, well, it asks for a strategy.

It doesn't ask for a strategic plan in the standards. And I'm saying, well, hang on a minute. How do you deliver your strategy without a strategic plan? I think that one and the same sort of thing, uh, and then people are going, oh, yeah, get that. Uh, I think the importance of creating a strategy is that it avoids distraction.

So often as an internal audit function, you put together your risk-based plan, you take it to your governing body, um, for approval, your audit committee, everybody goes fine. And you start working, then, you know, somebody will say, oh, you know, we have a project. Can you do some assurance work on that? Or, I'm concerned about this. The CEO might say, will you have a look at that? And we end up doing lots of bits of advisory work as well.

And, you know, without some strategic plan and strategy that says what it is we do, it's very easily, uh, very easy to get distracted. So for me, the, the strategy and the strategic plan are the anchor in the ground that says, okay, I know where I am now. I know where I want to be and I know how I'm going to get there. Don't distract me.

Let me deliver my plan for this year, my risk-based plan, but let me also build my internal audit team, ensure they're competent, ensure that I'm developing the team, um, so that they have the knowledge and the skills needed. Be it data analytics, be it artificial intelligence, you know, use of ChatGPT or Microsoft Copilot. Do they have the skills to be able to use that and to use it well to make sure the internal audit function is efficient and effective in terms of what we deliver?

Mm-hmm, sure. So that strategy then sounds like it needs to tie in with the organization's vision, the, you know, the leadership and, and the strategy of the organization as well. If, if it is something they're focused on, then the internal audit strategy also needs to align with that. Um, I think if it doesn't, I think we will end up with, with, you know, everybody going in different directions and pulling against each other.

So, you know, I, your starting point has got to be what your organization's, um, strategic objectives are, and then how does what we as internal audit do align with those and help ensure, remember, we're back to our purpose again, help ensure that, you know, we can contribute to the delivery of your strategic goals and objectives, protecting the business, et cetera.

Mm-hmm. I also think that, you know, that there was a requirement for an internal audit strategy in the core principles in the IPPF 2017, but I don't think the majority of internal audit functions, um, had, uh, an internal audit strategy and a strategic plan. Perhaps very large, more mature ones did. But again, I noticed today on social media, um, Anthony Pel talking about a new document that you've created about building, uh, and creating an internal audit strategy.

So again, the IIA is helping us in terms of delivering, um, what we need to do to make sure that we are conforming with the standards. Mm-hmm. The other thing I would say about domain four, um, being a very simple girl is to, for me, it is simply the job description of your chief audit exec. And, you know, what I've been doing is creating a, um, an appendix to job descriptions so that the, um, CAE can evidence what they have done throughout the year to meet the requirements of, um, domain four.

And I think that would then be useful in terms of your performance appraisals with your CEO or your audit committee chair, so that you are looking to say, yeah, I, I did that really well. Hmm, that wasn't so good. I struggled with that this year. Um, perhaps it's around technology. Um, you know, I haven't really been able to bring the team on to demonstrate that we are using tools like data analytics in every audit. There's been some challenges with people in that respect.

So, no, I haven't quite achieved that, but I have made a start on that. So it's, for me, it's, it's a supporting document to the job description of the CAE, this appendix, and, you know, it's there to be reviewed by whoever you, you know, the CEO and or the audit committee chair. Mm-hmm. And are there other, uh, documentation needed, or how are we, our internal auditors, thinking about the coordination and reliance standard that's changed a little bit?

Um, is that requiring more documentation or a different approach? I think it's interesting that you use the word documentation. I have deliberately used the word evidence because I think sometimes when we say documentation, people think that's more bureaucratic. And I, and I, I don't, I personally don't think the standards are more bureaucratic. What they are requiring you to do is to be able to evidence what you've done. We're internal auditors. Evidence is the very air we breathe.

And therefore, I think if you think about it in terms of evidence to support, then it, it's everything we do. And I think that, you know, nine five, the coordination and reliance is absolutely key because more and more I'm hearing CAEs tell me that it's difficult to recruit. They're carrying vacancies. So, you know, why don't we think smarter and look at other areas in the business? Who else is providing assurance and what is the level and rigor with which that assurance is being provided?

And second line, if you are doing something around compliance and it links to an audit I'm doing, can we collaborate? And, you know, maybe you can do the heavy lifting and I can do, um, you know, the more high level stuff, the, you know, the conversations with senior management, et cetera, you know, is there opportunities, and we're calling it combined assurance or integrated assurance.

And what about, um, the quality assurance and improvement program that also falls into domain four, and specifically there seems to be a new emphasis on performance objectives, performance planning, how has the QAIP changed and just in general internal audit functions reporting on itself, um, and, and its planning for improvement. I don't really think the QAIP has changed significantly. There is still the requirement for supervision, ongoing monitoring, um, continuous assessment.

What I do think has changed is our outcome indicators. So, you know, we talk a lot about, um, performance indicators. Oh, we achieved 85% of our plan, 43% of my internal audit function hold the CIA qualification, which is all great, and as a CAE it's really helpful to have that information. But as a customer of internal audit, be you senior management or board or audit committee, what you want to know is how effective have we been? What have our internal audit engagements delivered?

Have they identified inefficiencies? Have they streamlined processes? Have we strengthened risk management? Have we improved governance? Have we tightened internal control? Those are the outcome measures that I think that audit committee, and I am an audit committee chair, and they're certainly the outcome measures I look for from my internal audit function. They are the ones that tell us whether you are adding value to the organization or not.

So I think the process, the QAIP concept hasn't changed, but I I, I'm hoping that CAEs will look at both the quantitative and the qualitative measures and build up the qualitative ones moving forward. Mm-hmm. And in terms of evidence of conformance or showing that we're conforming here, when, um, I look at domain five, I see there's talk about now findings, um, recommendations, agreed upon actions and so forth.

So what should internal auditors be doing individually to make sure that they're conforming, have, have a lot of things changed in terms of the way that they do their services and the way that they document them, uh, the way that they communicate about them? I think, um, that the, the answer to that is no. I, I think that a lot of what is in there is what a, um, let me use the word in inverted commas, but what a professional internal audit function would've been doing anyway.

I think what it touches on without really saying it, is perhaps, um, adopting a more agile mindset, um, approach to, to your internal audit engagement. So don't wait until the closing meeting to start listing all of the things that you've found that you know need addressing your findings.

Maybe we can talk daily with the manager, the operational manager in the area, responsible for the area so that we can take them on the journey with us so that there's that sense of internal audit engagement isn't something being done to them, but something they are collaborating with, participating with in terms of the approach. And it even goes as far as to say your opening meeting, you know, we should be agreeing with the, uh, operational manager, um, the deliverables.

What's gonna come outta this audit? What was the purpose of us doing this audit? What are we planning on looking at? Where are we going to test? What are the areas that we are going to focus on, the risks, the scope, the objectives, and then what do we anticipate the value is going to be as a result of the engagement? Now, I think that's a real positive upfront.

I think it's a great way to start an internal audit engagement, bringing management on with us at the very beginning, rather than perhaps in the past, as we may have said, you know, I'm internal audit. I'm here to do an audit, you know, and get on with it without really sharing it. It's, for me, we're almost back to that three lines model where it talks about internal audit, collaborating, coordinating, aligning, and communicating with both first and second line colleagues.

I think that's the exciting bit. I think the caveat, and I know there are conversations around this on social media at the moment, might be the perception that our independence is being compromised by this. Now, I, I personally don't think it is, but I can see there is talk at the moment, um, around social media, about whether internal audit can still be deemed to be independent. I absolutely think so.

Back to domain three, positioning internal audit independently, standard 7.1, making sure that that's in place and I think your independence can be protected. Sure, yes. I think that standard and that principle are still there, and in fact, maybe more appropriately where they should be aligning with governance. And so there's an emphasis there. What are the roles of senior management and, and the board and helping to establish independence and protect it?

I think this is, again, it's a, a collaborative bit. I think sometimes, you know, as internal auditors, we've talked about, oh, you know, we are independent objective. And everyone goes, yeah, we get the objective bit independent. You work for the organization, you're paid, you're on the salary. How does that make you independent?

But I think this new role of internal audit and, and this trio of audit committee or or exec board, whoever you, the governing body and senior management and internal audit working together just strengthens, um, internal audit in the organization. It strengthens our independence. It means that management can see where we're coming from, what we're seeking to achieve. They can engage with that process, and we can actually go to senior management and say, do you know what?

We've got a real problem in your area. We have a manager who's being less than cooperative, won't share information with us. And you know what our role and responsibility is. Can we have your help now? I think that's a positive way forward, Right? Yeah, absolutely. Um, are there any other tools that you're recommending or suggestions that you have for people to, to continue preparing to implement the new standards and, and be in conformance for January, 2025?

Um, I think that, that, that's challenging in terms of that the clock is ticking. Uh, I think you need a training plan. So, you know, if I was the CAE I'd look at my team, I'd look at the skills they've got, I'd be applying my foresight, my purpose statement, what's coming down the track, you know, thinking about AI in particular, which everybody is talking about, uh, and, you know, even quantum computing, uh, in terms of a tool for internal audit moving forward.

How many of my people have those sorts of skills? So I, I think we need a training plan supported by performance appraisals, et cetera. Well, thank you so much for your time and wisdom and insight. I think we've covered all of the global internal audit standards, um, from front to back. And I hope that everyone is preparing and can use this information to help them. And I'll talk to you again in the future. Thank you very much, and thank you for allowing me to share some thoughts.

If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's theiia.org.

Transcript source: Provided by creator in RSS feed: download file