Gunita Saulite

PwC senior associate, risk assurance services

Agnese Bankava

PwC Head of Risk Management Services

The International Internal Audit Standards Board has been working for several years to update and improve the current international standards for the professional practice of internal auditing to promote the profession’s evolution and internal audit quality and to provide added support for internal audit functions facing ever-changing external and internal risks. This work resulted in the updated and improved international internal audit practice standards being published on 9 January 2024 and coming into force on 9 January 2025. This year, all internal audit functions have time to assess their compliance with the new standards’ requirements and to identify any necessary improvements. We believe this is a great opportunity to make long-term changes to your internal audit function and help it provide even more significant support in achieving your organisation’s goals.

As the business environment continues to evolve, with external pressures mounting and becoming more complex, we are still experiencing uncertainty. The changes to the standards will offer an opportunity for organisations to enhance the role and position of internal audit in achieving their goals. This article explores what we see as key amendments to the standards and how those can drive the internal audit function’s long-term performance. In this article the body supervising the internal audit function is referred to as ‘council’, yet in organisations without a council this task can be performed by a different unit, such as the shareholders meeting, the board, or the audit committee.

Key changes affecting the internal audit function

The internal audit mandate

Being independent of the organisation’s management and operational units, the internal audit function commonly reports on its performance to the council. The role, duties and powers of the internal audit function are determined by an internally approved policy. The 2017 version of the standards also requires that those be defined, yet the latest version of the updated standards emphasises the need to clearly define the internal audit function’s activities considering the resources made available to it. So the internal documentation of internal audit activities is expected to determine, for example:

• Whether the internal audit function manages the organisation’s risks comprehensively or whether it focuses on testing internal controls
• Whether all activities receiving the internal audit function’s attention are determined, including additional activities outside the annual review plan (controls testing, compliance assessment, investigations, advice etc.)

We encourage you to:

• Identify all activities the internal audit function does or provides during the year, including support for the management, plus the geographical scope of internal audit activities if the organisation operates in more than one country.
• Identify potential areas where the engagement of internal audit could be necessary in the future.
• Discuss your initial view with your stakeholders and define the internal audit mandate.

A strategic plan for internal audit

The updated standards state the need to develop a strategic plan for internal audit that sets the function’s development goals, considering the organisation’s strategic growth directions.

Similar to your organisation’s medium-term strategy, the internal audit function should set priorities for the next three to five years. The strategic plan then serves as a basis for addressing your investment, resource, talent and technology needs, as well as allowing you to more effectively link the internal audit function’s strategic goals with the organisation’s overall strategic goals.

Our experience in working with clients suggests that the current practice focuses on separately identified short-term desires or needs, yet this is different from a strategic plan that analyses the internal audit function’s current position and defines successful performance in the long term, as well as determining steps to achieve it.

When it comes to devising a strategic plan, you should start with the following steps:

• Revise or update the internal audit mandate by defining all expected areas of activity, as well as the vision and mission of internal audit.
• Analyse your organisation’s strategic development goals, initiatives, the external environment and changes.
• Engage with and receive feedback from your clients and stakeholders (i.e. senior management and units being audited that can provide an idea of the internal audit function’s contribution and further improvements).
• Identify the internal audit function’s strengths and weaknesses as well as opportunities and threats (SWOT analysis).
• Based on this information, set strategic development priorities that will serve as a basis for developing an annual plan of activities.
• Monitor progress and make adjustments according to the changing conditions.

Council oversight

The standards determine the need to seek approval from the council not only for the internal audit function’s regulatory framework and annual plan but also its powers. The Chief Audit Executive should encourage conversations with the council and/or the audit committee to provide information and discuss the resources, competences and skills necessary to exercise the internal audit function’s powers and duties. The Chief Audit Executive is responsible for ensuring the function operates in line with the standards’ requirements, yet Domain III, Governing the Internal Audit Function, prescribes the role and duties to be carried out by the council to promote the role of internal audit in the organisation and allocate sufficient resources for the function’s activities.

The Chief Audit Executive is responsible for presenting sufficient and accurate information to the council and management, which includes information on performing the annual plan and the strategic plan, budget sufficiency and circumstances capable of affecting performance of the internal audit mandate or independence of the internal audit function, as well as on the outcome of measures taken to improve quality.

It’s crucial to define the proposed approach to how and how often the internal audit function communicates with the council, as well as what action is taken when information is escalated, what outcomes are reported to the council and how often. It’s also worth encouraging a discussion on whether the current and planned communication is sufficient for both the council and the management, and on ways to make it more effective as well as interactive (e.g. data analysis and visualisations).

Coordinated assurance

To promote the efficient use of internal audit resources, organisations have to ensure that the work carried out by and information available from other (both external and internal) assurance providers is used in internal audit work. The standards state that before using other assurance providers’ information, it’s essential for the Chief Audit Executive to document the rationale indicating facts and circumstances that allow the internal audit function to rely on an information analysis provided by a different (e.g. risk management) function. It’s important to bear in mind that internal audit findings should be based on findings made by the function.

To make this happen, the Chief Audit Executive should develop methodology for assessing how work carried out by other assurance providers can be used in internal audit work.

The standards also urge an evaluation of ways to improve the cooperation between assurance providers and the coordination of their duties, for example:

• Coordinating the substance, scope and time frame of tasks to be done
• Promoting a uniform understanding of methods for obtaining assurance and terminology
• Providing access to materials, findings and other deliverables and reports
• Using a risk assessment prepared by the risk management function at the internal audit planning stage
• Setting up a single register of risks
• Promoting a single reporting framework as far as possible and useful

We also encourage you to consider ways of improving the effectiveness of your communication and information sharing to make the collaboration model work successfully.

Technology resources

The updated standards provide for the need to regularly assess the internal audit function’s technology resources. The Chief Audit Executive is responsible for ensuring that the function is provided with sufficient technology solutions to perform its tasks accurately and efficiently.

We encourage chief audit executives to identify existing opportunities, including an assessment of the team’s expertise and resources allocated to the function, and promote the availability and use of technology resources on this basis, improving team competence. When it comes to identifying areas to be improved, we encourage you to work with other units, including the team responsible for information technology, to discuss possible advantages and disadvantages in putting systems in place and ways of making new systems compatible with your existing technology solutions and driving your organisation’s overall efficiency.

Other changes

We also emphasise other practical changes to the internal audit function:

• When conducting an external quality assessment of your internal audit function, you should ensure there is at least one certified internal auditor on the assessment team.
• The internal audit function is responsible for informing the council about the outcome of quality assessments carried out internally.
• An individual assessment of internal audit risks should be undertaken and the work programme should be documented.
• You should offer your own findings on the overall effectiveness of the process being audited and on the materiality of internal audit recommendations.
• The internal audit report should contain a statement or note if the internal audit was not performed according to the standards’ requirements.

The changes to the internal audit professional practice standards truly open up an opportunity for the internal audit function to plan and carry out their work in a way that helps the organisation achieve its strategic goals, as well as promoting team competence and the quality and effectiveness of work being done. We urge chief audit executives and auditors to evaluate where you are today and what tasks you need to carry out to continue working with confidence under the updated standards on 9 January 2025.

If you need any help in assessing your compliance levels, PwC has developed a special methodology for such assessments and our experienced internal audit professionals are happy to provide support. Our support can be tailored to your organisation’s needs, including:

• Conducting a comprehensive assessment of your internal audit function against the standards’ requirements
• Assessing and, if necessary, updating your internal audit function’s internal regulatory framework
• Devising a strategic plan for your internal audit function in close liaison with your stakeholders
• Advising you on effective solutions for communicating with the council
• Training your staff on a topic of your choice