The goal was to deliver a clearer, more user-friendly set of requirements and guidance.
The new Standards are certainly more accessible, logical and aligned to a user’s individual needs through a simple, tripartite structure of:
- The Standards (5 Domains, 15 Principles and 52 underlying Standards);
- Topical Requirements; and
- Guidance.
Across the profession they have been largely well received, with perhaps the greatest concern being around the perceived inflexibility of the Topical Requirements. We have spent some time talking to our clients about their impressions.
Setting expectations for the future
For those Internal Audit teams that have fully embraced the spirit and performance expectations of the Standards, it’s clear that the degree of change underway – and the rewards — has been significant. Leading functions are now setting the standards that will become the expected and accepted norms for tomorrow’s generation of Internal Audit leaders.
Having completed their initial gap assessments last year, the areas to be addressed vary from business to business. But there are some themes that it might be helpful to reflect on.
Activity clusters and themes
In our experience there are seven clusters of activities, or themes, that functions are focussed on:
- Internal audit strategy alignment – while organisations typically have a Charter (as required by the Internal Audit Code of Practice in the UK), leading functions are using this opportunity to revisit it and ensure it is aligned with the wider corporate governance environment.
- Mapping, evaluating and coordinating assurance with other functions – streamlining assurance not only avoids duplication and supports improved relationships with the wider management team, but also allows an efficient approach to monitoring and testing material control effectiveness.
- Updating and executing revised audit methodologies – particularly in areas such as root cause analysis and the prioritisation of individual findings.
- Behavioural assessment, assurance and benchmarking – responding to the mandatory requirement to provide cultural assurance and the opportunity this creates to play a more central role with board and executive level discussions.
- Re-evaluating technology and tools – considering the potential opportunities in cloud-based solutions that enable AI and data analytics
- Team development: “non-technical” skills and abilities – the Standards recognise the need for mature interpersonal skills to enable rigorous challenge with both empathy and pragmatism.
- Strengthening quality assurance and performance improvement – adopting a more strategic approach to QAIP using techniques such as in-flight quality checks and real time data analysis.
Underpinning necessary change
The Standards were developed as an international framework – to meet the needs of over 100 countries that apply the same requirements. In the UK they have landed at the same time as other governance initiatives, including Provision 29 of the revised UK Corporate Governance Code and the requirement to embed adequate procedures to prevent fraud within the Economic Crime & Corporate Transparency Act. These requirements elevate the need for non-financial risk management, controls, monitoring and assurance.
Now is the time for Internal Audit to take its place as a critical enabler of strategic insight and value. We are the centre of excellence for non-financial risk oversight and assessment within our organisations. The Standards should drive the change required to step up into that role.