ARTICLE
30 October 2024

IPPF 2024: Revolution In Internal Auditing Or Just Fine-Tuning?

Boege Rohde Luebbehuesen

Contributor

BRL is an internationally oriented partnership of lawyers, auditors and tax consultants that was founded in 2006. Today, we have around 400 employees at eight offices in Hamburg, Berlin, Bochum, Hanover, Dortmund, Essen, Munich and Bielefeld. Through Moore BRL GmbH, BRL is a network partner of Moore Global in Germany, a global network of independent audit and accounting firms. BRL is therefore ideally positioned to provide reliable and efficient solutions for cross-border issues in the areas of Tax, Legal, Insolvency & Restructuring as well as Risk Advisory Services (RAS). The fully dedicated RAS Team at BRL Risk Consulting is dedicated to a professional service offering with regards to Corporate Governance, Risk Management, Compliance, Internal Audit, Internal Controls (SOX), ESG, IT, Cyber Security and Data Science & Artificial Intelligence.
On January 9th, 2024, the "Institute of Internal Auditors (IIA)" introduced the updated Global Internal Audit Standards, which are set to replace the existing "International Professional Practices
Germany Accounting and Audit

On January 9th, 2024, the "Institute of Internal Auditors (IIA)" introduced the updated Global Internal Audit Standards, which are set to replace the existing "International Professional Practices Framework" (IPPF) after a one-year transition period. The new standards will be compulsory as of January 9th, 2025.

The significance of these standards are highlighted by their worldwide applicability. In Germany, the "Deutsches Institut für Interne Revision e.V. (DIIR)" has already translated these standards, which will be formally adopted in 2025, and recommends applying the standards in advance.

Serving as a binding framework, these standards provide a foundation for the practices, processes, and methodologies of internal audit. The primary objective is to improve the quality of internal audit activities. The standards are not limited to internal auditors who are employed directly by an organization, but also includes internal auditor who are commissioned via an external service provider.

Elements and Structure of IPPF 2024

The new "Global Internal Audit Standards" are divided into five domains, to which fifteen principles and a further fifty-two standards are assigned. Each standard is based on requirements with binding procedures for internal auditing, associated considerations for implementing these procedures and examples of the evidence that can be retained and provided to demonstrate implementation of the standards.

The updated standards are divided into the following five domains:

  1. Purpose of Internal Auditing
  2. Ethics and Professionalism
  • Governing the Internal Audit Function
  1. Managing the Internal Audit Function
  2. Performing Internal Audit Services

1436396a.jpg

For the first time, the IPPF 2024 incorporates "Topical Requirements" which define additional mandatory structures and requirements for global audit topics with increased risks. The objective is to improve the quality of internal audits in specific risk areas and ensure a consistent methodology in validating the effectiveness of governance, risk management, and control processes (Governance, Risk, and Control – GRC) for these risk topics.

The IIA has published a preliminary list of eight global risk topics, which have not yet been finalized. The first topics published include cybersecurity, service provider management, sustainability / ESG (Environmental, Social & Governance), data protection risk management, fraud risk management, IT governance, organizational governance, and performance audits in the public sector. As of today, the IIA has only released a draft for the cybersecurity topic.

In addition to the mandatory standards and topical requirements, the IIA will furthermore provide non-binding information, advice, and best practices ("Global Guidance"). Therefore the IPPF 2024 consists of the three key elements: Global Internal Audit Standards, Topical Requirements, and Global Guidance.

Key Updates Compared to IPPF 2017

In revising the framework, the IIA has not only restructured and refined definitions but also introduced new content priorities and expanded existing ones.

The most significant changes include:

  1. Communication & relationship between senior management / board and internal auditing (Standard 6.3): The standard specifies the expectations for the chief audit executive in coordinating communication and interaction between the internal audit function, senior management, and the board.
  2. Development and implementation of an internal audit strategy (Standard 9.2): While the IPPF 2017 required that internal audit activities align with organizational objectives and the purpose and responsibilities of the internal audit charter, the 2024 standards introduce an explicit requirement for the chief audit executive to develop an independent internal audit strategy.
  3. Use of technological resources (Standard 10.3): The revised standards emphasize the use of appropriate technologies to support internal audit activities across several standards. This also includes a closer collaboration between the internal audit function and the organization's information technology and security function.
  4. Performance measurement (Standard 12.2): The 2017 standards already covered aspects of performance measurement for compliance with the standards as well as validating the efficiency and effectiveness of the internal audit function. The updated standard explicitly designates the chief audit executive as responsible for implementing a performance measurement system for internal auditing.
  5. Findings and final communication in internal audit activities (Standards 14.3; 15.1): While the IPPF 2017 required auditors to base their conclusions on appropriate analyses and evaluations, internal auditors will now be expected to analyze and evaluate the materiality, cause, and potential impact of findings, if possible. Findings must then be prioritized based on their materiality and categorized according to their impact on the organization's GRC processes. Reporting must explicitly identify specific owners for addressing a finding and include a clear deadline for its remediation.

Recommendations for implementing the IPPF 2024 Requirements

The IIA continues to require organizations to conduct an external quality assessment of their internal audit system at least every five years to ensure compliance with the "Global Internal Audit Standards". In Germany, where this was previously carried out by accredited "Prüfer für interne RevisionssystemeDIIR", an active certification as a "Certified Internal Auditor" will now be required.

The new requirements for internal audit quality pose a challenge for organizations to implement these changes during the transition period. The time leading up to the effective date of the new standards is ideal for this implementation.

As part of its "Global Guidance" the IIA has already recommended some best practices for implementation, including conducting a gap analysis and training auditors and stakeholders.

Our practical experience aligns with these guidance and we recommend the following three-step implementation process:

  1. Standards analysis & gap analysis: Organizations should first assess the updated standards to identify relevant changes and check current processes, practices, and documentation. Based on the assessment, a gap analysis should be performed comparing current practices with the new requirements.
  2. Implementation phase: Based on the gap analysis results, organizations should develop a detailed implementation plan defining clear responsibilities, a timeline, and individual process steps. All relevant stakeholders should be involved at this stage to ensure the standards are appropriately addressed (e.g. senior management and board).
  3. Stakeholder training: The first step involves training internal auditors and senior management, along with the board, as relevant stakeholders. In the second step, training should be extended to other stakeholders involved in GRC processes and affected by the new standards to ensure that they understand and internalize the changes made during the implementation phase.

Conclusion and Outlook

The increased requirements reflect the IIA's commitment to enhance internal audit quality by increasing interaction between all relevant stakeholders, emphasizing the use of appropriate technologies and data analysis tools, and introducing specific requirements for certain risk topics and processes. However, it remains to be seen which internal audit requirements in particular will be published by the IIA within the "Topical Requirements" and the extent of significant changes to the announced quality assessment handbook. The corresponding requirements and the handbook are expected to be published during 2024.

The extent to which IPPF 2024 will impact organizations' internal audit functions depends not only on the size of the internal audit department and the industry but also significantly on the current state of processes and practices within the departments. Concerning the mandatory external quality assessment every five years, the IIA recommends conducting a gap analysis in 2024 to validate to what extent the internal audit function already meets the new requirements.

The emphasis on technology may pose challenges for internal audit functions due to the broad range of available options. Organizations are encouraged to engage data analysis experts when developing and implementing data, BI, and analytics frameworks.

In conclusion, while the updated standards do not require a complete restructuring in internal audit, they offer the opportunity to elevate the quality of internal audit to the next level and further strengthen GRC processes.

Source of the illustration:

The Institute of Internal Auditors (2024): Global Internal Audit Standards;

https://www.theiia.org/globalassets/site/standards/editableversions/globalinternalauditstandards_2024january9_editable.pdf (page 7)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Accounting Law and Audit Law

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More