Simon Berglund
Senior Vice President & General Manager, Asia Pacific

IIA’s new Global Internal Audit Standards: Shifting technology from a consideration to an obligation 

April 29, 2024

The Institute of Internal Auditors (IIA) recently released the updated Global Internal Audit Standards, which are required for implementation by the 9th of January, 2025. These latest Standards will better equip internal audit (IA) functions worldwide to navigate today’s complex risk landscape and provide more value to their organisations.

Businesses should expect the IIA’s updated Standards to affect the larger organisation, not just their IA capabilities. The chief audit executive (CAE) holds the responsibility of working through this transition period with the board and other stakeholders to ensure compliance with the new standards.

Whether mission or mandate, purpose-built audit technology is now an obligation of CAEs

The updated Standards reflect an evolving view of the appropriate role of technology in professional audit practice. The existing 2017 International Standards for the Professional Practice of Internal Auditing (Section 120.A2) state, “In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.”

In contrast, the new 2024 Standards say in Section 10.3 that the CAE “must strive to ensure that the internal audit function has the technology to support the internal audit process” and “regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency.” Technology is no longer just something for a CAE to consider, but an obligation they should pursue for optimum IA performance.

The new Standards also require CAEs to report to the board and senior management on limitations that hamper the performance of the IA function. These can span the IA function’s “scope, access, authority or resources,” including any inadequacies in technology that keep the audit team from accomplishing their tasks. CAEs are also responsible for collaborating with information technology (IT) and information security (infosec) departments for the proper implementation of technologies.

Internal audit teams grapple with vast amounts of data distributed across disparate systems and siloed teams. The lack of dedicated audit technology capable of harmonising these efforts and bolstering the IA function significantly hampers organisational efficacy.

CAEs need to collaborate closely with their IA teams to clearly convey the importance of investing in the necessary technology. The right audit technology not only benefits the IA team but also brings advantages to the whole business. These benefits extend to the audit committee, the board, senior management and even the first and second lines, resulting in a more productive environment for the whole organisation.

Dedicated audit and analytics technology is the only way for organisations to navigate the increasingly complex risk landscape while operating efficiently and effectively.

The role of audit in mitigating business risks

Risks are a natural aspect of business, but how these risks are addressed will make or break an organisation.

Risk management efforts span the whole organisation. The updated Standards recognise this interconnected nature of risks, acknowledging that input from departments outside of risk and assurance teams helps determine the quality of an organisation’s risk mitigation efforts.

Section 10.3 points out that CAEs should work with different departments on shared governance, risk and control management (GRC) systems. Maintaining a relationship of trust and competence between relevant parties helps build a fuller grasp of the organisation’s risks and assurance priorities, while promoting adaptability to future changes. In this context, robust technology that fosters strong interoperability not only within GRC team tools but also with broader organisational systems such as ERP, HR, CRM, IT, etc., becomes imperative for seamless collaboration and holistic risk management.

The CAE is in charge of establishing effective communication between IA and stakeholders; they oversee IA communication efforts to ensure that insights are properly presented to the board and senior management. This kind of collaboration can be made simpler with a GRC platform that connects seamlessly across the entire business.

Diligent stands out as the sole GRC platform that consolidates activities spanning audit, risk, compliance, sustainability, governance and the board. GRC teams benefit from a centralised platform with cutting-edge tools for every task, streamlining operations and enhancing connectivity within the GRC environment. This solution also reduces workload by eliminating duplication and the necessity of searching for information across widely scattered systems, and it elevates what’s most important to the board and business with market-leading dashboards and reports.

A greater understanding of risk coverage

The new Standards emphasise the need for audit teams to possess a good grasp of risk management principles, frameworks and models, along with the latest professional advice from within their organisation’s industry and sector. IA teams play a vital role in helping organisations identify, assess and manage risks to achieve their objectives effectively and efficiently. However, most audit teams face numerous resource shortages that act as barriers to giving the board an understanding of the full breadth of risks the organisation faces.

Audit management and analytics software are key to addressing these roadblocks. Diligent empowers audit teams to efficiently measure and monitor risks by leveraging real-time data aggregation and advanced analytics capabilities. The solution also provides extensive data integration capabilities, ensuring that results from other critical systems can be rapidly and effortlessly incorporated into audit projects, linking audit work to key metrics. By aligning risk assessments with the company's specific risk profile and the board's concerns, audit teams can identify, prioritise and communicate actionable guidance on a wide range of risks, from financial and operational to reputational risks such as cyberattacks.

These solutions streamline post-assessment activities by continuously monitoring sources of risk, leveraging machine learning for predictive analysis and alerting leadership to potential issues. The reporting features, including customisable reports, provide real-time insights into risk management's impact on key performance indicators, enhancing oversight across the organisation. Additionally, the integrated governance platform fosters collaboration across teams, ensuring that audit functions are aligned with IT, compliance, finance and other relevant functions, ultimately elevating the audit's role as a strategic advisor. The solution also maintains a live registry of issue and action tracking with automated reminders, ensuring full transparency and accountability across risk and control owners.

These, combined with other workflow efficiencies afforded by technology, give IA teams more time to focus on addressing risks.

Vincent Verlinde, National Risk and Assurance Manager at Daikin Australia, reported that time spent on J-SOX, ISO and other routine audits was reduced due to the adoption of Diligent audit solutions, which has allowed the team to pay greater attention to issues raised by management.

The addition of continuous controls monitoring can facilitate proactive risk management and compliance oversight by automating the detection of anomalies, deviations and patterns in real-time data streams. It also allows IA teams to remain productive by removing manual workload and avoiding risks caused by human error.

Streamlining board communication

Increasing obligations for CAEs necessitate a more efficient and effective means of communicating audit insights to the board, which also requires more audit oversight. The partnership between the two ensures ongoing alignment with the audit strategy and better focus on business objectives.

The new IIA Standards note this active collaborative relationship between the board and CAE. Board oversight enables IA functions to remain effective, and the board's support ensures that IA functions have resources at their disposal to fulfil the organisation’s IA mandate.

However, IA teams often face the challenge of clearly conveying audit findings to the board and executives. The Diligent Board Reporting Dashboards for Audit have out-of-the-box and customisable board-ready templates. These allow the IA function to securely share dynamic dashboards and contextual reports directly into Diligent’s Board Portal in just a few clicks while securing an organisation’s data strictly inside the system at all times.

Once received, the company secretary or board admin has complete control over determining when and which directors or committees have permission to access them.

The reports are dynamic and interactive, enabling directors to delve into specific details or filter through insights as per their preferences. This functionality ensures that everyone, regardless of their preferred depth or visualisation method, can explore and comprehend the information without necessitating custom report creation. These unique capabilities typically save the IA team hours of manual work preparing graphs, charts and reports — work that leaves more room for error than automated processes.

Choosing technology that addresses your organisation’s IA needs is essential to future-proof your business and keep it ahead of rapidly evolving threats. Face an ever-changing risk landscape with a centralised audit solution for your organisation. Request a demo of the Diligent One Platform today.

