Domain IV: Managing the internal audit function
Jul 26, 2024 · Authored by Ashley Deihr, Michael Brennan
By now, you’re likely familiar with the updated Global Internal Audit Standards (the Standards) released by the Institute of Internal Auditors (IIA) on Jan. 9, 2024. The Standards, which take effect in January 2025, will meaningfully impact the internal audit profession through the coming years.
Baker Tilly internal audit specialists have produced several exploratory insights examining the Standards as a whole and diving deep into Domain I (competence, independence and objectivity), Domain II (ethics and professionalism) and Domain III (greater expectations on board governance).
Below, we examine notable changes to—and likely impacts from—Domain IV, which focuses entirely on managing the internal audit function. From strategic planning and resource management to effective communication and quality assurance, significant changes abound in Domain IV of the recently released Standards.
Heavy focus on the Chief Audit Executive (CAE)
The CAE is responsible for managing the internal audit function in accordance with the Standards and the internal audit charter. The responsibilities included in Domain IV are applicable whether the CAE is directly employed by the organization or through an external service provider.
Though job titles and internal audit management responsibilities vary across organizations, and though CAEs can delegate responsibilities to other qualified professionals in the internal audit function, the CAE retains ultimate accountability.
Below we have outlined key points from the Principles within Domain IV of the Standards.
Planning strategically requires the CAE to understand the internal audit mandate as well as the organization’s governance, risk management and control processes. A properly resourced and positioned internal audit function develops and implements a strategy to support the organization’s success. The CAE creates and implements methodologies to guide the internal audit function and develop the internal audit plan.
What’s new/different in Principle 9:
- The CAE’s understanding of an organization’s risk management processes will need to be more extensive and incorporate direct conversations with the board and senior management.
- Understanding the organization’s control processes may result in the development of an organization-wide risk and control matrix.
- Internal audit strategies will need to be more formally documented and include strategic objectives and supporting initiatives that enable fulfillment of the internal audit mandate.
- Internal audit staff must receive training on the internal audit methodologies, policies and procedures—including 12 methodologies the Standards identify as most likely to be necessary to implement the internal audit strategy.
- The internal audit plan guidance includes information on the development of an organization-wide audit universe and suggests presenting the “next set of engagements” that would be performed if additional resources were available.
- Coordination and reliance on other “providers of assurance services” is going to require a more detailed approach and could result in the CAE discussing concerns with senior management and possibly the board.
Successful resource management—led by the CAE—is crucial for implementing the internal audit function’s strategy and achieving its plan and mandate. Resources—including financial, human and technological—should be utilized according to the function’s established methodology.
What’s new/different in Principle 10:
- The budget must be presented for board approval and, if applicable, outline the impact of insufficient financial resources.
- If the function does not have appropriate or sufficient resources to complete the audit plan, communication with the board and senior management—specifically detailing the impact of resource limitations—is required.
- Technological limitations that impact effectiveness or efficiency of the function must be communicated to the board and senior management.
CAEs must establish ongoing communication with stakeholders to build trust and develop relationships. They must also communicate with the board and senior management on the results of internal audit activities.
What’s new/different in Principle 11:
- Provides insight into how to determine key stakeholders and how to identify areas for mutual understanding.
- Emphasizes the establishment of a methodology on effective communication.
- Provides specific guidance on communicating engagement conclusions, multiple engagement themes and making conclusions at the level of the business unit or organization.
- If the CAE determines that management has accepted a level of risk exceeding the organization’s risk tolerance, the CAE must discuss said determination with senior management and the board (if not appropriately addressed by senior management).
The CAE is responsible for ensuring both the internal audit function’s conformance with the Standards and continuous performance improvement.
The internal audit function’s quality program must incorporate conformance with both the Standards and the function’s performance objectives. The internal audit function should develop measures for assessing performance and the CAE should use said measures when evaluating progress on performance objectives.
What’s new/different in Principle 12:
- Requires the internal audit function to have a methodology for performing internal assessments and provides guidance on what needs to be included in said methodology. If the function is noncompliant with the Standards—and this noncompliance impacts the scope or operation of the function—it must be reported to senior management and the board.
- The CAE must work with the board and senior management on the development of the function’s performance objectives and, when assessing the function’s performance, the CAE must receive feedback from senior management and the board.
- Requires methodologies for engagement supervision, quality assurance and the development of competencies. The CAE must verify engagements are performed in conformance with the Standards.
- The CAE is responsible for supervising engagements—whether performed by internal staff or outside service providers—and ensuring evidence is documented and retained as required by the function’s established methodology.
The bottom line
The CAE or equivalent position is responsible for managing the internal audit function in accordance with the IA charter and Global Internal Audit Standards. This responsibility includes strategic planning, obtaining and deploying resources, building relationships, communicating with stakeholders and ensuring the quality of the function.
The CAE is expected to conform with the Standards whether the individual is directly employed by the organization or contracted through an external service provider. The specific job title, responsibilities and coordination with management and the board may vary across organizations, but the CAE is ultimately accountable for the activities laid out in Domain IV.
Explore more details on these regulations from The Institute of Internal Auditors.
Need help navigating these changes?
We’ve got you covered — through IIA Standards readiness assessments, gap analysis, quality assurance reviews, internal audit health checks and more.