Changes to the Internal Audit IPPF: What You Need to Know and How to Prepare
Article
Changes to the Internal Audit IPPF: What You Need to Know and How to Prepare
by Bianca Sarrach
May 15, 2023

Updated August 15, 2023

On March 1, 2023, the Institute of Internal Auditors (IIA) released a draft of their proposed changes to the International Professional Practices Framework (IPPF), with the plan to issue final standards in late 2023. The IPPF is the conceptual framework that provides authoritative guidance to internal audit practitioners worldwide.

While it’s not mandatory to implement the framework, it benefits your organization to follow it so that key stakeholders — including investors, banks, external auditors, customers, vendors or your board of directors — can rely on your internal audits and their findings and recommendations. Applying the IPPF also adds value to your organization by empowering those who oversee audits to meet stakeholder expectations for efficiency and risk mitigation.

While some of the proposed changes might not find their way into the final IPPF framework, we expect most of the changes and requirements to stick around. Below is a summary of the key proposed changes and what you can do to prepare.

Noteworthy Changes

The most significant change in the proposed framework is a new structure for the IPPF, which will organize content from the six elements of the current IPPF (Mission, Definition, Code of Ethics, Core Principles, Standards and Implementation Guides) into five domains to better align roles and responsibilities within the Internal Audit function:

Domain I: Purpose of Internal Auditing
Focuses on how the internal audit function achieves success and the environment that makes internal auditing effective

Domain II: Ethics and Professionalism
Incorporates the code of ethics, including practitioner conduct, objectivity and competency while also addressing due professional care and confidentiality

Domain III: Governing the Internal Audit Function
Clarifies the board’s role, the board’s independence and its responsibility in overseeing the internal audit function

Domain IV: Managing the Internal Audit Function
Focuses on the chief audit executive (CAE)’s role in overseeing and governing the internal audit function, including planning, resource management, communication and quality management

Domain V: Performing Internal Audit Services
Addresses internal audit engagements and how to plan and effectively conduct the work while providing quality services to an organization

You can find further detail about the new structure on the IIA website.

Other changes include:

  • Aligning the standards with the principles: For the first time, the 15 ethics and professionalism principles and standards, which comprise internal auditors’ code of ethics, will be considered first before standards are written, creating better alignment between the two.
  • Code of ethics: The Code of Ethics for Internal Auditors receives an overhaul by dividing the concept of objectivity from independence and adding professional skepticism as a separate standard.
  • Purpose of the internal audit function: The updated content focuses on the purpose of the internal audit function as well as the board’s role and requirements, adding more oversight responsibilities for the board and establishing a stronger reporting and communication line between the board and the CAE. The IIA document “The Board's Role in Governing the Internal Audit Function” is meant to help CAEs and CFOs clarify and emphasize the importance of the board's governance roles and responsibilities that enable the internal audit function to achieve its purpose.
  • The role of the CAE: The new proposed standards clarify and enhance the role of the CAE, requiring internal audit functions to have policies and procedures documenting methodologies, performance evaluations, and purpose, as well as a vision, strategic objectives and supporting initiatives. Additionally, the CAE is specifically tasked with developing an approach for building relationships with stakeholders and communicating effectively.
  • The role of the internal auditor: While there was always a focus on quality for the internal auditor role, the new framework aims to codify it better. The new standards focus heavily on communication with the board as well as auditees and incorporate added requirements for quality internal audit services, such as:
    • Requiring a root cause determination
    • Assessment of the significance of findings
    • A requirement for internal auditors to formulate recommendations for their internal audit findings
    • A management action plan
  • Other: More consideration has been given to the public sector as it relates to statutory requirements for final communications and access to workpapers as well as considerations for outsourced and small internal audit functions.

How to Prepare Your Internal Audit Department

Some of the things business leaders and internal audit teams should consider now to prepare for the final release of the new framework include:

  • As a board member, CFO or internal audit practitioner, you should start familiarizing yourself with the proposed changes to understand how much they impact your current internal audit practices.
  • As the CAE, you want to start understanding how you approach communication with the board and auditees. Do you have a communications plan in place that is followed for all of your internal audit engagements and identifies who should receive what type of communication (e.g., board reporting on audit status, kick-off communication to auditees before an audit starts, status updates to senior management during the audit year)? Does your board feel like they have an appropriate reporting line with you?
  • As an internal audit practitioner, start looking at the quality aspect of your work. Do you have proper workpapers and workpaper storage in place? Is all of your work reviewed and are review notes properly addressed? Are findings and recommendations properly supported, and do you work closely with management on action plans to remediate findings?

As a general best practice for your organization, consider:

  • Do you have policies and procedures as well as documented methodologies on how to conduct an internal audit?
  • What are your current quality standards and requirements for internal audit engagements? Are these understood and followed by your staff?
  • Make sure your staff are training on emerging risks, such as supply chain disruption, cybersecurity, environmental risk factors, etc.

The IIA is planning on releasing their final, updated framework by the end of 2023.


Contact our Risk Assurance and Advisory experts to learn more about what the proposed IPPF changes mean for your organization and how to prepare, as well as other ways to successfully navigate change.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Resources
Related News & Insights
Data Governance: A Guide for Managing Enterprise Risk
Article
Learn why proper data governance is a critical component of managing enterprise risk.

August 03, 2023
Analytics Company Gains Strategic Edge by Validating Its Data Model
Case Study
Granular evaluation of NCS Analytics’ data model provides peace of mind for company and customers.

June 05, 2023
How the NIST Frameworks Can Benefit Your Privacy and Cybersecurity Programs
Article
Maintain regulatory compliance, reassure stakeholders and safeguard your organization against evolving risks.

May 16, 2023