Updated August 15, 2023
On March 1, 2023, the Institute of Internal Auditors (IIA) released a draft of their proposed changes to the International Professional Practices Framework (IPPF), with the plan to issue final standards in late 2023. The IPPF is the conceptual framework that provides authoritative guidance to internal audit practitioners worldwide.
While it’s not mandatory to implement the framework, it benefits your organization to follow it so that key stakeholders — including investors, banks, external auditors, customers, vendors or your board of directors — can rely on your internal audits and their findings and recommendations. Applying the IPPF also adds value to your organization by empowering those who oversee audits to meet stakeholder expectations for efficiency and risk mitigation.
While some of the proposed changes might not find their way into the final IPPF framework, we expect most of the changes and requirements to stick around. Below is a summary of the key proposed changes and what you can do to prepare.
Noteworthy Changes
The most significant change in the proposed framework is a new structure for the IPPF, which will organize content from the six elements of the current IPPF (Mission, Definition, Code of Ethics, Core Principles, Standards and Implementation Guides) into five domains to better align roles and responsibilities within the Internal Audit function:
Domain I: Purpose of Internal Auditing
Focuses on how the internal audit function achieves success and the environment that makes internal auditing effective
Domain II: Ethics and Professionalism
Incorporates the code of ethics, including practitioner conduct, objectivity and competency while also addressing due professional care and confidentiality
Domain III: Governing the Internal Audit Function
Clarifies the board’s role, the board’s independence and its responsibility in overseeing the internal audit function
Domain IV: Managing the Internal Audit Function
Focuses on the chief audit executive (CAE)’s role in overseeing and governing the internal audit function, including planning, resource management, communication and quality management
Domain V: Performing Internal Audit Services
Addresses internal audit engagements and how to plan and effectively conduct the work while providing quality services to an organization
You can find further detail about the new structure on the IIA website.
Other changes include:
- Aligning the standards with the principles: For the first time, the 15 ethics and professionalism principles and standards, which comprise internal auditors’ code of ethics, will be considered first before standards are written, creating better alignment between the two.
- Code of ethics: The Code of Ethics for Internal Auditors receives an overhaul by dividing the concept of objectivity from independence and adding professional skepticism as a separate standard.
- Purpose of the internal audit function: The updated content focuses on the purpose of the internal audit function as well as the board’s role and requirements, adding more oversight responsibilities for the board and establishing a stronger reporting and communication line between the board and the CAE. The IIA document “The Board's Role in Governing the Internal Audit Function” is meant to help CAEs and CFOs clarify and emphasize the importance of the board's governance roles and responsibilities that enable the internal audit function to achieve its purpose.
- The role of the CAE: The new proposed standards clarify and enhance the role of the CAE, requiring internal audit functions to have policies and procedures documenting methodologies, performance evaluations, and purpose, as well as a vision, strategic objectives and supporting initiatives. Additionally, the CAE is specifically tasked with developing an approach for building relationships with stakeholders and communicating effectively.
- The role of the internal auditor: While there was always a focus on quality for the internal auditor role, the new framework aims to codify it better. The new standards focus heavily on communication with the board as well as auditees and incorporate added requirements for quality internal audit services, such as:
  - Requiring a root cause determination
  - Assessment of the significance of findings
  - A requirement for internal auditors to formulate recommendations for their internal audit findings
  - A management action plan
- Other: More consideration has been given to the public sector as it relates to statutory requirements for final communications and access to workpapers as well as considerations for outsourced and small internal audit functions.
How to Prepare Your Internal Audit Department
Some of the things business leaders and internal audit teams should consider now to prepare for the final release of the new framework include:
- As a board member, CFO or internal audit practitioner, you should start familiarizing yourself with the proposed changes to understand how much they impact your current internal audit practices.
- As the CAE, you want to start understanding how you approach communication with the board and auditees. Do you have a communications plan in place that is followed for all of your internal audit engagements and identifies who should receive what type of communication (e.g., board reporting on audit status, kick-off communication to auditees before an audit starts, status updates to senior management during the audit year)? Does your board feel like they have an appropriate reporting line with you?
- As an internal audit practitioner, start looking at the quality aspect of your work. Do you have proper workpapers and workpaper storage in place? Is all of your work reviewed and are review notes properly addressed? Are findings and recommendations properly supported, and do you work closely with management on action plans to remediate findings?
As a general best practice for your organization, consider:
- Do you have policies and procedures as well as documented methodologies on how to conduct an internal audit?
- What are your current quality standards and requirements for internal audit engagements? Are these understood and followed by your staff?
- Make sure your staff are training on emerging risks, such as supply chain disruption, cybersecurity, environmental risk factors, etc.
The IIA is planning on releasing their final, updated framework by the end of 2023.