AAP Roundtable on Implementing the New IIA Standards

On February 11, 2025, the ACUA Auditing and Accounting Principles (AAP) Committee hosted a roundtable discussion on implementing the Institute of Internal Auditors (IIA) Global Internal Audit Standards (Standards), which became effective on January 9, 2025. This event drew 35 ACUA members, who were divided into breakout rooms to share their questions and solutions on five topics with significant changes: reporting, governance/charter, performance metrics, strategic planning, and quality assessments. The AAP committee members facilitated the discussion and contributed to the following summary.

Reporting Requirements

The IIA added reporting elements in “Standard 15.1 Final Engagement Communication.” Changes include prioritizing findings, adding an overall summary of governance, risk, and controls, and adding an owner and due date to the management response.

How are departments reporting conformance in their audit reports while working on implementing the new Standards?  The internal audit departments that have already completed a gap analysis or an internal assessment and have modified their practices to agree with the new Standards continue to use the “in conformance” phrase in their reports. Departments that are still adjusting to the new Standards, or will have an external assessment soon, are temporarily omitting that phrase from their reports.

How are you prioritizing your findings? All members said they are consciously prioritizing their findings, but the methodologies varied. Some departments have defined a matrix for categorizing their findings as “high, medium, or low.” These ratings and definitions are sometimes presented in the reports for context. Other departments are relying on professional judgment in prioritizing their findings and are documenting their reasoning in the work papers. Most departments are including the phrase “findings are listed in order of priority” in the final reports.

How are departments concluding on the effectiveness of the governance, risk management, and control processes (GRC) of the activity reviewed? Most participants have not had to address this new requirement yet. Members are planning to give a conclusion on GRC as a whole, rather than addressing the three elements separately. Many plan to describe GRC from a selection of options, such as “needs improvement/adequate/good” or “satisfactory/enhancement required/significant enhancements required/ineffective.” Departments have begun developing criteria to facilitate consistent rankings of these areas.

Naming the individuals responsible for addressing the findings and the planned completion date is a new requirement, but is this a departure from your current practice? Most members said they are used to providing the estimated completion date on the final report but have not necessarily named the responsible party or division. Some departments that formerly only retained this information in the workpapers will now include this information in the management response section of the report. All agreed that providing the role or division responsible, rather than the name of the specific person, is sufficient.

Governance and Charters

“Standard 6.2 Internal Audit Charter” requires the internal audit charter to include the purpose of internal auditing, commitment to adhering to the Standards, and a mandate including scope and types of services to be provided, and to define organizational position and reporting relationships.

What changes are departments making to their audit charter? Many departments have been comparing their audit charter to the new Standards to determine what, if any, modifications are necessary. A few schools are using this opportunity to develop their initial charter. Minor changes include updating definitions, such as advisory services, and incorporating language from the IIA charter template, available from the IIA website. Another school looked at the “musts” in the Standards and ensured all were met. Other changes include adding required communications, enhancing the Standards on managing the internal audit function in Domain IV, and adding a section on ethics and professionalism.

Has anyone received any pushback or enthusiastic buy-in on their updated charters? Most members said neither, but mostly because people outside of the Internal Audit Department do not really understand the implication of these changes. However, most felt the Board and Audit Committees have been supportive.

How is the chief audit executive (CAE) managing the changes in communication with the board? Many schools have made presentations to their board regarding the changes to the Standards. Some CAEs are creating a document to formalize the discussions that take place between the CAE and the Board or Audit Committee. All agreed it is important to document what is required to be communicated to the Board.

Performance Metrics

“Standard 12.2 Performance Measurement” is new and states the CAE must develop objectives to evaluate the internal audit function’s performance and promote continuous improvement.

Which performance metrics have you found to be the best measurements of success? The most common metrics discussed at the roundtable included:

  • Status of the audit plan
  • Implementation of corrective actions
  • Post-engagement client surveys
  • Engagement time versus administrative time
  • Continuing professional education
  • Results of internal and external assessments
  • Project timeliness, such as completing engagements within time budgets, reports issued within X days of fieldwork, and hotline reports closed within X days.

Which new performance metrics are being considered as a result of this new standard? All schools said they did not make any changes to their existing performance metrics, though some did add existing metrics to their audit manual. Some were considering adding potential metrics about increasing the automation of work and applying data analytics to more projects. One school said their Board wanted a better understanding of the financial savings achieved, though it is difficult to quantify the value of compliance audits and process improvements.

Do you have performance metrics that tie to an individual auditor or manager? Most schools said their goals are related to the entire team. One school said their managers have additional key performance indicators of timely review of reports and a percentage of their team’s engagements completed. Another said they tie annual merit increases to the number of projects completed.

Strategic Planning

“Principle 9 Plan Strategically” focuses on planning strategically, and “Standard 9.2 Internal Audit Strategy” requires the CAE to develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.

Is strategic planning a new area for internal audit departments? If not, what are your plans for meeting this new standard? Some departments already had a strategic plan and were taking the opportunity to revisit their plan. Many smaller departments had not yet implemented a strategic plan and were preparing to do so.

What resources have you found to be most helpful for developing a strategic plan? The roundtable group discussed some webinars they have attended on the subject. Others have found peer input and online searches on organizational goals and strategies to be helpful.

What types of input did you receive when building your strategic plan? Those who have completed their strategic plan used team feedback, client survey responses, management analysis, their internal audit mission and objectives, and audit committee feedback. Completed plans were shared with the Board and senior management.

Internal and External Quality Assessments

Assessments of internal audit departments now fall under different standards. “Standard 8.3 Quality” requires the CAE to develop, implement, and maintain a quality assurance and improvement function. “Standard 12.1 Internal Quality Assessment” covers ongoing monitoring, periodic self-assessments, and communicating results to the board and senior management about adherence with the Standards. “Standard 8.4 External Quality Assessment” requires an external review to be conducted every 5 years and to include at least one Certified Internal Auditor (CIA) on the external review team.

For those who have completed an internal assessment or gap analysis, what resources did you use? All participants said they used the ACUA AAP – IIA Global Standards 2025 – Self-Assessment Tool and found it helpful in evaluating compliance with the new Standards. Members can download this workbook from the ACUA Resource Library after logging in and searching for “self-assessment tool.”

What were the biggest changes found in your gap assessment? Most felt the enhanced reporting and communication with the Board was the biggest change. Smaller changes needed to be addressed by revising audit manuals, audit charters, and strategic plans. The new ethics and professionalism domain and reporting requirements also needed to be incorporated into the audit manual. Roundtable attendees cited the need for training team members on the changes in the Standards to be able to effectively review engagement workpapers.

Which new topics have the most ambiguity for implementation? Small audit shops and those combined with other areas such as risk and compliance expressed difficulties in demonstrating conformance with the Standards due to inherent differences in organizational and operational structures. The group discussed ways to document conflict of interest disclosures and project-level independence. Others felt the requirements in “Domain III Governing the Internal Audit Function” are quite overarching and may be difficult to implement and document.

Who has plans to have an external assessment in 2025? Only one university said they were due for an external assessment in 2025. Others ensured they completed their assessment before the change in the Standards to allow for more time to conform. All acknowledged they will need to have a CIA on their next review team, though some noted that this new criterion may be a challenge as there are not many CIAs in their current pool of assessors.

Conclusion

The first AAP roundtable on the new Standards was a big success. The participants appreciated hearing how fellow members are tackling these changes. Members enjoyed the small breakout group format and the ability to share and collaborate with peer universities on these topics. In the post-event survey, the roundtable attendees unanimously found the roundtable to be helpful and would be interested in attending future roundtables related to the Standards. Please watch for future roundtable opportunities hosted by the AAP!


ACUA 2024 Award Winners and Board Members

By C&U Journal Staff

Congratulations to the following 2024 award winners and new board members announced during AuditCon in Atlanta:

Outstanding Professional Contributions Award

John McDaniel is currently the Director of Internal Audit at the University of Alabama System and has 25 years of experience in higher education and academic medical center administration, compliance, and risk management. Since 2021, John has been a key member of the ACUA Professional Education Committee, contributing to the success of several AuditCon events, and currently serves as the Director of Audit Interactive. John also plays an active role on the ACUA Standards and Best Practices Committee, was instrumental in founding the ACUA Sideline Committee alongside other ACUA members, and has published many articles in the ACUA journal and for other organizations. John is also a dedicated participant and leader in external Quality Assurance initiatives for fellow ACUA members and has served in leadership roles outside of ACUA.

Rising Star Awards

Jocelyn Edge joined the Duke University internal audit department in 2021 and has embraced the higher education industry. Jocelyn has already made significant contributions to ACUA by serving as a presenter at several AuditCons. Serving on the Communications Committee, Jocelyn supports social media content creation, design, posting, and coordination with other committees. She took the initiative to standardize social media request processes to ensure individuals and committees have a clear path to promote ACUA activities and announcements. She continues to develop innovative ways to increase content posting to reach our members across several platforms and is introducing video content to help engage members.

Erin Egan is the director of audit and advisory services for Rutgers University. Erin has been an active member of ACUA for the past ten years and was a member of the second cohort of the ACUA Leads program. Erin has served in a number of roles for ACUA over the years, including Governmental Affairs committee co-chair, ACUA Journal article author, conference speaker and proctor, and mentor to other members. Erin has served as the director of the Auditing and Accounting Principles (AAP) sub-committee of the Standards and Best Practices committee, which has been focused on the changes to the IIA’s International Professional Practices Framework, specifically those to the new Global Internal Audit Standards.

Please make sure to congratulate our 2024 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

New Board Members

The 2024-2025 ACUA Board of Directors officially assumed their new roles at AuditCon and thanked Melissa Hall, Emory University, for her prior role as past-president. The 2024-2025 Board of Directors are:

  • Laura Buchhorn, President, University of Texas at San Antonio
  • Nikki Pittman, Vice President, University of Alaska
  • Eulonda Whitmore, Secretary/Treasurer, Wayne State University
  • Marion Candrea, Immediate Past President, Boston University

ACUA thanked Deidre Melton for her past service as a board member and welcomed Amy Kozak in her new role. The Board Members-at-Large are:

  • Jana Clark, Kansas State University
  • Kara Kearney-Saylor, University of Buffalo
  • William Hancock, Jr., Auburn University
  • Andre’ McMillan, University of Delaware
  • Amy Kozak, University of California, Santa Cruz

ACUA committee chairs and sub-committee directors were also celebrated at AuditCon.

Agile Auditing: Three Pillars for Effective Implementation

With the changing landscape of both internal and external audit environments, industry researchers are eager to suggest that the traditional waterfall approach to conducting audits needs to be adjusted to make way for a more flexible, responsive, transparent, and engaged audit process. G.L. Joshi believes agile auditing, when implemented effectively, can “elevate the performance and value of internal audits.” Agile auditing is based on the principles and values from agile methodologies used extensively in software development. It consists of focusing on individuals and interactions, working products and services, customer collaboration, and responding to change.

This methodology adapts to focus on the needs of the stakeholders, expedite audit cycles, reduce effort and time, and create less unnecessary documentation. Liz Berger, former Director at Protiviti, explained that as an alternative to the traditional and sequential waterfall process, agile auditing does not necessarily change what auditors do, but how an audit is done. Agile auditing can offer opportunities to evolve auditing with the times. Agile auditing’s application to audit, risk, and compliance, and effective implementation relies on three pillars: risk-based audits, stakeholder management, and agile ceremonies.

Figure 1. Three Pillars of Agile Auditing: risk-based audits, stakeholder management, and agile ceremonies

Risk-Based Audits

A crucial step for internal auditors is to prioritize and audit the highest risk to the organization. Auditors need to focus on the areas most likely to impact the organization’s business objectives. Effective audits result from the application of key aspects in risk-based auditing including risk identification and assessment, risk-based audit plan, testing and evaluation, and reporting and communication.

Spiros Alexiou explained in an ISACA article that agile models involve the bare minimum required documentation, making the process more streamlined. This, in turn, gives the auditors an opportunity to focus on the “insights, risks, and opportunities that stakeholders need,” according to Galvanize (now Diligent). Joshi also emphasized that agile auditing enables auditors to become more flexible and adaptive as they are able to check their progress in short intervals instead of waiting until the whole audit process has been completed, thus increasing value and risk-specific insights. When applied to higher education audits, for example, an agile audit can improve risk management practices across the institution. Agile audit practices can enable colleges and universities to identify, assess, and mitigate risks more effectively, safeguarding the institution’s assets, reputation, and compliance with regulatory requirements.

Stakeholder Management

There is an art and a science in managing both internal and external audit stakeholders. Identification and prioritization of impacted stakeholders is an important step. The level of stakeholder influence and interest in the audit process can influence the success or failure of an audit. Hence, it is important to manage expectations proactively by fostering collaboration and engagement. There needs to be a clear and timely communication channel tailored to each stakeholder’s specific needs and information level. Most importantly, auditors need to invest time in building and maintaining positive relationships with key stakeholders using skills such as regular engagement, professionalism, and empathy when addressing stakeholder concerns.

For agile auditing to be implemented successfully, KPMG notes that the vision must be shared by top management and leadership, auditors, and clients. DBS, the largest bank in Singapore and Southeast Asia, was one of the early adopters of agile auditing. According to DBS, the secret to their successful implementation was the supportive tone from management across the board, auditors who fully immersed themselves in the methodology, and clients who were knowledgeable of agile auditing, which allowed for close collaboration. As a result, the DBS Internal Audit team was able to boost the number and gravity of the risks they found, which improved the level of audit assurance they were able to provide to their stakeholders. In the bigger scheme, the process does not really change, but auditors become more equipped and knowledgeable about where to look harder.

Agile Ceremonies

The ceremonies within agile auditing facilitate effective communication, collaboration, and planning within Agile Teams. The four main Agile ceremonies are: Sprint Planning, Daily Stand-up, Sprint Review and Sprint Retrospective/Lessons Learned.

  • Sprint Planning’s goal is to prioritize the highest risks and define the scope for the upcoming schedule/sprint; it requires audit teams to estimate the work according to their personal velocity and bandwidth.
  • Daily Stand-ups help the audit team identify roadblocks and adjust plans as needed. Each team member focuses on three main questions: what I worked on yesterday, what I will work on today, and what roadblocks prevent me from completing assigned audit work.
  • Sprint Review showcases the completed work and gathers feedback for completed audit workpapers and reports. This allows the audit management team to strategize and define the next audit work to be completed.
  • Sprint Retrospective allows the team to identify areas for improvement and agree on action items for implementation in the next sprint.

KPMG describes how a global banking institution implemented agile auditing by organizing daily stand-up meetings within the audit teams. This allowed them to evaluate whether the execution and performance corresponded with planning. These daily stand-up meetings gave the teams an opportunity to check for bottlenecks, assess prioritization, and provide feedback. They also organized a bi-weekly “market place” where sprint reviews were evaluated and discussed with all the teams involved so they could review the total audit plan’s progress and provide mutual feedback.

Agile auditing is more than the ceremonies, as it also must work hand-in-hand with risk-based audits and effective stakeholder management. Success in agile auditing requires an agile mindset, dedicated to continuous improvement.

References

Joshi, P. L. (2021). A review of agile internal auditing: Retrospective and prospective. International Journal of Smart Business and Technology, 9(2), 13 – 32.
KPMG. (2020, October). Agile internal audit. White paper on working Agile within internal audit functions. https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2020/10/agile-internal-audit-white-paper-on-working-agile-within-internal-audit-functions-part-2.pdf
Deloitte. (2017). Becoming agile: A guide to elevating internal audit’s performance and value. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/finance/deloitte-uk-understanding-agile-ia.pdf
Berger, L. (2020, January 2020). Agile internal audit: How to audit at the speed of risk. Protiviti. https://blog.protiviti.com/2020/01/27/agile-internal-audit-how-to-audit-at-the-speed-of-risk/
Galvanize. (2019, April 23). An overview of agile auditing. Galvanize. https://www.wegalvanize.com/audit/an-overview-of-agile-auditing/#:~:text=The%20main%20difference%20between%20agile,work%2C%20and%20increased%20collaboration).
Alexiou, S. (2017). Agile audit. ISACA Journal (2), 27 – 35. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/agile-audit