AAP Roundtable on Implementing the New IIA Standards

On February 11, 2025, the ACUA Auditing and Accounting Principles (AAP) Committee hosted a roundtable discussion on implementing the Institute of Internal Auditors (IIA) Global Internal Audit Standards (Standards), which became effective on January 9, 2025. This event drew 35 ACUA members, who were divided into breakout rooms to share their questions and solutions on five topics with significant changes: reporting, governance/charter, performance metrics, strategic planning, and quality assessments. The AAP committee members facilitated the discussion and contributed to the following summary.
Reporting Requirements
The IIA added reporting elements in “Standard 15.1 Final Engagement Communication.” Changes include prioritizing findings, adding an overall summary of governance, risk, and controls, and adding an owner and due date to the management response.
How are departments reporting conformance in their audit reports while working on implementing the new Standards? The internal audit departments that have already completed a gap analysis or an internal assessment and have modified their practices to agree with the new Standards continue to use the “in conformance” phrase in their reports. Departments that are still adjusting to the new Standards, or will have an external assessment soon, are temporarily omitting that phrase from their reports.
How are you prioritizing your findings? All members said they are consciously prioritizing their findings, but the methodologies varied. Some departments have defined a matrix for categorizing their findings as “high, medium, or low.” These ratings and definitions are sometimes presented in the reports for context. Other departments are relying on professional judgment in prioritizing their findings and are documenting their reasoning in the work papers. Most departments are including the phrase “findings are listed in order of priority” in the final reports.
How are departments concluding on the effectiveness of the governance, risk management, and control processes (GRC) of the activity reviewed? Most participants have not had to address this new requirement yet. Members are planning to give a conclusion on GRC as a whole, rather than addressing the three elements separately. Many plan to describe GRC from a selection of options, such as “needs improvement/adequate/good” or “satisfactory/enhancement required/significant enhancements required/ineffective.” Departments have begun developing criteria to facilitate consistent rankings of these areas.
Naming the individuals responsible for addressing the findings and the planned completion date is a new requirement, but is this a departure from your current practice? Most members said they are used to providing the estimated completion date on the final report but have not necessarily named the responsible party or division. Some departments that formerly only retained this information in the workpapers will now include this information in the management response section of the report. All agreed that providing the role or division responsible, rather than the name of the specific person, is sufficient.
Governance and Charters
“Standard 6.2 Internal Audit Charter” requires the internal audit charter to include the purpose of internal auditing, commitment to adhering to the Standards, a mandate including scope and types of services to be provided, and defines organization position and reporting relationships.
What changes are departments making to their audit charter? Many departments have been comparing their audit charter to the new Standards to determine what, if any, modifications are necessary. A few schools are using this opportunity to develop their initial charter. Minor changes include updating definitions, such as advisory services, and incorporating language from the IIA charter[TM1] template, available from the IIA website. Another school looked at the “musts” in the Standards and ensured all were met. Other changes include adding required communications, enhancing the Standards on managing the internal audit function in Domain IV, and adding a section on ethics and professionalism.
Has anyone received any pushback or enthusiastic buy-in on their updated charters? Most members said neither, but mostly because people outside of the Internal Audit Department do not really understand the implication of these changes. However, most felt the Board and Audit Committees have been supportive.
How is the chief audit executive (CAE) managing the changes in communication with the board? Many schools have made presentations to their board regarding the changes to the Standards. Some CAEs are creating a document to formalize the discussions that take place between the CAE and the Board or Audit Committee. All agreed it is important to document what is required to be communicated to the Board.
Performance Metrics
“Standard 12.2 Performance Measurement” is new and states the CAE must develop objectives to evaluate the internal audit function’s performance and promote continuous improvement.
Which performance metrics have you found to be the best measurements of success? The most common metrics discussed at the roundtable included:
- Status of the audit plan
- Implementation of corrective actions
- Post-engagement client surveys
- Engagement time versus administrative time
- Continuing professional education
- Results of internal and external assessments
- Project timeliness, such as completing engagements within time budgets, reports issued within X days of fieldwork, and hotline reports closed within X days.
Which new performance metrics are being considered as a result of this new standard? All schools said they did not make any changes to their existing performance metrics, though some did add existing metrics to their audit manual. Some were considering adding potential metrics about increasing the automation of work and applying data analytics to more projects. One school said their Board wanted a better understanding of the financial savings achieved, though it is difficult to quantify the value of compliance audits and process improvements.
Do you have performance metrics that tie to an individual auditor or manager? Most schools said their goals are related to the entire team. One school said their managers have additional key performance indicators of timely review of reports and a percentage of their team’s engagements completed. Another said they tie annual merit increases to the number of projects completed.
Strategic Planning
“Principle 9 Plan Strategically” focuses on planning strategically, and “Standard 9.2 Internal Audit Strategy” requires the CAE to develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.
Is strategic planning a new area for internal audit departments? If not, what are your plans for meeting this new standard? Some departments already had a strategic plan and were taking the opportunity to revisit their plan. Many smaller departments had not yet implemented a strategic plan and were preparing to do so.
What resources have you found to be most helpful for developing a strategic plan? The roundtable group discussed some webinars they have attended on the subject. Others have found peer input and online searches on organizational goals and strategies to be helpful.
What types of input did you receive when building your strategic plan? Those who have completed their strategic plan used team feedback, client survey responses, management analysis, their internal audit mission and objectives, and audit committee feedback. Completed plans were shared with the Board and senior management.
Internal and External Quality Assessments
Assessments of internal audit departments now fall under different standards. “Standard 8.3 Quality” requires the CAE to develop, implement, and maintain a quality assurance and improvement function. “Standard 12.1 Internal Quality Assessment” covers ongoing monitoring, periodic self-assessments, and communicating results to the board and senior management about adherence with the Standards. “Standard 8.4 External Quality Assessment” requires an external review conducted every 5 years and include at least one Certified Internal Auditor (CIA) on the external review team.
For those who have completed an internal assessment or gap analysis, what resources did you use? All participants said they used the ACUA AAP – IIA Global Standards 2025 – Self-Assessment Tool and found it helpful in evaluating compliance with the new Standards. Members can download this workbook from the ACUA Resource Library after logging in and searching for “self-assessment tool.”
What were the biggest changes found in your gap assessment? Most felt the enhanced reporting and communication with the Board was the biggest change. Smaller changes needed to be addressed by revising audit manuals, audit charters, and strategic plans. The new ethics and professionalism domain and reporting requirements also needed to be incorporated into the audit manual. Roundtable attendees cited the need for training team members on the changes in the Standards to be able to effectively review engagement workpapers.
Which new topics have the most ambiguity for implementation? Small audit shops and those combined with other areas such as risk and compliance expressed difficulties in demonstrating conformance with the Standards due to inherent differences in organizational and operational structures. The group discussed ways to document conflict of interest disclosures and project-level independence. Others felt the requirements in “Domain III Governing the Internal Audit Function” are quite overarching and may be difficult to implement and document.
Who has plans to have an external assessment in 2025? Only one university said they were due for an external assessment in 2025. Others ensured they completed their assessment before the change in the Standards to allow for more time to conform. All acknowledged they will need to have a CIA on their next review team, though some cited this new criterion may be a challenge as there are not many CIAs in their current pool of assessors.
Conclusion
The first AAP roundtable on the new Standards was a big success. The participants appreciated hearing how fellow members are tackling these changes. Members enjoyed the small breakout group format and the ability to share and collaborate with peer universities on these topics. In the post-event survey, the roundtable attendees unanimously found the roundtable to be helpful and would be interested in attending future roundtables related to the Standards. Please watch for future roundtable opportunities hosted by the AAP!