Interested in this topic? Find more articles and resources to support internal auditors conforming to the new standards below:
Check out the October issue of Internal Auditor magazine for Liz Sandwith’s article, “Ready to Conform,” packed with practical advice for meeting the new Standards by January 2025.
Visit The IIA's website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit.
00:00:07 The IIA
In this episode, Liz Sandwith talks with Larissa Nelson about the changes in the IIA's new global internal audit standards.
00:00:17 The IIA
They discuss how internal auditors can prepare for these changes, the challenges they may face, and practical strategies to ensure conformance by January 9, 2025.
00:00:30 Lauressa Nelson
Hi, Liz.
00:00:32 Lauressa Nelson
Thank you so much for joining me today.
00:00:34 Lauressa Nelson
I'm excited to have this conversation.
00:00:36 Liz Sandwith
Thank you very much for inviting me, and I'm really looking forward to sharing some thoughts.
00:00:41 Lauressa Nelson
So we are coming closer and closer to the official effective date for the new Global Internal Audit Standard.
00:00:48 Lauressa Nelson
So how are you sensing that people are preparing?
00:00:52 Lauressa Nelson
How are they feeling about it?
00:00:54 Lauressa Nelson
Are internal auditors feeling that they're ready?
00:00:57 Liz Sandwith
I think it would be fair to say probably no.
00:01:01 Liz Sandwith
So I'm saying generically no.
00:01:04 Liz Sandwith
I think some sectors, financial services sector, probably got it well and truly sorted because they will have a professional practices team that will support the internal audit function in conforming with the standards.
00:01:21 Liz Sandwith
Some of the public sector, no.
00:01:24 Liz Sandwith
And some smaller private sector, and certainly some of the charities are not there yet.
00:01:31 Liz Sandwith
I did a webinar today, I did one last week, and in both, more than 33% haven't even read them yet.
00:01:40 Liz Sandwith
Really?
00:01:42 Liz Sandwith
So I think there are challenges in terms of, I sort of think, and I don't think it was confused in any way, shape or form,
00:01:53 Liz Sandwith
but I'm sensing that people think, ah, right, from 9th of January, 2025, I now need to start doing something about conforming.
00:02:05 Liz Sandwith
They haven't seen 2024 as a transition year in terms of taking time to read them, do a gap analysis, understand where they're weak, where they're strong, what they need to do.
00:02:19 Liz Sandwith
I think they've just thought, oh, right,
00:02:22 Liz Sandwith
and they'll start in January next year.
00:02:25 Liz Sandwith
Right.
00:02:26 Liz Sandwith
I think the challenge is going to be if they've recently had an external quality assessment, maybe 2023 or indeed this year, I think in their heads they're probably thinking we're good for the next three or four years.
00:02:43 Liz Sandwith
So we can embed the standards in our own time.
00:02:48 Liz Sandwith
Whereas if they've got an EQA due this year, they're beginning to panic a little.
00:02:54 Lauressa Nelson
Right.
00:02:55 Liz Sandwith
You know, and what I've been saying to people I talk to, because you've given them options, either make sure you do it this year and do it in accordance with the IPPF 2017, or then, or delay it and do it in 2025, but maybe do it later in the year rather than at the beginning of the year.
00:03:18 Liz Sandwith
And I think a number of people, what they've done is they've brought forward their external quality assessment to 2024, but they've also asked who's ever doing the external quality assessment to do a validated self-assessment of a gap analysis that they've done in relation to, you know, how far are we from conforming with the new global internal audit standards?
00:03:45 Liz Sandwith
I did one of those for a customer quite recently, a large organization, and they had an EQA this year, and I did the gap analysis, and they have a lot of work to do.
00:04:01 Lauressa Nelson
Wow, okay.
00:04:03 Lauressa Nelson
Well, that is very interesting.
00:04:04 Lauressa Nelson
How does this gap analysis idea work?
00:04:08 Lauressa Nelson
So for people that are saying, Boy, I wasn't thinking about this, but January 9th, 2025 is,
00:04:15 Lauressa Nelson
almost here, what would you recommend for them to get started right now doing?
00:04:22 Liz Sandwith
I think what I would suggest is think about when you last had your EQA or your external quality assessment, where were you strong?
00:04:35 Liz Sandwith
Where were you weak?
00:04:36 Liz Sandwith
So I would almost link it to a SWOT analysis.
00:04:40 Liz Sandwith
What are the strengths of the internal audit function?
00:04:44 Liz Sandwith
What are its weaknesses?
00:04:45 Liz Sandwith
Are there opportunities to use the global internal audit standards to raise their bar?
00:04:51 Liz Sandwith
And are there some threats?
00:04:52 Liz Sandwith
Maybe you have an audit committee or a board that's not very supportive of the internal audit function.
00:05:00 Liz Sandwith
So I'd do my SWOT analysis first and I'd document that.
00:05:05 Liz Sandwith
And then I'd look at my last EQA, even if it was back in 2022,
00:05:10 Liz Sandwith
What were the findings?
00:05:11 Liz Sandwith
What were the outcomes of that external quality assessment?
00:05:16 Liz Sandwith
Then I would, so I'd use that as my base.
00:05:19 Liz Sandwith
Then I would look at the two-way mapping document that the IIA has produced to see, you know, the ones where I did okay, what are we now saying the global internal audit standards say, and where they're on new standards,
00:05:35 Liz Sandwith
I would flag those as things I need to work on because I haven't got conformance.
00:05:40 Liz Sandwith
And then I'd also, sorry.
00:05:43 Lauressa Nelson
I was just gonna say, sure.
00:05:44 Lauressa Nelson
So the 2017 standards would be your last EQA would've been performed against those.
00:05:51 Lauressa Nelson
And then now you're looking at not just what did I do well on and what didn't I do well on, but also now I'm looking at 2024, what's new and different between then and now, right?
00:06:03 Liz Sandwith
I think the other really useful document, and I think the IIA has done a brilliant job, is the conformance readiness assessment, because that's picked up the new standard.
00:06:15 Liz Sandwith
So like standard 1.1, honesty and professional courage, standard 4.3, professional skepticism, because they're very new, and therefore it's shown you what sort of evidence of conformance you need for those.
00:06:30 Liz Sandwith
Because some of these more behavioral ones are, I think, causing some challenges for internal audit functions, CAEs, in terms of how do I demonstrate honesty and professional courage?
00:06:44 Liz Sandwith
That's quite difficult to be able to demonstrate.
00:06:50 Lauressa Nelson
Sure, there's not necessarily tangible evidence as there is with most other standards where you have documentation to support it.
00:07:00 Liz Sandwith
Yeah.
00:07:01 Lauressa Nelson
So you have to kind of have some tangential evidence, like what would be some examples of things you would use?
00:07:08 Lauressa Nelson
We've always had this struggle with the code of ethics or the and now in this case, it's the standards and principles of ethics and professionalism.
00:07:16 Lauressa Nelson
But what are some ways that people can demonstrate conformance in those areas?
00:07:21 Liz Sandwith
I think with those ones now, I think the objectivity element is it's fairly straightforward, not vastly different from what we've done in the past.
00:07:30 Liz Sandwith
But I think that, you know, the honesty and professional courage, I think you use, I would use customer feedback.
00:07:39 Liz Sandwith
So I've done an EQA, sorry, I've done an internal audit engagement and now, you know, customer, you know, how did you think the internal auditors performed?
00:07:50 Liz Sandwith
Were they honest with you when you, you know, when they were highlighting things that you hadn't done particularly well?
00:07:58 Liz Sandwith
Did they demonstrate that they had the courage to call out to you things that you weren't doing particularly well?
00:08:06 Liz Sandwith
So I think it's about redoing your customer feedback and bringing these things to the fore in terms of, you know, how do you as a customer feel the internal auditors demonstrated those elements of our ethics and professionalism?
00:08:27 Liz Sandwith
domain two standards.
00:08:30 Lauressa Nelson
Sure, and those are particularly related to the behavior of individual internal auditors.
00:08:36 Lauressa Nelson
What about the purpose domain?
00:08:39 Lauressa Nelson
It doesn't have standards and principles, but why is that important and how does that relate to the rest of the standards?
00:08:50 Liz Sandwith
I think that that is probably the most important domain here.
00:08:56 Liz Sandwith
That speaks to who I am as an internal auditor.
00:09:00 Liz Sandwith
It talks about what I can deliver to you, my organization, in my capacity as a professional, competent internal auditor.
00:09:12 Liz Sandwith
I love the two words at the end of the professional statement, purpose statement around insight and foresight.
00:09:23 Liz Sandwith
it's very easy for us to do engagements and say, thank you very much, there are the findings.
00:09:28 Liz Sandwith
And this is more telling what's happening now, what are we seeing now in the organization and looking across the organization.
00:09:38 Liz Sandwith
So I might be doing an audit on, you know, customer services, but also what's happening is my organization going through lots of change and therefore, you know, how do,
00:09:51 Liz Sandwith
you know, what I do as part of my internal audit engagement, how is it meeting my purpose statement, but also how is it adding value and enhancing the organization's ability to achieve its objectives?
00:10:05 Liz Sandwith
I think the foresight bit is absolutely key as well.
00:10:10 Liz Sandwith
And we've talked about this over the years, but it's never been anywhere before.
00:10:15 Liz Sandwith
Now it's saying, okay, internal audit,
00:10:18 Liz Sandwith
Although you are not the only person in the organization who can apply some foresight, internal audit, where do you think the next crisis might be?
00:10:27 Liz Sandwith
What are the key risks in our organization that are being exacerbated by the volatility of the environment we find ourselves in and the challenges that that presents?
00:10:40 Liz Sandwith
So, you know, Wall Street, according to the business news this morning, lowest levels since 2015,
00:10:48 Liz Sandwith
yesterday when it closed.
00:10:50 Liz Sandwith
And therefore, you know, what does that mean to your organization in terms of challenges?
00:10:55 Liz Sandwith
And how do we demonstrate as internal auditors that we are looking beyond the walls of our organization and seeing what's coming down the track?
00:11:05 Liz Sandwith
And what, you know, how can we share that with the business and support the business in dealing with these new crises, complex risks, et cetera?
00:11:16 Lauressa Nelson
So it sounds like the purpose
00:11:18 Lauressa Nelson
and domain one have sort of elevated the expectation or put into words at least all the expectations that internal auditors aspire to deliver on.
00:11:30 Lauressa Nelson
And how have the other domains, I specifically am thinking about domain three and governing the internal audit function also brought in that idea of raising the expectations, raising the bar for the function, what's new,
00:11:48 Lauressa Nelson
And I know domain three is governing the internal audit function, which sounds a little bit like basically new terminology and concepts, but how does that relate also to delivering on the purpose?
00:12:01 Liz Sandwith
It's about the relationship.
00:12:02 Liz Sandwith
So, you know, internal audit has a relationship with the audit committee.
00:12:08 Liz Sandwith
And I have spoken to chief audit execs, and some of them go, Domain three is a walk in the park, we do it already.
00:12:17 Liz Sandwith
We have conversations, we take reports, you know, they sign our charter, they look at our plan, you know, all of that sort of thing.
00:12:26 Liz Sandwith
Okay.
00:12:28 Liz Sandwith
And then I say, what do they say when you present these documents?
00:12:33 Liz Sandwith
Often, what are the conversations?
00:12:36 Liz Sandwith
And, you know, a bit like I have done over 25 years of reporting to audit committees, sometimes you get the, thank you, Liz, that was most interesting.
00:12:46 Liz Sandwith
And you know, they haven't got a clue what you've just been talking about, but they're ticking a box.
00:12:52 Liz Sandwith
And I was saying to them, and you know, that people have nodded and said, Yep, I absolutely get that.
00:12:58 Liz Sandwith
And I've said, Yep, but that's not enough now.
00:13:00 Liz Sandwith
What we need to see is this two-way street.
00:13:03 Liz Sandwith
What we need to see is the audit committee saying, Well, Liz, why is reputational risk
00:13:11 Liz Sandwith
not on your radar?
00:13:14 Liz Sandwith
Why are you not including customer services in your internal audit plan?
00:13:19 Liz Sandwith
Do you have the capacity and capability, the skills and the resources to deliver this plan?
00:13:27 Liz Sandwith
We need to see those sorts of conversations.
00:13:30 Liz Sandwith
And I was stunned to realise quite recently that a number of CAEs only attend the audit committee for the internal audit
00:13:41 Liz Sandwith
bit.
00:13:42 Liz Sandwith
They don't attend for the full committee.
00:13:44 Liz Sandwith
Well, no, we should be there for the whole of the audit committee meeting.
00:13:49 Liz Sandwith
And they never see the minutes.
00:13:51 Liz Sandwith
Well, no.
00:13:52 Liz Sandwith
Moving forward, if we're going to want to use the minutes to evidence our relationship, then we absolutely need to have sight of those.
00:14:02 Liz Sandwith
So a line in the minutes that says internal audit presented a report, no, that's not evidence of this governing
00:14:10 Liz Sandwith
responsibility, this overarching obligation on the audit committee or your exec board, whoever you report into, the governing body, to show that they are meeting the requirements of domain three.
00:14:25 Liz Sandwith
And my crystal ball, and it's not always right, but my crystal ball is sensing that when we start seeing EQAs happen, maybe mid 25 onwards, I'm
00:14:39 Liz Sandwith
I think domain three will be the one that presents the failure to evidence conformance in the report.
00:14:47 Liz Sandwith
Because I think there is a risk that people will go, Yeah, I know, that's what I do already.
00:14:53 Liz Sandwith
And it's more than, way more than you do already in terms of that relationship.
00:14:59 Liz Sandwith
And don't forget domain three's got the essential conditions in.
00:15:03 Liz Sandwith
So we also need to be able to demonstrate that we've had conversations with senior management as well, and how are we evidencing that?
00:15:14 Liz Sandwith
So I think domain three is going to need a bit of thinking, but again, the IIA have produced a toolkit that helps with this, helps with the conversation.
00:15:27 Liz Sandwith
And the webinar I did today, more than 40%
00:15:33 Liz Sandwith
of the people on the webinar haven't even started the conversations with their exec board or audit committee.
00:15:40 Liz Sandwith
When you only have four meetings a year, what, we've got perhaps one left?
00:15:45 Liz Sandwith
It's really challenging.
00:15:49 Lauressa Nelson
Yeah, it really sounds like those conversations need to come first, you know, even to inform the board of the changes in the standards and what new things the function's going to be doing,
00:16:03 Lauressa Nelson
as well as these essential conditions, what the function needs to have in place to be able to essentially deliver the purpose of internal auditing.
00:16:12 Lauressa Nelson
It seems like that conversation, that foundational conversation that is in the introduction of Domain 3 is so key to everything else really working well.
00:16:22 Liz Sandwith
Yeah, I think that's really right.
00:16:26 Liz Sandwith
I think the other thing, you know, you talked a moment ago about
00:16:32 Liz Sandwith
domain one, the purpose, there's no standards, there's no evidence of conformance.
00:16:37 Liz Sandwith
It's really quite challenging.
00:16:39 Liz Sandwith
But what I have said is one of the things that as internal audit, we talk a lot about is, you know, promoting ourselves across the organization.
00:16:49 Liz Sandwith
And I've said, you know, I've suggested to people, and I know a number have already done this and said, wow, does it work?
00:16:56 Liz Sandwith
Is, you know, amend your e-mail signature on all of
00:17:00 Liz Sandwith
of your emails to include the purpose statement, not the other bits, but the purpose statement.
00:17:07 Liz Sandwith
And then you're constantly reminding yourself, but also you're reminding the recipients of your e-mail just who you are and what you're bringing to the organization.
00:17:18 The IIA
Interested in learning more?
00:17:20 The IIA
Don't miss Liz Sandwitz's article, Write to Conform.
00:17:24 The IIA
You can find it in the October issue of Internal Auditor Magazine.
00:17:28 The IIA
In the article, Liz unpacks the crucial steps for internal audit functions to meet the new standards by January 2025.
00:17:37 The IIA
Packed with practical advice, it's a must-read for every CAE.
00:17:41 The IIA
Check the show notes for the link.
00:17:44 Lauressa Nelson
What other things for the CAE do they really need to be thinking about in domain 4?
00:17:51 Lauressa Nelson
Preparing not just for their relationship with the board or audit committee, but also leading the function.
00:17:59 Liz Sandwith
A really good question.
00:18:00 Liz Sandwith
And I am thrilled to see at standard 9.2 in domain four is the requirement for an internal audit strategy.
00:18:08 Liz Sandwith
There is some confusion.
00:18:10 Liz Sandwith
So I'm hearing people say, well, it asks for a strategy.
00:18:14 Liz Sandwith
It doesn't ask for a strategic plan in the standards.
00:18:17 Liz Sandwith
And I'm saying, well, hang on a minute.
00:18:19 Liz Sandwith
How do you deliver your strategy without a strategic plan?
00:18:23 Liz Sandwith
I think they're one and the same sort of thing.
00:18:26 Liz Sandwith
And then people have gone, oh yeah, get that.
00:18:29 Liz Sandwith
I think the importance of creating a strategy is that it avoids distraction.
00:18:36 Liz Sandwith
So often as an internal audit function, you put together your risk-based plan, you take it to your governing body for approval, your audit committee, everybody goes fine and you start work.
00:18:48 Liz Sandwith
And then
00:18:49 Liz Sandwith
You know, somebody will say, oh, you know, we have a project.
00:18:51 Liz Sandwith
Can you do some assurance work on that?
00:18:53 Liz Sandwith
Or I'm concerned about this.
00:18:55 Liz Sandwith
The CEO might say, will you have a look at that?
00:18:58 Liz Sandwith
And we end up doing lots of bits of advisory work as well.
00:19:02 Liz Sandwith
And, you know, without some strategic plan and strategy that says what it is we do, it's very easily, very easy to get distracted.
00:19:14 Liz Sandwith
So for me,
00:19:15 Liz Sandwith
the strategy and the strategic plan of the anchor in the ground that says, Okay, I know where I am now, I know where I want to be, and I know how I'm going to get there.
00:19:26 Liz Sandwith
Don't distract me.
00:19:28 Liz Sandwith
Let me deliver my plan for this year, my risk-based plan, but let me also build my internal audit team, ensure they're competent, ensure that I'm developing the team,
00:19:42 Liz Sandwith
so that they have the knowledge and the skills needed, be it data analytics, be it artificial intelligence, you know, use of ChatGPT or Microsoft Copilot.
00:19:54 Liz Sandwith
Do they have the skills to be able to use that and use it well to make sure the internal audit function is efficient and effective in terms of what we deliver?
00:20:07 Lauressa Nelson
Sure, so that strategy then,
00:20:11 Lauressa Nelson
Sounds like it needs to tie in with the organization's vision, the, you know, the leadership and the strategy of the organization as well.
00:20:21 Lauressa Nelson
If it's something they're focused on, then the internal audit strategy also needs to align with that.
00:20:27 Liz Sandwith
I think if it doesn't, I think we will end up with, you know, everybody going in different directions and pulling against each other.
00:20:35 Liz Sandwith
So, you know, your starting point has got to be what your organization's
00:20:41 Liz Sandwith
strategic objectives are.
00:20:43 Liz Sandwith
And then how does what we as internal audit do align with those and help ensure, remember we're back to our purpose again, help ensure that, you know, we can contribute to the delivery of your strategic goals and objectives, protecting the business, et cetera.
00:21:01 Liz Sandwith
I also think that, you know, that there was a requirement for an internal audit strategy in the core principles.
00:21:08 Liz Sandwith
in the IPPF 2017, but I don't think the majority of internal audit functions had an internal audit strategy and a strategic plan.
00:21:19 Liz Sandwith
Perhaps very large, more mature ones did.
00:21:22 Liz Sandwith
But again, I noticed today on social media, Anthony Palasi talking about a new document that you've created about building and creating an internal audit strategy.
00:21:35 Liz Sandwith
So again, the IIA is helping us
00:21:38 Liz Sandwith
in terms of delivering what we need to do to make sure that we are conforming with the standards.
00:21:46 Liz Sandwith
The other thing I would say about domain four, being a very simple girl, is for me, it is simply the job description of your chief audit exec.
00:21:58 Liz Sandwith
And you know, what I've been doing is creating an appendix to job descriptions
00:22:07 Liz Sandwith
so that the CAE can evidence what they have done throughout the year to meet the requirements of domain four.
00:22:18 Liz Sandwith
And I think that would then be useful in terms of your performance appraisals with your CEO or your audit committee chair so that you're looking to say, yeah, I did that really well, that wasn't so good, I struggled with that this year.
00:22:36 Liz Sandwith
Perhaps it's around technology.
00:22:38 Liz Sandwith
You know, I haven't really been able to bring the team on to demonstrate that we're using tools like data analytics in every audit.
00:22:46 Liz Sandwith
There's been some challenges with people in that respect.
00:22:50 Liz Sandwith
So no, I haven't quite achieved that, but I have made a start on that.
00:22:55 Liz Sandwith
So it's, for me, it's a supporting document to the job description of the CAE, this appendix.
00:23:03 Liz Sandwith
And you know, it's there to be reviewed by whoever you, you know, the CEO and or the audit committee chair.
00:23:13 Lauressa Nelson
And are there other documentation needed or how are we, are internal auditors thinking about the coordination and reliance standard?
00:23:25 Lauressa Nelson
That's changed a little bit.
00:23:28 Lauressa Nelson
Is that requiring more documentation or a different approach?
00:23:33 Liz Sandwith
I think it's interesting that you use the word documentation.
00:23:36 Liz Sandwith
I have deliberately used the word evidence because I think sometimes when we say documentation, people think that's more bureaucratic.
00:23:47 Liz Sandwith
And I personally don't think the standards are more bureaucratic.
00:23:52 Liz Sandwith
What they are requiring you to do is to be able to evidence what you've done.
00:23:56 Liz Sandwith
We're internal auditors, evidence is the very air we breathe.
00:24:01 Liz Sandwith
And therefore, I think if you think about it in terms of evidence to support, then it's everything we do.
00:24:08 Liz Sandwith
And I think that, you know, 95, the coordination and reliance is absolutely key because more and more I'm hearing
00:24:19 Liz Sandwith
CAEs tell me that it's difficult to recruit, they're carrying vacancies.
00:24:25 Liz Sandwith
So, you know, why don't we think smarter and look at other areas in the business?
00:24:31 Liz Sandwith
Who else is providing assurance?
00:24:33 Liz Sandwith
And what is the level and rigor with which that assurance is being provided?
00:24:39 Liz Sandwith
And second line, if you're doing something around compliance and it links to an audit I'm doing, can we collaborate?
00:24:47 Liz Sandwith
And maybe you can do the heavy lifting and I can do the more high level stuff, the conversations with senior management, et cetera.
00:24:58 Liz Sandwith
Is there opportunities?
00:24:59 Liz Sandwith
And we're calling it combined assurance or integrated assurance.
00:25:04 Lauressa Nelson
And what about the quality assurance and improvement program that also falls into domain four?
00:25:11 Lauressa Nelson
And specifically, there seems to be a new emphasis on performance
00:25:16 Lauressa Nelson
objectives, performance planning.
00:25:18 Lauressa Nelson
How has the QAIP changed and just in general, internal audit functions reporting on itself and it's planning for improvement?
00:25:32 Liz Sandwith
I don't really think the QAIP has changed significantly.
00:25:35 Liz Sandwith
There is still the requirement for supervision, ongoing monitoring, continuous assessment,
00:25:43 Liz Sandwith
What I do think has changed is our outcome indicators.
00:25:48 Liz Sandwith
So, you know, we talk a lot about performance indicators.
00:25:53 Liz Sandwith
Oh, we achieved 85% of our plan.
00:25:56 Liz Sandwith
43% of my internal audit function hold the CIA qualification, which is all great.
00:26:02 Liz Sandwith
And as a CAE, it's really helpful to have that information.
00:26:06 Liz Sandwith
But as a customer of internal audit, be you senior management or board or audit committee,
00:26:13 Liz Sandwith
What you want to know is how effective have we been?
00:26:17 Liz Sandwith
What have our internal audit engagements delivered?
00:26:21 Liz Sandwith
Have they identified inefficiencies?
00:26:24 Liz Sandwith
Have they streamlined processes?
00:26:26 Liz Sandwith
Have we strengthened risk management?
00:26:30 Liz Sandwith
Have we improved governance?
00:26:32 Liz Sandwith
Have we tightened internal control?
00:26:35 Liz Sandwith
Those are the outcome measures that I think
00:26:39 Liz Sandwith
the audit committee, and I am an audit committee chair, and they're certainly the outcome measures I look for from my internal audit function.
00:26:46 Liz Sandwith
They are the ones that tell us whether you're adding value to the organisation or not.
00:26:52 Liz Sandwith
So I think the process, the QAIP concept hasn't changed, but I'm hoping that CAEs will look at both the quantitative and the qualitative measures.
00:27:06 Liz Sandwith
build up the qualitative ones moving forward.
00:27:12 Lauressa Nelson
And in terms of evidence of conformance or showing that we're conforming here, when I look at domain five, I see there's talk about now findings, recommendations,
00:27:26 Lauressa Nelson
agreed upon actions and so forth.
00:27:28 Lauressa Nelson
So what should internal auditors be doing individually to make sure that they're conforming?
00:27:34 Lauressa Nelson
Have a lot of things changed in terms of the way that they do their services and the way that they document them, the way that they communicate about them?
00:27:43 Liz Sandwith
I think that the answer to that is no.
00:27:48 Liz Sandwith
I think that a lot of what is in there is what a
00:27:53 Liz Sandwith
And let me use the word in inverted commas, but what a professional internal audit function would've been doing anyway.
00:28:00 Liz Sandwith
I think what it touches on without really saying it is perhaps adopting a more agile mindset approach to your internal audit engagement.
00:28:12 Liz Sandwith
So don't wait until the closing meeting to start listing all of the things that you've found that, you know, need addressing your findings.
00:28:22 Liz Sandwith
Maybe we can talk daily with the manager, the operational manager in the responsible for the area so that we can take them on the journey with us.
00:28:32 Liz Sandwith
So that there's that sense of internal audit engagement isn't something being done to them, but something they are collaborating with, participating with in terms of the approach.
00:28:46 Liz Sandwith
And it even goes as far as to say your opening meeting
00:28:50 Liz Sandwith
you know, we should be agreeing with the operational manager and the deliverables.
00:28:56 Liz Sandwith
What's going to come out of this audit?
00:28:58 Liz Sandwith
What was the purpose of us doing this audit?
00:29:01 Liz Sandwith
What are we planning on looking at?
00:29:04 Liz Sandwith
Where are we going to test?
00:29:05 Liz Sandwith
What are the areas that we are going to focus on, the risks, the scope, the objectives?
00:29:11 Liz Sandwith
And then what do we anticipate the value is going to be as a result of the engagement?
00:29:17 Liz Sandwith
Now, I think that's
00:29:18 Liz Sandwith
a real positive upfront.
00:29:20 Liz Sandwith
I think it's a great way to start an internal audit engagement, bringing management on with us at the very beginning, rather than perhaps in the past, as we may have said, you know, I'm internal audit, I'm here to do an audit, you know, and get on with it without really sharing.
00:29:38 Liz Sandwith
It's for me, we're almost back to that three lines model where it talks about internal audit, collaborating, coordinating,
00:29:47 Liz Sandwith
aligning and communicating with both first and second line colleagues.
00:29:52 Liz Sandwith
I think that's the exciting bit.
00:29:55 Liz Sandwith
I think the caveat, and I know there are conversations around this on social media at the moment, might be the perception that our independence is being compromised by this.
00:30:07 Liz Sandwith
Now, I personally don't think it is, but I can see there is talk at the moment
00:30:13 Liz Sandwith
around social media about whether internal audit can still be deemed to be independent.
00:30:19 Liz Sandwith
I absolutely think so.
00:30:21 Liz Sandwith
Back to domain three, positioning internal audit independently, standard 7.1, making sure that that's in place.
00:30:30 Liz Sandwith
And I think your independence can be protected.
00:30:34 Lauressa Nelson
Sure, yes.
00:30:35 Lauressa Nelson
I think that standard and that principle are still there and in fact, maybe more appropriately where they should be aligning with governance.
00:30:46 Lauressa Nelson
And so there's an emphasis there.
00:30:49 Lauressa Nelson
What are the roles of the senior management and the board in helping to establish independence and protect it?
00:30:58 Liz Sandwith
I think this is, again, it's a collaborative bit.
00:31:02 Liz Sandwith
I think sometimes, you know, as internal auditors, we've talked about, oh, you know, we are independent and objective, and everyone goes, yeah, we get the objective bit, independent.
00:31:12 Liz Sandwith
You work for the organization, you're paid, you're on the salary, how does that make you independent?
00:31:17 Liz Sandwith
But I think this new role of internal audit and this trio of audit committee or exec board, whoever you, the governing body, and senior management and internal audit,
00:31:31 Liz Sandwith
Working together just strengthens internal audit in the organization.
00:31:38 Liz Sandwith
It strengthens our independence.
00:31:40 Liz Sandwith
It means that management can see where we're coming from, what we're seeking to achieve.
00:31:45 Liz Sandwith
They can engage with that process.
00:31:48 Liz Sandwith
And we can actually go to senior management and say, do you know what?
00:31:52 Liz Sandwith
We've got a real problem in your area.
00:31:54 Liz Sandwith
We have a manager who's being less than cooperative, won't share information with us, and you know
00:32:01 Liz Sandwith
what our role and responsibility is.
00:32:04 Liz Sandwith
Can we have your help?
00:32:05 Liz Sandwith
Now, I think that's a positive way forward.
00:32:09 Lauressa Nelson
Right.
00:32:09 Lauressa Nelson
Yeah, absolutely.
00:32:11 Lauressa Nelson
Are there any other tools that you're recommending or suggestions that you have for people to continue preparing to implement the new standards and be in conformance for January 2025?
00:32:29 Liz Sandwith
I think that
00:32:30 Liz Sandwith
that that's challenging in terms of that the clock is ticking.
00:32:34 Liz Sandwith
I think you need a training plan.
00:32:36 Liz Sandwith
So, you know, if I was the CAA, I'd look at my team, I'd look at the skills they've got.
00:32:42 Liz Sandwith
I'd be applying my foresight, my purpose statement, what's coming down the track, you know, thinking about AI in particular, which everybody is talking about.
00:32:52 Liz Sandwith
and even quantum computing in terms of a tool for internal audit moving forward.
00:32:57 Liz Sandwith
How many of my people have those sorts of skills?
00:33:00 Liz Sandwith
So I think we need a training plan supported by performance appraisals, et cetera.
00:33:07 Lauressa Nelson
Well, thank you so much for your time and wisdom and insight.
00:33:13 Lauressa Nelson
I think we've covered all of the global internal audit standards from front to back, and I hope that everyone is preparing.
00:33:21 Lauressa Nelson
and can use this information to help them.
00:33:24 Lauressa Nelson
And I'll talk to you again in the future.
00:33:27 Liz Sandwith
Thank you very much.
00:33:28 Liz Sandwith
And thank you for allowing me to share some thoughts.
00:33:31 The IIA
If you like this podcast, please subscribe and rate us.
00:33:35 The IIA
You can subscribe wherever you get your podcasts.
00:33:38 The IIA
You can also catch other episodes on YouTube or at the iia.org.
00:33:44 The IIA
That's T-H-E-I-I-A dot O-R-G.
