Article
Domains I and II: Diving deep on the IIA Standards
On Jan. 9, 2024, the Institute of Internal Auditors (IIA) released updated Global Internal Audit Standards (the Standards) which will meaningfully impact the internal audit profession through the coming years. From increased focus on how internal audit serves the public interest, to clarifications on the role of the board in governing internal audit and new requirements for quality assurance and improvement programs, significant changes abound in the recently released Standards.
It’s not a matter of if these changes will impact your organization—but rather how and when. To that end, Baker Tilly internal audit specialists dove deep into Domains I and II to highlight the main points of emphasis and most noteworthy impacts facing your organization. In the coming weeks, we will continue to explore Domains III, IV and V.
Domain I: Competency, independence and objectivity
The Standards have been designed to guide the professional practice of internal auditing and elevate the role, value and mandate of the internal audit (IA) function. Within this framework, Domain I highlights the fundamental purpose of internal auditing, emphasizing its role to strengthen the organization’s ability to create, protect and sustain value. This is accomplished by delivering independent risk-based and objective assurance, advice, insight and foresight to the board and management.
An effective IA function can enhance an organization's:
- Successful achievement of its objectives
- Governance, risk management and control processes
- Decision-making and oversight
- Reputation and credibility with its stakeholders
- Ability to serve the public interest
Domain I of the Standards introduces some key concepts as to the effectiveness of internal audit competency, independence and objectivity.
Internal auditing is most effective when:
- It is performed by competent professionals in conformance with the Standards
- The IA function is independently positioned with direct accountability to the board
- Internal auditors are free from undue influence and committed to making objective assessments
Details on the competencies an auditor needs to fulfill their responsibilities effectively and successfully can be found in Domain II. A broad range of skills—including technical knowledge of organizational risk areas, analytical skills and interpersonal skills for communicating and collaborating—are necessary for a successful internal audit function. While not every internal auditor needs to possess or develop each competency described in the Standards, having a well-rounded internal audit function that collectively possesses the various internal audit competencies will lead to a successful function.
The independence of internal audit is at the core of how an audit function effectively executes its responsibilities. As described in detail in Domain III, the chief audit executive (CAE) must communicate to the board the independence of the internal audit function at least annually, as well as document independence in the internal audit charter. For organizations where the CAE does not report administratively and directly to the chief executive officer (CEO) or president, IA should consider documenting in its charter key safeguards to independence, such as functional reporting to the audit committee and open communication channels to the CEO.
Finally, each internal auditor within the function must be objective when making conclusions or judgments. Identifying and managing potential biases or impairments to objectivity is critical in the development of a successful internal auditor.
The ability to demonstrate competency, independence, and objectivity can help display to the board and management the purpose and value of internal auditing, and how it can support the achievement of organizational goals and success.
Domain II: Ethics and professionalism
Domain II of the Standards focuses on ethics and professionalism, specifically behavioral expectations for internal auditors. This domain comprises five principles and thirteen standards, replacing the former IIA Code of Ethics. It aims to “instill trust in the profession of internal auditing, create an ethical culture within the internal audit function and provide the basis for reliance on internal auditor’s work and judgment.”
Each principle within Domain II acts as a foundational pillar that upholds and strengthens the integrity, effectiveness and credibility of internal audit practices. These principles not only guide the profession but also shape the ethical culture and professional conduct within the internal audit function, promoting trust and reliability.
Internal auditors are expected to demonstrate integrity in their professional conduct, which involves acting with honesty, displaying professional courage and adhering to ethical principles by telling the truth and doing the right thing, even in challenging situations. To foster an ethical culture, the CAE must, “maintain a work environment where internal auditors feel supported when expressing legitimate, evidence-based engagement results,” regardless of their nature. As integrity helps establish trust and earn respect, this principle serves as the foundation for the remaining principles and standards within this domain.
Objectivity is the impartial mindset that internal auditors must maintain while exercising professional judgment and conducting internal audit services, thus enabling the achievement of the “Purpose of Internal Auditing (Domain I).” To maintain objectivity, an internal auditor must, “recognize, avoid and mitigate actual, potential and perceived impairments to objectivity.” This could look like an auditor avoiding a certain function or area in which they have recently worked or performed advisory services, as well as disclosing any actual or potential impediments to objectivity.
By leveraging the knowledge, skills and abilities essential for fulfilling the responsibilities of an internal auditor, individuals demonstrate competency in their role. As emphasized in Domain I, the internal audit function is most effective when the function employs competent professionals who adhere to the Standards. When developing the strategic plan for internal audit, as described in Domain IV, the CAE should assess the competencies within the team and determine whether additional capabilities are necessary, whether through external recruitment, co-sourcing or internal development, to meet the plan’s objective and fulfill its mandate. A properly resourced and strategically positioned internal audit function is imperative to support an organization’s success.
Internal auditors must exercise due professional care when conducting internal audit activities, utilizing sound judgment and adhering to the standards. The CAE, in coordination with the board and senior management, is responsible for reviewing and updating the internal audit function's existing practices and methodologies to ensure compliance with the Standards. This encompasses the methodologies employed when exercising due professional care and applying professional skepticism.
Given the sensitive nature of the information often involved during internal audit services, internal auditors are obligated to use confidential and/or sensitive information appropriately. This entails using the information solely for professional purposes and safeguarding it against unauthorized access or disclosure. Internal auditors must adhere to relevant policies and procedures set forth by the organization, as well as any applicable regulations governing the access of third-party information.
Explore more details on these regulations from The Institute of Internal Auditors.
Domain III: Greater expectations on board governance
In our deep (yet brief) dives above, we examined the more pertinent and profound changes to Domains I and II of the new IIA standards. As you know, however, there are five domains, 15 principles and 52 standards in total to explore. In a recently published article for Agenda, Baker Tilly’s own Anthony Casey unpacks the focus of Domain III: board governance.
