The Global Internal Audit (GIA) Standards released in January 2024 (mandatory adoption by January 2025) push for an innovative approach to risk management. Internal audit teams should be prepared to implement strategies, frameworks, and responsibilities that may be incremental evolutions for leading organizations but larger transformations for others.
The forward-thinking, holistic internal audit framework detailed in the standards aims to confirm and elevate the effectiveness and efficiency of internal controls, risk management, and governance processes. This is carried out in a variety of ways, but primarily through a risk-based use of technology and the alignment of key stakeholders in support of a more resilient internal audit function.
Below are three critical components emphasized within the GIA Standards, all of which must inform the practices of internal auditors moving forward:
Standard 8.2 Resources
“The chief audit executive must evaluate whether internal audit resources are sufficient to fulfill the internal audit mandate and achieve the internal audit plan. If not, the chief audit executive must develop a strategy to obtain sufficient resources and inform the board about the impact of insufficient resources and how any resource shortfalls will be addressed.”
Obtaining the resources necessary to properly run the internal audit function during economic uncertainty and persistent technology disruption can be a challenge. However, there are several ways leaders can find and strategically source key resources, including:
- Conducting a skills assessment to evaluate the internal audit team’s skillsets, competencies with existing technologies, communication preferences, and management frameworks. With this baseline information, it becomes clearer where there are skills gaps and inefficiencies.
- Working with HR and other department heads to ensure appropriate staffing levels of the core internal audit team while also discussing the possibility of leveraging resources from other teams with specific skill sets (e.g., a data analyst or information security specialist).
- Adding a co-sourced subject matter expert to lead or enable a plan for embedding technology that removes inefficiencies and saves on labor hours. This partner can also collaborate on a plan to cross-train employees in multiple areas of the business beyond internal audit, such as cybersecurity, IT transformation, or data engineering.
- Optimizing information and infrastructure levels to ensure internal auditors have not just the talent and numbers but also the access to records, physical/virtual space, software, and data permissions they need to work efficiently.
Standard 10.3 Technological Resources
“The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process. The chief audit executive must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency.”
Compliance with this standard can take many forms, including:
- Selecting the right governance, risk, and compliance (GRC) tool for internal audit to gain visibility into the organization’s broader risk landscape. A GRC tool can also enhance communications by providing a common platform to manage risks and compliance and identify themes and emerging risks across the organization.
- Educating the internal audit department on the advantages of automation and data analytics from GRC tools, cloud-based platforms, and other modern data systems that leverage machine learning (ML) and artificial intelligence (AI).
- Building integrated teams that can work cross-functionally on diverse projects, which organically creates functional and technological synergies. As more employees from more departments fully leverage shared platforms, it becomes easier to identify and streamline recurring tasks, standardize templates, celebrate wins, and share lessons learned. Technology is often the connective tissue that enables integration of teams.
Standard 11.1 Building Relationships and Communicating With Stakeholders
“The chief audit executive must develop an approach for the internal audit function to build relationships and trust with key stakeholders, including the board, senior management, operational management, regulators, and internal and external assurance providers and other consultants.”
Here’s what that might look like in practice:
- Establishing clear communication channels and protocols for collaboration with external auditors and other assurance providers. This can involve joint planning meetings, information-sharing procedures, and conflict-resolution mechanisms. In some situations, the external provider might take the lead on coordinating with stakeholders, especially when their role supersedes the internal audit function (e.g., during a major investigation).
- Being intentional with board member and audit committee relationships. Scheduling recurring time to gain the perspectives of the board and the audit committee will shed light on their specific needs and how/when they prefer to receive information.
- Using collaborative tools and flexible project management practices to build positive working relationships with executives and key stakeholders. Whether it’s a GRC tool or relationship management system, the goal is to maximize time spent with these stakeholders, specifically with visual aids, concise reporting, and seamless distribution of content.
For internal audit teams wanting to better understand and implement the new GIA standards, it’s important to note that mere compliance is just the start. Anticipating and adapting to emerging risks, and aligning the internal audit function to the larger corporate strategy, takes comprehensive risk transformation.
To integrate pragmatic, purpose-built strategies for maximum risk management and value creation, contact CrossCountry Consulting.