AUTHOR: JULIE BAKER

With over 15 years of experience in internal audit I have gained firsthand insight into the transformative role of internal audit. My current role is at Sententia Consulting in the internal audit service line and previously I held a Chief Audit Executive (CAE) equivalent role in the ACT Government. My passion for the profession stems from the powerful impact we have in enhancing organisational processes and offering invaluable insights into the health of an organisation.

The introduction of the new Global Internal Audit Standards (the Standards), effective January 9, 2025, marks a significant milestone for the internal audit profession. These Standards add a new layer of rigor to our profession and underscore the importance of maintaining the highest standards of professionalism in our work. As internal auditors, it is crucial that we not only understand these changes but actively embrace them to fulfill our obligations.

In this article I explore two key components that not only highlight important changes but also reflect the evolving demands placed on CAE’s to shape the future of the internal audit function

CAE Reporting to the Board and Senior Executive

One of the most prominent changes introduced by the Standards is the expanded scope of CAE reporting to the Board and Senior Executive. Historically, CAEs have reported critical aspects of the internal audit function, including:

• The Internal Audit Work Program (IAWP)
• Budget management
• Audit Charter
• Any disagreements between the CAE senior management on scope, findings or other aspects of the engagement, among other things.

However, the new Standards require CAEs to include additional elements, such as:

• The IAWP discussions with the Senior Executive
• Evaluating the adequacy of resources, including technological resources, and strategies to address shortfalls
• CAE qualifications and competencies
• Developing an Internal Audit Strategy that outlines future direction.

These new requirements provide an opportunity to further elevate the professionalism and transparency of the internal audit function. However, they also introduce new challenges – particularly in how we engage with the Senior Executive. Below is my take on these requirements from the perspective of a CAE.

Discussing the IAWP with the Senior Executive

As a CAE, I have witnessed firsthand the impact that discussions with Senior Executives can have on the independence of the IAWP. I have found that Senior Executives and Branch Heads often provide a mix of valuable insights into topics, but they may also suggest their own area not be audited or provide reasons for delays. More importantly if Senior Executives expect they can shape the IAWP, it can jeopardise its independence. To maintain independence, I recommend an IAWP process that includes:

• Interviewing Senior Executives (including branch heads) to gather potential IAWP topics.
• Compiling and ranking the suggested topics with the input of external Audit and Risk Committee (ARC) members.
• Submitting the draft IAWP, based on ARC members rankings for discussion at the ARC.
• Finalising the IAWP based on the ARC’s feedback.

By clearly defining the role of the Senior Executive in IAWP discussions it is possible to gain valuable insights into specific topics across the organisation, while safeguarding the independence of the IAWP.

Evaluation of resources and addressing shortfalls

The Standards include a requirement for CAEs to carry out an evaluation on resources with a strategy including how to address shortfalls. A common tension for CAEs is managing limited resources while delivering the IAWP. Whether it is technological tools or personnel, this balance can be challenging. In my experience, resource shortfalls were better addressed through managing expectations rather than seeking additional funding.

I focused on optimising existing resources, managing what I had and taking a proactive approach to avoid shortfalls in audit delivery. Resource allocation began with the number of audits in the IAWP and budgeted days. Some audits were high level and others deep dives. My scopes were broad, budgets modest, the topics complex and the time to carry out the work was limited. I had a
government panel of providers that expanded from 7 to 12 service providers.

Methods I used to optimise audit outcomes within existing resource levels included:

• Sending requests for services (RFS) to a group of providers with prior knowledge of the organisation as this knowledge is beneficial.
• Carefully evaluating submissions to ensure the offer clearly aligned with my needs and proposed staff were appropriately experienced.
• Attending entry and exit meetings and always listening to all contributions with a lens of improving practices across the organisation.
• Holding a preliminary meeting with the assigned service providers prior to exit meetings with business areas to understand progress and findings and ensure the scope had been fully addressed.
• Reviewing the draft report before it was distributed more broadly, ensuring it could be understood by readers unfamiliar with the content and that recommendations were beneficial and allocated to the right section to support a smoother review process with business areas.

For me, these practices were requirements for all internal audit reports, regardless of the budget, to support clear oversight and enable the management of expectations to get quality outcomes with limited resources.

From a broader perspective, addressing technological resource gaps does not necessarily mean acquiring bespoke internal audit tools. When relying on outsourcing internal audits to service providers, the service providers use the internal audit tools available to them. When performing in-house internal audits, the tools available within the Microsoft Office suite are usually sufficient to manage the process when used effectively, demonstrating that technological resources do not have to be elaborate. Regardless of the resources available, the key to overcoming technological
resource challenges is utilising what is available and communicating with senior leadership regarding what is realistically possible.

CAE qualifications and competencies

Another significant change is the reporting of CAE qualifications and competencies to the Board and Senior Executive. While qualifications and competencies were always an expected part of the CAE role, they were not typically reported to the Board. The new Standards suggest the Board approve the CAE’s job description and encourage pursuit of opportunities for continuing professional education,
membership in professional associations and opportunities for professional development.

This shift raises important questions about the role of professional development and the value of qualifications versus on-the-job competencies. It seems to me that these suggestions imply that if competencies were the reason for the CAE appointment, then there is an expectation qualifications would follow. From my experience, CAE qualifications are an important factor in establishing credibility, but the ongoing development of competencies is equally critical. The Standards suggest that Boards encourage continuous professional development, which is a positive step toward fostering a culture of learning and growth within the internal audit function.

The requirement to report CAE qualifications and competencies to the Board leaves me wondering what form this could take. I see delivery of the IAWP, including the quality of the internal audit reports and secretariat function as practical measures of the competencies.

Would the reports include:

• A CV listing CAE qualifications and work experience.
• The CAE’s ability to resolve action items from ARC meetings
• On the job training provided to the team
• A combination of all these factors?

Would it be self-reporting? Or would it be a survey of key stakeholders like the Board Chair, Senior Executives, selected service providers and the internal audit team? Consider the scenario, given the bias often held against internal audit – How would recommendations that improve practices across the organisation, but increase the workload for a Senior Executive be reflected in a CAE competency review?

It is my view that all these considerations would need to be factored in to make reporting CAE qualification and competencies have real value.

Developing an Internal Audit Strategy to deliver the Internal Audit Work Plan

One of the new requirements in the Standards is the formal expectation for CAEs to develop an Internal Audit Strategy that aligns with the organisation’s strategic objectives. This strategy should detail how the IAWP will be delivered and ensure that the internal audit function supports broader organisational goals.

When I was first tasked with developing an internal audit strategy, it was at the
request of a five-year external assessment of my internal audit function. Once I created the strategy, it became an invaluable tool for guiding the internal audit function and ensuring that the team was aligned with both internal and external expectations.

My strategy included elements such as:

• Vision and mission for the internal audit function
• Delivery methods (including the management of external service
  providers).
• Timelines for IAWP, Charter review and approvals and financial
  statement reviews
• Budget management processes and tracking
• Recommendation implementation tracking and reporting
• The Board Secretariat.

While my internal audit team was relatively small, creating a strategy helped ensure that team members understood their roles and expectations. It also made it easier to communicate with senior management and the Board, fostering a more transparent and collaborative relationship. Now, with the new Standards, this strategic approach is a requirement for all CAEs, regardless of the size of the
internal audit function. Embrace the strategy as a beneficial, centralised document containing the internal audit function deliverables.

Act Now

The new Standards present both opportunities and challenges for CAEs. The expanded reporting requirements and the development of an Internal Audit Strategy are essential for ensuring that internal audit functions are aligned with organisational goals and are delivering value. However, these changes also require careful thought, especially regarding the independence of the IAWP, resource
management, and the reporting of qualifications and competencies.

As CAEs, we must be proactive in understanding and implementing these new requirements. The Standards provide an opportunity to further elevate the internal audit profession and demonstrate the value we bring to organisations. By embracing these changes and leading the internal audit function with transparency, professionalism, and foresight, we can build stronger relationships with governance bodies and enhance our ability to add value to our organisations.

It’s time to act now—to align ourselves with the new Standards and ensure our internal audit functions are equipped for success. Let’s take this opportunity to advance our profession and continue to drive meaningful impact in the organisations we serve.

If you would like any additional information contact Sententia Consulting on Sententia@sentcon.com.au.