Five Things Directors Should Know When Working With the Internal Audit Function

Earlier this year, The Institute of Internal Auditors (IIA) released the 2024 Global Internal Audit Standards^TM, designed to improve internal audit functions across industries by providing a cohesive framework for understanding and executing internal audit principles and requirements. The standards become effective in 2025.

An internal audit function that conforms to standards is crucial for effective corporate governance. Emerging risks are expanding the responsibilities and workloads of boards, especially their audit committees. By enhancing the value of the internal audit function through strong collaboration and frequent communication, organizations can provide greater oversight of potential threats and consistently deliver value to stakeholders.

Below are five things directors should consider when working with their internal audit teams.

1. What the New Standards Mean for Boards

The new standards place a strong emphasis on optimizing the relationship between the board, senior management, and the leader responsible for overseeing the internal audit function, the chief audit executive (CAE). 

In particular, the new standards require the CAE to discuss “essential conditions” to be established by the board and senior management, such as supporting the independent positioning and overseeing the performance of the internal audit function, elements crucial to ensuring the function’s effectiveness. As such, boards and their audit committees should work closely with their CAEs to ensure a strong understanding of the essential conditions as well as the requirements that the CAE is expected to follow to conform with the standards. 

By clarifying essential conditions for internal audit effectiveness, the new standards encourage a successful working relationship between management, boards, and the internal audit function. 

2. Internal Auditors Are the Organization’s “Eyes and Ears”

The relationship between boards and the internal audit function can take many forms depending on the organization, industry, and risk landscape. First and foremost, audit committees should view the internal audit function as their eyes and ears for assessing the evolving risk environment. This includes leveraging the internal audit function to understand the following: 

• emerging risks and how they might impact the organization,
• steps management is taking to manage those risks appropriately, and
• the effectiveness of current risk management processes, both in design and operation.

It is important for the board to ensure that the internal audit function operates independently from management with a responsibility and accountability to the board, typically through the audit committee. This critical distinction is designed to maintain the objectivity and integrity of internal audit functions. 

3. How to Keep Pace With Emerging Risks

The current risk environment is evolving rapidly with new threats arising daily across cybersecurity, data privacy, and artificial intelligence, among other areas.

When it comes to navigating emerging risks, audit committees have a responsibility to provide direct oversight to ensure that the internal audit function stays on task with its responsibilities. These responsibilities include but are not limited to developing a process to identify and assess emerging risks for inclusion in the audit plan and staying current with new trends and technologies that may impact the organization and the way that the internal audit function operates.

The board and management should regularly discuss trends and potential emerging risks with the CAE and the internal audit function directly. Additionally, boards may consider conducting surveys, interviews, or group workshops to ensure that they have a full understanding of internal audit results. 

If emerging risks have the potential to impact the quality of financial statements in particular, audit committees should work with the internal audit function to evaluate the adequacy of procedures performed by an external auditor. 

4. The Board’s Role in Audit Plan Development

The process to develop the internal audit plan is fundamental to ensuring that the internal audit function is focused on the right risks. Audit committees should look critically at internal audit plans to ensure that the most crucial risks are being addressed. This includes reviewing and approving the internal audit plan and budget on an annual basis at minimum. The purpose of this exercise is to ensure that the internal audit function is focused on the most pressing risk areas and has the resources it needs to execute on its responsibilities. 

5. How to Work Effectively With CAEs

It is the board’s responsibility to work closely with the CAE to ensure that the internal audit function has the resources needed to properly evaluate new and emerging risks. If this is not the case, boards must ensure that the CAE has the budget available to utilize outside resources, including specialized skill-sets and technology, to meet the expectations set by the audit committee. 

Audit committee meetings should incorporate executive sessions with the CAE to ensure uninhibited communication. These meetings may include a discussion of the completeness, accuracy, and timeliness of representations made by management and the next steps for follow-up items resulting from the discussions. An effective working relationship requires an open line of communication between the chair of the audit committee and the CAE between meetings as well.

Organizations today operate in an increasingly complex and intricate risk landscape which places additional pressure on boards. The new standards provide a timely opportunity to deepen the relationship between boards, senior management, and their internal audit function to better understand and manage emerging risks.

Anthony J. Pugliese is president and CEO of The Institute of Internal Auditors, the internal audit profession's leader in standards, certifications, education, research, and technical guidance worldwide.