GIAS: Governing the Internal Audit Function
In our previous article, “What is GIAS?,” we outlined the new Domain structure for the IIA’s Global Internal Audit Standards (GIAS) and delved into the basics of the Purpose of Internal Auditing (Domain I), and Ethics and Professionalism (Domain II). In this article we will focus on Domain III: Governing the Internal Audit Function, changing gears from the perspective of the internal auditor to an organization’s senior leadership. We will explore the three principles in this Domain: The Internal Audit Mandate, Audit Function Independence, and Board Oversight to show how there is an interdependence to these principles which makes each one vital to an effective internal audit (IA) function.
Principle 6: Authorized by the Board
(Associated Standards: 6.1 & 6.2)
In Principle 6, we are introduced to the IA Mandate (Mandate), which is the document that you can think of as a constitution and bill of rights for the IA function. The Mandate identifies roles and responsibilities, specifies the scope and type of the IA function, and contains a high-level summary of related organizational policies. In the current Standards, this is referred to as the IA Charter. The GIAS takes many bullet points and implied directives about the Charter from the current Standards and coordinates them into a cohesive and direct call to action.
The Mandate is a product of cooperation between the organization’s Chief Audit Executive (CAE) or the organization’s senior audit manager, and the Board or the organization’s equivalent leadership. The Board and the CAE must discuss and agree upon the IA function’s mandate and should meet at least annually to discuss any necessary changes to the Mandate’s, scope, role, and objectives.
Principle 7: Positioned Independently
(Associated Standards: 7.1, 7.2, 7.3)
Principle 7 discusses organizational independence of the IA function, the recommended qualifications of the CAE, and safeguards for the independence of the IA function. The draft defines independence as, “the freedom from conditions that impair the ability of the IA function to carry out IA responsibilities in an unbiased manner.” This again requires two-way communication between the board and the CAE to accomplish. The board must position the CAE in a way that frees them from potential interference from company management, have an open communication channel, and allow the CAE to bring sensitive issues to senior management and above. In return, the CAE should provide the board with information about incidents, policy changes, etc., where independence may be threatened.
Principle 7 gathers five of the current Standards (1100, 1110, 1112, 1113, and 2060) which cover independence into one place and emphasizes the role of the CAE as central to the IA function, while expanding the qualifications and skills recommended for the CAE.
Principle 8: Overseen by the Board
(Associated Standards: 8.1, 8.2, 8.3, 8.4)
Principle 8 puts an emphasis on the need for the board to have a meaningful understanding of the IA function while setting an expectation for the frequency of interactions with the CAE, and defining what the CAE should escalate to the board. For every expectation placed on the IA function and the CAE, the board should ensure that adequate resources are made available to accomplish their mission. Principle 8 has two standards which address quality, one of which outlines a quality assurance and improvement program, and the other requires an external quality assessment. This internal and external approach to quality assurance borrows elements from five of the current Standards (1300, 1310, 1311, 1312, 1320), and expands upon the requirements of the external quality assessment by an independent assessor. The draft defines the elements that are to be reviewed by the assessor – the results of which should give the board a better understanding of IA performance, roadblocks, and strengths.
For more information regarding our internal audit experience, be sure to visit our Internal Audit Services page and don’t hesitate to reach out to a member of our internal audit team, such as Elaine Nissley.