Domain III: Governing the Internal Audit Function, Evolution from the IPPF 2017

Domain III of the Global Internal Audit Standards defines the necessary attributes to ensure that the chief audit executive, together with the board and senior management, maintains the independence of the internal audit function, ensuring its effectiveness.

In the IPPF 2017, the attribute standards already emphasized the need for a solid relationship between internal audit and the board to ensure independence. The new standards expand and strengthen this concept, consolidating essential principles.

This domain is structured into three principles and nine standards, providing the foundation for meeting normative requirements. Below, we highlight the key advancements compared to the previous model.

1. Formalization of Internal Audit Function Authorization

Principle 6 reinforces the need for the board’s formal authorization of the internal audit function, supported by the following standards:

• Standard 6.1 - Audit Mandate
• Standard 6.2 - Audit Charter
• Standard 6.3 - Board and Senior Management Support

The mandate defines the authority, role, and responsibilities of internal audit, which, through a systematic and disciplined approach, aims to enhance governance, risk management, and internal controls.

The Internal Audit Charter becomes an essential document, formalizing the purpose, scope of activities, organizational positioning, responsibilities, and authority of internal audit.

Senior management and the board play a fundamental role in supporting internal audit by ensuring unrestricted access to data, information, and assets, enabling the effective execution of its work.

2. Strengthening Organizational Independence

Principle 7 addresses the independent positioning of internal audit, supported by two standards:

• Standard 7.1 - Organizational Independence
• Standard 7.2 - Chief Audit Executive Qualifications

Independence is ensured through the direct reporting line of the chief audit executive to the board, without interference from senior management. This communication channel must allow open discussions, including without the presence of management.

A new addition is Standard 7.2, which details the desired competencies for the chief audit executive, previously addressed in a general manner under the ethical principle of competence in the IPPF 2017. Now, five essential competencies are explicitly defined:

• Deep understanding of the Global Internal Audit Standards and best practices;
• Experience in establishing and managing an effective internal audit function;
• Certified Internal Auditor® (CIA) designation or equivalent credentials;
• Leadership experience;
• Industry-specific expertise.

This clearer definition strengthens the relevance of internal audit and its ability to add value to corporate governance.

3. Board Oversight of Internal Audit

Principle 8 establishes the board’s responsibility for overseeing internal audit, ensuring its effectiveness. The related standards are:

• Standard 8.1 - Interaction with the Board
• Standard 8.2 - Resources
• Standard 8.3 - Quality
• Standard 8.4 - External Quality Assessment

The board must ensure that internal audit has adequate resources, enabling it to fulfill its mandate efficiently. The chief audit executive must transparently communicate any resource limitations and their impact on the audit plan’s execution.

Quality management is also reinforced, requiring an internal and external quality assessment program, with periodic review by the board.

4. Challenges for Organizations Without a Formal Governance Structure

In organizations lacking a formal board, the concept of independence may be compromised. The definition of a board, according to the global standards glossary, includes any high-level governing body responsible for oversight, such as audit committees or advisory boards.

To ensure compliance in these cases, a more robust external assessment program with documented evidence is recommended, including:

• Board meeting minutes discussing audit-related topics;
• Approved audit charter;
• Validated audit plan and budget;
• Audit manual;
• Continuing education plan for the chief audit executive;
• Records of participation in professional events.

Conclusion

Domain III of the Global Internal Audit Standards enhances concepts already present in the IPPF 2017, emphasizing internal audit independence, qualifications, and board oversight. The board’s role is strengthened in ensuring resources and quality supervision, guaranteeing that internal audit has a strategic impact within the organization.

My recommendation is to conduct a compliance assessment against the standards in this domain and, for any identified gaps, define the necessary actions to ensure adherence.

Be happy!

Produced with the help of human intelligence

Demystifying the concept of risk-based auditing, back to basics

 

Risk has always been at the core of internal auditing, serving as an essential element for defining priorities, evaluating controls, and identifying opportunities for improvement. Risk-based auditing is not an alternative approach or a passing trend; rather, it is the correct and structured way to conduct audits effectively and in alignment with corporate governance. Below, we explore three fundamental aspects that highlight the importance of risk in auditing.

1. Corporate Risk as a Driver for the Annual Audit Plan

Internal auditing must be aligned with the organization's strategic objectives and corporate risks. The development of the Annual Audit Plan should consider the identified risks and prioritize critical areas that could impact business continuity and success.

The Global Internal Auditing Standards reinforce this approach:

• Standard 9.4, under Principle 9, states that the head of audit must develop an audit plan based on a documented assessment of the organization's strategies, objectives, and risks.
• Standard 9.1 requires the audit manager to understand the organization's governance, risk management, operational, and control processes.

By following this structured approach, the audit function ensures that efforts are focused on evaluating high-risk areas, generating real impact, and contributing to a more efficient and secure management process.

2. Evaluating the Effectiveness of Risk Management

Internal auditing plays a crucial role in assessing the effectiveness of risk management. The primary objective is to verify whether the organization's processes and controls are sufficient to keep risks within acceptable levels. To achieve this, auditors should:

• Assess whether the inherent risks in the audited processes have been correctly identified.
• Examine the management of IT risks, ensuring information security and system resilience.
• Evaluate integrity and legal compliance risks, ensuring that the organization adheres to its ethical values, laws, and applicable regulations.
• Analyze whether the established controls are sufficient and effective in mitigating risk factors and keeping them within acceptable limits.
• Recommend improvements to strengthen risk management and enhance process efficiency.

If auditing identifies gaps in risk management, these represent potential vulnerabilities that may compromise the organization's objectives and should be addressed as soon as possible. The same applies to opportunities for improvement or refinements that can enhance operational efficiency.

3. Considering the Risk of Auditing

Beyond evaluating organizational risks, internal auditing must also consider audit risk, which refers to the possibility that the applied auditing procedures and techniques are insufficient to detect failures, non-compliance, or significant events. This risk can be minimized through:

• Proper selection of tests and sampling methods.
• Application of appropriate techniques for data and evidence analysis.
• Use of analytical tools to identify patterns and anomalies.

Ensuring that auditing is rigorously planned and executed using sound methodologies strengthens its credibility and enhances the reliability of findings and recommendations.

Final Reflections

Risk-based auditing is not an option; it is the correct way to ensure that internal auditing delivers real value to the organization. Risk guides planning, directs the assessment of control effectiveness, and demands that auditors remain aware of the limitations of their own analyses. By following this approach, internal auditing strengthens governance and helps the organization become more resilient, transparent, and prepared for future challenges.

Questions for Reflection:

1. Is your organization’s annual audit plan aligned with key strategic risks?
2. Is internal auditing evaluating whether risk management for the audited entity is effective and sufficient to keep inherent, IT, integrity, and legal compliance risks at acceptable levels?
3. How does your audit team assess and mitigate audit risk to ensure reliable results? Are detection risks being considered in the audit planning process?

Reflect on these points and consider how you can contribute to the evolution of internal auditing, ensuring it adds even more value to the organization!

Be happy!

Governance Without Culture Is Just a Concept; With Culture, It Becomes a Transformative Force!

 

Corporate governance, when reduced to rules and bureaucratic processes, is nothing more than a set of cold, disconnected guidelines. Without culture, the essence of what truly sustains ethics, transparency, and excellence in management is lost. Governance is not about rules, it is about behavior. And what shapes behavior? Culture.

If we want governance to go beyond theory and become a transformative force, we must embed it into the organization’s DNA, ensuring that its principles are naturally incorporated into daily decisions and conduct. Without this cultural foundation, governance remains fragile, superficial, and, in many cases, ineffective.

Governance Without Culture: A Structure Without a Soul

Many companies implement governance policies believing that simply adopting codes of conduct, audits, and controls will be enough to ensure integrity and efficiency. However, without a culture that supports these principles, such initiatives become mere formalities—easily bypassed or neglected when pressures and challenges arise.

Culture is what happens when no one is watching. It determines whether professionals follow the rules because they believe in them or are merely out of obligation. In an organization without a governance culture, processes exist but are not lived; guidelines are written but not respected.

When Culture Strengthens Governance

Governance gains strength when it is supported by a solid organizational culture. And this culture is built through examples, consistency, and genuine commitment from leadership. A company that wants to solidify its governance must ensure that its values are not just communicated but practiced.

Organizations with a strong governance culture have teams that understand that best practices are not burdens but foundations for sustainable growth. When this happens, controls are no longer seen as bureaucracy but as tools for protection and excellence.

From Concept to Real Impact

Organizational culture must be the foundation upon which governance is built. To achieve this, some key pillars are essential:

1. Exemplary Leadership – A flawless code of ethics is meaningless if leadership does not practice it. Governance starts at the top. Leaders must embody the values they preach.
2. Alignment Between Speech and Action – Governance cannot be a set of rules disconnected from the company’s reality. It must be integrated into the organization’s identity and purpose.
3. Engagement at All Levels – Effective governance is not just the responsibility of compliance officers or senior management. Every employee must understand their role in building an ethical and sustainable environment.
4. Continuous Education – Culture is not imposed; it is built. This construction happens through training, dialogue, and experiences that reinforce the importance of governance in daily operations.

When governance is anchored in a strong culture, it becomes a natural part of the company. It does not need to be enforced because it is understood, valued, and lived by everyone. Governance without culture is an empty theory; with culture, it is the driving force that propels organizations toward excellence.

 

Be Happy

Courage: The Foundation of Objectivity in Auditing – Are You Prepared?

 Auditing is an essential pillar of corporate governance, requiring professionals to commit fully to objectivity. Objectivity represents the auditor's independence in expressing their opinion without being influenced by external forces or personal conflicts. However, this objectivity cannot be sustained without a fundamental component: courage. When conducting their work, auditors must be prepared to face challenges, resist external pressures, and communicate their conclusions with unwavering ethics and transparency.

Courage and Independence: Inseparable in Auditing

An auditor’s independence goes beyond rules and regulations. It manifests in a resolute stance against attempts at influence and manipulation. In many instances, auditors encounter conflicting interests that seek to mitigate or even conceal critical information. In this scenario, courage becomes the anchor that ensures a rigorous and impartial assessment, protecting stakeholders and safeguarding the integrity of financial reports.

According to Domain II of the Global Auditing Standards, objectivity and courage are fundamental ethical principles for auditors. This domain establishes that auditors must maintain independent thinking and demonstrate resilience in the face of challenges that could compromise their professional integrity. Thus, courage becomes an essential element in ensuring that professional judgment is exercised freely and impartially.

Facing Pressures and Ethical Dilemmas

Internal and external pressures can arise from various directions, from managers attempting to downplay irregularities to clients seeking to influence opinions. Without the necessary courage to resist these pressures, audit objectivity is undermined. Therefore, auditors must align their ethical stance with emotional resilience, ensuring that their work remains uncompromised by adverse circumstances.

Transparent Communication: A Reflection of Courage

Courage is not limited to resisting pressures; it also manifests in the clarity and firmness with which auditors communicate their findings. Audit reports often contain sensitive information that may be uncomfortable for those involved. However, truth and transparency must always prevail, regardless of potential retaliation or dissatisfaction from the audited parties.

Building a Culture of Courage in Auditing

To strengthen objectivity in auditing, organizations must foster a culture of courage. Continuous training, institutional support, and guidelines that protect auditors from retaliation are fundamental elements of this process. Furthermore, audit leadership must set an example, demonstrating that ethics and truth are non-negotiable values.

Final Reflection

Complete objectivity in auditing can only exist when accompanied by courage. The auditor who stands firm in their ethical and professional principles significantly contributes to the reliability and transparency of governance processes, even if this stance may cost them adversaries or even their job.

Therefore, it is important for you to reflect: How is your objectivity? How do you escalate your findings or opinions? Are you prepared to face the challenges that auditing imposes and maintain your unwavering integrity?

Remember: ethics and truth are non-negotiable values.

Be happy!