Last month, The IIA’s new Global Internal Audit Standards went into effect, ushering in a new era in modern internal auditing. Much has been written and debated about the new Standards. Indeed, the changes in the profession’s guiding document are substantive in terms of its organization and clarity, as well as its articulation of internal audit’s value to an organization. Overall, I believe they provide a stronger vision for how internal audit functions should operate in the 21^st century.

However, as I noted in AuditBoard’s 2025 Focus on the Future report published last year, more than a third of internal audit functions (35%) did not expect to meet the Jan. 9 conformance deadline for the new Standards. At least for some, that would mean failing to conform to Standard 6.2 Internal Audit Charter.

IIA Standards have always required an internal audit charter, which is intended to provide written guidance and clarity on how the internal audit function operates within an organization. The new Standard 6.2 adds new – and potentially tricky – requirements that could create friction with executive management and confusion with audit committees and boards if not handled discreetly. This raises the questions posed in the title of this post, “What is in your audit charter?” and, more significantly, “Does the Audit Committee Even Care?”

I have long believed that many audit committees are unaware or indifferent to a requirement that internal operate under a charter that members approve and periodically review with the CAE. In preparing to write this post, I wanted to affirm my suspicions by launching a LinkedIn poll. Unfortunately, the survey results strongly affirmed my fears. The survey question and results were as follows:

“Which of the following best describes how your audit committee members engage on or feel about your internal audit charter?”

• Knowledgeable – review annually – 51%
• Aware – but no annual review – 24%
• Indifferent – not a priority – 18%
• Unaware of its existence – 7%

If these survey results are indicative of the broader population of audit committees (which I fear they are), it is a sad commentary on their engagement with internal audit. A quarter of the audit committees are indifferent or unaware of the contents or existence of the charter. Another quarter are aware of the charter but are not ensuring it is current. That leaves only about half of the audit committees out there who demonstrate ongoing interest in internal audit’s charter.

Before continuing, I should make one thing clear. The audit committee not only should care about what is in the internal audit charter, it also should play a leading role in drafting the charter and ensure it remains up to date. One of the features of the new IIA Standards is emphasizing the roles and responsibilities of the board/audit committee and executive management. The “Essential Conditions” identified for each of the Standards provides clear direction on where each should be.

When it comes to the internal audit charter the essential conditions for the board include:

• Discussing with the chief audit executive (CAE) and senior management what should be included in the charter to enable an effective internal audit function.
• Approving the internal audit charter.
• Reviewing the charter with the CAE to consider changes affecting the organization.

The new Standards require the CAE to develop and maintain a charter that at minimum includes the new Purpose of Internal Auditing, a commitment to adhering to the Standards, and a “mandate” that articulates the scope and types of services the internal audit function will provide. The charter also must clarify internal audit’s reporting relationship.

Most, if not all, existing internal audit charters should by now have been updated to reflect the new Purpose of Internal Auditing language and the internal audit mandate. And this is where things could get touchy, and here’s why. I believe most organizations with established internal audit functions have not comprehensively examined internal audit’s role. More often than not, the bottom line in the relationship between internal audit and its stakeholders can be summed up in one phrase – “Keep us out of trouble.”

Internal audit’s stakeholders have lots on their respective plates. Frankly, delving into where and how internal audit ideally should fit in doesn’t typically rise to the top of their list of duties. However, it shouldn’t be hard to make the case that they should care. The challenge for CAEs is to help them understand and embrace the value of independent assurance.

I recently hosted an AuditBoard webinar looking ahead to 2025 titled, “5 New Year’s Resolutions for the Year Ahead.” Three of the five resolutions apply here.

• Finalize and Ensure Ongoing IIA Standards Conformance
• Amplify Audit Committee Communications to Ensure Transparency
• Articulate Internal Audit’s Value in the Face of a Changing Compliance Landscape

First, let’s look at why conformance to the Standards is critical for any internal audit function and why failing to conform has long-term consequences for the profession.

1. Diminished audit quality and effectiveness. Thanks to the professional and volunteer leadership of hundreds – if not thousands – of practitioners, the Standards have been the only globally accepted guidance for internal auditors since 1978. The IIA has maintained and updated the Standards to keep pace with an ever-changing risk landscape. Deviating from the Standards in any substantive way threatens the quality and effectiveness of our work product.
2. Reputational risks. Because of its consistent performance and global acceptance, the Standards have become synonymous with high-quality internal auditing. Failing to conform with the Standards creates doubt in the quality and value of an internal audit function.
3. Increased regulatory and compliance risks. A dynamic and evolving risk landscape invariably generates new rules and regulations and related compliance risks. Without a systematic and disciplined approach to risk management assurance provided by the Standards, those risks multiply.
4. Erosion of stakeholder trust. Internal audit stakeholders need a level of assurance about the quality and value of internal auditing, and conforming to the Standards provides it. Granted, it may seem contradictory to claim stakeholder trust can be eroded if we don’t conform to Standards while also questioning if they are even aware of their existence. But here’s the rub: One of the key features in the updated Standards is the requirement for CAEs to pursue a dialogue with the board and senior management that ensures that awareness.
5. Missed opportunities for improvement. This is one of the more subtle yet critical aspects of Standards conformance. Consider the following:
6. An internal audit function that fully conforms to IIA Standards is positioned to succeed. It is sufficiently resourced; has direct access to the board; and the CAE understands and supports the organization’s goals and strategies.
7. The new Standards’ Purpose Statement clearly articulates how internal auditing adds value to the organization: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”
8. The Standards continue to require CAEs to develop, implement, and maintain a quality assurance and improvement program (Standard 8.3 Quality), and they require periodic external quality assessments (Standard 8.4 External Quality Assessment).

Simply put, we miss the opportunities to improve internal audit services when we fail to strive for conformance.

The two remaining 2025 resolutions are inextricably tied to Standards conformance:

Amplify Audit Committee Communications to Ensure Transparency. A CAE who crafts an effective dialogue with the audit committee as required by the Standards will invariably enjoy greater transparency.

Articulate Internal Audit’s Value in the Face of a Changing Compliance Landscape. Similarly, conformance to Standards ensures stakeholder understanding of internal audit’s value, particularly internal audit’s foresight when it comes to anticipating and preparing for new regulations and assuring compliance when those rules are in place.

I cannot conclude a discussion on this topic without noting that the survey results above are also an indictment of many chief audit executives. If the audit committee is unaware of internal audit’s charter, whose fault is that? Internal auditors often lament that their audit committees don’t have their back when push comes to shove. If we expect someone to have our back, we better make sure they fully understand who we are and what we do.