Agefi Luxembourg - December 2025

Consulting

By Tanja HERING, Director, CIA, Jasmin WEINGARTEN, Senior, CIA & Jérôme SOSNOWSKI, Partner, Internal Audit leader, Deloitte Luxembourg

On 9 January 2024, the Institute of Internal Auditors (IIA) issued the Global Internal Audit Standards (Global Standards), effectively overhauling and rewriting the existing framework in place to this date. The new framework replaces the 2017 International Professional Practices Framework (IPPF), initiating the first step for transforming Internal Audit Functions (IAF) worldwide.

Granting a one-year transition period, the IIA set out to improve the quality of internal audits performed, clarify and intensify requirements and guidelines, and focus on areas that have become more prevalent in recent years. For organisations and IAFs, understanding the scope, impact, and intent of the changes is not only necessary to comply with the Global Standards, but also an opportunity to learn, improve, and evolve.

The following aims to examine the structure and trace the differences between the 2024 Global Standards and 2017 IPPF by identifying gaps, assessing impacts, and outlining adjustments. It also dives into the key focus areas, explores challenges of implementation, and outlines possible implications to uncover the main points arising from the transformative shift that shapes the future of IAFs.

A fresh structure

An effectively employed IAF is the cornerstone in supporting effective governance, risk management, and control processes (GRC) within organisations. By helping maintain compliance with regulations and internal policies, IAFs are a critical defence line against operational, financial, and strategic risks. And as organisations evolve and adapt to customer demands, the external environment, new regulations, or technological developments, IAFs need to adapt alongside them.

The 2024 IPPF recognises that IAFs remain a relevant and effective internal control function, and introduces a new structure to improve quality and address globally emerging risks, covering three areas: Global Standards, Global Guidance, and Topical Requirements.

The Global Standards is the main pillar, and consists of five domains, split into 15 principles covering 52 standards, creating an integrated and easily understandable model. Those standards are structured to include clearly defined requirements, considerations for implementation, and examples of evidence of conformance. (see chart above)

Besides the Global Internal Audit Standards, the IIA introduced Topical Requirements, which are still being developed. The IIA’s Topical Requirements will centre on global risks. Right now, only two are final and published: Cybersecurity and Third-Party. Two others—Organisational Behaviour and Organisational Resilience—are out for review or consultation. The IIA has also listed other topics under consideration:

- Sustainability: Environmental, Social & Governance
- Information Technology Governance
- Assessing Organisational Governance
- Fraud Risk Management
- Privacy Risk Management
- Public Sector: Performance Audits

Topical Requirements are mandatory, aiming to improve audit quality for GRC aspects of the topics addressed. However, the IIA stresses that IAFs should still exercise professional judgment and adopt a risk-based approach to determine whether the Topical Requirements are applicable for their audits.

Lastly, Global Guidance is the recommended element of the 2024 IPPF, designed to enhance the adaptability and practicality of the framework.

2024 versus 2017: What are the differences?

At first glance, the 2024 and 2017 Standards may seem very different.
Looking closer, the core essence of internal auditing is unchanged: it remains an internal control function that provides independent, risk-based, and objective assurance, advice, insight, and foresight, to support ongoing operational improvement. Many processes also remain the same and IAFs all around the world keep working behind the scenes to strengthen control mechanisms, maintain compliance with regulations and internal policies, and boost operational efficiency.

The biggest difference is how the Standards are organised. The 2017 version used Attribute and Performance Standards tied to framework elements (like purpose and mission, authority, responsibility, independence and objectivity, and quality assurance and improvement programme). The 2024 version aligns with the logical internal audit process. It also includes the Code of Ethics and previously mandatory and recommended guidance, which makes requirements much easier to follow.

While it seems mainly structural, the overhaul also brings key changes in the internal audit guidance and practices. The core content remains the same, but the Global Standards aim to modernise and expand on internal audit principles and focus on addressing emerging risks and adapting to the complexities of the ever-evolving business landscape.

It also stresses the importance of a future-focused approach, anchoring foresight in the very purpose of internal auditing. The 2024 Standards shift from 2017’s flexible approach to prioritise innovation and global consistency by integrating best practices and methodologies from around the world. Additionally, they focus on managing risks related to cybersecurity, confidentiality and data protection, ESG, and Artificial Intelligence, all of which are issues many organisations see as significant risk areas.

The Global Standards emphasise governance, highlighting the Board’s responsibilities.
The IAF’s effectiveness mostly depends on the Board and, where there is one, the Audit Committee. It is crucial that the Board proactively helps navigate the implementation of the Global Standards and elevate the relevance of the IAF. The Board needs to give the IAF enough resources, grant a direct reporting relationship, and enable professional growth. For example, the Global Standards now require a certified internal auditor for external quality assessments, which was not previously required. The Board’s responsibilities further include:

- Oversight and guidance
- Communications with stakeholders
- IAF’s strategy, objectives, and performance monitoring
- Setting clear expectations with and for the Chief Audit Executive

Another noteworthy area of increased focus is the need to develop an independent internal audit strategy, which goes beyond the organisational objectives emphasised within the 2017 IPPF. IAFs also need a performance measurement system and better use of technology to improve their work.

Ultimately, the 2024 framework positions the IAF not just as an internal control and compliance mechanism, but as a strategic driver of organisational resilience and value. By improving clarity, incorporating topical guidance, and strengthening governance ties, the updated standards are holistic, forward-looking, and purpose-driven to meet the demands of a constantly changing world.

Impacts and challenges

The publication of the Global Standards brings many changes, including increased quality, clearer requirement structure, and the ability to remain relevant. They highlight emerging risks—such as cybersecurity, ESG, and AI—and encourage Internal Auditors to create value more proactively.

However, impacts are not only positive. The expanded scope and modernisation make the Global Standards more complex to implement than the previous structure.
Organisations used to the previous structure should review the gaps between what is and what should be and take reasonable steps to meet the intent where full conformance is not feasible due to size, resources, or organisational constraints. Adapting and investing in the IAF is needed from the IAF itself, the Board, and other relevant stakeholders.

Training programmes, technological upgrades, and consulting services may increase costs, especially for the small IAFs. Another challenge could be the resistance to change. People rely on habits, so teams may struggle to shift from familiar practices to new methodologies, especially when building an internal audit strategy, setting performance measures, and covering emerging risks that add to the workload.

Conclusion

With the introduction of the 2024 Global Standards, IAFs face new opportunities and challenges alike. By modernising and unifying the Internal Audit framework, incorporating global best practices, and emphasising the need to be future-oriented, the IIA aims to elevate internal auditing. Using a risk-based approach to emerging risks can improve quality, support resilience and success, and create room to innovate, learn, and proactively add value.

Though organisations may first struggle with increased costs, resistance to change, and training needs, once the updates are embedded, the 2024 Global Standards are likely to deliver long-term benefits, helping the IAF stay relevant, impactful, and adaptable to a fast-changing environment. As IAFs navigate the growing complexities arising from the Global Standards, collaboration and willingness to adapt are key to continuously deliver the highest quality and excellence to an organisation and its stakeholders.

One year after implementation: The impact of the 2024 Global Internal Audit Standards

Source: Get to know the Global Internal Audit Standards – The IIA

In today’s connected world compliance has evolved from a back-office necessity into the role of a strategic advisor.
Organisations face mounting regulatory pressures ranging from GDPR, CSRD to emerging frameworks such as the EU AI Act. Nowadays, traditional compliance models that rely on manual audits, static checklists and siloed reporting are increasingly inadequate. But could adopting a software-defined compliance model – built on the pillars of strategy, processes, metrics/KPI, people and technology – enable the compliance function to meet future challenges?

This article explores the foundations of a software-defined compliance, its transformative potential and the challenges organisations must navigate during the implementation.

The software-defined compliance approach

A software-defined compliance is completely embedded in the IT-infrastructure of the organisation. The centre piece of the software-defined compliance is a digital compliance platform with the following key characteristics:

- Automation of the compliance controls: Continuous monitoring of the workflows and applications against regulatory standards
- Dynamic adaptability: Ability to update compliance rules rapidly to regulatory changes
- Transparency and auditability: Data-driven reporting that reduces human error and enhances trust

Benefits of a software-defined compliance

The implementation of a digital compliance platform supports a proactive compliance risk management. The continuous monitoring of regulatory requirements connected with the automated compliance controls ensures the identification of compliance issues before they escalate. The cornerstone of a successful implementation is breaking down silos and defining firm-wide compliance standards, while ensuring that the linkage between different IT-systems and applications supports the efficiency and accuracy of the organisation’s governance framework.

Implementation

A successful implementation depends on the buy-in of the executive leadership team and the collaboration with the different teams. An early involvement of IT specialists and operations managers ensures realistic timelines and alignment across the departments.

Choosing the right compliance digital platform is critical. The platform should be customisable and a complete integration with the existing IT infrastructure and the AI strategy of the organisation should be possible. But before implementing a digital compliance platform, the organisation must review existing data sources and resolve inconsistencies, since compliance software relies on accurate data.

Last but not least, and equally important to all technical aspects, is the training of the employees. Staff must understand how compliance automation works, what alerts mean, and how to respond to system-generated reports.

Conclusion

Implementing a software-defined compliance is a strategic investment. By defining objectives, involving stakeholders, selecting the right digital compliance platform, preparing data, and designing meaningful compliance dashboards, organisations can transform compliance from a reactive burden into a proactive enabler of trust and innovation.

Nicole SCHADECK, Director Regulatory Compliance, PwC Luxembourg, driving the Compliance Monitoring Plan (CMP) initiative
Pierre-Jean ECK, Director, PwC Luxembourg

Is a software-defined compliance the answer to future compliance challenges?
