New Global Internal Audit Standards™
In March 2023, the International Internal Audit Standards Board (IIASB) released a draft of the new Global Internal Audit Standards for public comment. The Standards were designed to provide more clarity and further help internal auditors deliver high-quality performance. After reviewing responses to surveys and the draft, the IIASB published a digital version of the new Standards, with a print version following in March 2024. However, the new Standards won’t be effective until January 2025.
This is a major step in the International Professional Practices Framework (IPPF) evolution that aims to increase the relevance and responsiveness of The Institute of Internal Auditor’s (IIA) IPPF to current challenges in the profession. The IIA’s IPPF includes the International Standards for the Professional Practice of Internal Auditing (now named Global Internal Audit Standards), Guidance, and Topical Requirements.
Changes to the Standards
The Global Internal Audit Standards now incorporate content from six elements of the current IPPF (Mission, Definition, Code of Ethics, Core Principles, Standards, and Implementation Guides). These no longer exist as separate elements and are organized into five domains that clearly indicate key roles and responsibilities:
Purpose of Internal Auditing: Contains elements of the Mission of Internal Audit and the Definition of Internal Auditing and addresses how internal auditing helps the organization serve the public interest.
Ethics and Professionalism: Incorporates and builds upon the current Code of Ethics. In addition, this domain contains standards on due professional care, professional skepticism, and minimum requirements for continuing professional development for all internal auditors.
Governing the Internal Audit Function: Focuses on the relationship between the board, the board’s roles, and the chief audit executive. The responsibilities of the board include overseeing the chief audit executive, internal audit function, and external quality assessments.
Managing the Internal Audit Function: Focuses on the requirements for the chief audit executive to manage the internal audit function effectively.
Performing Internal Audit Services: Focuses on performing assurance and advisory engagements.
The “considerations for implementation” offer common and preferred practices for implementing the requirements, and the “considerations for evidence of conformance” are examples of recommended ways to demonstrate the implemented requirements. These sections incorporate information from the existing Implementation Guides and other authoritative guidance. Additionally, the sections include nuances for the public sector and small internal audit functions, when appropriate.
The Standards introduce and define terms, such as: criteria, condition, finding, inherent risk, residual risk, risk tolerance, root cause, and public sector.
There are new clarifications and requirements for the Quality Assurance and Improvement Program (QAIP), including a description of the requirements for board oversight of the program and the requirement for at least one reviewer in an external quality review to be a Certified Internal Auditor (CIA).
The Standards are no longer divided into “attribute” and “performance” categories and do not contain “interpretations” as a separate section of the standard.
The “A” and “C” subsections are incorporated into the main body of the Implementation Standards, along with a new numbering system and order.
Guidance remains as a recommended element, which allows for more in-depth attention to internal audit practices and subjects.
Topical Requirements were added to the IPPF to enhance the consistency and quality of internal audit services. These requirements ensure that all internal audit functions apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area. These requirements are intended to:
Raise the internal audit function’s professionalism and performance.
Improve the quality and value of internal audit services.
Provide comfort to stakeholders that critical elements are addressed within a particular audit area.
Topical Requirements are applicable only to specific audit topics or engagements that are designated within an organization’s audit plan. Here, it becomes mandatory to demonstrate conformance when executing testing specific to the audit topic/engagement. Auditors are not required to include Topical Requirements in their audit plans.
Additionally, Topical Requirements will strengthen the ongoing relevance of the IPPF to the evolving risks organizations face, such as cybersecurity, sustainability, privacy, and fraud. To identify topics, market research and surveys will be conducted to obtain input from internal auditors and stakeholders with a public comment period scheduled prior to approval and implementation. The proposed audit subjects include:
Assessing Organizational Governance
Fraud Risk Management
Information Technology Governance
Privacy Risk Management
Sustainability: Environmental, Social & Governance
Public Sector-specific: Performance Audits
Quality Assessment & IIA Certification Exams
The Standards are effective for quality assessments 12 months from the official IIA publish date of January 9, 2024. If your next assessment is due in 2024, you may proceed following the original due date under the existing IPPF. However, if your assessment is due in 2024 or in 2025, you can choose to accelerate your assessment under the existing IPPF in early 2024. If your assessment is due in 2025, you can elect to have a gap assessment performed by IIA Quality Services in 2024 to assess your readiness in implementing the new Standards.
A new quality assessment manual will be published in early 2024, but the current manual remains in effect and valid until then.
The CIA exam and Learning System will not change or be updated before March 2025. The IIA’s Professional Certifications Board (PCB) will assess how the new Standards and other changes affecting the internal audit profession will impact the current CIA program and determine how and when they should be updated. The IIA will provide notice of changes to the CIA exam at least one year in advance of the effective date.
There will be a transition period for candidates pursuing the CIA that have already passed one or more exams, allowing ample time to complete the program they initially applied to.
There are no plans to update the CRMA exam.
The Internal Audit Practitioner learning module and exam will not be updated before July 2024.
Important Dates to Remember (from the Institute of Internal Auditors)
Global Internal audit Standards™ publication in English available as PDF, along with disposition report and other tools
Global Internal audit Standards™ publication available as digitally enhanced eBook
New instructor-led training and updated learning library
Global Internal audit Standards™ publication available in hardcover format
Updated Quality Assessment Manual publication available
New Standards become effective, no sooner than 12 months after release
Updated CIA exam and study materials, not before effective date
Updated Internal Audit Practitioner exam, not before effective date
For help with Internal Audit Standards:
If you have any further questions regarding Internal Audit Standards, please reach out to CSC and we will be happy to help.