Overview of the Global Internal Audit Standards 2024
Compliance03 april, 2024

Overview of the new Global Internal Audit Standards 2024

The global IIA’s International Standards for the Professional Practice of Internal Auditing have changed. This is good news for IIA members worldwide, but it will require some attention and adaptation to meet the new requirements. Hence, our series of webinars which we believe will support you in embedding the new Standards within your internal audit function.

In this overview we will cover:

What is the new IIA Standards structure?

The Global Internal Audit Standards contain:

  • 5 Domains, we’ll take a closer look at those in just a moment.
  • 15 Principles, which are broad descriptions of a related group of requirements and considerations.
  • 52 Standards, with each standard including:
    • Requirements – mandatory practices for internal auditing, recognized by the use of “must” in each statement.
    • Considerations for Implementation – common and preferred practices to consider when implementing the requirements; the statements in these sections use the terms “should” or “may.”
    • Examples of Evidence of Conformance – examples to demonstrate that the requirements have been implemented. The examples are not meant to be an exhaustive list.

Additional features of the Global Internal Audit Standards include:

  • The Fundamentals section. An introductory section that describes the structure, applicability, and how to use the Standards, as well as an overview of the standard-setting process and description of the connection between internal auditing and the public interest.
  • The Glossary. Provides definitions of key terms used throughout the Standards. The Standards use certain terms in very specific, internal-audit-centered ways that correspond to their definition in the Glossary.
  • A special section. “Applying the Global Internal Audit Standards in the Public Sector,” which follows Domain V: Performing Internal Audit Services and describes strategies for conformance amid the circumstances and conditions unique to internal auditing in the public sector.

What are some of the changes to the Glossary?

The process for updating the Glossary involved reviewing each term for its relevance, researching and comparing against other standards and frameworks, conducting initial surveys, and reviewing thousands of public comments.

A few things to note:

  • Some terms have either been excluded or new terms have been added.
  • 32 new terms and definitions have been added to the 2024 Global Internal Audit Standards (e.g. activity under review, assurance, competency). The link to the full glossary document can be found here: Glossary Comparison: 2024 Global Internal Audit Standards to 2017 Standards (theiia.org).
  • 13 terms from 2017 have been excluded from the 2024 Global Internal Audit Standards Glossary. These include — add value, adequate control, information technology governance overall opinion.
  • The Glossary helps internal auditors understand the Standards, but it does not mean that these are the only terms that can be used. We know people use different terms to mean the same thing and that’s generally not a problem. But it allowed for the development of the Domains where information was missing before. Other terms may be used elsewhere to mean the same or a similar thing.

How does this impact the profession?

Domain I – Purpose of Internal Auditing

The Purpose of Internal Auditing provides a simple and concise overview of the essence of internal auditing, meant to be easily communicated to stakeholders. It could be called an “elevator pitch.”  It starts with a Purpose Statement: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”

The Purpose Statement combines elements from the current Definition of Internal Auditing and the Mission of Internal Audit and includes a list of the benefits from internal auditing. Internal auditing enhances these aspects and abilities of the organization.

The Purpose Statement also includes a list of conditions necessary to optimize the benefits from internal auditing.

Domain II – Ethics and Professionalism

Domain II incorporates and replaces the existing Code of Ethics and what are called the "attribute standards" in the 2017 Standards — specifically objectivity, competency, and due professional care — to remove duplication.

Domain III – Governing the Internal Audit Function

Domain III groups together Standards involving the relationship between the chief audit executive (CAE), the board, and senior management in governing the internal audit function. Many of these Standards and concepts exist in the 2017 Standards but more direct and clear detail has been added to give some weight to the importance of establishing and supporting the mandate (authority, role, and responsibilities), independence, and oversight of the internal audit function.

While the chief audit executive is responsible for the requirements in this domain, appropriate governance arrangements, supported by activities of the board and senior management, are essential to enable the internal audit function to be effective and to fulfill the Purpose of Internal Auditing (Domain I).

Domain III now has principles and standards, as well as essential conditions — callouts to the board and senior management. “Essential conditions,” along with the requirements for the chief audit executive, establish a necessary foundation for an effective internal audit function.

Domain IV – Managing the Internal Audit Function

In Domain IV, all Principles and Standards address the chief audit executive, a term that’s defined in the glossary and in the introduction to this domain as the leadership role responsible for effectively managing all aspects of the internal audit function. The specific job title and/or responsibilities may vary.

The Standards in Domain IV cover how the chief audit executive plans strategically, manages resources, communicates effectively with stakeholders, and enhances the internal audit function’s quality.

Domain V – Performing Internal Audit Services

Domain V includes the standards for planning, performing, and communicating engagement results. The Standards, requirements, and considerations for implementation in this domain are applicable to both assurance and advisory services, unless otherwise specified in individual standards. The reason for this was to present a consistent generalized approach to project management that identifies the fundamental elements of planning, performing, and communicating each engagement.

Although there are not separate assurance and advisory standards, the Standards Board working group added or modified language throughout Domain V to clarify when requirements may not apply to advisory services.

The Principles in Domain V cover engagement planning, fieldwork, developing and reporting findings, developing recommendations and/or action plans, and following-up on management’s corrective actions.

Conclusion

The first webinar in a series of presentations covering the 2024 Standards took a helicopter view of the 5 Domains, 15 Principles and 52 Standards. It focused primarily on the headline content within the 5 Domains. It is recognized and accepted that many of the changes are familiar and in common practice in mature internal audit functions e.g., Domain V Performing Internal Audit Services. But most practicing internal audit professionals will need to adapt some elements of what they do to ensure continued conformance, so please join us for the remainder of the webinars which will take a deep dive into each of the Domains.

For more information and detail visit this link.

View a demo

2024 Global Internal Audit Standards FAQs

The continued success of our ongoing webinars that focuses on the new 2024 Global Internal Audit Standards has prompted a list of the most frequently asked questions from those that have attended these presentations. We’ve asked Liz Sandwith to review these questions and provide her informed responses for additional consideration and clarity.


Q: How will internal audit’s provision of foresight be measured? Will this be based on actual feedback from audit clients?

A: Domain I references the use of 'foresight'. Domain III Principle 6 also references the term 'foresight' and that it will be included in the Mandate. The Audit Committee/Board is required to approve the Mandate, (along with the Internal Audit Charter) with reference in Standard 6.1 to the support of the Audit Committee/Board for internal audit in achieving its Mandate. These are the only two references to 'foresight'. I think of foresight as horizon scanning and recall a conversation with a CEO who told me that they didn't want to "know where the fire is, but where the fire will be." Foresight is about internal audit supporting the organization in preparation for what is coming, when the next crisis may occur, and what the next crisis might be. But internal audit shouldn't be the only people in the organization looking to the future. The risk team and senior management also have a responsibility. Internal audit needs to be able to demonstrate that it has applied best endeavors when it scans the horizon.


Q: How will the new 2024 Global Internal Audit Standards impact the Certified Internal Auditor (CIA) certification process?

A: The intention is that the IIA will bring the CIA exams up to date with the current global practice of internal auditing. There will be greater alignment between the CIA syllabi and the IIA’s new Global Internal Audit Standards. The IIA will seek to minimize duplication and overlap among the three exam parts. The CIA will seek to clarify the knowledge, skills, and abilities that exam candidates must possess to pass the exam. The new syllabi will be published no later than May 2024. Although, I believe the new exams won't be available until post March 2025.


Q: If we already meet the 2017 Internal Audit Standards, do you feel more effort will be required to meet the new 2024 Global Internal Audit Standards?

A: It is difficult to comment on but if you have had a positive conforms assessment from your EQA against the 2017 IPPF and it is fairly recent, then I would suggest it will be straight forward to embed and conform with the new 2024 Global Internal Audit Standards. The challenge might be working with your Audit Committee/Board to encourage them to engage in Domain III.


Q: Are organizations required to adopt new terms such as ‘engagement conclusion vs opinion’ in their reports, etc.? How important is it to model the new IIA glossary language?

A: The 2024 Global Internal Audit Standards reference 'conclusion' rather than 'opinion', which I believe is a positive language as the word 'opinion' has a subjective tone, whereas the word 'conclusion' implies that it is based on the work undertaken. I would encourage you to adopt the term conclusion.


Q: Is it worth starting the Certified Internal Auditor (CIA) process now and finish it with the new 2024 Global Internal Audit Standards?

A: The CIA exam will not change until May 2025. In-process candidates — those who have started the CIA exam process and already passed one or more exams — are allowed a three-year transition period to complete the program they initially applied to. Any completed exam parts are valid during the three-year period. However, when the period ends (the program expires), if the candidate hasn’t completed all three parts, then they will be required to start over. Those who apply now will receive information about changes and updates at least one year before they happen.


Q: When is compliance with topical requirements required? Is this also expected in January 2025, even though the topical requirements are not final yet?

A: The Topical Requirements will become mandatory starting January 2025 where you have an internal audit engagement within your internal audit plan that is the same as the topical requirement. The IIA has recently published the cyber security topical requirements for consultation. The response to the consultation is open April 3 to July 3, 2024. It will enable you to gain a sense as to the format, approach, and content of the topical requirements.


Q: Will there be guidance on the types of audits that can be undertaken, such as thematic reviews, change management audits, outcomes-based, (any new audit services)?

A: There will likely only be the Topical Requirements. Topical Requirements, the newest component of the International Professional Practices Framework, will ensure that all internal audit functions — large, small, private, or public — apply consistent audit methodology when assessing the effectiveness of governance, risk management, and controls of a particular topical area. The use of Topical Requirements will be mandatory when an internal audit function scopes an audit engagement that includes the topic covered. However, other organization will likely produce additional guidance.


Q: Does Domain III of the 2024 Global Internal Audit Standards require the internal audit mandate to be documented separately from the Internal Audit Charter?

A: Based on the Internal Audit Charter published on March 28, 2024, the Mandate is included in the Charter document.


Q: For a single person audit shop, is it required that they involve external parties in their QAIP framework? Can the CAE conduct self-assessment both annually and a 5-year external review to be compliant? It is challenging to find another qualified person in the organization to assist with QAIP framework.

A: One person internal audit functions do struggle regarding the QAIP element. The internal audit function’s ability to fully conform with the new 2024 Global Internal Audit Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises of only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. This may be provided by your quality team if you have one. Alternatively, I am aware of organizations seeking assurance regarding internal audit from their external auditors.


Q: What if local regulations include something that contradicts the new 2024 Global Internal Audit Standards (i.e. oversight and responsibility of Audit Committee or requiring regulatory approval for the CAE prior to joining the function)?

A: While the Global Internal Audit Standards apply to all internal audit functions, internal auditors in the public sector work in a political environment under governance, organizational, and funding structures that may differ from those of the private sector. The nature of these structures and related conditions may be affected by the jurisdiction and level of government in which the internal audit function operates. Additionally, some terminology used in the public sector differs from that of the private sector. Laws and/or regulations may establish the mandate, organizational position, reporting relationship, scope of work, funding, and other requirements of the internal audit function. If there are instances where laws and regulations contradict or challenge the Global Internal Audit Standards the expectation is that you would adhere to the laws and regulations but reference this in conversations with the Audit Committee (i.e. comply or explain).


Q: We are planning to provide an overview of key changes and updates that our internal audit function will make to the Audit Committee in April. What are the key messages we should convey?

A:The IIA have published new guidance regarding Domain III. The link can be found here. The new 2024 Global Internal Audit Standards requirements seek to elevate internal audit practice in five domains that cover the profession’s purpose, ethics and professionalism, governance, management, and performance. Domain III, which focuses on how the internal audit function is governed, may hold the greatest potential for transforming how the profession is viewed around the world. Domain III identifies a set of conditions necessary for internal audit to achieve effective collaboration with the board and senior management. Additionally, it articulates how the board and senior management should contribute to that collaboration.


Q: Who are the new 2024 Global Internal Audit Standards applicable to? Are all the standards mandatory?

A: The intention of the 2024 Global Internal Audit Standards is that they will be applicable to all practicing internal audit professionals. The Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally. The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.


Q: How do you measure "qualified" internal auditors? What background, experience, certifications, if any, are required?

A:Standard 7.2 (Domain III) states: The board collaborates with senior management to determine which competencies and qualifications the organization expects in a chief audit executive. The competencies may vary according to the internal audit mandate, the complexity and specific needs of the organization, the organization’s risk profile, and the industry and jurisdiction within which the organization operates, among other factors. The desired competencies and qualifications are typically documented in a job description and include:

  • A comprehensive understanding of the Global Internal Audit Standards and leading internal audit practices.
  • Experience building and managing an effective internal audit function by recruiting, hiring, and training internal auditors and helping them develop relevant competencies.
  • Certified Internal Auditor® designation or other relevant professional education, certifications, and credentials.
  • Leadership experience.
  • Industry or sector experience.

Q: Is the Internal Audit Red Book currently available with the new 2024 Global Internal Audit Standards?

A: Yes, the Red Book is available and can be found here.


Q: What is the difference between consulting and advisory services?

A: Internal auditors provide advisory services to advise an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products, as well as providing forensic services, training, and facilitating discussions about risks and controls. “Advisory services” are also known as “consulting services.”


Q: When the chief audit executive (CAE) takes responsibility beyond the internal audit function — such as a chief risk officer — to oversee the organization's Enterprise Risk Management (ERM), is it considered a good practice or impaired independence?

A: Standard 7.1 states: The chief audit executive must discuss with the board and senior management any current or proposed roles and responsibilities that have the potential to impair the internal audit function’s independence, either in fact or appearance. The chief audit executive must advise the board and senior management of the types of safeguards to manage actual, potential, or perceived impairments. When the chief audit executive has one or more ongoing roles beyond internal auditing, the responsibilities, nature of work, and established safeguards must be documented in the internal audit charter. If those areas of responsibility are subject to internal auditing, alternative processes to obtain assurance must be established, such as contracting with an objective, competent external assurance provider that reports independently to the board.


Q: The internal audit strategy is new to the standards. Is an internal audit strategy mandatory in the new 2024 Global Internal Audit Standards for internal audit in the public sector?

A: It makes sense for every internal audit function to have a strategy that reflects where you and your internal audit function is now, where it wants to be, and how it will get there, regardless of which sector you are in. Standard 9.2 covers the internal audit strategy and states: The chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders. An internal audit strategy is a plan of action designed to achieve a long-term or overall objective. The internal audit strategy must include a vision, strategic objectives, and supporting initiatives for the internal audit function. An internal audit strategy helps guide the internal audit function toward the fulfillment of the internal audit mandate. The chief audit executive must review the internal audit strategy with the board and senior management periodically.


Q: Could you share more information on the External Quality Assessment (EQA), and the requirement of this assessment by non-public companies?

A: The requirements for an EQA is the same for both public and private companies. Standard 8.4 provides details on the role of the CAE and the Audit Committee/Board in relation to the EQA: The chief audit executive must develop a plan for an external quality assessment and discuss the plan with the Board. The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external quality assessment may also be met through a self-assessment with independent validation.


Q: For Standard 8.1, the chief audit executive (CAE) must report to senior management, like the board (e.g., audit plan, budget, revisions to plan, audit conclusions and themes, and QAIP results). Is this level of granular reporting to senior management expected to be at the same level as the Audit Committee and Board?

A: The intention of Domain III and the essential conditions is to encourage internal audit and senior management to work more collaboratively than perhaps they do at present. The chief audit executive must discuss this Domain with the board and senior management. The discussions should focus on:

  • The purpose of internal auditing as articulated in Domain I: Purpose of Internal Auditing.
  • The essential conditions outlined under each of the standards in Domain III: Governing the Internal Audit Function.
  • The potential impact on the effectiveness of the internal audit function if the Board or senior management does not provide the support outlined in the essential conditions.

For more mature internal audit functions there isn't a significant change, but I do welcome the structured link between internal audit and senior management.


Q: What are the essential conditions/criteria within Domain III of the 2024 Global Internal Audit Standards? Why are these unique to the new IPPF standards when compared to the 2017 Internal Audit Standards?

A: While the chief audit executive is responsible for the requirements in Domain III, activities of the Audit Committee/Board and senior management are essential to the internal audit function’s ability to fulfill the purpose of internal auditing. These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the Audit Committee/Board, senior management, and the chief audit executive, enabling an effective internal audit function. I would suggest they have been included to strengthen the relation between the Audit Committee/Board, senior management, and internal audit and therefore strengthen the governance arrangements.

Subscribe below to receive monthly Expert Insights in your inbox

Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board. 
Back To Top