The new Global Internal Audit Standards: Lessons and action steps

The Institute of Internal Auditors (IIA) introduced a major update to its standards in January 2024, replacing the 2017 International Standards for the Professional Practice of Internal Auditing. These Global Internal Audit Standards (GIAS) took effect January 9, 2025, and represent a significant shift in structure, terminology, and expectations for internal audit functions worldwide.

The new Standards redefine internal auditing’s purpose and introduce conditions for the Board and senior management engagement, emphasizing governance alignment, risk-based planning, and technology enablement.

For institutions, this is an opportunity to strengthen governance, enhance risk management, and elevate the strategic role of internal audit. Below are key lessons learned and practical steps for adoption.

Five Immediate Recommendations

1. Conduct a Gap Assessment
   
   • Identify areas where your current practices fall short of the new Standards. Document findings to demonstrate conformity and prioritize remediation.
2. Engage Leadership Early
   
   • Secure governance support and strategic alignment. The Board (or audit committee) must approve the charter, budget, and strategic plan, and confirm audit independence annually.
3. Update Frameworks and Documentation
   
   • Refresh audit manuals, quality assurance and improvement programs (QAIPs), and templates. Pay special attention to:
     
     • Replacing the old definition of internal auditing with the new purpose statement (Domain 1).
     • Removing references to the IIA Code of Ethics.
     • Updating glossary terms (e.g., “consulting” becomes “advisory”).
     • Incorporating Standard 6.1 requirements for the internal audit mandate.
4. Train Your Team
   
   • Communicate the new structure, terminology, and engagement-level risk assessment requirements for auditors. Each audit must include documented risk assessments that identify significant risks, fraud considerations, and management’s performance criteria.
5. Leverage External Resources
   
   • Use IIA tools, updated charter templates, and consulting support to accelerate the transition.

Strategic Planning, Performance Objectives, and Risk Assessment

The Standards call for a strategic plan that includes a vision, objectives, and supporting initiatives for the internal audit function, typically spanning three to five years. Consider:

• Technology adoption and data analytics
• Talent development and certification goals
• Audit rotation and quality assurance programs

Performance objectives should extend beyond simple budget compliance. Incorporate SMART goals (specific, measurable, achievable, relevant, and time-bound) to track progress effectively. Examples include increasing in-house compliance expertise or implementing new audit technology.

In addition, every audit engagement must include a documented risk assessment. This process should:

• Identify significant risks to the activity’s objectives
• Consider fraud risks
• Prioritize risks for review
• Define management’s criteria for success

Document these assessments in audit files and link them to your audit platform for transparency and efficiency.

Reporting and Root Cause Analysis

Final engagement communications must include:

• Objectives, scope, and conclusions
• Findings with significance and prioritization
• Recommendations or agreed action plans
• Scope limitations, if any

When documenting findings and action plans, define the root cause so that corrective measures can adequately address the underlying issues. Auditors must also credit management for corrective actions implemented before the final communication is issued.

The Standards require Chief Audit Executives to regularly evaluate audit technology and report limitations to the Board. If your function relies solely on basic tools like Word and Excel, perform a documented analysis and present options for improvement. Consider outsourcing data-intensive audits as a mitigating control.

Finally, Domain III emphasizes the Board and senior management’s responsibility for meeting “Essential Conditions,” such as approving plans, budgets, resources, and charters, as well as confirming independence. To sustain an effective internal audit function, the Chief Audit Executive should engage in candid discussions with both parties about these requirements.

We Can Help

Adopting the Global Internal Audit Standards equips institutions that act now with the tools to drive organizational resilience.

Ready to start? Contact Elliott Davis for a comprehensive gap assessment and build a roadmap that aligns with your vision and strategic priorities.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.