
For internal auditors, especially heads of internal audit (HOIAs), the stakes are high as value expectations shift. Internal Audit must continuously pre-empt business priorities and challenges and position itself as a true business partner and advisor to genuinely deliver on its mandate.
Given the constantly evolving and challenging risk landscape in which internal auditors operate, the clarity provided by the updated Global Internal Audit Standards is both timely and welcome. These enhancements will only serve to strengthen the internal audit function.
With input from stakeholders, the International Internal Audit Standards Board has introduced updated, performance-focused standards that raise the bar for assurance. These standards replace the former International Professional Practices Framework and officially came into effect on 9 January 2025.
The new standards are already helping internal auditors deliver objective and high-impact assurance and advice to tackle real-world challenges effectively. In doing so, they support their organisations in achieving strategic goals and creating value for shareholders.
It is essential for heads of internal audit and their teams to understand what is required to meet the standards and fulfil their responsibilities while also responding to board expectations for real-time risk insight and stronger internal control assurance.
What do the new internal audit standards cover?
The new standards provide clearer and more direct guidance than their predecessors. They are structured around 15 operating principles, organised into five distinct domains:
- Purpose of internal auditing
- Ethics and professionalism
- Governing internal audit function
- Managing internal audit function
- Performing internal audit services.
At Grant Thornton, we see the standards as clearly aligned to six key themes:
- Emphasis on risk management
- Defining objectives and methodology
- Technology-driven
- Culture and communication
- Operational and governance
- Conformance.
To whom do the new internal audit standards apply?
The revised standards advocate a more integrated and collaborative approach to internal audit, where auditors, management and the Board jointly support the organisation and serve the wider public interest.
All individuals delivering internal audit (IA) services globally, whether employees or contractors, are required to adhere to the standards, with tailored provisions for smaller audit functions and public sector entities. The Chief Audit Executive (or equivalent role) holds responsibility for ensuring all IA activities conform to these standards.
While not all team members need in-depth knowledge of every aspect of the standards, IA staff should, at a minimum, familiarise themselves with Domain II (Ethics) and Domain V (Performing Internal Audit Services).
Note that under the standards, an external quality assessment will look for at least one member of the team to hold an active certified internal auditor designation.
What do Heads of Internal Audit need to do?
Familiarise yourself with the standards
If not already done, take steps to understand the changes from the 2017 standards and establish a transition plan. This should detail where specific actions or adjustments to responsibilities are needed, alongside an internal training programme for your team.
Keep in mind that you may already be operating in line with the standards (for example, by demonstrating courage in challenging situations), but you must be able to evidence that compliance during an external quality assessment (EQA).
Consider performing a self-assessment
To identify where processes and procedures may need to be introduced or revised, it’s essential to conduct a gap analysis against the new standards. Consider this a mini self-assessment with independent validation (SAIV), albeit without external verification.
Prioritise your improvement opportunities as ‘critical’, ‘important’, and so forth, and identify where policy, procedural or talent gaps need addressing, or where new templates supported by enhanced technology should be introduced.
Develop or update your internal audit strategy
Following your self-assessment, establish a timeline for implementing the necessary changes, including the introduction or revision of IA KPIs to support effective monitoring and accountability.
In parallel, assess whether updates to your IA strategy and charter are required. Engage your board in a discussion around your IA mandate and consider conducting a risk assurance mapping exercise.
Connect with your stakeholders and customers
Managing change during the implementation of new standards offers a valuable opportunity to enhance communication around IA and foster strong, respectful stakeholder relationships.
This will not only enhance the perceived value of IA, but also encourage internal stakeholders to engage proactively with IA, thereby strengthening overall organisational risk management.
Develop a plan to stay informed on new topical requirements
Ensure your plans are reviewed to incorporate topical requirements, which are mandatory under the new standards and intended to enhance IA services for specific audit subjects.
IA teams must comply with these requirements when a relevant topic falls within the scope of an engagement, as they will form part of the evaluation criteria during an EQA where applicable. The initial requirements cover cybersecurity and third-party risk management, with ESG and fraud risk to follow.
Discuss new IA obligations with the board and senior management
Under Domain III of the new standards, your board and senior management are subject to essential conditions, meaning they must carry out specific actions to enable the IA function. These include acting as IA champions across the organisation and approving the HOIA’s role and responsibilities, among other tasks.
Instead of immediately alerting the board to new obligations, acknowledge that the standards have been updated and confirm you will present a plan to address them. Once the self-assessment, strategic review and preparatory work are complete, engage with the board and senior management to discuss how they can support compliance.
Re-assess your quality assurance strategy
Although conducting an EQA at least every five years remains a standing requirement, the updated standards now express a preference for an EQA over an SAIV. Engage the board in a discussion around your EQA plan and ensure they are clear on the implications of this change.
At the same time, update your quality assurance and improvement program (QAIP) process to incorporate changes in the standards, paying particular attention to standard 12 (Enhance Quality) within Domain IV (Managing the IA Function).
Future-proofing the IA function
Although new standards may initially appear demanding, the Global Internal Audit Standards™ are purposefully designed to emphasise ethics, strengthen organisational culture around IA, promote beneficial outcomes, and support tech-enabled assurance through broader use of AI, data automation and analytics.
At Grant Thornton, our global internal audit framework aligns with the IIA’s new Global Internal Audit Standards. Spanning risk assessment and planning, audit execution and reporting and remediation, it allows us to focus continuously on your business objectives, risks and operating environment.
We audit efficiently and effectively, using advanced audit techniques. Once done, we provide useful, well-aligned and balanced reporting and recommendations, all of which ensures no surprises for you along the way.
To discuss how we can help your organisation align with the new standards, get in touch with us today.