Ready or not, here they come: Global Internal Audit Standards become effective January 9, 2025

Justin Gwin
Alexis Wong
January 9, 2025

The Institute of Internal Auditors (IIA) released the Global Internal Audit Standards (GIAS) on January 9, 2024, and allowed one year for internal audit functions to adopt and implement them. The new GIAS are expected to elevate the profession and serve as a benchmark of quality for Internal Audit (IA) functions around the globe. The ‘principles-based’ set of standards contains 15 guiding principles that serve as the foundation and heart of the overall GIAS. The principles are supported by 52 standards, several of which are completely new requirements that were previously considered best practices. And although many of the new standards align with the 2017 version, the IIA has expanded the requirements of those standards with this update.

Why follow the new standards?

This is a question that we hear occasionally from board members and from some Chief Audit Executives (CAEs) who do not make specific efforts to follow all the standards or do not have a Quality Assurance and Improvement Program (QAIP). The IIA is not a regulatory body, although some regulators, jurisdictions, and industries may strongly recommend and encourage following the standards.

The expectations of regulators and stakeholders are increasing. The ability to demonstrate conformance with a globally recognized set of standards reflects a commitment to high quality processes and strong due diligence exhibited by an organization. It can also enhance an organization’s reputation both internally and externally.

Further, there have been multiple instances where organizations have been severely harmed by data breaches, internal fraud, or other risks materializing, and where internal audit has come under heavy scrutiny as a result. In several of these instances, executive leadership, regulators, auditors, and prosecutors have put a spotlight on internal audit. The companies that were able to prove conformance with leading standards were in a much better position than those that could not.

What should we do if we have not implemented the new standards yet?

Do not hit the panic button just yet. Neither the IIA special forces nor any FBI agents will be kicking in your door anytime soon. And given the overall minimal regulatory requirements, fines and penalties are rare absent a specific incident. Further, if you ‘Generally Conformed’ with the prior standards, there is a good chance you will still ‘Generally Conform’ with the new standards. Keep in mind that even though an IA department may ‘Not Conform’ or ‘Partially Conform’ with a specific standard or principle, an assessor may still determine that it has achieved ‘General Conformance’ overall by meeting the purpose of internal auditing.

However, there are multiple new standards, and several where the requirements have been vastly expanded. As such, it is difficult to conclude continued conformance in the absence of reviewing and understanding the new standards. The first step in achieving conformance with the GIAS is to conduct a gap assessment or full self-assessment of current practices against the new standards. This may be performed internally or by a third party. Our team has conducted many such assessments over the past year, and we have found that these are the top five areas where IA functions need to improve to achieve conformance with the new GIAS:

  1. IA strategy: The CAE must develop and implement an IA strategy. This is not the IA Charter or the IA annual plan. The IA strategy must include a vision, strategic objectives, and supporting initiatives for the IA function. This was once viewed as a best practice and is now a mandatory requirement. Very few IA functions have a defined strategy, and even those that do may not meet the required elements outlined in the GIAS. The IA strategy is intended to guide the IA function toward fulfillment of its purpose. The vision should describe the desired future state in three to five years. Strategic objectives define achievable targets for attaining the vision. Finally, supporting initiatives outline the specific tactics and steps for achieving the objectives.
  2. Assurance vs. advisory (formerly consulting) engagements: The 2017 version of the standards included separate implementation standards for assurance (.A) and consulting (.C) engagements. Approximately 30% of the prior standards had such differentiation and allowed for far less documentation on consulting engagements. In the new GIAS, this separation was largely eliminated, significantly elevating the requirements for the ad hoc advisory projects conducted by the IA function. This is an area where almost every IA team will need to improve its processes to ensure all engagements are performed at the same level.
  3. Essential conditions of Domain III: Although the CAE holds responsibility for implementing the GIAS, activities of the board and senior management are essential to the IA function’s ability to fulfill its purpose. These activities are identified as ‘essential conditions’ for governing the IA function. The CAE must discuss this domain with the board and senior management, specifically communicating the essential conditions and the potential impact on the effectiveness of the IA function if they are not supported. The IIA has developed a set of slides to facilitate this discussion, which are available on its website.
  4. Building relationships: The CAE must develop and document a plan for managing relationships and building trust with key stakeholders. Guidance suggests both formal interactions (e.g., surveys, workshops, meetings) and consistent informal interactions to gain the trust of the organization’s employees. A simple tracking tool outlining stakeholders, current/desired relationship level (such as A, B, C), assigned owners, and completed activities may be used to achieve conformance with this new standard.
  5. Performance measurement: The CAE must establish performance objectives, i.e., key performance indicators (KPIs), designed to evaluate the IA function’s performance. Some CAEs do not identify or monitor quantitative or qualitative measurements to demonstrate performance. This is often attributed to their respective boards not requesting such data. Once again, what was previously considered a best practice is now a mandatory requirement. The GIAS offer numerous examples of performance categories for CAEs to consider when establishing these KPIs.

Conformance with the GIAS allows CAEs to protect their organization, align with stakeholder expectations, and ensure the IA function continues to provide value. At Socorro Partners, we can help assess your IA function’s current practices, identify areas where improvements are required, and help implement solutions.

Justin Gwin
Managing Director
jgwin@socorropartners.com
Alexis Wong
Managing Director
awong@socorropartners.com
+1.305.204.0884