
The Global Internal Audit Standards (short: Standards) published by the Institute of Internal Auditors (IIA) in January 2024 have been effective for quality assessments from 9 January 2025. At the same time, they will replace the "International Standards for the Professional Practice of Internal Auditing" (IPPF) from 2017.

The standards at a glance

The standards are divided into five domains with 15 principles and a further 52 concrete requirements ("essential conditions") as well as considerations for implementation and examples.

The five domains are:

  1. Objectives of internal auditing
  2. Ethics and professionalism
  3. Governance of internal audit
  4. Management of internal audit
  5. Provision of auditing services

The standards are supplemented by the so-called "Topical Requirements". These are requirements of the IIA for currently eight known risk topics (including cybersecurity, third-party, organizational behavior, and organizational resilience). In response to the increasingly complex risk landscape faced by companies, these requirements are mandated to be integrated into audit activities¹. For example, the Cybersecurity Topical Requirements published in February 2025 will come into effect on 5 February 2026. According to the KPMG GIAS survey, 45 percent of participants indicated that their internal auditors largely or fully possess the necessary skills and knowledge to cover the Topical Requirements. The IIA has announced that public consultation on the Topical Requirements related to organizational behavior and organizational resilience is expected for 2025/2026.

Relevant changes to the Global Internal Audit Standards include, for example:

  • Binding requirements for the (further) development of an audit mission statement and an audit strategy for the first time (Standard 6.2, 9.2)
  • Necessary integration and interaction between internal audit and management or supervisory body, along with the recommendation of a reporting line to the executive board (“Essential conditions” in Domain III)
  • Understanding of GRC processes as well as the organizational GRC risk profile (Standard 9.1)
  • Enhanced collaboration with other governance functions (2nd line) within the organization, as well as external assurance providers (Standard 9.5)
  • Increased use of technological resources, such as data analytics and AI tools in audit activities to enhance efficiency and effectiveness (Standard 10.3)
  • Updated reporting requirements for a mandatory overall assessment of the effectiveness of GRC processes within the audit scope and a professional judgement on the overall significance of the findings based on a consistent methodology (Standard 14.5)
  • Specification of the information protection requirements (Standard 5.1, 5.2)
  • Greater focus on measuring the performance of internal audit activities (Standard 12.2)
  • Increased requirements for external quality assessments (Standard 8.4)

What is important for a successful implementation

Organizations need to implement several measures to ensure compliance with the new IIA Global Internal Audit Standards. This transition presents a valuable opportunity for internal audit teams to evaluate and refine their current audit systems, aligning them with the updated requirements. Additionally, it allows for a stronger emphasis on delivering added value and addressing stakeholder needs. This process can also serve as a catalyst for future-oriented transformations, such as enhancing flexibility to respond to emerging risks, reinforcing collaboration with GRC functions within the organization² and integrating new technologies into internal audit activities³.

In this context, we recommend the following approach:

Identify necessary changes, assess and classify adjustments based on the current internal audit system, and develop a roadmap for implementation.

Define tasks and priorities as work packages, engage stakeholders, execute and monitor the implementation of new requirements regularly.

Communicate changes to stakeholders, train auditors on new and updated standards and measures, and empower them to implement these changes.

Analyze the adequacy of the updated IAS according to DIIR No. 3 / IDW EPS 983 n.F. This analysis provides a significant contribution to the quality assessment of the IAS and sets impulses for potential optimization measures. It serves as guidance for the board and supervisory board in shaping the IAS.

In addition, we have gathered several common challenges that may arise during the implementation of the GIAS requirements by Internal Audit: 

  • Efforts to ensure consistency across all IA documentation during the update process, including strategy, manual, instructions, templates, checklists, etc.
  • Time pressure and capacity constraints – Balancing the GIAS implementation with ongoing audit activities
  • Change management, especially regarding people and culture, training and skills development
  • Communication plan and strategy to engage key stakeholders and secure their buy-in
  • Lack of leading practice examples and benchmarking information within the company's peer group.

KPMG Approach to Sparring for GIAS Compliance Implementation

A certain level of capacity within Internal Audit is required to derive and coordinate measures with the relevant stakeholders and to effectively implement the new standards. This should be taken into account as an ongoing project in the 2025/2026 audit planning. In addition, a readiness assessment can be carried out as a kind of "dry run" in 2025 in order to monitor the appropriateness and effectiveness of implemented measures, identify potential gaps and adopt improvement measures before upcoming quality assessments.

Outlook: External quality assessment

Conformity with the IIA Global Internal Audit Standards is an integral part of ensuring high-quality expectations for internal audit activities. With the release of the new Global Internal Audit Standards (GIAS), the IIA and DIIR have revised the framework for external quality assessments of the internal audit system, which is now represented in the IIA QA Manual and the applicable draft (“anwendbarer Entwurf”) of DIIR No. 3. In addition, the draft of the updated version has been released by the main technical committee (HFA) for comments (IDW EPS 983 n.F.). The final version (IDW AsS 983 n.F.) is expected to be published in the fourth quarter of 2025. The existing principles of internal auditing have not been fundamentally changed, but there are some modifications that need to be taken into account.

  • Quality requirements include not only “Conformance” with GIAS, Topical Requirements, Global Guidance and other legal requirements but also “Performance” of the internal audit system.
  • Greater emphasis on strategic alignment, “real” risk orientation of the audit activities (Standard 9.1 organizational risk profile) and consideration of stakeholder expectations.
  • No minimum requirements for determining significant deficiencies and no K.O. criteria. All criteria are equally weighted.
  • Review the conformance and consider whether the objective of the standard could be achieved.
  • The EQA must be performed every five years and the effectiveness review requires coverage of an adequate period. Moreover, there should be at least one CIA in the assessment team.
  • Updated quality assessment model, proposed in DIIR No. 3 (draft):
    • The 110 criteria in DIIR No. 3 (draft) are fully derived from GIAS and cover all GIAS requirements including essential conditions
    • The hierarchical evaluation process begins with assessing compliance with 110 criteria, progresses to evaluating the compliance and achievement of objectives for 52 standards and 15 principles, and culminates in an overall assessment of the effectiveness of the Internal Audit System
    • DIIR proposes a four-point scale for optional scoring. A full score of 3 indicates complete compliance or achievement of objectives, while scores of 2 and 1 reflect partial compliance with potential for improvement or need for improvement, respectively. A score of 0 is given for non-compliance.

In this context, it can be quite beneficial to conduct a readiness assessment based on the new standards, such as DIIR No. 3 or EPS 983 n.F., before the upcoming appropriateness and effectiveness review of the Internal Audit System (IAS). Additionally, peer group benchmarking is valuable for analyzing the maturity level of Internal Audit in areas such as methodology, performance, and strategy. This can provide a solid foundation for the strategic direction of further development in Internal Audit.

Conclusion

The need to share information and collaborate intensively across functions in the interests of efficient corporate governance cannot be overlooked – not least because compliance is a cost factor.

The new standards offer a good opportunity to further develop internal auditing, to further intensify interaction with stakeholders and to strengthen the integration of governance, risk and compliance systems while maintaining independence and objectivity. The following measures are recommended in this context:

Discussion with management and the supervisory body about their expectations, the mission statement and the strategic contribution of internal audit to supporting the corporate vision, safeguarding corporate values and increasing resilience:

  • Discussion of the company-wide risk map and the analysis and management of these (new) risks by risk management
  • Use of tools, technology and data & analytics to generate added value in audit activities (D&A Strategy)
  • Clear commitment to high quality standards in internal auditing
  • Training & further development of audit staff (competency matrix)

The extent and maturity of corporate governance and, in particular, internal auditing varies depending on the sector and size of the company.

In conclusion, it can be said that the IIA's new Global Internal Audit Standards will have a considerable impact on the interaction and working methods of internal audit - with a clear commitment to audit quality, dealing with relevant corporate risks, technology and data & analytics as well as increasing integration of the GRC function and interaction with the relevant stakeholders such as management and the supervisory body.

1 The IIA published the “Topical Requirements Application Guidance” in August 2025, providing direction on the application of Topical Requirements throughout the audit lifecycle.

2 According to the KPMG GIAS Survey in August 2024, 74 % of the participants plan to further develop the aligned assurance approach. However, 55 % of the participants have not established an assurance landscape or conducted a white spot assessment.

3 According to the KPMG GIAS Survey in August 2024, 43 % of the participants have extensively or completely applied digital tools (e.g. data analytics, process mining) in their audit activities.