IIA Standards for Internal Audit Teams

The Institute of Internal Auditors Inc.'s new Global Internal Audit Standards™ (January 2025) represents a significant overhaul of our professional framework. They consolidate fragmented guidance into a cohesive structure. What stands out is the introduction of Topical Requirements - providing standardized approaches for complex audit areas while maintaining flexibility through principles-based guidance. This balance between consistency and adaptability is precisely what our profession needs in today's risk environment. I've partnered with Diligent to create a comprehensive four-part series on this transition: 1. New Global Internal Audit Standards™: What internal auditors need to know https://lnkd.in/g4RuKJCN 2. Introducing Topical Requirements: Enhancing consistency in internal auditing https://lnkd.in/gzqAY3q5 3. Preparing for quality assessments under the Global Internal Audit Standards https://lnkd.in/g4nxCY95 4. The future of internal auditing: Embracing the 2024 IPPF evolution https://lnkd.in/gcvepQbH For those leading audit functions, I recommend reviewing our series while conducting your gap analysis. With the standards emphasizing quality assurance and emerging risks, early adoption positions your function as a governance leader. #TheIIA #InternalAudit #AuditStandards #GRC #oneiia

Out now: Cybersecurity Topical Requirement (CTR) What do internal auditors need to do? The IIA has released the Cybersecurity Topical Requirement (CTR) --setting a mandatory baseline for cybersecurity audits. What it covers: 1. Governance: cybersecurity strategy, policies, roles, and stakeholder engagement. 2. Risk management: identifying threats, managing risks, incident response, and communication. 3. Controls: network security, asset management, encryption, access controls, and monitoring. What internal auditors should do: 1. Align with existing frameworks: map CTR to NIST, COBIT, ISO 27001 to avoid duplication. 2. Integrate cyber into audit planning: ensure cybersecurity risks are part of annual assessments. 3. Build cybersecurity expertise: get trained or involve external specialists. 4. Engage leadership: communicate cyber risks and audit findings to management and the board. 5. Leverage technology: use automation and analytics to enhance cybersecurity audits. 📅 Effective Date: February 2026 (Link to the publication: in the comments) Will you implement this requirement? #ITaudit #internalaudit #digitaltransformation

When Internal Audit only rates individual issues without providing an overall report rating, their work may lack the broader context needed for senior management and the board to understand whether the audited process, risk, or initiative is performing in line with management's expectations. When Internal Audit only rates the audit report, and not individual issues, it can invite skepticism to their work because of the subjectivity involved in assigning an overall rating, without the necessary context to help support the rating. When Internal Audit rates both the audit report and individual issues, sufficient context should be able to be provided. However, this approach risks portraying Internal Audit as a policing function, and potentially hinder its ability to be seen as a value-added business partner. When Internal Audit refrains from rating both the audit report and individual issues, they risk providing limited assurance unless their write-ups on findings and the overall audit opinion are exceptionally detailed and descriptive. No matter your report rating style, there are factors and potential downsides to consider for each one. According to a 2021 AuditBoard survey, 37% of Internal Audit departments didn't rate their audit reports, and another 37% didn't rate their audit issues. According to the The Institute of Internal Auditors Inc. newly released Global Internal Audit Standards, Internal Audit teams are now required to rate both individual audit issues and provide an overall rating (or other indicator of significance) for each internal audit report. Due to these new standards, many Internal Audit teams may need to reevaluate how they communicate their work results and the assurance they provide. If you find yourself in this situation, I encourage you to read these articles by Richard Chambers and Norman Marks (links in comments below) before your team makes a decision. Both Richard and Norman offer valuable insights and perspectives on including ratings in audit reports. I'd also recommend reading an insightful article by my friend Chris Patrick, CIA from 2019. As a CAE, he articulated his reasoning for discontinuing overall report ratings and focusing solely on issue ratings. It's an excellent piece that offers valuable perspectives on this topic. And for your ease of reference, I've also included a link to the IIA's new Global Internal Audit Standards. AuditBoard #InternalAudit #EnablingPositiveChange

𝗙𝗿𝗼𝗺 𝗜𝗻𝘁𝗲𝗿𝗻𝗮𝗹 𝗔𝘂𝗱𝗶𝘁𝗼𝗿 𝘁𝗼 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗣𝗮𝗿𝘁𝗻𝗲𝗿 It's been nine months since the Global Internal Audit Standards from The Institute of Internal Auditors became effective. Having had some time to reflect, I would like to remind everyone of some key shifts that I believe will truly elevate our profession from a backward-looking function to a forward-thinking business partner. 𝗛𝗲𝗿𝗲'𝘀 𝘄𝗵𝗮𝘁 𝘀𝘁𝗮𝗻𝗱𝘀 𝗼𝘂𝘁 𝘁𝗼 𝗺𝗲: 1️⃣ 𝗙𝗼𝗿𝗲𝘀𝗶𝗴𝗵𝘁, not just hindsight. The new Purpose statement for internal auditing now explicitly mentions "foresight". This marks a step forward. It focuses on anticipating risks and providing proactive advice to help the business thrive. 2️⃣ 𝗘𝘀𝘀𝗲𝗻𝘁𝗶𝗮𝗹 𝗖𝗼𝗻𝗱𝗶𝘁𝗶𝗼𝗻𝘀. The Standards introduce "Essential Conditions" that must be in place for internal audit to be effective. This means the Chief Audit Executive (CAE) needs to sit down with the Board and Senior Management to discuss and agree on these conditions. It formalises the support we need to do our jobs right. 3️⃣ 𝗧𝗵𝗲 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝗶𝗰 𝗿𝗼𝗮𝗱𝗺𝗮𝗽. The CAE must now develop an internal audit strategy. This is not a one-year plan but a long-term vision and plan of action for the internal audit function. It's the roadmap for fulfilling our mandate and achieving long-term success. 4️⃣ 𝗔𝘀𝘀𝘂𝗿𝗮𝗻𝗰𝗲, not duplication. The new Standards emphasise working with other assurance providers, such as external auditors, to reduce overlapping efforts and uncover gaps in risk coverage. 5️⃣𝗖𝗵𝗮𝗿𝗮𝗰𝘁𝗲𝗿 𝗺𝗮𝘁𝘁𝗲𝗿𝘀. The Standards now emphasise professional courage and scepticism. We are expected to speak up and critically evaluate information, even when it is uncomfortable or difficult. It’s about having the conviction to do what is right, based on the facts. 6️⃣ 𝗤𝘂𝗮𝗹𝗶𝘁𝘆 has two parts. It isn't just about following the rules (conformance), but also about meeting performance objectives (performance). It serves as a good reminder that the value of our work is judged not only by how well we follow standards but also by the real impact we create. What are your thoughts on these new Standards? 𝙒𝙝𝙖𝙩 𝙘𝙝𝙖𝙣𝙜𝙚𝙨 𝙝𝙖𝙫𝙚 𝙮𝙤𝙪 𝙛𝙤𝙪𝙣𝙙 𝙢𝙤𝙨𝙩 𝙞𝙢𝙥𝙖𝙘𝙩𝙛𝙪𝙡?