The Institute of Internal Auditors (IIA) recently released an update to the GIAS, which is the main component of the International Professional Practices Framework’s (IPPF). The new update resulted in substantial changes that were intended to simplify and clarify the standards as well as elevate the profession into the future.
The full 120-page document — and even the 62-page condensed version — provides a comprehensive set of standards and guidance for internal audit professionals. To highlight important updates in the new GIAS, we have provided a high-level overview on the most significant changes from the 2017 version. Based on BDO’s experience with our Internal Audit (IA) clients and performing quality assessment reviews, we have also detailed some of the new GIAS requirements that IA departments may be less likely to already have in place. These are areas where chief audit executives (CAE) may want to focus their efforts when reviewing the updated standards.
Overview of Key Changes
- Structural changes: The 2017 IPPF consisted of Mandatory Guidance (Principles, Definition of IA, Code of Ethics, and Standards) as well as Recommended Guidance (Implementation & Supplemental Guidance). The 2017 version was disconnected and contained duplicates across the Principles, Code of Ethics, and Standards. The prior version comprised two main categories for Standards: Attribute and Performance Standards (1000 and 2000 series, respectively). All these aspects have been completely restructured in the 2024 version, and virtually all elements now map to a new structure.
The GIAS is organized into five Domains: I) The Purpose of Internal Auditing, II) Ethics & Professionalism, III) Governing the IA Function, IV) Managing the IA Function, and V) Performing IA Services. A total of 15 Principles span across the Domains. These guiding principles are the heart of the GIAS and are designed to enable effective internal auditing. Each principle is supported by standards (52 in total), which contain requirements, considerations for implementation, and examples of evidence of conformance. This new structure helps to simplify IPPF and supports a true principle-based framework.
- Assurance and Advisory (formerly Consulting) Standards: The 2017 version included requirements applicable to assurance (.A) or consulting (.C) services. Almost 30% of the 2017 Standards had separate requirements for consulting engagements. The language for those consulting standards was somewhat vague and often less stringent as it related to requirements for a work program, documenting information, communicating progress and results, etc. This allowed IA departments to be much less formal in the amount of documentation need for those engagements. The new GIAS do not differentiate between assurance and advisory (formally consulting) projects, for the most part. IA activities and documentation requirements for ad hoc, advisory projects should now be highly similar to risk-based assurance audits, with only three exceptions: a) engagement risk assessment, b) evaluation criteria, and c) analysis of engagement findings (Standards 13.2, 13.4, 14.2, respectively).
- Essential Conditions: The IIA has introduced a new concept with the latest update to the Standard: “essential conditions.” These exist solely in Domain III: Governing the IA Function. The Domain states that appropriate governance arrangements are essential to enable the IA function to be effective. While the CAE is responsible for the requirements in the Domain, activities of the board and senior management are essential to the IA function’s ability to fulfill its purpose. These activities are identified as “essential conditions” and establish a foundation for an effective IA function. Each of the nine Standards within this Domain have essential conditions.
CAEs should set a meeting to discuss the essential conditions with the board and senior management. The Domain provides further guidance on actions to take for any disagreements, but communication of these expectations is required by the new Standards.
Highlighting New Requirements / Areas of Focus
- Standard 9.2 IA Strategy – The CAE must develop and implement an IA Strategy, including: the vision, strategic objectives, and supporting initiatives for the IA function. The IA Strategy is intended to guide the IA function toward fulfillment of its purpose. The vision should describe the desired future state in three to five years. Strategic objectives define achievable targets to attain the vision. Finally, supporting initiatives outline the specific tactics and steps for achieving the objectives.
- Standard 11.1 Building Relationships – The CAE must develop and document a plan for managing relationships and building trust with key stakeholders. Guidance suggests both formal (surveys, workshops, meetings) and consistent informal interactions to gain trust with the organization’s employees.
- Standard 12.2 Performance Measurement – The CAE must establish performance objectives, i.e., key performance indicators (KPI), which are designed to evaluate the IA function’s performance. Further, the CAE must develop an action plan to address issues and opportunities for improvement when KPI are not met. Guidance for this standard offers numerous examples of performance categories for CAEs to consider when establishing these KPI.
- Standard 14.3 Evaluation of Findings – This standard requires internal auditors to evaluate each finding and determine its significance. In the glossary, a “finding” (or “observation”) is described as a gap between the evaluation criteria and the condition. Findings are not best practices or opportunities for improvement. This standard requires the IA function to prioritize each engagement finding based on its significance.
- Standard 14.5 Engagement Conclusion – Internal auditors must develop an engagement conclusion that summarizes the overall significance of the aggregated engagement findings. The “Considerations for Implementation” suggests a rating scale, such as satisfactory, partially satisfactory, needs improvement, or unsatisfactory.