The New Global Internal Audit Standards

The International Internal Audit Standards Board released the new Global Internal Audit Standards (the new “IIA Standards”) on 9 January 2024, and the internal audit functions were required to adopt the new Standards by 9 January 2025 

Based on the new IIA Standards, the Institute of Internal Auditors (“IIA”) has introduced several key changes that can impact the selection of consulting firms a company, such as a financial institution, engages to carry out its internal audit as an outsourced service provider.  

• Stricter independence of the internal audit services (the new “Organizational Independent Standard”) 

• Greater emphasis on risk-based auditing (the new “Engagement Risk Assessment Standards”) 

• Higher expectations for internal audit quality and objectivity 

• More focus on environmental, social and governance (“ESG”), and cybersecurity audits 

• Adoption of technology and data analytics 

Enhanced Internal Audit Standards 

Organisational Independence 

Under the new Organizational Independence Standard, internal audit service providers are expected to follow stricter independence requirements when providing internal audit and consulting services for the same client. The chief audit executive is required to be qualified and report directly to the board of directors (the “Board”) and the function is positioned at a level within the organization that enables the internal audit function to discharge its service and responsibilities without interference.  

Risk-based Audit 

The new Engagement Risk Assessment Standards reinforce a risk-based approach, requiring internal audits to focus on high-risk areas. Consulting firms that perform internal audits based on regulation or SOX requirements may need to adjust audit methodologies or approaches to align with these new expectations. Internal auditors need to consult with their clients to identify high-risk areas and assess the inherent risk, including alignment with the company’s risk appetite and industry best practices. 

Competency 

The new Competency Standard requires internal auditors to possess or obtain the relevant industry knowledge and auditing standards to perform their responsibilities successfully. For example, to conduct internal audits in the financial sector, the internal audit staff should have the knowledge about applicable regulations and business models, experience to understand the operations of the financial institutions and applicable industry practices, and the skills and abilities to conduct the test of design and test of execution of the financial institution in accordance with the IIA Standards and clearly communicate the findings to the financial institution’s Board and senior management. 

Focus on ESG and Cybersecurity 

The chief audit executive should seek inputs from the Board on the governance and risk management concerns related to non-financial matters such as strategic initiatives, cyber security, health and safety, sustainability, business resilience and reputation and address them as part of the proposed internal audit plan.  

Use of Technology and Data Analytics 

As part of their due professional care, internal auditors are required to consider the efficient use of techniques, tools, and technology and the extent and timeliness of work to achieve the engagement objective. For this purpose, internal auditors may use data analysis software and technologies. 

How We Can Help