For the first time in seven years, the Institute of Internal Auditors (IIA) has published a significant update to the International Professional Practice Framework (IPPF).

Known as the Global Internal Audit Standards (GIAS), it aims to improve and clarify both mandatory requirements and recommended guidance for the Internal Audit function, in turn improving the quality of Internal Audit across the industry. 

What are the changes?


Within the new 2024 IPPF, the GIAS is the new primary component, superseding the previous five mandatory elements of the 2017 framework. The GIAS will be further supported by the Topical Requirements and Global Guidance, which the IIA plan to release in late 2024 or early 2025. 

While additional elements have been added to the GIAS, nothing has been outright removed from the previous framework. Instead, to remove duplication across the Principles, Code of Ethics and Standards and simplify guidance, requirements have been remapped and restructured from 10 Core Principles into 15 principles split into five domains.

Essential Conditions

Several ‘Essential Conditions’ have been added to the GIAS within Domain 3 – Governing the Internal Audit Function (Principles 6 to 8). While many of these previously existed in the 2017 standard as recommendations for the Internal Audit function and key stakeholders, the guidance has now been expanded into mandatory requirements to guide effective Internal Audit oversight, alignment and operation. Some of these have been highlighted below for CAEs to discuss with the Board and assess whether any changes need to be made. These changes include:

  • 6.3 – Chief Audit Executive (CAE), Board and Senior Management Communication
    • The CAE, Board and Senior Management must communicate about any other expectations for inclusion within the Charter and support/champion the Internal Audit function throughout the organisation.
  • 7.1 – Independence of IA
    • The Board and Senior Management now have additional obligations to engage with the CAE and each other to understand any potential conflicts and discuss any safeguards.
  • 7.2 – Appointment of the CAE
    • The Board and Senior Management are required to consult each other on the appointment of a CAE, taking into consideration their qualifications, experience and competency to carry out the role.
  • 8.4 External Quality Assessment
    • An independent quality assessment is now required to be reported to the board at least once every 5 years. The independent assessment team must include at least one holder of a Certified Internal Auditor qualification.

Expanded obligations

The CAE and Internal Audit should also familiarise themselves with a number of expanded obligations outside of Domain 3. As these are based on better practices, many organisations and their Internal Audit functions may already have these in place, partially, informally or otherwise. A subset of the key changes are outlined below:

  • 3.2 Where the Internal Auditor has already achieved their professional certification, they must fulfill the requirements to maintain these certification/s. 
  • 4.3 Internal Auditors must exercise professional scepticism when performing internal audit services
  • 5.2 Internal Auditors should be aware of, understand and abide by relevant confidentiality, information security and privacy laws and manage the associated risk accordingly.
  • 9.2 The CAE must develop and implement a long-term IA strategy (3-5 years) to guide the IA function and development of the IA Plan.
  • 10.2 and 3 The CAE must ensure that the IA function is appropriately resourced by qualified internal auditors with appropriate competency and that IA is supported by appropriate technology to carry out the IA process.
  • 12.2 The CAE must establish KPIs to evaluate IA’s performance and develop action plans to address remediation of any issues or improvements to be implemented.

Advisory, consulting and assurance

While the previous framework included separate requirements for assurance and consulting services, the new GIAS now makes minimal distinction between the two and advisory engagements. 

The only exceptions to this lie in Standards 13.2, 13.4 and 14.2, which cover engagement risk assessment, evaluation criteria and engagement finding analysis respectively. Whereas previously almost a third of the standard was dedicated to requirements for consulting engagements, these have now largely been consolidated with advisory, removing significant duplication and potentially confusing or conflicting guidance. 

We’re here to help

To allow organisations time to review and implement any changes necessary because of the update GIAS, the IIA is giving 1 year for IA functions to adopt the new standard by 9 January 2025.

Grant Thornton offers a range of services that can be done individually or as part of a concerted implementation plan to help your IA function address adoption of the new standard. These include:

  • A gap analysis of your current Internal Audit function’s compliance with the new framework.
  • Development and/or implementation support for a plan to address any gaps identified.
  • Post-implementation reviews to assess any residual gaps.
  • Provision of training/workshops with your internal audit team/Board/senior management to address the changes to the framework.

For a more detailed breakdown of all the changes made please refer to the pdf linked below or reach out to one of our Risk Consulting team members.

Click here for more information

Learn more about how our Risk services can help you
Learn more about how our Risk services can help you
Visit our Risk page