Standards and Guidance
The International Professional Practices Framework® (IPPF®), which organises The IIA’s authoritative body of knowledge on the professional practice of internal auditing, was updated in 2024. Three components comprise the IPPF:
New Global Internal Audit Standards, Effective 9 January 2025
Global Internal Audit Standards™ guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function.
The Standards introduce several important elements, including essential conditions, implementation considerations, examples of conformance evidence, a focus on performance alongside conformance, a requirement for continuous improvement, and topical requirements that addresses specific risk areas.
At the heart of the Standards are:
- 5 Domains
- 15 Guiding Principles - each principle is supported by Standards that contain requirements, considerations for implementation, and examples of evidence of conformance.
- 52 Standards, with each standard including:
- Requirements – mandatory practices for internal auditing and uses the word “must”.
- Considerations for Implementation – common and preferred practices to consider when implementing the requirements and uses the words “should” and “may” to specify common and preferred practices.
- Examples of Evidence of Conformance – ways to demonstrate that the requirements of the Standards have been implemented.
Overview of the Standards:
Each domain has its distinct purpose:
| Domain I: Purpose of Internal Auditing |
Assists internal auditors and internal audit stakeholders in understanding and articulating the value of internal auditing. |
| Domain II: Ethics and Professionalism |
Outlines the behavioral expectations for professional internal auditors, including chief audit executives, other individuals, and any entities that provide internal audit services. Conformance with these principles and standards instills trust in the profession of internal auditing, creates an ethical culture within the internal audit function, and provides the basis for reliance on internal auditors’ work and judgment. |
| Domain III: Governing the Internal Audit Function |
Outlines the requirements for chief audit executives to work closely with the board to establish the internal audit function, position it independently, and oversee its performance. Describes senior management’s responsibilities that support the board’s responsibilities and promote strong governance of the internal audit function. |
| Domain IV: Managing the Internal Audit Function |
The chief audit executive is responsible for managing the internal audit function in accordance with the internal audit charter and Global Internal Audit Standards. This responsibility includes strategic planning, obtaining and deploying resources, building relationships, communicating with stakeholders, and ensuring and enhancing the performance of the function. |
| Domain V: Performing Internal Audit Services |
Performing internal audit services requires internal auditors to effectively plan engagements, conduct the engagement work to develop findings and conclusions, collaborate with management to identify recommendations and/or action plans that address the findings, and communicate with management and the employees responsible for the activity under review throughout the engagement and after it closes. |
Key elements to take note of:
- Specific Guidance for Different Sectors
- The new Standards include specific guidance tailored to the needs of public sector auditors and smaller internal audit functions, acknowledging their unique challenges and operational contexts00B.
- Quality Assurance and Improvement
- New requirements have been introduced for quality assurance and continuous improvement programmes. These enhancements are designed to ensure that internal audit functions maintain high Standards and are committed to ongoing improvement00B.
- Introduction of Topical Requirements - Focus on Critical Emerging Areas
- A notable addition to the IPPF is the introduction of Topical Requirements, designed to address key global risks. The first of these, focusing on cybersecurity, is still in the feedback phase.
- Internal Audit Strategy
- Domain IV – Managing the Internal Audit Function requires the chief audit executive to develop an Internal Audit Strategy for the internal audit function that supports the strategic objectives and success of the organisation and aligns with the expectations of the board, senior management and other stakeholders.
- Essential Conditions for the Board and Senior Management
- Domain III: Governing the Internal Audit Function states that while the chief audit executive is responsible for the requirements in this domain, activities of the board and senior management are essential to the internal audit function’s ability to fulfill the Purpose of Internal Auditing. These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the board, senior management, and the chief audit executive, ultimately enabling an effective internal audit function.
- Technological Considerations
- The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process. The chief audit executive must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency.
Topical Requirements
Topical Requirements are a new, mandatory component of the International Professional Practices Framework. Depending on the results of the internal audit function’s risk assessment, internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards when providing assurance services on the topic. Topical Requirements are recommended but not required for advisory services. Each Topical Requirement is accompanied by a user guide to help internal audit functions implement the requirements. The Topical Requirement becomes effective 12 months after it is issued.
| Issued Topical Requirements | |
| Cybersecurity Issued: 5 February 2025 | Effective: 5 February 2026 |
The Cybersecurity Topical Requirement provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes. The requirements represent a minimum baseline for assessing cybersecurity in an organisation. |
| Third-Party Issued: 15 September 2025 | Effective: 15 September 2026 |
The Third-Party Topical Requirement provides a consistent, comprehensive approach to assessing the design and implementation of third-party governance, risk management, and control processes. It establishes a baseline for providing assurance services in this specific risk area. |
| Organisational Behavior Issued: 15 December 2025 | Effective: 15 December 2026 |
The Organisational behaviour Topical Requirement provides a minimum baseline and consistent, comprehensive approach to help auditors assess the design and effectiveness of control processes related to behaviour. |
Public Consultation results under review
- Organisational Resilience
Available Resources
Get to Know the Global Internal Audit Standards by watching the webinar playback here.
New IPPF Search Tool Available
Browse IPPF Global Internal Audit Standards™, Topical Requirements, Global Practice Guides, Global Technology Audit Guides®, and IIA Audit Tools here.
Training Courses on Global Internal Audit Standards
We are offering two courses to assist professionals in enhancing their knowledge and skills to align with the revised International Professional Practices Framework (IPPF) and the Standards established by The Institute of Internal Auditors (IIA).
Take a look at the overview of these training courses and secure your spot now!
Navigating the Global Internal Audit Standards
Course Dates: Fri, 10 Apr & Mon, 13 Apr 2026
Register here.
Ethically Mastering the Global Internal Audit Standards
Course Date: Mon, 27 Jul 2026
Register here.
Topics and Resources
The IIA guides the international profession of internal audit not only with Standards, but with numerous guidance resources to help internal auditors worldwide implement best practices in our ever-changing and growing field.
Technical Support
Technical support is available exclusively for our members. Members can receive support and guidance, including access to our technical guidance, bi-weekly updates and e-newletters, plus a host of other membership benefits. IIA Singapore will attend to queries only from its members (with limited exceptions for regulatory bodies and the news media). Queries shall be in writing and to include information of the member's name, membership number and contact telephone number. Please send the technical queries to iia-academy@iia.org.sg.
