
Standards and Guidance


 

The International Professional Practices Framework® (IPPF®), which organises The IIA’s authoritative body of knowledge on the professional practice of internal auditing, was updated in 2024. Three components comprise the IPPF:

  • Global Internal Audit Standards
  • Topical Requirements
  • Global Guidance

 


New Cybersecurity Topical Requirement and User Guide, Released 5 February 2025

Topical Requirements are a new, mandatory component of the International Professional Practices Framework. Depending on the results of the internal audit function’s risk assessment, internal auditors must apply Topical Requirements in conformance with the Global Internal Audit Standards when providing assurance services on the topic. Topical Requirements are recommended but not required for advisory services. Each Topical Requirement is accompanied by a user guide to help internal audit functions implement the requirements. The Topical Requirement becomes effective 12 months after it is issued.

Cybersecurity, the first Topical Requirement, was released on 5 February 2025 by IIA Global. It promotes quality and consistency when performing internal audit assessments of an organisation’s cybersecurity governance, risk management, and controls. Conformance is expected by February 2026.

Download the cybersecurity topical requirements documents now.


New Global Internal Audit Standards, Effective 9 January 2025

We are excited to share that the Global Internal Audit Standards™ are now effective. The Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. 

The Standards introduce several important elements, including essential conditions, implementation considerations, examples of conformance evidence, a focus on performance alongside conformance, a requirement for continuous improvement, and topical requirements that address specific risk areas.

At the heart of the Standards are:

  • 5 Domains
  • 15 Principles, which are broad descriptions of a related group of requirements and considerations. 
  • 52 Standards, with each standard including:
    • Requirements – mandatory practices for internal auditing, which use the word “must”.
    • Considerations for Implementation – common and preferred practices to consider when implementing the requirements, which use the words “should” and “may”.
    • Examples of Evidence of Conformance – ways to demonstrate that the requirements of the Standards have been implemented.

Overview of the Standards:

Each domain has its distinct purpose:

Domain I: Purpose of Internal Auditing: The purpose statement is intended to assist internal auditors and internal audit stakeholders in understanding and articulating the value of internal auditing.

Domain II: Ethics and Professionalism: The principles and Standards in this domain replace The IIA’s former Code of Ethics and outline the behavioural expectations for professional internal auditors, including chief audit executives, other individuals, and any entities that provide internal audit services.

Domain III: Governing the Internal Audit Function: This domain outlines the requirements for chief audit executives to work closely with the board to establish the internal audit function, position it independently, and oversee its performance. This domain also outlines senior management’s responsibilities that support the board’s responsibilities and promote strong governance of the internal audit function. This domain introduces “essential conditions” which, along with the requirements for the chief audit executive, establish a necessary foundation for an effective internal audit function.

Domain IV: Managing the Internal Audit Function: This domain covers how the chief audit executive is responsible for managing the internal audit function in accordance with the internal audit charter and the Standards. This responsibility includes strategic planning, managing resources, building relationships, communicating with stakeholders, and ensuring and enhancing the performance of the function.

Domain V: Performing Internal Audit Services: This domain covers the performance of internal audit services, incorporating engagement planning, fieldwork, developing and reporting findings, developing recommendations and/or action plans, and following up on management’s corrective actions.


Key elements to take note of:

  • Specific Guidance for Different Sectors
    • The new Standards include specific guidance tailored to the needs of public sector auditors and smaller internal audit functions, acknowledging their unique challenges and operational contexts.
  • Quality Assurance and Improvement
    • New requirements have been introduced for quality assurance and continuous improvement programmes. These enhancements are designed to ensure that internal audit functions maintain high standards and are committed to ongoing improvement.
  • Introduction of Topical Requirements - Focus on Critical Emerging Areas
    • A notable addition to the IPPF is the introduction of Topical Requirements, designed to address key global risks. The first of these, focusing on cybersecurity, is still in the feedback phase.
  • Internal Audit Strategy
    • Domain IV – Managing the Internal Audit Function requires the chief audit executive to develop an Internal Audit Strategy for the internal audit function that supports the strategic objectives and success of the organisation and aligns with the expectations of the board, senior management and other stakeholders.
  • Essential Conditions for the Board and Senior Management
    • Domain III: Governing the Internal Audit Function states that while the chief audit executive is responsible for the requirements in this domain, activities of the board and senior management are essential to the internal audit function’s ability to fulfill the Purpose of Internal Auditing. These activities are identified as “essential conditions” in each standard and establish a necessary foundation for an effective dialogue between the board, senior management, and the chief audit executive, ultimately enabling an effective internal audit function.
  • Technological Considerations
    • The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process. The chief audit executive must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency.

Available Resources

Get to Know the New Global Internal Audit Standards by watching the webinar playback here.

Visit The IIA Standards Knowledge Centre here for tools and resources to help internal auditors understand and implement the Global Internal Audit Standards.


Training Courses on Global Internal Audit Standards

We are offering two courses to assist professionals in enhancing their knowledge and skills to align with the revised International Professional Practices Framework (IPPF) and the Standards established by The Institute of Internal Auditors (IIA).

Take a look at the overview of these training courses and secure your spot now!


Navigating the Global Internal Audit Standards
Course Runs: We currently do not have the dates for the next course run. Please contact us at iia-academy@iia.org.sg to request the information.
Course Timings: 9.00am to 5.00pm
CPE Hours: 16
Find out more about the course here.

Ethically Mastering the Global Internal Audit Standards
Course Runs:  7 Feb 2025
Course Timings: 9.00am to 3.30pm
CPE Hours: 8 hours (classroom training) | 2 hours (self-study module)
Find out more about the course here.


Topics and Resources

The IIA guides the international profession of internal audit not only with Standards, but with numerous guidance resources to help internal auditors worldwide implement best practices in our ever-changing and growing field. 


Technical Support

Technical support is exclusively for our members. Members will receive support and guidance, including access to our technical guidance, bi-weekly updates and e-newsletters, plus a host of other membership benefits. IIA Singapore will attend to queries only from its members (with limited exceptions for regulatory bodies and the news media). Queries must be in writing and include the member's name, membership number and contact telephone number. Please send technical queries to iia-academy@iia.org.sg.