Global Internal Audit Standards: Are you ready for them? - Banking blog


2024 is the year of strategy and transformation for Internal Audit (IA) functions. The new Global Internal Audit Standards are an excellent opportunity to elevate IA’s value and impact.

“Are you ready to take off to the new Global Internal Audit Standards?” This is the question we asked participants in our recent Internal Audit Insights webinar. And it is a question that IA leaders and Board members should now be asking themselves. In our webinar we outlined the key changes the new standards bring to the profession and concluded that IA functions need to use the transition period in 2024 to prepare for and implement the new requirements and discuss them with their Boards. In this article we highlight the areas you should focus on now, to be ready for 2025.

The background to the challenge
After an extensive public consultation process last year the new Global Internal Audit Standards were finally published on 9 January 2024 by the Institute of Internal Auditors (IIA). The new standards will become effective in early January 2025 after a 12-month transition period. The current standards (the so-called “IPPF” of 2017) will remain applicable throughout 2024, but early adoption of the new standards is encouraged by the IIA.

More than 80% of IA functions that participated in our webinar have not yet assessed the impact of the new standards, and 75% do not yet have a budget for implementation of the new standards during 2024. We therefore repeat the IIA’s encouragement on early adoption and believe it is important for IA functions and Boards to assess the impact of the new standards sooner rather than later. The effort required to conform with the new requirements should not be underestimated.

The extent of the gaps that need bridging depends on how mature your IA function is now. But even functions with relatively few gaps will have much to do because the structure and numbering system of the new standards is completely different to that of the current IPPF.

So what is changing exactly?
• Changes to the Structure


In the illustration above you find the circle we are all familiar with: the IPPF 2017. The new Global Internal Audit Standards incorporate the five mandatory elements of the 2017 framework and the Implementation Guidance. These elements are now structured into five domains, 15 principles and 52 standards. Each standard is divided into three parts: the mandatory “Requirements” that contain the “must”-statements; the “Considerations for Implementation” that show the common and best practices that are expected though not mandatory; and, lastly, the “Examples of Evidence of Conformance”, which contains a non-exhaustive list of guidance on how to provide evidence of conformity with the requirements.

• Introduction of new Topical Requirements
An entirely new element are the “Topical Requirements” which aim to enhance the consistency and quality of internal audit services. This is an interesting broadening of focus by the standard setters, as the IIA is now adding additional mandatory requirements to be observed when conducting audits in the topical domains covered by these requirements. The Topical Requirements don’t exist yet but the intention is to introduce them soon, for example, in Cybersecurity, Sustainability and ESG, Third-party Management, and IT Governance, to name just a few.

The good news is that prior to their publication there will be a public consultation process for these requirements, and we encourage all professionals with expertise in these areas to get involved in shaping them. The existence of the new Topical Requirements, and their evolving nature, will oblige IA functions to maintain a regular monitoring process. If not, new mandatory elements could be missed.

• Main changes to the Requirements

Purpose and Strategy
One of the main points of focus for Chief Audit Executives (CAE) is certainly the requirement to define a vision for the IA function for the next 3-5 years. This should be backed up by a detailed and documented strategic plan that should align with the expectations of stakeholders and be reviewed regularly by the Board. This includes considerations of a digital strategy and the development of meaningful key performance indicators that need to be measured and reported to the Board. A survey of our webinar participants highlighted that 80% of IA functions already have a documented strategy. This is a good starting point but whether these documents are sufficiently detailed and they meet all the requirements of the new standards remains to be seen.

Strengthened CAE role and responsibilities and closer relationships with the Board
Another important change is the introduction of more requirements for Boards and, notably, promotion of recognition of the Internal Audit function in the organisation. Boards should have more frequent interaction with their CAEs and be involved in the definition of strategy and monitoring of KPIs. The new standards recommend a strong relationship, built on trust, between the CAE and the Board. The CAE in turn must demonstrate the IA function's commitment to due professional care and adequate management of its resources, and share with the Board regular insights that go beyond the mere results of the audit engagements.

Technology and Methodology
There are many other new requirements, more focused on audit delivery, the use of technology, and the way findings and recommendations are to be reported (including root cause analysis). CAEs must regularly evaluate the technology used by the IA function and pursue opportunities to improve its effectiveness and efficiency, and communicate any technology limitations to the Board and senior management.

What can you do now to be ready for 2025?
As outlined above, a lot of IA functions have yet to assess the full implications of the new standards, and their conclusions will also depend on the relative maturity of their current practices and methodology. In our view, Internal Audit Leaders and Boards should embrace this opportunity for transformational change. The standards equip you with a toolbox to shape the brand of Internal Audit and become strategic partners for your organisation's leadership.

Start by assessing your current practices and what is needed to meet the new minimum requirements and discuss your conclusions, vision and strategic objectives with the Board. Also discuss the budget that will be needed. Once you have a view on the impact, define an action plan for the implementation of any gaps you identify. And for each gap, consider how closing these gaps can improve your practices, optimise your processes, empower your people, and increase the use of technology to elevate your IA function.

If your next External Quality Assessment (EQA) is due in 2024, ask your assessor to perform the gap assessment to the new standards as part of the EQA. This can easily be combined with the assessment of conformity and will free up your own resources. If your EQA is planned for 2025, think about moving it forward to 2024, or scheduling it early in 2025, so that the assessment will still be performed against the 2017 standards, but allowing the opportunity to combine it with the assessment of the gap to the new standards.

How can Deloitte help you?
• We can perform a readiness assessment or gap assessment for the new standards.
• We can combine our EQA exercise with a gap assessment against the new standards and advise you on how to close any gaps in the most efficient way.
• We provide tailored trainings for Internal Audit functions and Boards on the new standards.
• We offer Internal Audit Strategy Lab workshops to support you with the definition of your vision and strategic plan, the definition of meaningful KPIs, the alignment to your organisation’s strategic objectives, and the elevation of your function’s impact through transformation.

Please reach out to us should you wish to discuss the opportunities the new standards may offer for your Internal Audit function. We would be pleased to guide you through the new requirements and suggest the most effective ways to bridge any gaps.

Key contact


Alexandre Buga - Partner, Audit & Assurance, Financial Services

Alexandre is the Romandie Market Leader and the lead partner for Deloitte's Audit & Assurance Financial Services and Banking practices in Switzerland. He brings a wealth of experience and a deep understanding of the financial sector and the economy and businesses in Romandie. Alexandre is an accredited audit expert, including for banks and asset managers. His career at Deloitte, starting in 1995, is marked by a strong focus on financial institutions, corporate governance, and sustainability, leading audit, assurance and advisory projects. Alexandre’s clients include regional, international, global, listed and family-controlled organisations. In his roles, Alexandre excels in navigating complex client challenges, delivering high-quality services, and driving strategic market development. His commitment to societal impact and corporate integrity ensures a holistic approach to client solutions and market growth. Alexandre's leadership fosters collaboration and innovation, positioning Deloitte as a trusted partner in the financial services industry and a key player in the dynamic Romandie market.

Email | LinkedIn 


Sandro Schönenberger - Partner, Audit & Assurance, Financial Services

Sandro acts as the deputy leader of the bank audit & assurance team of Deloitte Switzerland. He is a financial services partner supporting you as auditor or adviser in effectively managing capital, risk and reputation. Sandro brings more than 15 years of experience as auditor and advisor of international financial institutions and he is lead partner on a number of audit or regulatory remediation engagements, in particular with focus on wealth management, capital markets and family office services.

Email | LinkedIn 


Christian Jung - Director, Audit & Assurance, Financial Services

Christian is a Director in Deloitte’s Audit and Assurance practice in Switzerland. With over 16 years of experience in the financial services industry, he helps clients with internal audit services, sustainable finance, transformation of control functions, and regulatory compliance advisory for the banking, asset management and insurance sector. Christian is a Chartered Accountant with professional experience in Switzerland, the European Union, and the United Kingdom. He regularly speaks on current developments and trends and regulatory topics related to internal audit at industry conferences and events.

Email | LinkedIn 


Claire Ledrich - Senior Manager, Audit & Assurance, Financial Services

Claire is a Senior Manager within our Financial Services practice. Claire has over 15 years of experience of banking and financial industry, global investment banks and institutional securities firms, private banks, retail banks and asset managers. Prior to joining Deloitte, Claire has been working in category 3 banks in France and Switzerland in Internal Audit function and operations. Before Claire joined Deloitte, she had spent 2 years at a bank as Head of Internal Audit in France and in Switzerland where she was a member of the Risk and Audit committee. She is currently in charge of Internal Audit in Geneva for Private Banking and Trade Financing clients who have outsourced their internal audit function to Deloitte. She also supervises regulatory audits for our Private Banking clients in Geneva and supports clients on Risk Management, Compliance and Internal Control System topics.

Email | LinkedIn 


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.


!-- OneTrust Cookies Settings button start -->