The Structural Change: From Attribute and Performance to Domains
The most visible structural change in GIAS 2024 is the replacement of the two-category framework (Attribute Standards and Performance Standards) with a five-domain architecture. The domains are: Governance of the Internal Audit Function, Managing the Internal Audit Function, Required Communication and Reporting, Engagement Planning and Execution, and Performing Internal Audit Services.
This restructuring is not cosmetic. It reflects a deliberate repositioning of internal audit as a governance function rather than a technical service. Domain I's emphasis on board oversight, independence protections, and the mandate communicates clearly that the governance context of internal audit is foundational — not incidental.
The Internal Audit Mandate: A New Requirement
Standard 6.1 — Internal Audit Mandate — is one of the genuinely new elements in GIAS 2024. The mandate is a formal statement of the internal audit function's purpose, authority, and responsibilities, distinct from but complementary to the internal audit charter. The mandate must define the types of services the function provides, confirm that the function reports to the board, and establish the minimum scope of activities.
Many internal audit functions have been operating with charters that do not meet the mandate requirements. A charter describing what internal audit does is not the same as a mandate establishing what internal audit is authorised and required to do. Functions that simply relabelled their existing charter as a "mandate" without substantive revision are likely not in conformance with this Standard.
Independence: Stronger Protections and New Language
The GIAS 2024 independence requirements are more prescriptive than their predecessors. Standard 2.1 requires the CAE to be free from interference that could compromise the function's independence — including resource constraints deliberately applied to limit audit coverage. CAEs who have been operating with inadequate budgets without formally escalating this to the board may need to revisit their compliance with this standard.
The Topical Requirements: A New Category of Mandatory Standards
One of the most significant structural additions in GIAS 2024 is the introduction of Topical Requirements as a separate, mandatory category within the IPPF. These are mandatory requirements for specific risk areas — currently including Organizational Behavior, with more expected to follow. Topical Requirements sit alongside the Standards; they do not replace them.
The existence of Topical Requirements fundamentally changes how internal audit functions should think about competency planning. Proactive competency development is now a strategic necessity, not merely a professional development nicety.
Standard 9.1: Understanding Governance, Risk Management, and Control Processes
Standard 9.1 requires the CAE to evaluate the adequacy of the risk management process itself — not merely to use its outputs for audit planning. Functions that have been using management's risk register as a primary input without evaluating its quality are not meeting this standard.
Domain V: Performing Internal Audit Services
Standard 13.6, which covers work programs, now requires explicit CAE approval of work programs before fieldwork commences. The Standards require substantive review and approval, not merely a signature. Additionally, the Standards mandate an overall conclusion for each engagement — not merely a summary of findings — and this conclusion must include acknowledgment of effective controls where they exist. Audit reports consisting entirely of findings lists do not meet GIAS 2024 requirements.
The QAIP Under GIAS 2024
Standard 8.3 expands the Quality Assurance and Improvement Programme requirements substantially. The QAIP must now evaluate conformance with Topical Requirements in addition to the Standards themselves. Functions that conducted external quality assessments against the 2017 Standards should plan for their next assessment to be conducted against GIAS 2024 — the frameworks are sufficiently different that a separate assessment is warranted.
A Roadmap for Functions Not Yet Fully Conformant
Functions that have not yet completed a systematic GIAS 2024 conformance assessment should prioritise: a self-assessment against all standards with documented gap identification; review of the internal audit mandate and charter against Standard 6.1; an assessment of independence arrangements against Standard 2.1; an update to the QAIP methodology to cover Topical Requirements; and evaluation of engagement communication practices against the conclusion requirements of Standards 14.5 and 15.1.