HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Professional Reference Tool

GIAS 2024 Interactive Navigator

A comprehensive, searchable guide to the Global Internal Audit Standards โ€” 5 Domains, 15 Principles, 52 Standards โ€” with plain-English summaries, practical applications, and CIA exam guidance. Developed by CTC Global.

5Domains
15Principles
52Standards
26Glossary Terms
52 Standards ยท 15 Principles ยท 5 Domains

GIAS 2024 Standards Navigator

Select any Domain, Principle, or Standard from the left panel โ€” or use the search bar above โ€” to explore the Global Internal Audit Standards with plain-English explanations, practical applications, and CIA exam tips.

Domain I Purpose of Internal Auditing
Domain II Ethics & Professionalism
Domain III Governing the Function
Domain IV Managing the Function
Domain V Performing Services
Domain I

Purpose of Internal Auditing

Domain I establishes the foundational purpose of the internal audit profession. It contains no principles or standards โ€” instead, it provides the core purpose statement that anchors everything else in the GIAS framework.

Purpose Statement
"Internal auditing strengthens the organisation's ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight."

What Internal Auditing Enhances

  • Internal auditing enhances the successful achievement of organisational objectives
  • It improves governance, risk management, and control processes
  • It strengthens decision-making and oversight at the board level
  • It builds reputation and credibility with stakeholders
  • It is most effective when performed by competent, independent professionals in conformance with GIAS
CIA Exam Note

CIA Part I candidates must understand the purpose statement precisely. The phrase 'assurance, advice, insight, and foresight' reflects the expanded value proposition in GIAS 2024 compared to earlier standards.

Domain II

Ethics and Professionalism

Domain II replaces the former IIA Code of Ethics and establishes the behavioural expectations for all internal auditors. These principles and standards apply to every individual providing internal audit services โ€” from staff auditors to the CAE.

Principle 1Domain II: Ethics and Professionalism

Demonstrate Integrity

Internal auditors must demonstrate integrity in all their work and professional behaviour. Integrity is the foundation of every other ethical principle โ€” without it, trust in the profession cannot exist.

Standard 1.1Domain II › Principle 1: Demonstrate Integrity

Honesty and Professional Courage

All Internal Auditors CAE

Internal auditors must perform their work with honesty and professional courage. They must be truthful, accurate, clear, open, and respectful in all communications โ€” including when expressing disagreement or scepticism. They must not make false, misleading, or deceptive statements and must disclose all material facts known to them.

Key Requirements

  • Perform work with honesty and professional courage
  • Be truthful, accurate, clear, open, and respectful in all professional relationships
  • Never make false, misleading, or deceptive statements
  • Disclose all material facts that could affect informed decision-making
  • CAEs must create an environment where auditors feel supported in reporting unfavourable findings
Practical Application

Professional courage is required when audit findings are unwelcome. An auditor who softens or omits significant findings to avoid conflict with management is in breach of this standard.

CIA Exam Tip

Questions often present scenarios where an auditor faces pressure to modify findings. The correct answer almost always involves maintaining honesty and disclosing the finding as observed.

Standard 1.2Domain II › Principle 1: Demonstrate Integrity

Organisation's Ethical Expectations

All Internal Auditors CAE

Internal auditors must understand the ethical expectations of their organisation and act in a manner consistent with those expectations, while still conforming with GIAS. When organisational ethical expectations conflict with GIAS, GIAS takes precedence.

Key Requirements

  • Understand the organisation's ethical expectations and culture
  • Act consistently with those expectations where they do not conflict with GIAS
  • Where organisational expectations are lower than GIAS, GIAS requirements prevail
  • CAEs must promote an ethical culture within the internal audit function
Practical Application

Internal auditors working in organisations with weak ethical cultures must maintain their own professional standards regardless. The existence of organisational misconduct does not excuse auditor non-conformance.

CIA Exam Tip

Remember that GIAS requirements always take precedence over organisational codes of conduct when there is a conflict. This is a frequently tested principle.

Standard 1.3Domain II › Principle 1: Demonstrate Integrity

Legal and Ethical Behavior

All Internal Auditors CAE

Internal auditors must comply with applicable laws and regulations and behave ethically in all professional activities. They must not participate in or facilitate illegal or unethical acts and must report suspected violations through appropriate channels.

Key Requirements

  • Comply with all applicable laws and regulations
  • Behave ethically in all professional activities
  • Refrain from participating in or facilitating illegal or unethical acts
  • Report suspected violations through appropriate channels
  • Protect confidential information while fulfilling disclosure obligations
Practical Application

If an internal auditor discovers evidence of illegal activity during an engagement, this standard โ€” combined with confidentiality obligations โ€” creates a tension that requires careful professional judgement and consultation with the CAE and legal counsel.

CIA Exam Tip

Understand the difference between an auditor's obligation to report violations internally vs. externally. Externally mandated reporting (e.g., to regulators) overrides internal confidentiality.

Principle 2Domain II: Ethics and Professionalism

Maintain Objectivity

Internal auditors must maintain an impartial and unbiased mental attitude in all professional activities. Objectivity is both a personal responsibility and a functional requirement โ€” impairments must be identified, managed, and disclosed.

Standard 2.1Domain II › Principle 2: Maintain Objectivity

Individual Objectivity

All Internal Auditors

Individual internal auditors must maintain objectivity when performing their work. They must not subordinate their professional judgement to others, and must avoid situations that could compromise or appear to compromise their impartial assessment.

Key Requirements

  • Maintain an impartial, unbiased mental attitude in all work
  • Make professional judgements without undue influence from others
  • Avoid situations that create or appear to create conflicts of interest
  • Assess all relevant conditions fairly and without favouritism
  • Not allow personal relationships to bias professional judgements
Practical Application

An internal auditor asked to audit a process they previously managed, or a department led by a close personal friend, has an objectivity impairment that must be disclosed regardless of their confidence in their own impartiality.

CIA Exam Tip

Objectivity is a mental attitude โ€” independence is an organisational condition. Both are required but they are distinct concepts. Knowing the difference is critical for CIA Part I.

Standard 2.2Domain II › Principle 2: Maintain Objectivity

Safeguarding Objectivity

CAE

The CAE must establish safeguards to protect the objectivity of the internal audit function. These include structural measures such as rotation policies, restrictions on auditing recently managed areas, and cooling-off periods.

Key Requirements

  • CAE must establish policies and procedures to safeguard objectivity
  • Implement cooling-off periods before auditing areas where auditors previously worked
  • Consider rotation of audit assignments to prevent over-familiarity
  • Restrict internal auditors from auditing activities they have recently performed
  • Document objectivity safeguards in the internal audit methodology
Practical Application

A common safeguard is a one-year or two-year cooling-off period before an auditor can audit an area they previously managed. The CAE must define and enforce this policy consistently.

CIA Exam Tip

The standard requires the CAE to proactively safeguard objectivity โ€” not just respond to identified impairments. This is an ongoing structural responsibility, not a reactive one.

Standard 2.3Domain II › Principle 2: Maintain Objectivity

Disclosing Impairments to Objectivity

All Internal Auditors CAE

Internal auditors must disclose any impairments to objectivity โ€” real or perceived โ€” to the CAE. The CAE must disclose function-level impairments to the board. Disclosure does not eliminate the impairment; reassignment may be necessary.

Key Requirements

  • Disclose any real or perceived objectivity impairments to the CAE promptly
  • CAE must disclose function-level impairments to the board
  • Document all disclosed impairments and the actions taken
  • Consider reassignment of the affected auditor when disclosure alone is insufficient
  • Impairments must be disclosed even when the auditor believes they can remain objective
Practical Application

The appearance of impairment is as damaging as actual impairment to the audit function's credibility. Even if an auditor is genuinely objective, if stakeholders reasonably perceive bias, the engagement result loses credibility.

CIA Exam Tip

Disclosure of impairment does not automatically mean the auditor is removed from the engagement โ€” the CAE makes that determination. But non-disclosure is a clear standards violation.

Principle 3Domain II: Ethics and Professionalism

Demonstrate Competency

Internal auditors must possess and apply the knowledge, skills, and abilities required to perform their responsibilities effectively. Competency is both an individual and a functional obligation โ€” the CAE must ensure the overall function has adequate collective capability.

Standard 3.1Domain II › Principle 3: Demonstrate Competency

Competency

All Internal Auditors CAE

Internal auditors must possess the knowledge, skills, and abilities needed to fulfil their individual responsibilities. The CAE must ensure that the collective competencies of the internal audit function are sufficient to perform the planned internal audit services.

Key Requirements

  • Possess knowledge, skills, and abilities appropriate to individual responsibilities
  • Apply competencies effectively in each engagement
  • Decline or seek assistance for work that exceeds individual competency
  • CAE must assess and ensure collective function competency
  • Obtain external expertise when internal competency is insufficient
  • Maintain competency through ongoing professional development
Practical Application

A generalist auditor assigned to a complex cybersecurity audit without adequate technical knowledge must either obtain specialist assistance or the scope must be adjusted. Proceeding without adequate competency violates this standard.

CIA Exam Tip

Competency is assessed at two levels: individual (can this auditor do this work?) and functional (does the audit function collectively have what it needs?). The CAE is responsible for both levels.

Standard 3.2Domain II › Principle 3: Demonstrate Competency

Continuing Professional Development

All Internal Auditors CAE

Internal auditors must maintain and enhance their knowledge, skills, and abilities through ongoing continuing professional development. The CAE must support CPD opportunities for all members of the internal audit function.

Key Requirements

  • Maintain and continuously develop professional knowledge and skills
  • Participate in continuing professional education relevant to responsibilities
  • Stay current with evolving standards, regulations, and best practices
  • CAE must provide CPD opportunities for the internal audit team
  • Document CPD activities as evidence of conformance
Practical Application

The CIA designation requires 40 hours of CPE annually. GIAS 2024 elevates CPD from a certification requirement to a standards obligation for all internal auditors, whether certified or not.

CIA Exam Tip

CPD is mandatory under GIAS 2024 โ€” not optional. Questions may present scenarios where resource constraints are used as justification for skipping CPD. The correct answer maintains the CPD obligation.

Principle 4Domain II: Ethics and Professionalism

Exercise Due Professional Care

Internal auditors must apply the care, skill, and diligence that a reasonably prudent and competent internal auditor would exercise in similar circumstances. Due care does not require perfection, but it does require rigorous professional judgement.

Standard 4.1Domain II › Principle 4: Exercise Due Professional Care

Conformance with the Global Internal Audit Standards

All Internal Auditors CAE

Internal auditors must conform with GIAS. Where full conformance is not possible, alternative actions must be implemented to achieve the intent of the relevant standard, and the deviation must be documented and disclosed appropriately.

Key Requirements

  • Conform with all applicable GIAS requirements
  • Where full conformance is not possible, implement alternative actions to achieve standard intent
  • Document and disclose any deviations with rationale and alternative actions taken
  • CAE is accountable for the function's overall conformance
  • Communicate non-conformance to the board when it affects overall scope or operation
Practical Application

A small audit function that cannot conduct a full external quality assessment due to resource constraints must implement alternative measures (such as peer review) and document the deviation. Silence about non-conformance is not acceptable.

CIA Exam Tip

GIAS acknowledges that full conformance is not always possible โ€” particularly for small functions and public sector organisations. The key is documentation, disclosure, and achieving the intent through alternative means.

Standard 4.2Domain II › Principle 4: Exercise Due Professional Care

Due Professional Care

All Internal Auditors

Internal auditors must exercise due professional care in performing all aspects of internal audit work, including planning, fieldwork, and communication. Due care is the application of skill and diligence that a reasonably prudent and competent professional would apply in similar circumstances.

Key Requirements

  • Apply the care and skill expected of a reasonably prudent, competent internal auditor
  • Consider the adequacy of engagement scope relative to the risk being assessed
  • Evaluate the sufficiency and reliability of evidence gathered
  • Consider the cost of assurance relative to the potential benefits
  • Document the basis for professional judgements made during engagements
Practical Application

Due care does not mean an auditor must find every possible issue โ€” it means they must apply the level of diligence that a competent professional would reasonably apply. Missing an issue is not automatically a violation; applying insufficient procedures is.

CIA Exam Tip

Due professional care is tested through scenarios where auditors must decide how much evidence is enough, whether a scope is adequate, or how to document judgements. The 'reasonably prudent auditor' is the benchmark.

Standard 4.3Domain II › Principle 4: Exercise Due Professional Care

Professional Skepticism

All Internal Auditors

Internal auditors must exercise professional scepticism โ€” a questioning mindset that critically assesses information, challenges assumptions, and remains alert to the possibility of fraud, error, and misrepresentation throughout the engagement.

Key Requirements

  • Maintain a questioning mindset throughout all phases of an engagement
  • Critically evaluate the reliability and sufficiency of information obtained
  • Remain alert to conditions that may indicate fraud, misrepresentation, or error
  • Challenge assumptions rather than accepting explanations at face value
  • Document the application of professional scepticism in workpapers
Practical Application

Professional scepticism does not mean assuming management is dishonest โ€” it means not assuming they are automatically correct either. When management explanations are plausible but unverified, scepticism requires the auditor to seek corroborating evidence.

CIA Exam Tip

GIAS 2024 elevates professional scepticism to its own standard, reflecting its importance in modern audit practice. Expect exam questions testing the difference between appropriate scepticism and unwarranted suspicion.

Principle 5Domain II: Ethics and Professionalism

Maintain Confidentiality

Internal auditors must protect the information they acquire in the course of their work and must not use or disclose it in ways that are contrary to the organisation's interests, applicable law, or professional standards.

Standard 5.1Domain II › Principle 5: Maintain Confidentiality

Use of Information

All Internal Auditors

Internal auditors must use information obtained during an engagement only for purposes related to that engagement or other legitimate internal audit purposes. Information must not be used for personal benefit or in ways that are contrary to law or the organisation's interests.

Key Requirements

  • Use engagement information only for legitimate internal audit purposes
  • Never use confidential information for personal gain
  • Never use information in ways that harm the organisation or third parties
  • Share engagement information only with those who have a legitimate need
  • Respect legal and regulatory restrictions on information use
Practical Application

An internal auditor who shares sensitive financial information learned during an engagement with a family member who then trades on it has violated this standard โ€” and likely committed a criminal offence. The standard applies even after the auditor leaves the organisation.

CIA Exam Tip

Information obtained during an audit engagement remains confidential even after the engagement ends. The obligation persists beyond employment. This is a commonly tested point.

Standard 5.2Domain II › Principle 5: Maintain Confidentiality

Protection of Information

All Internal Auditors CAE

Internal auditors must protect information from unauthorised access, disclosure, or misuse. The CAE must establish policies and procedures to protect the confidentiality and security of the information held by the internal audit function.

Key Requirements

  • Protect information from unauthorised access, disclosure, loss, or theft
  • Handle sensitive documents and data with appropriate security controls
  • CAE must establish information protection policies for the audit function
  • Ensure workpapers and engagement records are stored securely
  • Dispose of confidential information in a secure manner when no longer needed
Practical Application

In digital work environments, information protection includes secure access controls on audit software, encrypted transmission of sensitive documents, and clear policies on remote working with confidential data.

CIA Exam Tip

The obligation to protect information applies to all formats โ€” paper documents, electronic workpapers, verbal discussions, and digital communications. No format is exempt.

Domain III

Governing the Internal Audit Function

Domain III describes the governance responsibilities of the board over the internal audit function. GIAS 2024 significantly strengthened this domain, placing explicit obligations on the board โ€” not just the CAE โ€” to ensure the function is properly authorised, positioned, and overseen.

Principle 6Domain III: Governing the Internal Audit Function

Authorized by the Board

The internal audit function must be formally authorised by the board with a mandate that gives it the authority, access, and resources needed to perform its work effectively.

Standard 6.1Domain III › Principle 6: Authorized by the Board

Internal Audit Mandate

Board CAE

The board must formally establish the internal audit function with a mandate that defines its purpose, authority, and responsibility. The mandate must be consistent with the GIAS purpose statement and give the function unrestricted access to records, personnel, and property.

Key Requirements

  • Board must formally establish and maintain the internal audit function
  • Mandate must define purpose, authority, and responsibilities
  • Grant unrestricted access to records, personnel, and physical property
  • Mandate must be consistent with the GIAS purpose statement
  • The board must periodically review and reaffirm the mandate
Practical Application

If the CAE is denied access to certain records or areas by senior management, the mandate should give the board the information needed to intervene and enforce the function's access rights.

CIA Exam Tip

The mandate is the board's document โ€” not the CAE's. It is established by the board, not simply approved by them. This is a key distinction in GIAS 2024 versus earlier standards.

Standard 6.2Domain III › Principle 6: Authorized by the Board

Internal Audit Charter

CAE Board

The CAE must develop and maintain an internal audit charter that documents the internal audit function's purpose, authority, responsibility, accountability, and position within the organisation. The board must approve the charter.

Key Requirements

  • CAE must develop and maintain a written internal audit charter
  • Charter must document purpose, authority, responsibility, and accountability
  • Charter must describe the function's position and reporting relationships
  • Board must approve the charter
  • Charter must be reviewed and updated at least annually or when significant changes occur
  • Charter must reference conformance with GIAS
Practical Application

The charter is the operational document that flows from the mandate. While the mandate establishes the function's existence and authority, the charter defines how it operates. Both are required under GIAS 2024.

CIA Exam Tip

The charter must be board-approved โ€” not simply acknowledged. Updates also require board approval. Exam questions frequently test who approves versus who maintains the charter.

Standard 6.3Domain III › Principle 6: Authorized by the Board

Board and Senior Management Support

Board Senior Management CAE

The board and senior management must demonstrate active support for the internal audit function. This includes providing adequate resources, maintaining the function's independence, and taking appropriate action on audit findings and recommendations.

Key Requirements

  • Board and senior management must provide active, visible support for internal audit
  • Support includes adequate funding, staffing, and access to resources
  • Management must respond to audit findings and recommendations in a timely manner
  • Board must protect the function's independence from management interference
  • CAE must communicate resource constraints that affect the function's ability to conform with GIAS
Practical Application

Active support means more than formal approval โ€” it means management responding to findings, not obstructing access, and the board holding management accountable for corrective actions. Passive tolerance of internal audit is not sufficient.

CIA Exam Tip

This standard makes board and senior management support an explicit GIAS requirement โ€” not just a best practice. If support is absent, the CAE has an obligation to communicate the impact to the board.

Principle 7Domain III: Governing the Internal Audit Function

Positioned Independently

The internal audit function must be positioned within the organisation to allow it to perform its work without undue influence or interference. Organisational independence is the structural foundation of the function's credibility.

Standard 7.1Domain III › Principle 7: Positioned Independently

Organizational Independence

CAE Board

The CAE must report functionally to the board and administratively to a level of senior management that allows the internal audit function to fulfil its responsibilities without interference. The board must approve the CAE's appointment and removal.

Key Requirements

  • CAE must report functionally to the board โ€” not to management
  • Administrative reporting must be at a level that does not impair independence
  • Board must approve the CAE's appointment, removal, and remuneration
  • CAE must have direct, unrestricted access to the board
  • Function must be free from management interference in its work
  • Independence impairments must be disclosed to the board
Practical Application

A CAE who reports functionally to the CFO โ€” rather than to the audit committee โ€” has a structural independence impairment. Even if the relationship is professional, the structural position creates the appearance of dependence on the finance function.

CIA Exam Tip

Functional reporting is to the board; administrative reporting can be to senior management. This dual reporting structure is a core GIAS concept. Independence impairments require disclosure โ€” not just management.

Standard 7.2Domain III › Principle 7: Positioned Independently

Chief Audit Executive Qualifications

CAE Board

The CAE must possess the knowledge, skills, and abilities necessary to effectively manage all aspects of the internal audit function. The board is responsible for ensuring the CAE has appropriate qualifications.

Key Requirements

  • CAE must have qualifications appropriate to effectively lead the internal audit function
  • Qualifications include relevant knowledge, experience, and professional credentials
  • Board is responsible for assessing and confirming CAE qualifications
  • CAE must maintain qualifications through ongoing professional development
  • Gaps in CAE qualifications must be supplemented by appropriate team competencies
Practical Application

The board โ€” not management โ€” is responsible for evaluating the CAE's qualifications. This is a significant governance responsibility that many boards historically delegated to management, but which GIAS 2024 explicitly assigns to the board.

CIA Exam Tip

CAE qualifications are a board responsibility under GIAS 2024, not just an HR matter. The board must actively assess whether the CAE has the right capabilities โ€” not simply accept management's recommendation.

Principle 8Domain III: Governing the Internal Audit Function

Overseen by the Board

The board must provide active, ongoing oversight of the internal audit function โ€” including its resources, quality, and conformance with GIAS. This oversight cannot be delegated to management.

Standard 8.1Domain III › Principle 8: Overseen by the Board

Board Interaction

Board CAE

The board must interact regularly and directly with the CAE to provide oversight, direction, and support. This includes private meetings without management present, review of the audit plan and results, and action on significant audit findings.

Key Requirements

  • Board must meet regularly and directly with the CAE
  • Meetings must include private sessions without management present
  • Board must review and approve the internal audit plan
  • Board must act on significant audit findings and risks escalated by the CAE
  • Board must assess and discuss the CAE's performance
  • CAE must have the ability to escalate concerns directly to the board
Practical Application

Private sessions between the CAE and the audit committee โ€” without management present โ€” are one of the most important mechanisms for maintaining the function's independence. Without them, the CAE cannot safely share concerns about management.

CIA Exam Tip

Private sessions with the CAE are not optional under GIAS 2024 โ€” they are a board requirement. The frequency and structure of these sessions is a common exam scenario.

Standard 8.2Domain III › Principle 8: Overseen by the Board

Resources

Board CAE

The board must ensure that the internal audit function has adequate funding, staffing, and other resources to carry out its responsibilities effectively and in conformance with GIAS.

Key Requirements

  • Board must ensure adequate resources for the internal audit function
  • Resources include financial, human, and technological capabilities
  • CAE must communicate resource needs and constraints to the board
  • Board must act when resource constraints impair the function's ability to conform with GIAS
  • Board approval is required for the internal audit budget
Practical Application

If the CAE believes the audit function is under-resourced relative to the audit universe and risk profile, the obligation is to communicate this to the board โ€” not to silently prioritise. The board must then decide whether to increase resources or accept the coverage limitation.

CIA Exam Tip

Resource adequacy is a board responsibility โ€” the board must ensure adequate resources, not simply accept whatever management proposes. The CAE must proactively communicate resource needs and gaps.

Standard 8.3Domain III › Principle 8: Overseen by the Board

Quality

Board CAE

The board must oversee the quality assurance and improvement programme (QAIP) of the internal audit function. This includes reviewing the results of both internal and external quality assessments.

Key Requirements

  • Board must oversee the QAIP of the internal audit function
  • Board must review the results of internal quality assessments
  • Board must ensure external quality assessments are conducted as required
  • Board must act on quality assessment findings that indicate conformance gaps
  • CAE must report QAIP results and conformance status to the board
Practical Application

The board's oversight of quality is active โ€” not passive receipt of quality reports. The board must understand what the QAIP found, whether the function is conforming with GIAS, and what action is being taken on gaps.

CIA Exam Tip

Quality oversight is a board responsibility under GIAS 2024. The CAE runs the QAIP, but the board is accountable for ensuring it functions effectively. This is a new and strengthened element in the 2024 update.

Standard 8.4Domain III › Principle 8: Overseen by the Board

External Quality Assessment

CAE Board

The internal audit function must have an external quality assessment (EQA) conducted by a qualified, independent assessor at least once every five years. The CAE must communicate the results to the board, and the board must act on significant findings.

Key Requirements

  • External quality assessment must be conducted at least every five years
  • Assessor must be qualified and independent of the organisation
  • CAE must communicate EQA results โ€” including conformance rating โ€” to board and senior management
  • Conformance rating must be disclosed (Generally Conforms, Partially Conforms, or Does Not Conform)
  • Board must review and act on EQA findings
  • Self-assessment with independent validation may substitute for a full EQA in certain circumstances
Practical Application

The three conformance ratings have real implications. 'Does Not Conform' requires significant corrective action and broader disclosure. 'Partially Conforms' identifies specific gaps. 'Generally Conforms' is the target but does not mean perfection.

CIA Exam Tip

The five-year EQA cycle is mandatory, not advisory. Exam questions frequently test the conformance rating levels, disclosure requirements, and who conducts the EQA (independent of the organisation โ€” not just the internal audit function).

Domain IV

Managing the Internal Audit Function

Domain IV covers the CAE's responsibilities for managing the internal audit function โ€” strategic planning, resource management, stakeholder communication, and quality. These standards apply primarily to the CAE and internal audit management.

Principle 9Domain IV: Managing the Internal Audit Function

Plan Strategically

The CAE must develop and maintain a strategic approach to internal auditing that aligns with the organisation's objectives, risk profile, and governance structure. Strategic planning is the foundation of a risk-based, value-adding audit function.

Standard 9.1Domain IV › Principle 9: Plan Strategically

Understanding Governance, Risk Management, and Control Processes

CAE

The CAE must develop and maintain an understanding of the organisation's governance, risk management, and control processes sufficient to plan and prioritise internal audit services effectively.

Key Requirements

  • Develop and maintain understanding of the organisation's governance structure
  • Understand the organisation's risk management framework and risk profile
  • Understand key control processes and their design and effectiveness
  • Use this understanding to inform audit planning and prioritisation
  • Update understanding continuously as the organisation and its environment change
Practical Application

A CAE who builds the audit plan without understanding what management considers its top risks will miss the most significant audit opportunities. This standard requires active engagement with governance, risk, and control stakeholders โ€” not just review of documentation.

CIA Exam Tip

This standard establishes the information foundation for risk-based audit planning. Exam questions test whether the CAE understands where to get this information (board, management, risk function) and how to use it.

Standard 9.2Domain IV › Principle 9: Plan Strategically

Internal Audit Strategy

CAE

The CAE must develop a long-term internal audit strategy that describes how the function will achieve its purpose and fulfil the mandate over multiple years, aligned with the organisation's strategic direction.

Key Requirements

  • Develop a multi-year internal audit strategy aligned with organisational strategy
  • Strategy must describe how the function will fulfil its purpose and mandate
  • Consider the organisation's long-term risks and strategic priorities
  • Communicate the strategy to the board for input and approval
  • Review and update the strategy regularly as the organisation's environment evolves
Practical Application

An internal audit strategy document is different from an annual audit plan. The strategy is a multi-year directional document โ€” covering capability development, technology, staffing, and coverage priorities over three to five years. The annual plan executes the strategy.

CIA Exam Tip

GIAS 2024 requires a formal internal audit strategy โ€” not just an annual plan. This is a new and frequently tested element of the updated standards.

Standard 9.3Domain IV › Principle 9: Plan Strategically

Methodologies

CAE

The CAE must develop and maintain methodologies for conducting internal audit services. These methodologies provide the framework for consistent, quality-driven execution of audit work across all engagements.

Key Requirements

  • Develop and maintain documented methodologies for all types of internal audit services
  • Methodologies must be consistent with GIAS requirements
  • Cover assurance and advisory services with appropriate rigour
  • Include procedures for engagement planning, fieldwork, documentation, and communication
  • Review and update methodologies regularly to reflect evolving standards and practices
Practical Application

Methodologies are the internal playbook of the audit function โ€” they ensure consistency across different auditors, engagement types, and time periods. Without them, quality varies and conformance with GIAS cannot be reliably demonstrated.

CIA Exam Tip

Methodologies support the QAIP โ€” they are the standard against which internal assessments measure performance. A function without documented methodologies cannot meaningfully assess its own conformance.

Standard 9.4Domain IV › Principle 9: Plan Strategically

Internal Audit Plan

CAE Board

The CAE must develop a risk-based internal audit plan that prioritises internal audit services based on the organisation's risk profile. The plan must be approved by the board and communicated to senior management.

Key Requirements

  • Develop an annual (or multi-period) risk-based internal audit plan
  • Prioritise engagements based on assessed risk to the organisation's objectives
  • Include assurance and advisory services as appropriate
  • Submit the plan to the board for approval
  • Communicate the plan to senior management
  • Update the plan when significant changes in risk or organisational circumstances occur
  • Disclose coverage limitations and resource constraints that affect the plan
Practical Application

The audit plan must be genuinely risk-based โ€” not habit-based. A plan that mirrors last year's coverage without reassessing risk does not conform with this standard. The CAE must document the risk rationale for every inclusion and exclusion.

CIA Exam Tip

Board approval of the audit plan is required โ€” not just senior management acknowledgement. The plan must also address what is NOT being covered (coverage gaps) and why. This disclosure is frequently tested.

Standard 9.5Domain IV › Principle 9: Plan Strategically

Coordination and Reliance

CAE

The CAE must coordinate with other assurance and advisory providers to avoid duplication, identify gaps in coverage, and consider reliance on the work of others where appropriate and reliable.

Key Requirements

  • Coordinate internal audit activities with external auditors and other assurance providers
  • Evaluate the competency and objectivity of other providers before relying on their work
  • Consider reliance on work of the second line to optimise overall assurance coverage
  • Avoid unnecessary duplication of assurance effort
  • Document coordination arrangements and reliance decisions
  • Communicate coordination plans to the board
Practical Application

Coordination with external audit includes sharing the internal audit plan, workpapers (where appropriate), and findings to avoid duplication. Reliance on second-line work (such as compliance testing) requires assessment of that work's quality and independence.

CIA Exam Tip

Reliance on the work of others requires evaluation of competency and objectivity โ€” not just acceptance. The CAE cannot simply assume that second-line or external audit work is reliable without assessment.

Principle 10Domain IV: Managing the Internal Audit Function

Manage Resources

The CAE must effectively manage the financial, human, and technological resources of the internal audit function to ensure it can deliver the planned internal audit services with appropriate quality.

Standard 10.1Domain IV › Principle 10: Manage Resources

Financial Resource Management

CAE

The CAE must manage the internal audit function's financial resources โ€” including its budget โ€” effectively and transparently. Resource constraints that impair the function's ability to conform with GIAS must be disclosed to the board.

Key Requirements

  • Develop and manage the internal audit budget effectively
  • Seek board approval for the internal audit budget
  • Monitor actual expenditure against budget throughout the year
  • Disclose resource constraints that impair conformance with GIAS to the board
  • Advocate to the board for adequate resources when constraints exist
  • Manage co-sourcing and outsourcing arrangements within approved budgets
Practical Application

Budget management is not merely an administrative function for the CAE โ€” it is a governance matter. When the budget is insufficient to execute the risk-based audit plan, the CAE must communicate this to the board, not quietly reduce coverage.

CIA Exam Tip

The CAE advocates for the budget to the board โ€” not to senior management. Senior management may influence the budget recommendation but the board has final authority over it.

Standard 10.2Domain IV › Principle 10: Manage Resources

Human Resources Management

CAE

The CAE must manage the internal audit function's human resources effectively, ensuring adequate staffing levels, appropriate competencies, and a working environment that supports quality performance.

Key Requirements

  • Maintain adequate staffing levels to execute the approved internal audit plan
  • Ensure staff have appropriate qualifications and competencies for assigned work
  • Develop and maintain a team-level competency framework
  • Provide supervision, mentorship, and development opportunities for staff
  • Address performance issues promptly and professionally
  • Use co-sourcing or outsourcing to supplement competencies when needed
Practical Application

The CAE must actively manage the human capital of the audit function โ€” including succession planning for key roles, skills gap analysis relative to the audit plan, and structured development programmes for staff at all levels.

CIA Exam Tip

Human resource management includes the use of co-sourced or outsourced audit resources. When these are used, the CAE retains responsibility for quality oversight โ€” the responsibility cannot be outsourced.

Standard 10.3Domain IV › Principle 10: Manage Resources

Technological Resources

CAE

The CAE must identify and leverage appropriate technological resources to enhance the efficiency and effectiveness of internal audit services, including data analytics, audit management software, and other digital tools.

Key Requirements

  • Identify and use technology appropriate to the function's needs and complexity
  • Leverage data analytics to improve risk assessment and audit coverage
  • Maintain technological resources that support quality workpaper management
  • Stay current with evolving audit-relevant technologies
  • Advocate for technology resources to the board when needed
Practical Application

Technology is no longer optional in modern internal auditing. A function that still relies entirely on manual procedures when analytical tools are available is not fulfilling its obligation to apply due professional care and manage resources effectively.

CIA Exam Tip

Standard 10.3 creates an expectation that CAEs will actively pursue technology solutions โ€” not simply accept the technology status quo. Resource constraints must be disclosed to the board, not used as a permanent justification for technological inadequacy.

Principle 11Domain IV: Managing the Internal Audit Function

Communicate Effectively

The CAE must establish and maintain effective communication with the board, senior management, and other stakeholders. Communication includes ongoing relationship management as well as formal engagement reporting.

Standard 11.1Domain IV › Principle 11: Communicate Effectively

Building Relationships and Communicating with Stakeholders

CAE

The CAE must build and maintain productive relationships with the board, senior management, external auditors, and other stakeholders to support the effective delivery of internal audit services.

Key Requirements

  • Build and maintain effective relationships with key stakeholders
  • Communicate proactively with the board and senior management on emerging risks
  • Coordinate regularly with external auditors and other assurance providers
  • Understand stakeholder expectations and incorporate them into audit planning
  • Maintain independence while building collaborative relationships
Practical Application

Effective stakeholder relationships are the intelligence network of the internal audit function. CAEs who meet only during formal audit reporting cycles miss the informal signals about emerging risks and management concerns that inform the most valuable audit work.

CIA Exam Tip

Relationship building must not compromise independence. A CAE who becomes so aligned with management that they lose the ability to report critical findings objectively has crossed the line from relationship management to independence impairment.

Standard 11.2Domain IV › Principle 11: Communicate Effectively

Effective Communication

All Internal Auditors CAE

All internal audit communications โ€” verbal and written โ€” must be clear, concise, complete, constructive, timely, and accurate. They must be tailored to the audience and must clearly convey the significance of issues identified.

Key Requirements

  • Communications must be clear, concise, complete, constructive, and timely
  • Tailor communication style and content to the intended audience
  • Clearly convey the significance and risk implications of findings
  • Ensure all communications are accurate and not misleading
  • Verbal communications of significance must be confirmed in writing
Practical Application

A technically correct audit report written in impenetrable audit jargon that the board cannot understand has failed this standard. Effective communication means the message was received and understood โ€” not just transmitted.

CIA Exam Tip

The word 'constructive' in effective communication is important โ€” findings must be communicated in a way that helps management address the issue, not simply criticise. The framing of recommendations matters as much as their content.

Standard 11.3Domain IV › Principle 11: Communicate Effectively

Communicating Results

CAE

The CAE must communicate the results of internal audit engagements โ€” including significant findings, conclusions, and recommendations โ€” to appropriate stakeholders in a timely manner.

Key Requirements

  • Communicate engagement results to appropriate stakeholders in a timely manner
  • Distribute final engagement communications to those who can act on them
  • Significant findings must be communicated to the board as appropriate
  • Include management responses to findings in final communications
  • Maintain a record of all engagement communications
Practical Application

Timely communication is not simply speed โ€” it is ensuring that results reach decision-makers when they can still act. A report issued six months after fieldwork is complete may be technically compliant but practically valueless.

CIA Exam Tip

The standard requires distribution to those who can act on the findings โ€” not just those who requested the audit. If a finding affects an area beyond the engagement scope, communication must reach the relevant decision-makers.

Standard 11.4Domain IV › Principle 11: Communicate Effectively

Errors and Omissions

CAE

If an internal audit communication contains a material error or omission, the CAE must communicate the corrected information to all parties who received the original communication as soon as practicable.

Key Requirements

  • Identify and correct material errors or omissions in audit communications
  • Communicate corrections to all parties who received the original erroneous communication
  • Determine the significance of the error or omission before communicating the correction
  • Identify the cause of the error and take corrective action to prevent recurrence
  • Document the error, correction process, and corrective actions taken
Practical Application

Discovering a factual error in a distributed audit report requires prompt correction โ€” even if the finding conclusion remains unchanged. The CAE must determine whether the error was material and, if so, issue a corrected communication to all original recipients.

CIA Exam Tip

Not all errors require formal correction communications โ€” the materiality threshold must be assessed. But when an error is significant enough to affect the reader's understanding or conclusions, correction is mandatory.

Standard 11.5Domain IV › Principle 11: Communicate Effectively

Communicating the Acceptance of Risks

CAE

When the CAE concludes that management has accepted a level of risk that exceeds the organisation's risk appetite or tolerance, this must first be discussed with senior management. If unresolved, it must be escalated to the board.

Key Requirements

  • Identify instances where management has accepted risk beyond the organisation's risk appetite
  • Discuss the concern directly with senior management first
  • If unresolved by senior management, escalate to the board
  • Document all discussions and the escalation process
  • It is not the CAE's responsibility to resolve the risk โ€” only to communicate it
Practical Application

This standard gives the CAE a specific escalation pathway for unacceptable risk acceptance. The sequence is clear: operational management โ†’ senior management โ†’ board. Bypassing steps without cause is inappropriate.

CIA Exam Tip

The CAE's role is communication, not resolution. The board decides what to do about the risk โ€” the CAE's obligation ends when the board has been informed. This distinction is frequently tested.

Principle 12Domain IV: Managing the Internal Audit Function

Enhance Quality

The CAE is responsible for the internal audit function's conformance with GIAS and for continuously improving performance. The quality assurance and improvement programme (QAIP) is the mechanism through which this responsibility is fulfilled.

Standard 12.1Domain IV › Principle 12: Enhance Quality

Internal Quality Assessment

CAE

The CAE must develop and conduct internal quality assessments to evaluate the function's conformance with GIAS and progress toward performance objectives. These must include ongoing monitoring and periodic self-assessments.

Key Requirements

  • Establish a methodology for internal quality assessment
  • Conduct ongoing monitoring of GIAS conformance and performance objectives
  • Conduct periodic self-assessments of overall function conformance
  • Develop action plans for identified non-conformance
  • Communicate internal assessment results to board and senior management
  • Document all internal quality assessment activities
Practical Application

Ongoing monitoring happens daily โ€” through supervisory reviews, workpaper sign-offs, and engagement feedback. Periodic self-assessments are scheduled, comprehensive reviews of conformance across all standards. Both are required.

CIA Exam Tip

Internal assessment has two components: ongoing monitoring (continuous) and periodic self-assessment (scheduled, comprehensive). Questions often distinguish between these two mechanisms and their different purposes.

Standard 12.2Domain IV › Principle 12: Enhance Quality

Performance Measurement

CAE

The CAE must develop performance objectives and measurement methodologies to assess the internal audit function's effectiveness and drive continuous improvement.

Key Requirements

  • Develop objectives to evaluate the internal audit function's performance
  • Consider board and senior management input when developing performance objectives
  • Develop a performance measurement methodology
  • Track and report progress toward performance objectives
  • Use performance data to identify improvement opportunities
Practical Application

Performance measurement goes beyond tracking whether engagements are completed on time and within budget. Meaningful metrics include stakeholder satisfaction, finding recurrence rates, management response quality, and the quality of audit evidence.

CIA Exam Tip

Performance objectives must reflect board and senior management input โ€” they are not set unilaterally by the CAE. This stakeholder input requirement is a key element of this standard.

Standard 12.3Domain IV › Principle 12: Enhance Quality

Oversee and Improve Engagement Performance

CAE

The CAE must ensure that each internal audit engagement is adequately supervised and that individual engagement performance is continuously monitored and improved.

Key Requirements

  • Provide adequate supervision of each internal audit engagement
  • Supervision begins at planning and continues through final communication
  • Evaluate individual auditor performance on each engagement
  • Identify and address performance gaps at the engagement level
  • Use engagement performance data to improve methodologies and training
Practical Application

Engagement supervision is not a one-time sign-off at the end of fieldwork โ€” it is a continuous process from planning through reporting. The CAE or a designated supervisor must be actively engaged throughout each engagement.

CIA Exam Tip

Supervision is a quality control mechanism โ€” it protects both audit quality and individual auditor development. Questions may test whether supervision is adequate at different stages of the engagement lifecycle.

Domain V

Performing Internal Audit Services

Domain V covers the performance of individual internal audit engagements โ€” from planning through fieldwork, documentation, and final communication. These standards apply to all internal auditors conducting engagement work.

Principle 13Domain V: Performing Internal Audit Services

Plan Engagements Effectively

Every internal audit engagement must be planned with sufficient rigour to ensure that objectives are clear, scope is appropriate, risks are assessed, and resources are adequate before fieldwork begins.

Standard 13.1Domain V › Principle 13: Plan Engagements Effectively

Engagement Communication

All Internal Auditors CAE

Internal auditors must communicate with relevant stakeholders at the outset of each engagement to confirm objectives, scope, timing, and the roles and responsibilities of all parties involved.

Key Requirements

  • Communicate engagement objectives, scope, and timing to relevant stakeholders
  • Clarify roles and responsibilities of all parties at the engagement outset
  • Discuss any access requirements or constraints with management
  • Confirm engagement communication plans with the engagement sponsor
  • Document initial stakeholder communication as part of engagement planning
Practical Application

The opening communication โ€” typically an opening meeting โ€” sets the tone for the entire engagement. It is the auditor's opportunity to establish collaboration, clarify expectations, and identify any potential access or data issues before they become problems.

CIA Exam Tip

Engagement communication is the first step in the planning process โ€” before risk assessment or work program development. It establishes the foundation for everything that follows.

Standard 13.2Domain V › Principle 13: Plan Engagements Effectively

Engagement Risk Assessment

All Internal Auditors

Internal auditors must perform a risk assessment for each engagement to identify the risks relevant to the area being audited and to determine the nature, timing, and extent of procedures to be performed.

Key Requirements

  • Perform a risk assessment for each engagement
  • Identify risks relevant to the objectives of the activity under review
  • Assess the significance and likelihood of identified risks
  • Consider the potential for fraud in the area under review
  • Use risk assessment results to determine engagement scope and procedures
  • Document the engagement risk assessment
Practical Application

The engagement risk assessment is not the same as the function-level risk assessment used for annual planning. It is a focused analysis of the specific risks within the engagement scope โ€” the foundation on which the work program is built.

CIA Exam Tip

The engagement risk assessment must explicitly consider fraud risk โ€” this is a GIAS requirement, not an optional consideration. Missing this element is a conformance gap.

Standard 13.3Domain V › Principle 13: Plan Engagements Effectively

Engagement Objectives and Scope

All Internal Auditors

Internal auditors must establish clear engagement objectives that address the risks identified in the risk assessment, and define a scope that is sufficient to achieve those objectives.

Key Requirements

  • Establish clear, specific engagement objectives
  • Objectives must address the risks identified in the engagement risk assessment
  • Define a scope that is sufficient to achieve the objectives
  • Identify the time period and organisational units covered by the scope
  • Document and communicate objectives and scope to relevant stakeholders
Practical Application

Vague objectives like 'assess the adequacy of controls over procurement' are insufficient. Objectives should specify what aspects of procurement controls will be assessed, against what criteria, and what 'adequate' means in this context.

CIA Exam Tip

Objectives and scope are distinct concepts. Objectives describe what the engagement will achieve; scope describes the boundaries within which it will operate. Both must be clearly documented.

Standard 13.4Domain V › Principle 13: Plan Engagements Effectively

Evaluation Criteria

All Internal Auditors

Internal auditors must identify and agree on the criteria against which the activity under review will be evaluated before fieldwork begins. Criteria provide the benchmark for assessing whether controls and processes are effective.

Key Requirements

  • Identify appropriate criteria for evaluating the activity under review
  • Criteria may include policies, standards, regulations, industry benchmarks, or contractual requirements
  • Discuss and agree criteria with relevant stakeholders where appropriate
  • Apply criteria consistently throughout the engagement
  • Document the criteria used in engagement workpapers
Practical Application

Without pre-established criteria, the auditor cannot determine whether observed conditions represent a deficiency. Criteria are the 'should be' against which the 'as is' (condition) is compared in each finding.

CIA Exam Tip

Criteria must be established before fieldwork โ€” not selected to justify a conclusion already reached. Criteria chosen after the fact to support a predetermined finding is a serious professional standards violation.

Standard 13.5Domain V › Principle 13: Plan Engagements Effectively

Engagement Resources

CAE All Internal Auditors

Internal auditors must ensure that each engagement is assigned the appropriate resources โ€” including personnel with the right competencies, adequate time, and necessary tools โ€” to achieve the engagement objectives.

Key Requirements

  • Assign personnel with competencies appropriate to the engagement
  • Allocate sufficient time to achieve engagement objectives with due professional care
  • Provide access to necessary tools, technology, and data for the engagement
  • Obtain specialist expertise when internal competency is insufficient
  • Document resource decisions and their rationale
Practical Application

Resource allocation is a planning decision with quality implications. Understaffed or under-skilled engagement teams will either produce inadequate work or expand timelines. Either outcome creates risk โ€” for the organisation and the audit function.

CIA Exam Tip

Engagement resources must match engagement requirements โ€” the CAE cannot assign available staff without considering whether they have the competencies the specific engagement requires.

Standard 13.6Domain V › Principle 13: Plan Engagements Effectively

Work Program

All Internal Auditors

Internal auditors must develop a written work program that describes the procedures to be performed during the engagement, aligned with the objectives, scope, risk assessment, and evaluation criteria established in planning.

Key Requirements

  • Develop a written work program for each engagement before fieldwork begins
  • Work program must align with objectives, scope, risk assessment, and criteria
  • Include specific procedures to be performed, evidence to be gathered, and analyses to be conducted
  • CAE must approve the work program before starting fieldwork
  • Update the work program during fieldwork if circumstances change and approval from CAE
Practical Application

The work program is both a planning document and a quality control tool. It ensures that fieldwork is directed at the right areas, that procedures are pre-approved by supervision, and that completeness can be assessed at the end of fieldwork.

CIA Exam Tip

Work programs must be approved before fieldwork begins โ€” not after. This is a supervision and quality requirement. Deviations from the approved work program during fieldwork must be documented and, in significant cases, re-approved.

Principle 14Domain V: Performing Internal Audit Services

Conduct Engagement Work

Internal auditors must gather sufficient, reliable evidence; perform rigorous analyses; identify and evaluate findings; develop appropriate recommendations; and reach well-supported conclusions during fieldwork.

Standard 14.1Domain V › Principle 14: Conduct Engagement Work

Gathering Information for Analyses and Evaluation

All Internal Auditors

Internal auditors must gather information that is sufficient, reliable, relevant, and useful to support engagement findings and conclusions. The nature and extent of information gathered must be commensurate with the risk and significance of the area under review.

Key Requirements

  • Gather information that is sufficient, reliable, relevant, and useful
  • Use a variety of information-gathering techniques appropriate to the engagement
  • Assess the reliability of information obtained from various sources
  • Consider the risk and significance of the area when determining the extent of information gathering
  • Document information-gathering procedures in the workpapers
Practical Application

The four qualities of evidence โ€” sufficient, reliable, relevant, and useful โ€” are the framework for assessing whether evidence gathered supports the conclusions to be drawn. An auditor must consciously evaluate evidence against all four criteria, not simply gather whatever is available.

CIA Exam Tip

Memorise the four characteristics: sufficient (enough), reliable (trustworthy), relevant (related to the objective), and useful (contributes to the conclusion). Each characteristic is independently testable.

Standard 14.2Domain V › Principle 14: Conduct Engagement Work

Analyses and Potential Engagement Findings

All Internal Auditors

Internal auditors must analyse the information gathered to identify potential findings โ€” conditions that differ from the established criteria. Analysis must be rigorous, objective, and documented.

Key Requirements

  • Perform rigorous analysis of information gathered during fieldwork
  • Compare conditions observed against established evaluation criteria
  • Identify potential findings where conditions differ from criteria
  • Consider alternative explanations before concluding a finding exists
  • Document analytical procedures and their results in workpapers
Practical Application

Analysis is not simply observation โ€” it requires comparing what is observed (condition) against what should be (criteria), understanding why any gap exists (cause), and assessing the consequences (effect). All four elements must be evaluated before a finding is confirmed.

CIA Exam Tip

The four-element finding framework โ€” condition, criteria, cause, effect โ€” is the analytical structure underpinning this standard. Questions may test whether a described finding contains all four elements.

Standard 14.3Domain V › Principle 14: Conduct Engagement Work

Evaluation of Findings

All Internal Auditors

Internal auditors must evaluate potential findings for significance and determine which ones warrant inclusion in the final engagement communication. Findings must be assessed for their root cause and business impact.

Key Requirements

  • Evaluate each potential finding for its significance and impact
  • Assess the root cause of each significant finding
  • Consider the likelihood that a condition will lead to adverse consequences
  • Determine which findings are significant enough to include in final communications
  • Document the evaluation of findings and the basis for significance determinations
Practical Application

Not every deviation from policy warrants a formal audit finding. The auditor must exercise professional judgement about what is significant enough to report โ€” weighing the risk implications, the root cause, and the potential for harm.

CIA Exam Tip

Root cause analysis is a requirement of this standard โ€” not optional. A finding that accurately describes the condition but incorrectly identifies the cause will produce a corrective action that does not resolve the underlying problem.

Standard 14.4Domain V › Principle 14: Conduct Engagement Work

Recommendations and Action Plans

All Internal Auditors

Internal auditors must develop practical, risk-focused recommendations for corrective action. Management is responsible for developing action plans in response to recommendations. Both must be clearly documented.

Key Requirements

  • Develop practical recommendations that address the root cause of each finding
  • Recommendations must be specific, actionable, and proportionate to the risk
  • Obtain management's agreement on action plans and target completion dates
  • Management is responsible for developing and implementing action plans
  • Document recommendations and management responses in engagement communications
Practical Application

Recommendations that address symptoms rather than root causes produce management actions that close findings without resolving the underlying risk. The quality of recommendations is one of the primary measures of audit value.

CIA Exam Tip

Management is responsible for the action plan โ€” not the auditor. The auditor recommends; management decides how to respond. The auditor may assess whether the proposed action plan is adequate, but cannot substitute their own plan for management's.

Standard 14.5Domain V › Principle 14: Conduct Engagement Work

Engagement Conclusions

All Internal Auditors

Internal auditors must develop an overall engagement conclusion that summarises the results of the engagement based on the evidence gathered and findings evaluated. The conclusion must be supported by the engagement work performed.

Key Requirements

  • Develop an overall engagement conclusion based on all findings and evidence
  • Conclusion must be consistent with and supported by the engagement work
  • Communicate the conclusion clearly in the final engagement communication
  • Obtain supervisory review and approval of the engagement conclusion
  • Document the basis for the conclusion in the engagement workpapers
Practical Application

The overall conclusion is a synthesis โ€” not a summary of findings. It provides the reader with an informed professional judgement about the overall state of the area audited, which may be better or worse than any individual finding suggests.

CIA Exam Tip

The engagement conclusion must be supported by the evidence โ€” it cannot be a predetermined outcome. If evidence gathered does not support the planned conclusion, the conclusion must change, not the evidence.

Standard 14.6Domain V › Principle 14: Conduct Engagement Work

Engagement Documentation

All Internal Auditors

Internal auditors must document their work in workpapers that are sufficient to support the findings, conclusions, and recommendations in the final engagement communication. Workpapers must be retained appropriately.

Key Requirements

  • Document engagement work in workpapers sufficient to support conclusions
  • Workpapers must be organised, clear, and reviewable by others
  • Include all significant evidence, analyses, and supervisory reviews
  • Obtain supervisory sign-off on completed workpapers
  • Retain workpapers in accordance with the organisation's retention policies
  • Protect workpapers from unauthorised access
Practical Application

Workpapers must support the conclusions, not just record what was done. An auditor who performed adequate procedures but documented them inadequately has failed this standard โ€” because the work cannot be reviewed, verified, or defended.

CIA Exam Tip

The test of adequate documentation is whether a competent reviewer, with no other information, could understand what was done, why it was done, and what conclusion was reached. If not, documentation is insufficient.

Principle 15Domain V: Performing Internal Audit Services

Communicate Engagement Results and Monitor Action Plans

Internal auditors must communicate the results of each engagement in a final communication and monitor management's implementation of agreed action plans.

Standard 15.1Domain V › Principle 15: Communicate Engagement Results and Monitor Action Plans

Final Engagement Communication

CAE All Internal Auditors

The CAE must issue a final written communication for each engagement that includes the objectives, scope, conclusions, findings, recommendations, and management's responses. The communication must be distributed to appropriate stakeholders.

Key Requirements

  • Issue a final written engagement communication for each engagement
  • Include objectives, scope, conclusions, significant findings, and recommendations
  • Include management's responses to findings and recommendations
  • Distribute the communication to parties who can act on the results
  • Obtain supervisory review and approval before distribution
  • Communicate results to the board when significant findings exist
Practical Application

The final communication is the primary deliverable of the engagement โ€” it is the document on which all subsequent governance action is based. Its quality determines whether the engagement's findings drive meaningful change.

CIA Exam Tip

Final communications must include management responses โ€” not just findings and recommendations. The response is management's commitment to action, and its absence or inadequacy is itself a governance concern.

Standard 15.2Domain V › Principle 15: Communicate Engagement Results and Monitor Action Plans

Confirming the Implementation of Recommendations or Action Plans

CAE

The CAE must establish a follow-up process to confirm that management has implemented agreed action plans within the agreed timeframe. Unresolved significant findings must be escalated appropriately.

Key Requirements

  • Establish a follow-up process to monitor implementation of action plans
  • Confirm that corrective actions have been implemented within agreed timeframes
  • Verify that implemented actions have effectively addressed the root cause of findings
  • Escalate unresolved significant findings to senior management and the board as appropriate
  • Document the follow-up process and its results
Practical Application

Follow-up is not simply asking management whether they have completed the action โ€” it involves independent verification that the action was implemented and was effective. A management confirmation that an action is complete is not the same as audit verification.

CIA Exam Tip

Follow-up is mandatory โ€” not optional. An audit function that issues reports and never follows up on whether findings were addressed is not conforming with GIAS. The escalation pathway for unresolved findings must be documented and consistently applied.