A comprehensive, searchable guide to the Global Internal Audit Standards โ 5 Domains, 15 Principles, 52 Standards โ with plain-English summaries, practical applications, and CIA exam guidance. Developed by CTC Global.
Select any Domain, Principle, or Standard from the left panel โ or use the search bar above โ to explore the Global Internal Audit Standards with plain-English explanations, practical applications, and CIA exam tips.
Domain I establishes the foundational purpose of the internal audit profession. It contains no principles or standards โ instead, it provides the core purpose statement that anchors everything else in the GIAS framework.
"Internal auditing strengthens the organisation's ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight."
CIA Part I candidates must understand the purpose statement precisely. The phrase 'assurance, advice, insight, and foresight' reflects the expanded value proposition in GIAS 2024 compared to earlier standards.
Domain II replaces the former IIA Code of Ethics and establishes the behavioural expectations for all internal auditors. These principles and standards apply to every individual providing internal audit services โ from staff auditors to the CAE.
Internal auditors must demonstrate integrity in all their work and professional behaviour. Integrity is the foundation of every other ethical principle โ without it, trust in the profession cannot exist.
Internal auditors must perform their work with honesty and professional courage. They must be truthful, accurate, clear, open, and respectful in all communications โ including when expressing disagreement or scepticism. They must not make false, misleading, or deceptive statements and must disclose all material facts known to them.
Professional courage is required when audit findings are unwelcome. An auditor who softens or omits significant findings to avoid conflict with management is in breach of this standard.
Questions often present scenarios where an auditor faces pressure to modify findings. The correct answer almost always involves maintaining honesty and disclosing the finding as observed.
Internal auditors must understand the ethical expectations of their organisation and act in a manner consistent with those expectations, while still conforming with GIAS. When organisational ethical expectations conflict with GIAS, GIAS takes precedence.
Internal auditors working in organisations with weak ethical cultures must maintain their own professional standards regardless. The existence of organisational misconduct does not excuse auditor non-conformance.
Remember that GIAS requirements always take precedence over organisational codes of conduct when there is a conflict. This is a frequently tested principle.
Internal auditors must comply with applicable laws and regulations and behave ethically in all professional activities. They must not participate in or facilitate illegal or unethical acts and must report suspected violations through appropriate channels.
If an internal auditor discovers evidence of illegal activity during an engagement, this standard โ combined with confidentiality obligations โ creates a tension that requires careful professional judgement and consultation with the CAE and legal counsel.
Understand the difference between an auditor's obligation to report violations internally vs. externally. Externally mandated reporting (e.g., to regulators) overrides internal confidentiality.
Internal auditors must maintain an impartial and unbiased mental attitude in all professional activities. Objectivity is both a personal responsibility and a functional requirement โ impairments must be identified, managed, and disclosed.
Individual internal auditors must maintain objectivity when performing their work. They must not subordinate their professional judgement to others, and must avoid situations that could compromise or appear to compromise their impartial assessment.
An internal auditor asked to audit a process they previously managed, or a department led by a close personal friend, has an objectivity impairment that must be disclosed regardless of their confidence in their own impartiality.
Objectivity is a mental attitude โ independence is an organisational condition. Both are required but they are distinct concepts. Knowing the difference is critical for CIA Part I.
The CAE must establish safeguards to protect the objectivity of the internal audit function. These include structural measures such as rotation policies, restrictions on auditing recently managed areas, and cooling-off periods.
A common safeguard is a one-year or two-year cooling-off period before an auditor can audit an area they previously managed. The CAE must define and enforce this policy consistently.
The standard requires the CAE to proactively safeguard objectivity โ not just respond to identified impairments. This is an ongoing structural responsibility, not a reactive one.
Internal auditors must disclose any impairments to objectivity โ real or perceived โ to the CAE. The CAE must disclose function-level impairments to the board. Disclosure does not eliminate the impairment; reassignment may be necessary.
The appearance of impairment is as damaging as actual impairment to the audit function's credibility. Even if an auditor is genuinely objective, if stakeholders reasonably perceive bias, the engagement result loses credibility.
Disclosure of impairment does not automatically mean the auditor is removed from the engagement โ the CAE makes that determination. But non-disclosure is a clear standards violation.
Internal auditors must possess and apply the knowledge, skills, and abilities required to perform their responsibilities effectively. Competency is both an individual and a functional obligation โ the CAE must ensure the overall function has adequate collective capability.
Internal auditors must possess the knowledge, skills, and abilities needed to fulfil their individual responsibilities. The CAE must ensure that the collective competencies of the internal audit function are sufficient to perform the planned internal audit services.
A generalist auditor assigned to a complex cybersecurity audit without adequate technical knowledge must either obtain specialist assistance or the scope must be adjusted. Proceeding without adequate competency violates this standard.
Competency is assessed at two levels: individual (can this auditor do this work?) and functional (does the audit function collectively have what it needs?). The CAE is responsible for both levels.
Internal auditors must maintain and enhance their knowledge, skills, and abilities through ongoing continuing professional development. The CAE must support CPD opportunities for all members of the internal audit function.
The CIA designation requires 40 hours of CPE annually. GIAS 2024 elevates CPD from a certification requirement to a standards obligation for all internal auditors, whether certified or not.
CPD is mandatory under GIAS 2024 โ not optional. Questions may present scenarios where resource constraints are used as justification for skipping CPD. The correct answer maintains the CPD obligation.
Internal auditors must apply the care, skill, and diligence that a reasonably prudent and competent internal auditor would exercise in similar circumstances. Due care does not require perfection, but it does require rigorous professional judgement.
Internal auditors must conform with GIAS. Where full conformance is not possible, alternative actions must be implemented to achieve the intent of the relevant standard, and the deviation must be documented and disclosed appropriately.
A small audit function that cannot conduct a full external quality assessment due to resource constraints must implement alternative measures (such as peer review) and document the deviation. Silence about non-conformance is not acceptable.
GIAS acknowledges that full conformance is not always possible โ particularly for small functions and public sector organisations. The key is documentation, disclosure, and achieving the intent through alternative means.
Internal auditors must exercise due professional care in performing all aspects of internal audit work, including planning, fieldwork, and communication. Due care is the application of skill and diligence that a reasonably prudent and competent professional would apply in similar circumstances.
Due care does not mean an auditor must find every possible issue โ it means they must apply the level of diligence that a competent professional would reasonably apply. Missing an issue is not automatically a violation; applying insufficient procedures is.
Due professional care is tested through scenarios where auditors must decide how much evidence is enough, whether a scope is adequate, or how to document judgements. The 'reasonably prudent auditor' is the benchmark.
Internal auditors must exercise professional scepticism โ a questioning mindset that critically assesses information, challenges assumptions, and remains alert to the possibility of fraud, error, and misrepresentation throughout the engagement.
Professional scepticism does not mean assuming management is dishonest โ it means not assuming they are automatically correct either. When management explanations are plausible but unverified, scepticism requires the auditor to seek corroborating evidence.
GIAS 2024 elevates professional scepticism to its own standard, reflecting its importance in modern audit practice. Expect exam questions testing the difference between appropriate scepticism and unwarranted suspicion.
Internal auditors must protect the information they acquire in the course of their work and must not use or disclose it in ways that are contrary to the organisation's interests, applicable law, or professional standards.
Internal auditors must use information obtained during an engagement only for purposes related to that engagement or other legitimate internal audit purposes. Information must not be used for personal benefit or in ways that are contrary to law or the organisation's interests.
An internal auditor who shares sensitive financial information learned during an engagement with a family member who then trades on it has violated this standard โ and likely committed a criminal offence. The standard applies even after the auditor leaves the organisation.
Information obtained during an audit engagement remains confidential even after the engagement ends. The obligation persists beyond employment. This is a commonly tested point.
Internal auditors must protect information from unauthorised access, disclosure, or misuse. The CAE must establish policies and procedures to protect the confidentiality and security of the information held by the internal audit function.
In digital work environments, information protection includes secure access controls on audit software, encrypted transmission of sensitive documents, and clear policies on remote working with confidential data.
The obligation to protect information applies to all formats โ paper documents, electronic workpapers, verbal discussions, and digital communications. No format is exempt.
Domain III describes the governance responsibilities of the board over the internal audit function. GIAS 2024 significantly strengthened this domain, placing explicit obligations on the board โ not just the CAE โ to ensure the function is properly authorised, positioned, and overseen.
The internal audit function must be formally authorised by the board with a mandate that gives it the authority, access, and resources needed to perform its work effectively.
The board must formally establish the internal audit function with a mandate that defines its purpose, authority, and responsibility. The mandate must be consistent with the GIAS purpose statement and give the function unrestricted access to records, personnel, and property.
If the CAE is denied access to certain records or areas by senior management, the mandate should give the board the information needed to intervene and enforce the function's access rights.
The mandate is the board's document โ not the CAE's. It is established by the board, not simply approved by them. This is a key distinction in GIAS 2024 versus earlier standards.
The CAE must develop and maintain an internal audit charter that documents the internal audit function's purpose, authority, responsibility, accountability, and position within the organisation. The board must approve the charter.
The charter is the operational document that flows from the mandate. While the mandate establishes the function's existence and authority, the charter defines how it operates. Both are required under GIAS 2024.
The charter must be board-approved โ not simply acknowledged. Updates also require board approval. Exam questions frequently test who approves versus who maintains the charter.
The board and senior management must demonstrate active support for the internal audit function. This includes providing adequate resources, maintaining the function's independence, and taking appropriate action on audit findings and recommendations.
Active support means more than formal approval โ it means management responding to findings, not obstructing access, and the board holding management accountable for corrective actions. Passive tolerance of internal audit is not sufficient.
This standard makes board and senior management support an explicit GIAS requirement โ not just a best practice. If support is absent, the CAE has an obligation to communicate the impact to the board.
The internal audit function must be positioned within the organisation to allow it to perform its work without undue influence or interference. Organisational independence is the structural foundation of the function's credibility.
The CAE must report functionally to the board and administratively to a level of senior management that allows the internal audit function to fulfil its responsibilities without interference. The board must approve the CAE's appointment and removal.
A CAE who reports functionally to the CFO โ rather than to the audit committee โ has a structural independence impairment. Even if the relationship is professional, the structural position creates the appearance of dependence on the finance function.
Functional reporting is to the board; administrative reporting can be to senior management. This dual reporting structure is a core GIAS concept. Independence impairments require disclosure โ not just management.
The CAE must possess the knowledge, skills, and abilities necessary to effectively manage all aspects of the internal audit function. The board is responsible for ensuring the CAE has appropriate qualifications.
The board โ not management โ is responsible for evaluating the CAE's qualifications. This is a significant governance responsibility that many boards historically delegated to management, but which GIAS 2024 explicitly assigns to the board.
CAE qualifications are a board responsibility under GIAS 2024, not just an HR matter. The board must actively assess whether the CAE has the right capabilities โ not simply accept management's recommendation.
The board must provide active, ongoing oversight of the internal audit function โ including its resources, quality, and conformance with GIAS. This oversight cannot be delegated to management.
The board must interact regularly and directly with the CAE to provide oversight, direction, and support. This includes private meetings without management present, review of the audit plan and results, and action on significant audit findings.
Private sessions between the CAE and the audit committee โ without management present โ are one of the most important mechanisms for maintaining the function's independence. Without them, the CAE cannot safely share concerns about management.
Private sessions with the CAE are not optional under GIAS 2024 โ they are a board requirement. The frequency and structure of these sessions is a common exam scenario.
The board must ensure that the internal audit function has adequate funding, staffing, and other resources to carry out its responsibilities effectively and in conformance with GIAS.
If the CAE believes the audit function is under-resourced relative to the audit universe and risk profile, the obligation is to communicate this to the board โ not to silently prioritise. The board must then decide whether to increase resources or accept the coverage limitation.
Resource adequacy is a board responsibility โ the board must ensure adequate resources, not simply accept whatever management proposes. The CAE must proactively communicate resource needs and gaps.
The board must oversee the quality assurance and improvement programme (QAIP) of the internal audit function. This includes reviewing the results of both internal and external quality assessments.
The board's oversight of quality is active โ not passive receipt of quality reports. The board must understand what the QAIP found, whether the function is conforming with GIAS, and what action is being taken on gaps.
Quality oversight is a board responsibility under GIAS 2024. The CAE runs the QAIP, but the board is accountable for ensuring it functions effectively. This is a new and strengthened element in the 2024 update.
The internal audit function must have an external quality assessment (EQA) conducted by a qualified, independent assessor at least once every five years. The CAE must communicate the results to the board, and the board must act on significant findings.
The three conformance ratings have real implications. 'Does Not Conform' requires significant corrective action and broader disclosure. 'Partially Conforms' identifies specific gaps. 'Generally Conforms' is the target but does not mean perfection.
The five-year EQA cycle is mandatory, not advisory. Exam questions frequently test the conformance rating levels, disclosure requirements, and who conducts the EQA (independent of the organisation โ not just the internal audit function).
Domain IV covers the CAE's responsibilities for managing the internal audit function โ strategic planning, resource management, stakeholder communication, and quality. These standards apply primarily to the CAE and internal audit management.
The CAE must develop and maintain a strategic approach to internal auditing that aligns with the organisation's objectives, risk profile, and governance structure. Strategic planning is the foundation of a risk-based, value-adding audit function.
The CAE must develop and maintain an understanding of the organisation's governance, risk management, and control processes sufficient to plan and prioritise internal audit services effectively.
A CAE who builds the audit plan without understanding what management considers its top risks will miss the most significant audit opportunities. This standard requires active engagement with governance, risk, and control stakeholders โ not just review of documentation.
This standard establishes the information foundation for risk-based audit planning. Exam questions test whether the CAE understands where to get this information (board, management, risk function) and how to use it.
The CAE must develop a long-term internal audit strategy that describes how the function will achieve its purpose and fulfil the mandate over multiple years, aligned with the organisation's strategic direction.
An internal audit strategy document is different from an annual audit plan. The strategy is a multi-year directional document โ covering capability development, technology, staffing, and coverage priorities over three to five years. The annual plan executes the strategy.
GIAS 2024 requires a formal internal audit strategy โ not just an annual plan. This is a new and frequently tested element of the updated standards.
The CAE must develop and maintain methodologies for conducting internal audit services. These methodologies provide the framework for consistent, quality-driven execution of audit work across all engagements.
Methodologies are the internal playbook of the audit function โ they ensure consistency across different auditors, engagement types, and time periods. Without them, quality varies and conformance with GIAS cannot be reliably demonstrated.
Methodologies support the QAIP โ they are the standard against which internal assessments measure performance. A function without documented methodologies cannot meaningfully assess its own conformance.
The CAE must develop a risk-based internal audit plan that prioritises internal audit services based on the organisation's risk profile. The plan must be approved by the board and communicated to senior management.
The audit plan must be genuinely risk-based โ not habit-based. A plan that mirrors last year's coverage without reassessing risk does not conform with this standard. The CAE must document the risk rationale for every inclusion and exclusion.
Board approval of the audit plan is required โ not just senior management acknowledgement. The plan must also address what is NOT being covered (coverage gaps) and why. This disclosure is frequently tested.
The CAE must coordinate with other assurance and advisory providers to avoid duplication, identify gaps in coverage, and consider reliance on the work of others where appropriate and reliable.
Coordination with external audit includes sharing the internal audit plan, workpapers (where appropriate), and findings to avoid duplication. Reliance on second-line work (such as compliance testing) requires assessment of that work's quality and independence.
Reliance on the work of others requires evaluation of competency and objectivity โ not just acceptance. The CAE cannot simply assume that second-line or external audit work is reliable without assessment.
The CAE must effectively manage the financial, human, and technological resources of the internal audit function to ensure it can deliver the planned internal audit services with appropriate quality.
The CAE must manage the internal audit function's financial resources โ including its budget โ effectively and transparently. Resource constraints that impair the function's ability to conform with GIAS must be disclosed to the board.
Budget management is not merely an administrative function for the CAE โ it is a governance matter. When the budget is insufficient to execute the risk-based audit plan, the CAE must communicate this to the board, not quietly reduce coverage.
The CAE advocates for the budget to the board โ not to senior management. Senior management may influence the budget recommendation but the board has final authority over it.
The CAE must manage the internal audit function's human resources effectively, ensuring adequate staffing levels, appropriate competencies, and a working environment that supports quality performance.
The CAE must actively manage the human capital of the audit function โ including succession planning for key roles, skills gap analysis relative to the audit plan, and structured development programmes for staff at all levels.
Human resource management includes the use of co-sourced or outsourced audit resources. When these are used, the CAE retains responsibility for quality oversight โ the responsibility cannot be outsourced.
The CAE must identify and leverage appropriate technological resources to enhance the efficiency and effectiveness of internal audit services, including data analytics, audit management software, and other digital tools.
Technology is no longer optional in modern internal auditing. A function that still relies entirely on manual procedures when analytical tools are available is not fulfilling its obligation to apply due professional care and manage resources effectively.
Standard 10.3 creates an expectation that CAEs will actively pursue technology solutions โ not simply accept the technology status quo. Resource constraints must be disclosed to the board, not used as a permanent justification for technological inadequacy.
The CAE must establish and maintain effective communication with the board, senior management, and other stakeholders. Communication includes ongoing relationship management as well as formal engagement reporting.
The CAE must build and maintain productive relationships with the board, senior management, external auditors, and other stakeholders to support the effective delivery of internal audit services.
Effective stakeholder relationships are the intelligence network of the internal audit function. CAEs who meet only during formal audit reporting cycles miss the informal signals about emerging risks and management concerns that inform the most valuable audit work.
Relationship building must not compromise independence. A CAE who becomes so aligned with management that they lose the ability to report critical findings objectively has crossed the line from relationship management to independence impairment.
All internal audit communications โ verbal and written โ must be clear, concise, complete, constructive, timely, and accurate. They must be tailored to the audience and must clearly convey the significance of issues identified.
A technically correct audit report written in impenetrable audit jargon that the board cannot understand has failed this standard. Effective communication means the message was received and understood โ not just transmitted.
The word 'constructive' in effective communication is important โ findings must be communicated in a way that helps management address the issue, not simply criticise. The framing of recommendations matters as much as their content.
The CAE must communicate the results of internal audit engagements โ including significant findings, conclusions, and recommendations โ to appropriate stakeholders in a timely manner.
Timely communication is not simply speed โ it is ensuring that results reach decision-makers when they can still act. A report issued six months after fieldwork is complete may be technically compliant but practically valueless.
The standard requires distribution to those who can act on the findings โ not just those who requested the audit. If a finding affects an area beyond the engagement scope, communication must reach the relevant decision-makers.
If an internal audit communication contains a material error or omission, the CAE must communicate the corrected information to all parties who received the original communication as soon as practicable.
Discovering a factual error in a distributed audit report requires prompt correction โ even if the finding conclusion remains unchanged. The CAE must determine whether the error was material and, if so, issue a corrected communication to all original recipients.
Not all errors require formal correction communications โ the materiality threshold must be assessed. But when an error is significant enough to affect the reader's understanding or conclusions, correction is mandatory.
When the CAE concludes that management has accepted a level of risk that exceeds the organisation's risk appetite or tolerance, this must first be discussed with senior management. If unresolved, it must be escalated to the board.
This standard gives the CAE a specific escalation pathway for unacceptable risk acceptance. The sequence is clear: operational management โ senior management โ board. Bypassing steps without cause is inappropriate.
The CAE's role is communication, not resolution. The board decides what to do about the risk โ the CAE's obligation ends when the board has been informed. This distinction is frequently tested.
The CAE is responsible for the internal audit function's conformance with GIAS and for continuously improving performance. The quality assurance and improvement programme (QAIP) is the mechanism through which this responsibility is fulfilled.
The CAE must develop and conduct internal quality assessments to evaluate the function's conformance with GIAS and progress toward performance objectives. These must include ongoing monitoring and periodic self-assessments.
Ongoing monitoring happens daily โ through supervisory reviews, workpaper sign-offs, and engagement feedback. Periodic self-assessments are scheduled, comprehensive reviews of conformance across all standards. Both are required.
Internal assessment has two components: ongoing monitoring (continuous) and periodic self-assessment (scheduled, comprehensive). Questions often distinguish between these two mechanisms and their different purposes.
The CAE must develop performance objectives and measurement methodologies to assess the internal audit function's effectiveness and drive continuous improvement.
Performance measurement goes beyond tracking whether engagements are completed on time and within budget. Meaningful metrics include stakeholder satisfaction, finding recurrence rates, management response quality, and the quality of audit evidence.
Performance objectives must reflect board and senior management input โ they are not set unilaterally by the CAE. This stakeholder input requirement is a key element of this standard.
The CAE must ensure that each internal audit engagement is adequately supervised and that individual engagement performance is continuously monitored and improved.
Engagement supervision is not a one-time sign-off at the end of fieldwork โ it is a continuous process from planning through reporting. The CAE or a designated supervisor must be actively engaged throughout each engagement.
Supervision is a quality control mechanism โ it protects both audit quality and individual auditor development. Questions may test whether supervision is adequate at different stages of the engagement lifecycle.
Domain V covers the performance of individual internal audit engagements โ from planning through fieldwork, documentation, and final communication. These standards apply to all internal auditors conducting engagement work.
Every internal audit engagement must be planned with sufficient rigour to ensure that objectives are clear, scope is appropriate, risks are assessed, and resources are adequate before fieldwork begins.
Internal auditors must communicate with relevant stakeholders at the outset of each engagement to confirm objectives, scope, timing, and the roles and responsibilities of all parties involved.
The opening communication โ typically an opening meeting โ sets the tone for the entire engagement. It is the auditor's opportunity to establish collaboration, clarify expectations, and identify any potential access or data issues before they become problems.
Engagement communication is the first step in the planning process โ before risk assessment or work program development. It establishes the foundation for everything that follows.
Internal auditors must perform a risk assessment for each engagement to identify the risks relevant to the area being audited and to determine the nature, timing, and extent of procedures to be performed.
The engagement risk assessment is not the same as the function-level risk assessment used for annual planning. It is a focused analysis of the specific risks within the engagement scope โ the foundation on which the work program is built.
The engagement risk assessment must explicitly consider fraud risk โ this is a GIAS requirement, not an optional consideration. Missing this element is a conformance gap.
Internal auditors must establish clear engagement objectives that address the risks identified in the risk assessment, and define a scope that is sufficient to achieve those objectives.
Vague objectives like 'assess the adequacy of controls over procurement' are insufficient. Objectives should specify what aspects of procurement controls will be assessed, against what criteria, and what 'adequate' means in this context.
Objectives and scope are distinct concepts. Objectives describe what the engagement will achieve; scope describes the boundaries within which it will operate. Both must be clearly documented.
Internal auditors must identify and agree on the criteria against which the activity under review will be evaluated before fieldwork begins. Criteria provide the benchmark for assessing whether controls and processes are effective.
Without pre-established criteria, the auditor cannot determine whether observed conditions represent a deficiency. Criteria are the 'should be' against which the 'as is' (condition) is compared in each finding.
Criteria must be established before fieldwork โ not selected to justify a conclusion already reached. Criteria chosen after the fact to support a predetermined finding is a serious professional standards violation.
Internal auditors must ensure that each engagement is assigned the appropriate resources โ including personnel with the right competencies, adequate time, and necessary tools โ to achieve the engagement objectives.
Resource allocation is a planning decision with quality implications. Understaffed or under-skilled engagement teams will either produce inadequate work or expand timelines. Either outcome creates risk โ for the organisation and the audit function.
Engagement resources must match engagement requirements โ the CAE cannot assign available staff without considering whether they have the competencies the specific engagement requires.
Internal auditors must develop a written work program that describes the procedures to be performed during the engagement, aligned with the objectives, scope, risk assessment, and evaluation criteria established in planning.
The work program is both a planning document and a quality control tool. It ensures that fieldwork is directed at the right areas, that procedures are pre-approved by supervision, and that completeness can be assessed at the end of fieldwork.
Work programs must be approved before fieldwork begins โ not after. This is a supervision and quality requirement. Deviations from the approved work program during fieldwork must be documented and, in significant cases, re-approved.
Internal auditors must gather sufficient, reliable evidence; perform rigorous analyses; identify and evaluate findings; develop appropriate recommendations; and reach well-supported conclusions during fieldwork.
Internal auditors must gather information that is sufficient, reliable, relevant, and useful to support engagement findings and conclusions. The nature and extent of information gathered must be commensurate with the risk and significance of the area under review.
The four qualities of evidence โ sufficient, reliable, relevant, and useful โ are the framework for assessing whether evidence gathered supports the conclusions to be drawn. An auditor must consciously evaluate evidence against all four criteria, not simply gather whatever is available.
Memorise the four characteristics: sufficient (enough), reliable (trustworthy), relevant (related to the objective), and useful (contributes to the conclusion). Each characteristic is independently testable.
Internal auditors must analyse the information gathered to identify potential findings โ conditions that differ from the established criteria. Analysis must be rigorous, objective, and documented.
Analysis is not simply observation โ it requires comparing what is observed (condition) against what should be (criteria), understanding why any gap exists (cause), and assessing the consequences (effect). All four elements must be evaluated before a finding is confirmed.
The four-element finding framework โ condition, criteria, cause, effect โ is the analytical structure underpinning this standard. Questions may test whether a described finding contains all four elements.
Internal auditors must evaluate potential findings for significance and determine which ones warrant inclusion in the final engagement communication. Findings must be assessed for their root cause and business impact.
Not every deviation from policy warrants a formal audit finding. The auditor must exercise professional judgement about what is significant enough to report โ weighing the risk implications, the root cause, and the potential for harm.
Root cause analysis is a requirement of this standard โ not optional. A finding that accurately describes the condition but incorrectly identifies the cause will produce a corrective action that does not resolve the underlying problem.
Internal auditors must develop practical, risk-focused recommendations for corrective action. Management is responsible for developing action plans in response to recommendations. Both must be clearly documented.
Recommendations that address symptoms rather than root causes produce management actions that close findings without resolving the underlying risk. The quality of recommendations is one of the primary measures of audit value.
Management is responsible for the action plan โ not the auditor. The auditor recommends; management decides how to respond. The auditor may assess whether the proposed action plan is adequate, but cannot substitute their own plan for management's.
Internal auditors must develop an overall engagement conclusion that summarises the results of the engagement based on the evidence gathered and findings evaluated. The conclusion must be supported by the engagement work performed.
The overall conclusion is a synthesis โ not a summary of findings. It provides the reader with an informed professional judgement about the overall state of the area audited, which may be better or worse than any individual finding suggests.
The engagement conclusion must be supported by the evidence โ it cannot be a predetermined outcome. If evidence gathered does not support the planned conclusion, the conclusion must change, not the evidence.
Internal auditors must document their work in workpapers that are sufficient to support the findings, conclusions, and recommendations in the final engagement communication. Workpapers must be retained appropriately.
Workpapers must support the conclusions, not just record what was done. An auditor who performed adequate procedures but documented them inadequately has failed this standard โ because the work cannot be reviewed, verified, or defended.
The test of adequate documentation is whether a competent reviewer, with no other information, could understand what was done, why it was done, and what conclusion was reached. If not, documentation is insufficient.
Internal auditors must communicate the results of each engagement in a final communication and monitor management's implementation of agreed action plans.
The CAE must issue a final written communication for each engagement that includes the objectives, scope, conclusions, findings, recommendations, and management's responses. The communication must be distributed to appropriate stakeholders.
The final communication is the primary deliverable of the engagement โ it is the document on which all subsequent governance action is based. Its quality determines whether the engagement's findings drive meaningful change.
Final communications must include management responses โ not just findings and recommendations. The response is management's commitment to action, and its absence or inadequacy is itself a governance concern.
The CAE must establish a follow-up process to confirm that management has implemented agreed action plans within the agreed timeframe. Unresolved significant findings must be escalated appropriately.
Follow-up is not simply asking management whether they have completed the action โ it involves independent verification that the action was implemented and was effective. A management confirmation that an action is complete is not the same as audit verification.
Follow-up is mandatory โ not optional. An audit function that issues reports and never follows up on whether findings were addressed is not conforming with GIAS. The escalation pathway for unresolved findings must be documented and consistently applied.