HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Free Professional Tool — GIAS 2024

Internal Audit Quality
Assessment Tool

Assess your internal audit function’s conformance against all 52 standards across all 5 domains of the Global Internal Audit Standards 2024. Rate each standard, capture evidence, identify gaps, and generate a prioritised action plan.

52Standards
5Domains
15Principles
4Rating Levels
Ratings: FC — Full Conformance GC — Generally Conformance PC — Partially Conformance NC — Non-Conformance N/A — Not Applicable 0 / 52 rated

Assessment Navigator

Domain I

Purpose of Internal Auditing

Domain I establishes the foundational purpose of internal auditing. It contains no individual standards — instead it provides the Purpose Statement that underpins all of Domains II through V.

Purpose Statement — GIAS 2024
“Internal auditing strengthens the organisation’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”

Internal auditing enhances the organisation’s:

✓ Successful achievement of objectives
✓ Governance, risk management, and control
✓ Decision-making and oversight
✓ Reputation and credibility with stakeholders
✓ Ability to serve the public interest
Quality Assessment Note
Domain I has no individual standards and therefore no conformance ratings. Quality assessment of Domain I is embedded throughout the other four domains — particularly in how well the internal audit function fulfils its stated purpose of providing assurance, advice, insight, and foresight. Proceed to Domain II to begin your standards assessment.
When is Internal Auditing Most Effective? (GIAS 2024)
Condition 1
Performed by competent professionals in conformance with the Global Internal Audit Standards
Condition 2
Independently positioned with direct accountability to the board
Condition 3
Internal auditors are free from undue influence and committed to objective assessments
Domain II

Ethics & Professionalism

Covers the ethical and professional behavioural standards for all internal auditors — integrity, objectivity, competency, due professional care, and confidentiality.

Principle 1Demonstrate Integrity
1.1 Honesty and Professional Courage
Requirement: Internal auditors must be honest and truthful in all professional dealings and must demonstrate courage in communicating findings, conclusions, and opinions even when unpopular or challenged.
✓ What to Test / Assess
Review audit reports for instances where findings were softened or omitted due to management pressure
Interview auditors on how they handle disagreements with management on findings
Review documented instances of escalation or disagreement
Check whether significant findings were clearly stated or buried in report language
Review CAE communications with audit committee for evidence of honest reporting
■ Evidence to Request
Audit reports with clearly stated unfavourable findings
Documented escalation procedures and instances of use
Meeting minutes showing CAE presented unpopular findings
Performance evaluations assessing honesty and courage
Exit interview records referencing professional conduct
★ Performance Indicators
  • % of reports containing at least one significant finding
  • # of findings escalated to audit committee
  • Presence of documented escalation policy
Conformance Rating — Select One
1.2 Organisation's Ethical Expectations
Requirement: Internal auditors must understand and abide by the organisation's ethical expectations and applicable laws, and must communicate them to relevant parties.
✓ What to Test / Assess
Verify auditors have acknowledged the organisation's code of conduct
Check training records for ethics training completion
Review declarations of interest and conflict of interest registers
Verify processes to identify and manage ethical breaches within the audit team
Review onboarding procedures for new audit staff
■ Evidence to Request
Signed acknowledgement of code of conduct by all audit staff
Ethics training attendance records
Conflict of interest declaration forms
Documented procedures for managing ethics breaches
★ Performance Indicators
  • % of staff with current signed code of conduct acknowledgement
  • % of staff completing annual ethics training
  • # of COI declarations filed in the period
Conformance Rating — Select One
1.3 Legal and Ethical Behavior
Requirement: Internal auditors must not participate in activities that are illegal or discreditable to the profession and must report observed illegal or unethical activities through appropriate channels.
✓ What to Test / Assess
Review whistleblower and escalation policies covering audit staff
Check for any disciplinary actions or legal matters involving audit staff
Verify access to ethics hotline or reporting mechanism
Review documented instances where audit staff reported concerns
■ Evidence to Request
Whistleblower policy covering internal audit staff
Records of concerns raised and actions taken
Evidence of access to independent reporting channels
HR records confirming no material conduct issues
★ Performance Indicators
  • Existence of accessible reporting mechanism
  • # of ethics concerns raised and resolved in period
Conformance Rating — Select One
Principle 2Maintain Objectivity
2.1 Individual Objectivity
Requirement: Internal auditors must have an impartial, unbiased attitude and must avoid conflicts of interest. Each auditor must be free from undue influence and personal bias in all professional activities.
✓ What to Test / Assess
Review engagement assignment process — auditors not assigned to areas where they lack independence
Review annual independence declarations for all audit staff
Test a sample of engagements to verify auditor was not reviewing areas they previously managed
Check for any audit of areas where auditor has personal relationships or financial interests
■ Evidence to Request
Annual independence/objectivity declarations
Engagement assignment matrix showing independence verification
Documented cooling-off policy
Instances where assignments were changed due to objectivity concerns
★ Performance Indicators
  • % of staff with current annual independence declaration
  • # of reassignments due to objectivity conflicts
  • Existence of documented cooling-off policy
Conformance Rating — Select One
2.2 Safeguarding Objectivity
Requirement: The chief audit executive must establish policies and procedures to promote and safeguard the objectivity of the internal audit function. These must include cooling-off periods and post-assignment restrictions.
✓ What to Test / Assess
Review documented objectivity safeguard policies
Verify cooling-off period requirements and that they are being enforced
Check whether non-audit roles assigned to auditors have documented safeguards
Review whether auditors rotate engagements to prevent over-familiarity
■ Evidence to Request
Documented objectivity safeguard policy
Cooling-off period register
Evidence of enforcement — auditor rotation records
Internal audit manual sections on objectivity
★ Performance Indicators
  • Existence of cooling-off policy with defined periods
  • % of auditors subject to cooling-off arrangements
  • Engagement rotation frequency
Conformance Rating — Select One
2.3 Disclosing Impairments to Objectivity
Requirement: Internal auditors must disclose any actual, potential, or perceived impairments to objectivity, and the CAE must disclose such impairments to appropriate parties and establish safeguards.
✓ What to Test / Assess
Verify process for auditors to disclose objectivity impairments
Review documented instances of impairment disclosures
Check whether CAE disclosed function-level impairments to the board
Review audit engagement files for objectivity declarations
■ Evidence to Request
Impairment disclosure log
Board or audit committee minutes showing CAE disclosure of impairments
Engagement-level objectivity declarations in workpapers
Documented safeguards implemented for disclosed impairments
★ Performance Indicators
  • Existence of impairment disclosure procedure
  • # of impairments disclosed in period
  • Evidence of board notification where required
Conformance Rating — Select One
Principle 3Demonstrate Competency
3.1 Competency
Requirement: Internal auditors must possess the knowledge, skills, and competencies necessary to perform their assigned responsibilities. The CAE must ensure the function collectively possesses the competencies needed.
✓ What to Test / Assess
Review competency profiles and job descriptions for all audit staff
Assess whether the team collectively covers required competencies (audit, IT, finance, fraud, data analytics)
Review hiring and selection criteria for auditors
Test a sample of engagements against the competency required — was the right person assigned?
Review CAE's competency self-assessment
■ Evidence to Request
Competency framework for the internal audit function
Individual competency profiles and CVs
Certification records (CIA, CISA, CFE, CRMA)
Evidence of specialist co-sourcing where in-house competency was absent
★ Performance Indicators
  • % of audit staff with relevant professional certification
  • # of competency gaps identified in annual assessment
  • Co-sourcing usage for specialist areas
Conformance Rating — Select One
3.2 Continuing Professional Development
Requirement: Internal auditors must maintain and develop their competencies through continuing professional development. The CAE must establish a CPD policy and ensure auditors meet requirements.
✓ What to Test / Assess
Review CPD policy — does it set minimum hours?
Check CPD records for all audit staff against policy requirements
Verify CPD covers relevant areas — GIAS 2024, data analytics, sector risk
Review training plans and budget allocation
Assess whether CPD is formally tracked and reported
■ Evidence to Request
CPD policy with minimum hour requirements
Individual CPD logs for all audit staff
Training attendance records and certificates
CPD budget and expenditure records
CPD progress reports to CAE
★ Performance Indicators
  • % of staff meeting CPD hour requirements
  • Average CPD hours per auditor
  • % of CPD budget utilised
  • # of staff maintaining active professional certifications
Conformance Rating — Select One
Principle 4Exercise Due Professional Care
4.1 Conformance with Global Internal Audit Standards
Requirement: Internal auditors must conform with the Global Internal Audit Standards and must disclose any non-conformance that affects the quality of the engagement or the conclusions reached.
✓ What to Test / Assess
Review QAIP results for conformance assessment findings
Check whether any non-conformances have been disclosed in reports
Verify auditors are aware of and have access to current GIAS 2024
Review last external quality assessment findings
Assess whether GIAS 2024 update training has been conducted
■ Evidence to Request
GIAS 2024 training completion records
QAIP self-assessment results
External quality assessment report
Non-conformance disclosures in audit reports where applicable
Internal audit manual aligned to GIAS 2024
★ Performance Indicators
  • Date of last EQA
  • GIAS 2024 conformance rating from last assessment
  • % of staff trained on GIAS 2024
  • # of non-conformances identified and disclosed
Conformance Rating — Select One
4.2 Due Professional Care
Requirement: Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor, including appropriate audit techniques, consideration of costs and benefits, and recognition of red flags.
✓ What to Test / Assess
Review engagement files for evidence of appropriate planning and risk consideration
Test whether auditors applied appropriate sampling techniques and justified the approach
Verify fraud risk was considered in engagements covering high-risk areas
Review supervisory review documentation for evidence of quality oversight
Assess whether audit procedures were proportionate to risk
■ Evidence to Request
Engagement planning documentation showing risk assessment
Sampling methodology documentation in workpapers
Supervisory review sign-offs in workpaper files
Fraud consideration documentation in engagement plans
Post-engagement quality review results
★ Performance Indicators
  • % of engagements with documented risk assessment
  • % of engagements with supervisory review completed
  • # of quality issues identified in post-engagement reviews
Conformance Rating — Select One
4.3 Professional Skepticism
Requirement: Internal auditors must exercise professional skepticism — a questioning mind that critically assesses evidence and remains alert to conditions suggesting possible misstatement, fraud, or non-compliance.
✓ What to Test / Assess
Review workpapers for evidence of corroboration of evidence from multiple sources
Check whether auditors tested management representations against independent evidence
Assess whether fraud risk indicators were identified and followed up
Review documented instances where additional procedures were applied due to skeptical concerns
Interview auditors on their approach to evidence evaluation
■ Evidence to Request
Workpapers showing corroboration of evidence
Documented fraud risk considerations in engagements
Instances of expanded scope due to red flags identified
Training records on professional skepticism
Supervisory review comments addressing evidence quality
★ Performance Indicators
  • % of high-risk engagements with documented fraud risk considerations
  • # of engagements where scope was expanded due to skeptical concerns
  • Evidence of multi-source corroboration in workpapers
Conformance Rating — Select One
Principle 5Maintain Confidentiality
5.1 Use of Information
Requirement: Internal auditors must use information obtained during engagements only for the purposes of those engagements, unless disclosure is authorised or legally required.
✓ What to Test / Assess
Review policies governing the use of engagement information
Check whether workpapers and reports are shared only with authorised parties
Verify information obtained during engagements is not used for personal benefit
Review access controls to audit management system and workpaper files
■ Evidence to Request
Confidentiality policy for internal audit
Access control logs for audit management system
Signed confidentiality agreements with audit staff
Distribution controls on final audit reports
★ Performance Indicators
  • Existence of information use policy
  • % of staff with signed confidentiality agreements
  • No confirmed instances of unauthorised information use
Conformance Rating — Select One
5.2 Protection of Information
Requirement: Internal auditors must protect information from unauthorised access, use, disclosure, or destruction in accordance with the organisation's policies and applicable legal requirements.
✓ What to Test / Assess
Review physical and logical security of audit workpapers and files
Verify encryption and password protection of digital audit files
Check retention and disposal policies for audit documentation
Assess whether audit staff received training on information protection
Review any incidents of information breach or unauthorised access
■ Evidence to Request
IT access controls for audit systems
Encryption and security settings on audit files
Document retention and disposal policy
Information security training records for audit staff
Incident log confirming no breaches in the period
★ Performance Indicators
  • Existence of documented information protection policy
  • # of information security incidents in audit function
  • % of staff completing information security training
Conformance Rating — Select One
Domain III

Governing the Internal Audit Function

Covers governance requirements for authorising, positioning, and overseeing the internal audit function — mandate, charter, independence, board oversight, and external quality assessment.

Principle 6Authorized by the Board
6.1 Internal Audit Mandate
Requirement: The internal audit function must operate under a mandate that is approved by the board and that defines the purpose, authority, and responsibility of the function.
✓ What to Test / Assess
Obtain and review the current internal audit mandate
Verify board approval — check board or audit committee minutes
Assess whether mandate is current and reflects GIAS 2024 requirements
Confirm mandate grants right of access to all records, personnel, and assets
Review whether mandate addresses advisory services scope
■ Evidence to Request
Board-approved internal audit mandate document
Board/audit committee minutes approving the mandate
Evidence of most recent mandate review and update
Correspondence confirming right of access
★ Performance Indicators
  • Date of last board approval of mandate
  • Alignment of mandate language with GIAS 2024 requirements
  • Scope of access granted — restricted or unrestricted
Conformance Rating — Select One
6.2 Internal Audit Charter
Requirement: The CAE must maintain an internal audit charter that documents the mandate, positioning, authority, and responsibilities of the function, approved by the board and reviewed at least annually.
✓ What to Test / Assess
Obtain current internal audit charter
Verify charter is board-approved — check approval date
Confirm charter covers: mandate, independence, scope, responsibilities, reporting lines
Verify charter was reviewed in the last 12 months
Confirm charter references conformance with GIAS 2024
Check charter documents CAE reporting relationships
■ Evidence to Request
Current board-approved internal audit charter
Board/audit committee minutes approving charter
Evidence of annual review — date and sign-off
Charter content checklist against GIAS 2024 requirements
★ Performance Indicators
  • Date of last board approval
  • Date of last annual review
  • % of required charter elements present per GIAS 2024
Conformance Rating — Select One
6.3 Board and Senior Management Support
Requirement: The CAE must obtain appropriate support from the board and senior management to enable the internal audit function to fulfill its mandate effectively.
✓ What to Test / Assess
Review evidence of CAE meetings with board and senior management
Assess whether board provides adequate resources — budget, headcount
Review whether management cooperates with audit requests — response rates, access granted
Verify CAE communicates essential conditions to board and senior management
Check for instances where access was denied or scope was restricted
■ Evidence to Request
Board and senior management meeting schedules and minutes
Resource approval documentation
Access request log and response records
CAE communications on essential conditions
Instances of access denial and how addressed
★ Performance Indicators
  • # of CAE meetings with audit committee per year
  • % of resource requests approved
  • % of management responses received within agreed timeline
  • # of access restrictions experienced
Conformance Rating — Select One
Principle 7Positioned Independently
7.1 Organizational Independence
Requirement: The CAE must confirm organisational independence to the board at least annually and must report any independence impairments and safeguards employed.
✓ What to Test / Assess
Verify CAE reports functionally to the board/audit committee — not to a management executive
Review annual independence confirmation communication to board
Check for any current non-audit roles assigned to CAE and whether safeguards are documented
Review charter for documentation of reporting relationships
Assess whether any board independence conditions are absent and whether safeguards are in place
■ Evidence to Request
Organisational chart showing CAE reporting lines
Annual independence confirmation letter/communication to board
Board minutes acknowledging independence confirmation
Documentation of any impairments and safeguards
Charter section on reporting relationships
★ Performance Indicators
  • CAE functional reporting line — board or management
  • Date of last annual independence confirmation
  • # of independence impairments reported and safeguards applied
Conformance Rating — Select One
7.2 Chief Audit Executive Qualifications
Requirement: The CAE must help the board understand the qualifications needed for the CAE role and must maintain competencies necessary to manage the function effectively.
✓ What to Test / Assess
Review CAE's qualifications, certifications, and experience against role requirements
Verify board was involved in CAE appointment and approved qualifications criteria
Check CAE's CPD records — are they maintaining competencies?
Review whether CAE's qualifications are appropriate for the organisation's size and complexity
Assess CAE's knowledge of GIAS 2024 and current audit practices
■ Evidence to Request
CAE curriculum vitae and professional certifications
Board approval of CAE appointment and qualifications criteria
CAE CPD records
Performance evaluation of CAE by board/audit committee
Evidence of CAE participation in professional forums
★ Performance Indicators
  • Professional certifications held by CAE
  • Date of CAE's last GIAS 2024 training
  • CAE tenure and experience level
  • Board satisfaction rating for CAE performance
Conformance Rating — Select One
Principle 8Overseen by the Board
8.1 Board Interaction
Requirement: The CAE must interact regularly with the board and have private sessions with the audit committee without management present to discuss matters related to the internal audit function.
✓ What to Test / Assess
Verify frequency and nature of CAE communications with audit committee
Check whether private sessions (without management) occur regularly
Review audit committee charter for provisions on interaction with CAE
Assess quality and completeness of audit committee reports from CAE
Review whether CAE alerts the board to significant risks or governance concerns promptly
■ Evidence to Request
Audit committee meeting minutes showing CAE attendance and private sessions
Audit committee charter provisions on CAE access
CAE reports to audit committee
Records of ad hoc communications to audit committee on significant matters
Board evaluation of CAE communication effectiveness
★ Performance Indicators
  • # of audit committee meetings with CAE attendance
  • # of private sessions held per year
  • Completeness of CAE reporting to audit committee
Conformance Rating — Select One
8.2 Resources
Requirement: The board must ensure the internal audit function has the financial, human, and technological resources necessary to fulfill its mandate.
✓ What to Test / Assess
Compare approved audit budget against industry benchmarks and function requirements
Review headcount plan against audit universe coverage needs
Assess technology resources — audit management system, data analytics tools
Review whether the CAE has formally communicated resource constraints to the board
Check CAE's annual resource plan and whether it was approved in full
■ Evidence to Request
Approved internal audit budget
Headcount plan and actual staffing levels
Inventory of technology and analytics tools
CAE resource request documentation and board response
Any documented instances of scope reduction due to resource constraints
★ Performance Indicators
  • Internal audit budget as % of organisation revenue/budget
  • Ratio of auditors to audit universe size
  • Audit universe coverage % per year
  • Technology tools in use
Conformance Rating — Select One
8.3 Quality
Requirement: The board must oversee the QAIP and must receive and review the results of both internal and external quality assessments.
✓ What to Test / Assess
Verify board/audit committee received results of internal quality assessments
Check whether board approved scope and provider of most recent EQA
Verify EQA has been conducted within last five years
Review board response to quality assessment findings
Assess whether board monitors CAE's corrective action plans from assessments
■ Evidence to Request
Audit committee minutes showing receipt of QAIP reports
Board approval of EQA provider and scope
EQA report and final rating
Board-approved corrective action plan from EQA findings
QAIP annual report to audit committee
★ Performance Indicators
  • Date of last EQA and overall conformance rating
  • # of QAIP reports presented to audit committee in period
  • % of EQA corrective actions completed on time
Conformance Rating — Select One
8.4 External Quality Assessment
Requirement: The internal audit function must obtain an external quality assessment at least once every five years by a qualified, independent assessor.
✓ What to Test / Assess
Confirm date and provider of last EQA — within 5 years?
Assess independence of EQA provider — no conflict of interest
Verify EQA result was disclosed in audit communications as required
Review corrective action plan from EQA findings and implementation status
Check whether board approved the EQA provider
■ Evidence to Request
EQA final report with overall conformance rating
Evidence of assessor independence
Board approval of EQA scope and provider
EQA disclosure statement in audit reports or charter
Corrective action plan and implementation tracker
★ Performance Indicators
  • Years since last EQA
  • Overall EQA conformance rating (FC/GC/PC/NC)
  • % of EQA recommendations implemented
  • Independence of EQA assessor
Conformance Rating — Select One
Domain IV

Managing the Internal Audit Function

Covers strategic planning, resource management, communication, and quality assurance for managing the internal audit function effectively.

Principle 9Plan Strategically
9.1 Understanding Governance, Risk Management, and Control
Requirement: The CAE must understand the organisation's governance, risk management, and control processes to inform the audit strategy and plan.
✓ What to Test / Assess
Review evidence of CAE participation in organisational risk forums
Check whether internal audit strategy reflects current organisational risks and priorities
Verify CAE has obtained and reviewed key governance documents — board minutes, risk registers
Assess whether the audit universe covers all significant governance and control areas
Review how the function obtains information on emerging risks
■ Evidence to Request
Risk register review documentation
CAE attendance records at risk and governance forums
Internal audit strategy documents showing risk linkage
Documented process for understanding governance and control environment
Audit universe mapped to organisational objectives and risks
★ Performance Indicators
  • # of risk forums attended by CAE in period
  • Alignment of audit plan to top organisational risks
  • % of audit universe refreshed in current year
Conformance Rating — Select One
9.2 Internal Audit Strategy
Requirement: The CAE must develop a multi-year internal audit strategy that articulates the function's vision, objectives, and initiatives, and must communicate it to the board and senior management.
✓ What to Test / Assess
Obtain and review current internal audit strategy document
Verify strategy covers multiple years — minimum 3 years
Confirm strategy was presented to and endorsed by board/audit committee
Assess alignment between strategy and organisational strategic objectives
Review whether strategy is periodically updated — particularly after major organisational changes
■ Evidence to Request
Documented multi-year internal audit strategy
Board/audit committee minutes endorsing the strategy
Strategy refresh documentation when organisational changes occurred
Performance measures linked to strategy
Annual strategy progress report to audit committee
★ Performance Indicators
  • Existence and currency of multi-year strategy
  • Date of last strategy review
  • % of strategic initiatives completed or on track
  • Board endorsement status
Conformance Rating — Select One
9.3 Methodologies
Requirement: The CAE must establish methodologies that guide the function in a systematic and disciplined manner, and must train auditors on them.
✓ What to Test / Assess
Review whether a documented internal audit manual or methodology document exists
Assess whether methodologies cover all key stages: planning, fieldwork, reporting, follow-up
Verify methodologies are aligned to GIAS 2024
Check whether auditors have been trained on current methodologies
Review whether methodologies are reviewed and updated periodically
■ Evidence to Request
Internal audit manual or methodology documentation
Evidence of methodology training for all audit staff
Methodology review and update records
Cross-reference of methodology content to GIAS 2024 requirements
Evidence of methodology application in engagement files
★ Performance Indicators
  • Date of last methodology update
  • % of staff trained on current methodologies
  • % of engagements following documented methodology
  • Alignment of methodology to GIAS 2024
Conformance Rating — Select One
9.4 Internal Audit Plan
Requirement: The CAE must develop a risk-based internal audit plan and present it to the board for approval, and must update it as necessary to reflect significant changes in risk.
✓ What to Test / Assess
Obtain and review current annual audit plan
Verify plan was presented to and approved by the audit committee
Confirm plan is based on a documented risk assessment of the audit universe
Check whether plan was updated during the year in response to emerging risks
Assess coverage of significant risk areas — fraud, IT, financial, operational
Review resource allocation against planned engagements
■ Evidence to Request
Current board-approved annual audit plan
Risk assessment supporting the audit plan
Audit committee minutes approving the plan
Mid-year plan updates and approval documentation
Audit universe risk scoring methodology
★ Performance Indicators
  • % of planned engagements completed
  • # of mid-year plan amendments
  • Board approval status of current plan
  • Risk assessment completion date
Conformance Rating — Select One
9.5 Coordination and Reliance
Requirement: The CAE must coordinate with other assurance providers and may rely on their work to avoid duplication, subject to assessment of competency and objectivity.
✓ What to Test / Assess
Review whether CAE coordinates with external audit, risk, compliance, and other assurance functions
Assess whether reliance on other providers is documented and appropriately assessed
Check whether audit plan reflects work of other assurance providers to avoid duplication
Verify combined assurance map or equivalent exists
Review agreements or protocols with external auditors
■ Evidence to Request
Combined assurance map or three lines model documentation
Coordination meetings with external auditors — minutes
Protocols or service level agreements with other assurance providers
Audit plan showing areas where reliance was placed on other providers
Assessment of other providers' competency and objectivity
★ Performance Indicators
  • Existence of combined assurance framework
  • # of coordination meetings with external audit
  • % of audit plan areas with documented reliance assessment
  • Duplication reduction achieved
Conformance Rating — Select One
Principle 10Manage Resources
10.1 Financial Resource Management
Requirement: The CAE must manage the internal audit budget effectively and transparently, ensuring resources are adequate to fulfill the mandate.
✓ What to Test / Assess
Review budget preparation process — is it based on planned engagements?
Compare actual spend against budget for the period
Check whether budget variances are explained and managed
Verify whether CAE formally communicated any budget shortfalls to the board
Review cost per audit engagement trends
■ Evidence to Request
Internal audit budget approved by the board
Actual vs budget variance reports
CAE communications to board on budget adequacy
Cost tracking by engagement type
Benchmarking data on audit costs
★ Performance Indicators
  • % of budget variance (actual vs approved)
  • Cost per audit engagement
  • Budget approved vs budget requested ratio
Conformance Rating — Select One
10.2 Human Resources Management
Requirement: The CAE must ensure the function has sufficient, competent staff and must manage performance, development, and succession to meet current and future needs.
✓ What to Test / Assess
Review staffing levels against audit universe and planned workload
Assess staff qualification mix — are there sufficient certified auditors?
Review performance management process for audit staff
Check succession planning for key roles including CAE
Verify staff satisfaction and retention — review exit interview themes
Assess use of co-sourcing or guest auditors to supplement capability
■ Evidence to Request
Staffing plan and actual headcount
Competency matrix for all audit staff
Performance review records
Succession plan for CAE and senior audit roles
Exit interview records and staff turnover analysis
Co-sourcing agreements and deliverable assessments
★ Performance Indicators
  • Staff turnover rate
  • % of staff with professional certification
  • Performance review completion rate
  • Ratio of auditors to planned audit days
Conformance Rating — Select One
10.3 Technological Resources
Requirement: The CAE must ensure the function has appropriate technological resources — including data analytics tools — to perform engagements effectively and efficiently.
✓ What to Test / Assess
Inventory technology tools used by the audit function
Assess whether an audit management system is in use
Review data analytics capability — tools, skills, usage in engagements
Check whether technology resources are fit for purpose and regularly updated
Assess training on technology tools for audit staff
■ Evidence to Request
Technology inventory for internal audit function
Audit management system usage records
Data analytics tool licences and usage statistics
Technology training records for audit staff
% of engagements using data analytics
★ Performance Indicators
  • Audit management system in use (Y/N)
  • % of engagements using data analytics
  • Technology budget as % of total audit budget
  • Staff trained on data analytics tools
Conformance Rating — Select One
Principle 11Communicate Effectively
11.1 Building Relationships and Communicating with Stakeholders
Requirement: The CAE must build effective relationships with key stakeholders — board, senior management, and other assurance providers — to enable effective internal audit services.
✓ What to Test / Assess
Review stakeholder engagement plan or equivalent
Assess frequency and quality of CAE interactions with audit committee, CEO, and CFO
Review evidence of pre-engagement communication with management
Check whether stakeholder feedback is obtained and acted upon
Assess how the function communicates its plan, results, and value to stakeholders
■ Evidence to Request
Stakeholder engagement plan
Meeting logs with key stakeholders
Stakeholder satisfaction survey results
Pre-engagement notification records
Annual report/summary of audit activity
★ Performance Indicators
  • Stakeholder satisfaction scores
  • # of stakeholder meetings per period
  • % of engagements with pre-engagement communication
  • Management response rate to findings
Conformance Rating — Select One
11.2 Effective Communication
Requirement: Internal audit communications must be accurate, objective, clear, concise, constructive, complete, and timely.
✓ What to Test / Assess
Review a sample of audit reports against the 7 communication qualities
Assess readability and executive accessibility of reports
Verify reports are issued within agreed timelines
Check whether reports include executive summaries and overall conclusions
Review draft reports process — are they shared with management before finalisation?
■ Evidence to Request
Sample of final audit reports
Report issuance date vs engagement completion date
Draft report sharing records
Stakeholder feedback on report quality
Report review/editing process documentation
★ Performance Indicators
  • Average days from fieldwork completion to report issue
  • % of reports with executive summary
  • % of reports issued within agreed timeline
  • Stakeholder rating of report clarity and usefulness
Conformance Rating — Select One
11.3 Communicating Results
Requirement: The CAE must communicate engagement results — including findings, conclusions, recommendations, and management responses — to appropriate parties.
✓ What to Test / Assess
Review audit reports for inclusion of findings, criteria, cause, effect, and risk rating
Check whether management responses are captured and attributed
Verify overall engagement conclusion is stated
Review distribution of final reports — are they reaching the right parties?
Assess whether significant findings are escalated to the audit committee
■ Evidence to Request
Sample of final audit reports with all required elements
Report distribution lists and delivery confirmation
Audit committee reporting packages
Records of significant findings escalated to board level
Management response quality assessment
★ Performance Indicators
  • % of reports with CCCE-structured findings
  • % of findings with management responses
  • % of significant findings escalated to audit committee
  • Report distribution timeliness
Conformance Rating — Select One
11.4 Errors and Omissions
Requirement: If a final engagement communication contains a material error or omission, the CAE must communicate corrected information to all parties who received the original.
✓ What to Test / Assess
Review whether a documented procedure exists for correcting issued reports
Check whether any corrections were issued in the period and whether they were handled appropriately
Verify the process for identifying errors post-issuance
Assess whether CAE takes responsibility for corrections
■ Evidence to Request
Documented error correction procedure
Any corrected reports issued in period with evidence of distribution
Quality review process before report issuance
Instances where corrections were required and management of those instances
★ Performance Indicators
  • # of corrected reports issued in period
  • Existence of error correction procedure
  • % of reports subject to quality review before issuance
Conformance Rating — Select One
11.5 Communicating the Acceptance of Risks
Requirement: If management has accepted a risk that the CAE believes is unacceptable to the organisation, the CAE must communicate this to senior management and, if not resolved, to the board.
✓ What to Test / Assess
Review whether a process exists for managing unacceptable risk acceptances
Check the finding follow-up log for instances of management accepting high/critical risks without adequate justification
Verify whether such instances were escalated to the audit committee
Review CAE communications to board on unresolved significant risks
Assess whether this issue is addressed in the internal audit charter
■ Evidence to Request
Risk acceptance register
Instances of escalation to audit committee on accepted risks
Board/audit committee minutes on unresolved significant risks
Internal audit charter provisions on risk acceptance escalation
CAE communication templates for risk escalation
★ Performance Indicators
  • # of risk acceptances in period
  • # of risk acceptances escalated to audit committee
  • Existence of documented risk acceptance escalation procedure
Conformance Rating — Select One
Principle 12Enhance Quality
12.1 Internal Quality Assessment
Requirement: The CAE must maintain a QAIP that includes both ongoing monitoring and periodic self-assessments, the results of which must be communicated to senior management and the board.
✓ What to Test / Assess
Verify a documented QAIP exists covering ongoing monitoring and periodic self-assessment
Review ongoing monitoring evidence — supervisory reviews, workpaper reviews, feedback
Check whether a periodic self-assessment has been conducted in the last year
Verify QAIP results were communicated to audit committee
Review whether corrective actions from QAIP were tracked and implemented
■ Evidence to Request
Documented QAIP policy and procedures
Ongoing monitoring records — supervisory review logs, KPI dashboards
Most recent periodic self-assessment report
Audit committee minutes receiving QAIP results
Corrective action tracker from self-assessment findings
★ Performance Indicators
  • Existence of documented QAIP
  • Date of last periodic self-assessment
  • % of self-assessment findings addressed
  • QAIP results communicated to audit committee (Y/N)
Conformance Rating — Select One
12.2 Performance Measurement
Requirement: The CAE must establish and monitor performance measures for the internal audit function and report them to the board.
✓ What to Test / Assess
Review whether formal performance metrics are defined and documented
Assess comprehensiveness of metrics — efficiency, quality, stakeholder satisfaction, impact
Verify metrics are tracked and reported to the audit committee
Check whether metrics are benchmarked against prior periods or external comparators
Review whether corrective actions are taken when metrics fall below target
■ Evidence to Request
Performance measurement framework documentation
KPI dashboard or performance scorecard
Audit committee reports showing performance data
Trend analysis of key metrics over time
Benchmarking data
★ Performance Indicators
  • # of defined performance metrics
  • Metrics reported to audit committee (Y/N)
  • % of KPIs meeting targets
  • Trend in key metrics year-on-year
Conformance Rating — Select One
12.3 Oversee and Improve Engagement Performance
Requirement: The CAE must supervise engagements to ensure conformance with standards and quality, and must implement improvements based on quality findings.
✓ What to Test / Assess
Review supervisory review process — is it documented and consistently applied?
Test a sample of engagement files for evidence of supervisory sign-off
Verify whether supervisory review covers planning, fieldwork, and reporting stages
Check whether themes from supervisory reviews are aggregated to identify training needs
Review post-engagement quality improvement actions
■ Evidence to Request
Supervisory review policy and procedures
Sample of workpaper files with supervisory sign-offs
Aggregated quality theme analysis from supervisory reviews
Training actions linked to quality findings
Post-engagement quality improvement register
★ Performance Indicators
  • % of engagements with documented supervisory review
  • Average supervisor review score
  • # of quality improvement actions implemented
  • Time from completion to supervisory sign-off
Conformance Rating — Select One
Domain V

Performing Internal Audit Services

Covers end-to-end requirements for planning, performing, and communicating the results of individual audit engagements.

Principle 13Plan Engagements Effectively
13.1 Engagement Communication
Requirement: Internal auditors must communicate the engagement objectives, scope, timing, and planned approach with management before beginning fieldwork.
✓ What to Test / Assess
Review engagement notification letters or planning communications
Verify management was notified in advance of each engagement
Check whether opening meetings were held and documented
Confirm engagement scope was communicated and agreed
Review whether scope restrictions were documented and escalated
■ Evidence to Request
Engagement notification letters for sampled engagements
Opening meeting minutes or agendas
Documented scope agreements with management
Records of scope restrictions and escalations
Pre-engagement planning communication templates
★ Performance Indicators
  • % of engagements with documented pre-engagement communication
  • % of engagements with opening meeting documented
  • # of scope restrictions recorded
Conformance Rating — Select One
13.2 Engagement Risk Assessment
Requirement: Internal auditors must perform an engagement risk assessment to identify and evaluate risks relevant to the engagement, including the risk of fraud.
✓ What to Test / Assess
Review engagement files for documented risk assessments
Verify fraud risk was explicitly considered in engagements covering high-risk areas
Confirm risk assessment informed the audit scope and procedures
Check whether risk assessment was updated during fieldwork if new risks emerged
Assess quality and depth of risk assessments in a sample of engagements
■ Evidence to Request
Engagement risk assessment workpapers
Risk and control matrices
Fraud risk consideration documentation
Evidence of risk assessment driving audit programme design
Updated risk assessments where scope was adjusted during fieldwork
★ Performance Indicators
  • % of engagements with documented risk assessment
  • % of risk assessments including fraud consideration
  • % of audit procedures directly linked to identified risks
Conformance Rating — Select One
13.3 Engagement Objectives and Scope
Requirement: Internal auditors must establish clear engagement objectives and a defined scope before commencing fieldwork, based on the risk assessment.
✓ What to Test / Assess
Review engagement planning documents for clearly stated objectives
Verify objectives are specific, measurable, and linked to identified risks
Confirm scope defines the boundaries of the engagement — period, locations, processes
Check whether objectives and scope were reviewed and approved by the engagement supervisor
Assess whether scope limitations were identified and documented
■ Evidence to Request
Engagement planning documents with objectives and scope statements
Supervisory approval of engagement objectives and scope
Scope limitation documentation where applicable
Risk-to-objective linkage in planning documents
Comparison of planned vs actual scope at engagement close
★ Performance Indicators
  • % of engagements with SMART objectives documented
  • % of objectives directly linked to risk assessment
  • % of engagements with supervisory approval of scope
Conformance Rating — Select One
13.4 Evaluation Criteria
Requirement: Internal auditors must identify evaluation criteria before fieldwork begins to provide the basis for assessing conditions observed during the engagement.
✓ What to Test / Assess
Verify evaluation criteria are documented in engagement planning files
Confirm criteria are specific — referencing particular policy sections, standards, regulations
Check whether criteria were communicated to management before fieldwork
Verify criteria are appropriate for each engagement objective
Assess whether criteria remained appropriate throughout fieldwork or were updated
■ Evidence to Request
Engagement planning workpapers with documented criteria
Criteria referenced in audit findings
Management communication acknowledging audit criteria
Policy and procedure documents referenced as criteria
Workpaper cross-references from findings to criteria
★ Performance Indicators
  • % of engagements with documented evaluation criteria
  • % of audit findings with specific criteria references
  • % of criteria referencing specific policy/standard provisions
Conformance Rating — Select One
13.5 Engagement Resources
Requirement: Internal auditors must ensure appropriate and sufficient financial, human, and technological resources are assigned to achieve engagement objectives within the required timeframe.
✓ What to Test / Assess
Review engagement resourcing plans — auditors assigned, time budget, tools
Verify resources were appropriate for the complexity and risk of each engagement
Check whether resource constraints were identified and escalated
Review actual vs budgeted time analysis across a sample of engagements
Assess whether specialists were engaged where technical competency was required
■ Evidence to Request
Engagement resource plans
Time budget vs actual analysis
Specialist engagement records and credentials
CAE communication on resource constraints
Approved engagement work programs showing resource allocation
★ Performance Indicators
  • % of engagements completed within time budget
  • # of specialist engagements per year
  • % of engagements with documented resource plan
Conformance Rating — Select One
13.6 Work Program
Requirement: Internal auditors must develop and document an engagement work program that identifies criteria, tasks, methodologies, and assigned auditors, approved by the CAE before implementation.
✓ What to Test / Assess
Verify documented work programs exist for all engagements in sample
Confirm work programs identify: criteria, tasks, methodology, assigned auditor
Check CAE/supervisor approval documented before fieldwork commenced
Verify work program was updated when scope changed mid-engagement
Assess linkage between work program steps and identified risks
■ Evidence to Request
Documented and approved work programs for sampled engagements
CAE/supervisor approval signatures on work programs
Work program update records where changes occurred
Risk-to-procedure linkage in work programs
Sampling methodology documentation in work programs
★ Performance Indicators
  • % of engagements with approved work program
  • % of work programs including all 4 required elements
  • % of work programs updated when scope changed
Conformance Rating — Select One
Principle 14Conduct Engagement Work
14.1 Gathering Information
Requirement: Internal auditors must gather information that is relevant, reliable, and sufficient to support engagement analyses and conclusions.
✓ What to Test / Assess
Review workpapers for quality and relevance of information gathered
Verify information was obtained from reliable, independent sources where possible
Check that evidence was corroborated from multiple sources for significant findings
Assess whether information gathering procedures were documented in workpapers
Review whether information limitations were identified and addressed
■ Evidence to Request
Workpapers showing information sources for each procedure
Evidence of corroboration for significant findings
Documentation of information reliability assessment
System reports and direct observation records
Management representation acknowledgement where used
★ Performance Indicators
  • % of significant findings with corroborated evidence
  • % of workpapers referencing reliable information sources
  • # of information limitations identified and resolved
Conformance Rating — Select One
14.2 Analyses and Potential Engagement Findings
Requirement: Internal auditors must perform analyses to identify potential findings and develop them into documented observations supported by evidence.
✓ What to Test / Assess
Review workpapers for analytical procedures performed
Verify analyses are documented with methodology, data source, and conclusions
Check whether all identified exceptions were investigated and resolved or developed into findings
Assess data quality — are data sources reliable and complete?
Review whether data analytics was used effectively where applicable
■ Evidence to Request
Analytical workpapers with documented methodology and results
Exception listings and disposition records
Data analytics outputs and interpretation workpapers
Query population and results documentation
Workpaper sign-offs confirming analytical review completion
★ Performance Indicators
  • % of engagements using data analytics
  • # of findings originating from analytical procedures
  • % of exceptions investigated and properly resolved
Conformance Rating — Select One
14.3 Evaluation of Findings
Requirement: Internal auditors must evaluate the significance of findings considering risk, materiality, and the potential impact on the organisation's objectives.
✓ What to Test / Assess
Review finding rating methodology — is it documented and consistently applied?
Test whether finding ratings are appropriate for the conditions observed
Check whether quantitative assessment of impact is included where possible
Verify finding significance is evaluated in the context of broader organisational risk
Review whether findings were recalibrated based on management input or additional evidence
■ Evidence to Request
Finding rating methodology documentation
Sample of rated findings with supporting rationale
Instances of finding recalibration with documented justification
Materiality and risk exposure quantification in findings
Supervisory review of finding evaluations
★ Performance Indicators
  • Consistency of finding rating across engagements
  • % of high-risk findings with quantified impact
  • # of finding ratings challenged and revised
Conformance Rating — Select One
14.4 Recommendations and Action Plans
Requirement: Internal auditors must develop recommendations or request action plans to address root causes, resolve findings, and improve the activity under review.
✓ What to Test / Assess
Review recommendations in a sample of audit reports
Verify recommendations address root cause rather than symptoms
Check whether specific, measurable, and time-bound action plans are obtained from management
Assess quality of management responses — are they substantive?
Review whether disagreements between audit and management were handled per documented procedure
■ Evidence to Request
Audit reports with CCCE-structured findings and root-cause recommendations
Management action plans with owners and timelines
Records of discussions with management on recommendations
Documentation of any disagreements and resolution process
Quality assessment of management responses
★ Performance Indicators
  • % of recommendations addressing root cause
  • % of management action plans with specific owners and timelines
  • Management response rate
  • # of recommendation disagreements and resolution method
Conformance Rating — Select One
14.5 Engagement Conclusions
Requirement: Internal auditors must develop overall engagement conclusions based on the findings and their significance, and communicate these conclusions to appropriate parties.
✓ What to Test / Assess
Verify overall engagement conclusions are stated in final reports
Check whether conclusions are linked to engagement objectives
Assess whether conclusions are appropriately calibrated to the findings presented
Review whether advisory conclusions align with advisory objectives
Verify management understands and acknowledges the engagement conclusion
■ Evidence to Request
Final audit reports with overall conclusion statements
Conclusion-to-objective linkage in final reports
Management acknowledgement of engagement conclusions
Consistency of conclusion with findings presented
Audit committee summaries showing engagement conclusions
★ Performance Indicators
  • % of reports with documented overall conclusion
  • % of conclusions consistent with findings presented
  • % of conclusions communicated to audit committee
Conformance Rating — Select One
14.6 Engagement Documentation
Requirement: Internal auditors must document information and evidence to support engagement results, such that a competent reviewer could repeat the work and reach the same conclusions.
✓ What to Test / Assess
Review workpaper files for completeness and consistency
Verify workpapers are cross-referenced to findings and conclusions
Check whether all required elements are documented: objectives, scope, risk assessment, work program, procedures, results, names, dates
Assess whether workpapers meet the reperformance standard
Review retention practices against policy requirements
■ Evidence to Request
Complete workpaper files for sampled engagements
Cross-referencing index in workpaper files
Document retention policy and evidence of application
Supervisory review completion records for workpapers
QAIP workpaper review findings
★ Performance Indicators
  • % of workpapers meeting reperformance standard (per QAIP review)
  • % of workpapers with supervisory sign-off
  • Average workpaper quality score from QAIP reviews
  • Workpaper retention compliance rate
Conformance Rating — Select One
Principle 15Communicate Engagement Results and Monitor Action Plans
15.1 Final Engagement Communication
Requirement: The CAE must communicate final engagement results to management and the board, and must ensure communications are complete, accurate, and timely.
✓ What to Test / Assess
Verify all engagements in the period have issued final reports
Check whether reports were issued within agreed timelines
Review report distribution for appropriateness — right parties received
Confirm closing meetings were held and documented
Verify whether report communicated overall engagement conclusion
■ Evidence to Request
Final report issue dates vs planned issue dates
Report distribution lists and delivery confirmation
Closing meeting minutes for sampled engagements
CAE cover letters to audit committee accompanying reports
Report timeliness analysis
★ Performance Indicators
  • % of reports issued within agreed timeline
  • Average days from fieldwork completion to report issue
  • % of engagements with documented closing meeting
  • # of overdue reports at period end
Conformance Rating — Select One
15.2 Confirming Implementation of Recommendations
Requirement: The CAE must establish a follow-up process to monitor and confirm the implementation of management action plans and communicate results to the board.
✓ What to Test / Assess
Verify a documented follow-up process exists
Review follow-up tracker for completeness and currency
Confirm management action plan status is verified — not just self-confirmed
Check whether overdue items are escalated appropriately
Review audit committee reporting on outstanding recommendations
■ Evidence to Request
Documented follow-up policy and procedures
Follow-up tracker showing all open recommendations
Evidence of independent verification of action plan implementation
Escalation records for overdue significant recommendations
Audit committee reports on recommendation status
★ Performance Indicators
  • % of recommendations implemented on time
  • % of recommendations independently verified
  • # of overdue recommendations by risk rating
  • Management action plan implementation rate
  • # of recommendations escalated to audit committee
Conformance Rating — Select One

Need Help Achieving Full Conformance with GIAS 2024?

CTC Global provides external quality assessments, GIAS 2024 readiness reviews, and internal audit transformation consulting across Pakistan and the UAE.