The "Global Internal Audit Standards" (Standards for short) published by the Institute of Internal Auditors (IIA) in January 2024 will be effective for quality assessment from 9 January 2025. They will also replace the "International Standards for the Professional Practice of Internal Auditing" (IPPF) from 2017.
The standards at a glance
The standards are divided into five domains with 15 principles and a further 52 concretising requirements ("essential conditions") as well as considerations for implementation and examples.
The five domains are:
- Objectives of internal auditing
- Ethics and professionalism
- Governance of internal audit
- Management of internal audit
- Provision of auditing services
The standards are supplemented by the so-called "Topical Requirements". These are IIA requirements for eight currently known risk topics (including cybersecurity, third party, organisational behaviour and organisational resilience). In response to the increasingly complex risk landscape of companies, they are to be included in audit activities on a mandatory basis [1]. For example, the Cybersecurity Topical Requirements, which were published in February 2025, will come into force on 5 February 2026. According to the KPMG GIAS survey, 45 per cent of respondents stated that their internal auditors largely or fully cover the required skills and knowledge of the Topical Requirements. According to the IIA, the public consultation on the Topical Requirements relating to Organisational Behaviour and Organisational Resilience is expected in 2025/2026.
Relevant innovations of the Global Internal Audit Standards are, for example:
- For the first time, binding requirements for the (further) development of an audit mission statement and an audit strategy (Standards 6.2, 9.2)
- Required involvement and interaction between Internal Audit and the management or supervisory body and recommendation of a reporting line to the Executive Board ("essential conditions" in area III)
- Knowledge of GRC processes and the organisational GRC risk profile (Standard 9.1)
- Increased cooperation with other governance functions (2nd line) within the organisation and with external assurance providers (Standard 9.5)
- Increased use of technological resources, such as the use of data analytics and AI tools in audit activities to increase efficiency and effectiveness (Standard 10.3)
- Updated reporting requirements for a mandatory overall judgement on the effectiveness of GRC processes in the audit scope and a professional judgement on the overall significance of the findings based on a pre-defined methodology (Standard 14.5)
- Specification of the information protection requirements (Standards 5.1, 5.2)
- Greater focus on measuring the performance of internal audit activities (Standard 12.2)
- Increased requirements for external quality assessments (Standard 8.4)
What is important for a successful implementation
A number of measures are necessary for organisations to ensure compliance with the new IIA Global Internal Audit Standards. This process is also a suitable opportunity for internal audit organisations to assess and challenge their existing audit systems to bring them in line with the updated requirements. It also enables a stronger focus on delivering value and meeting stakeholder requirements. This process can also serve as a catalyst for forward-looking changes, such as increased flexibility to respond to emerging risks, increased collaboration with GRC functions within the organisation [2] and the integration of new technologies into internal audit activities [3].
In this context, we recommend the following approach:
- Identify necessary changes, evaluate and classify adjustments based on the current internal audit system (IRS) and develop a roadmap for implementation.
- Define tasks and priorities as work packages, involve stakeholders, implement new requirements and monitor them regularly.
- Communicate changes to stakeholders, train auditors in the new and updated standards and measures and empower them to implement these changes.
- Analysis of the appropriateness of the updated IRS in accordance with DIIR No. 3 / IDW EPS 983 as amended. The analysis provides you with an important contribution to the quality assessment of the IRS and provides impetus for possible optimisation measures. It serves as an aid for the Executive Board and Supervisory Board in designing the IRS.
In addition, we have collected challenges that can arise when implementing the GIAS requirements by Internal Audit:
- Efforts to ensure consistency of all IA documentation including strategy, manual, instructions, templates, checklists, etc. during the update process
- Time pressure and capacity constraints - balance between GIAS implementation and ongoing audit activities
- Change management, especially in terms of people and culture, training and skills development
- Communication plan and strategy to engage and gain buy-in from key stakeholders
- Lack of leading practice examples and benchmarking information within the organisation's peer group
KPMG approach to sparring on the implementation of GIAS compliance
A certain level of capacity within Internal Audit is required to derive and coordinate measures with the relevant stakeholders and to effectively implement the new standards. This should be taken into account as an ongoing project in the 2025/2026 audit planning. In addition, an audit review can be carried out as a kind of "dry run" in 2025 in order to monitor the appropriateness and effectiveness of the measures implemented, identify potential gaps and take improvement measures before the upcoming quality audits.
Outlook: External quality assessment
Conformity with the IIA Global Internal Audit Standards is an integral part of the high quality requirements for internal audit activities. With the publication of the new Global Internal Audit Standards (GIAS), the IIA and the DIIR have revised the framework for the external quality assessment of internal audit systems, which is now presented in the IIA QA Manual and in the applicable draft of DIIR No. 3. In addition, the draft of the updated version was approved by the Main Technical Committee (HFA) with a comment period (IDW EPS 983 n.F.). The final version (IDW PS 983 n.F.) is expected to follow and be published in the fourth quarter of 2025. The existing principles of internal auditing have not been fundamentally changed, but there are some modifications that should be noted.
- The quality requirements include not only "conformity" with GIAS, Topical Requirements, Global Guidance and other legal requirements, but also the "performance" of the IRS.
- Greater emphasis on strategic orientation, "real" risk orientation of audit activities (Standard 9.1 Organisational risk profile) and consideration of stakeholder expectations.
- No minimum requirements for the identification of significant deficiencies and no knock-out criteria. All criteria are therefore equally weighted.
- Review of conformity and consideration of whether the objective of the standard has been achieved.
- The EQA must be conducted every five years and the effectiveness review requires coverage of an appropriate period of time. In addition, at least one CIA should be on the assessment team.
- Updated quality assessment model proposed in DIIR No. 3 (draft):
  - The 110 criteria in DIIR No. 3 (draft) are fully derived from GIAS and cover all GIAS requirements including the essential conditions.
  - The hierarchical assessment process begins with an assessment of compliance with the 110 criteria, moves on to an assessment of compliance and achievement of objectives for 52 standards and 15 principles, and culminates in an overall assessment of the effectiveness of the IRS.
  - The DIIR proposes a four-point scale for the optional scoring. A full score of 3 indicates full compliance or achievement of the objectives, while scores of 2 and 1 reflect partial compliance with potential for improvement or a need for improvement. In the event of non-compliance, a score of 0 is awarded.
In this context, it may make sense to carry out a readiness assessment based on the new standards such as DIIR No. 3 or EPS 983 as amended prior to the upcoming adequacy and effectiveness review of the IRS. In addition, peer group benchmarking is valuable for analysing the maturity level of internal audit in the areas of methodology, performance and strategy. This can provide a further sound basis for the strategic orientation of the further development of internal auditing.
Conclusion
The need to share information and collaborate intensively across functions in the interests of efficient corporate governance cannot be overlooked - not least because compliance is a cost factor.
The new standards offer a good opportunity to further develop internal auditing, to further intensify interaction with stakeholders and to strengthen the integration of governance, risk and compliance systems while maintaining independence and objectivity. The following measures are recommended in this context:
- Discussion with management and the supervisory body about their expectations, the mission statement and the strategic contribution of internal audit to supporting the corporate vision, safeguarding corporate values and increasing resilience
- Discussion of the company-wide risk map and the analysis and management of these (new) risks by risk management
- Use of tools, technology and data & analytics to generate added value in auditing activities (D&A strategy)
- Clear commitment to high quality standards in internal auditing
- Training & further development of audit staff (skills matrix)
The extent and maturity of corporate governance and, in particular, internal auditing varies depending on the industry and size of the company.
In conclusion, it can be stated that the IIA's new Global Internal Audit Standards will have a significant impact on the interaction and working methods of internal audit - with a clear commitment to audit quality, the handling of relevant corporate risks, technology and data & analytics as well as the increasing integration of the GRC function and interaction with the relevant stakeholders such as management and the supervisory body.
[1] In August 2025, the IIA published the "Topical Requirements Application Guidance", which provides guidance on the application of topical requirements throughout the audit lifecycle.
[2] According to the KPMG GIAS survey from August 2024, 74% of participants plan to further develop the customised assurance approach. However, 55% of participants have neither established an assurance landscape nor performed a white-spot assessment.
[3] According to the KPMG GIAS survey from August 2024, 43% of participants have used digital tools (e.g. data analytics, process mining) extensively or completely in their audit work.
Your contacts
Mark Frederik Schmidt
Senior Manager, Audit - Regulatory Advisory, Sustainability Reporting & Governance
KPMG AG Wirtschaftsprüfungsgesellschaft
Marc Stauder
Partner, Audit, Regulatory Advisory, Sustainability Reporting & Governance
KPMG AG Wirtschaftsprüfungsgesellschaft