Internal Audit Standards · 7 min read

What the IIA 2025 Standards Mean for Your Internal Audit Function

The IIA 2025 Global Internal Audit Standards became effective January 9, 2025. Here is what changed, what your function needs to address, and where most teams are already behind.

LH Consulting Group · April 15, 2025

The IIA 2025 Global Internal Audit Standards became effective January 9, 2025. After more than a year of transition guidance, the new framework is no longer a future consideration — it is the current requirement.

For many internal audit functions, the response has been to update the charter, note the effective date, and move on. That approach will not hold up under scrutiny. The 2025 standards represent a meaningful shift in how internal audit is expected to operate, and the functions that treat them as a documentation exercise will find themselves unprepared when an external quality assessment or board inquiry arrives.

What Changed — and Why It Matters

The 2025 Global Internal Audit Standards reorganized the framework into five domains: Purpose of Internal Auditing, Ethics and Professionalism, Governing the Internal Audit Function, Managing the Internal Audit Function, and Performing Internal Audit Services. This structure is not just cosmetic. It reflects a deliberate effort to clarify accountability — particularly around the chief audit executive's responsibility for building and maintaining a function that operates with consistency and quality.

Several changes stand out as having direct operational implications.

The internal audit mandate must be formally defined. The standards now require that the board and management clearly establish the authority, roles, and responsibilities of the internal audit function in a charter. This is not new in concept, but the 2025 standards are more explicit about what that charter must contain and how it must be maintained. Functions operating on outdated or generic charters are already out of conformance.

QAIP requirements are more specific. The Quality Assurance and Improvement Program is no longer a background requirement. Under the 2025 standards, the CAE must develop, implement, and maintain a QAIP that covers all aspects of the internal audit function — including ongoing monitoring, periodic self-assessments, and external quality assessments at least every five years. The standards also require that QAIP results be communicated to senior management and the board. A QAIP that exists only on paper does not satisfy this requirement.

Performance measurement is now a formal expectation. The 2025 standards call for defined key performance indicators and a structured approach to monitoring internal audit's effectiveness. This is a significant shift for functions that have historically measured success informally or not at all. The expectation is that the CAE can demonstrate — with data — that the function is delivering value and operating in conformance with standards.

Board and management involvement is elevated. The new framework places greater emphasis on the relationship between internal audit, the board, and senior management. This includes more explicit requirements around communication, independence, and the board's role in supporting the internal audit function's mandate. For CAEs who have operated with limited board engagement, this represents a meaningful change in expectations.

The strategic plan is now a formal requirement. Perhaps the most significant new requirement for many functions is the explicit mandate for a multi-year internal audit strategic plan. Under the 2025 standards, the CAE must develop and maintain a strategic plan that aligns the internal audit function's direction with the organization's strategic objectives. This is not an annual audit plan — it is a longer-horizon document that articulates where the function is headed, how it will build capability over time, and how it will demonstrate value to the board and senior management. For functions that have operated without a formal strategy, this requirement represents a meaningful shift in how the CAE's role is defined.

Where Most Functions Are Falling Short

The most common gap is not awareness — most internal audit leaders are familiar with the 2025 standards at a high level. The gap is implementation. Knowing what the standards require and having the systems in place to meet those requirements are two different things.

Functions that built their methodology under the 2017 IPPF are often operating with processes that do not map cleanly to the 2025 structure. Risk assessments may not be formally connected to audit planning. QAIP documentation may exist but not function as a continuous improvement system. Performance metrics may be tracked informally, if at all. These are not failures of intent — they are structural gaps that accumulate over time when the foundation of the function has not kept pace with evolving standards.

The 2025 standards also introduce topical requirements — specific guidance for high-risk engagement areas such as cybersecurity, third-party relationships, and business resiliency. For functions that have not built these areas into their risk-based audit planning, the gap between current practice and standards conformance may be larger than anticipated.

What Conformance Actually Requires

Conforming with the 2025 IIA standards is not primarily a documentation project. It is an audit function development project. The charter needs to be updated, but so does the methodology. The QAIP needs to be documented, but it also needs to function — with regular self-assessments, defined performance indicators, and a clear process for addressing gaps. The risk assessment needs to be connected to the audit plan in a way that can be explained to the board.

For functions that are starting from a solid foundation, the transition to 2025 conformance is manageable. For functions that have been operating without a standardized methodology, a functional QAIP, or defined performance measures, the work is more substantial — and the window for addressing it before an external quality assessment is narrower than many teams realize.

LH Consulting Group works with internal audit functions that are ready to close the gap between where they are and where the 2025 standards require them to be. Whether the need is a methodology redesign, QAIP development, or EQA readiness, the work begins with an honest assessment of the current state — and a practical plan for building the foundation that supports long-term conformance.
