Internal audit functions vary widely in maturity, scope, and influence. The single most reliable predictor of which end of that spectrum a function sits at is how rigorously it implements the Institute of Internal Auditors (IIA) Standards. The Standards — formally part of the International Professional Practices Framework (IPPF) — define what internal audit is, what it does, and how it does it. Functions that take the Standards as their operating constitution produce a different kind of work than functions that treat them as an aspirational reference.
What Internal Audit Is — and What It Is Not
The IIA defines internal audit as an independent, objective assurance and consulting activity designed to add value and improve operations. Each term in that definition does work. Independence means structural separation from the activities being audited. Objective means free from bias in how findings are formed. Assurance means evidence-based conclusions that stakeholders can rely on. Consulting means advisory work that respects the boundary with management's responsibility for decisions. Functions that drift on any of these dimensions produce work that looks like internal audit but does not deliver its value.
The Three-Lines Model
Internal audit operates as the third line under the IIA Three-Lines Model — operational management owns and manages risk (first line), risk management and compliance functions oversee risk (second line), and internal audit provides independent assurance over both (third line). The model is not new, but the rigour with which organisations apply it varies enormously. Functions confused about which line they sit in produce confused work — assurance given under a conflict of interest, or advice that should have been an audit finding.
Risk-Based Audit Planning
The Standards require the internal audit plan to be risk-based, informed by the organisation's risk profile and aligned with organisational objectives. In practice this means the audit universe (the inventory of what could be audited) is mapped to the organisation's strategic and operational risks; audit coverage is allocated by risk significance; the plan is approved by the audit committee or equivalent; and the plan is updated as the risk profile changes. Functions that audit the same things every year regardless of risk drift away from this requirement.
A common audit committee complaint: the internal audit plan reads like a calendar of historical coverage rather than a forward-looking risk allocation. The committee asks why the function is not auditing emerging risks (cloud security, AI governance, sanctions compliance). The honest answer is usually that the audit team does not have the skills, and the plan reflects that constraint rather than the actual risk priority. Closing the skills gap is uncomfortable but necessary — the alternative is producing assurance that does not match where the organisation's risk actually sits.
Engagement Conduct: The Standards That Distinguish Real Internal Audit
- Engagement objectives, scope, and resources documented before fieldwork begins
- Sufficient, reliable, relevant, and useful information collected to support conclusions
- Working papers that document the work performed and conclusions reached, retained for a defined retention period
- Engagement results communicated promptly with appropriate stakeholders
- Recommendations tied to root causes, not just to symptoms or proximate findings
- Follow-up to confirm management actions have been taken — or to escalate when they have not
Quality Assurance: The Self-Audit
The Standards require the internal audit function to maintain a quality assurance and improvement programme covering all aspects of the audit activity. This includes ongoing internal monitoring, periodic internal self-assessment, and an external assessment at least every five years. The external assessment is not just compliance — it is the audit function being audited, and it is what produces the credibility that lets the function speak with authority on assurance matters. Functions that have never had an external quality assessment have a quiet credibility deficit they may not be aware of.
Why the CIA Credential Matters
The Certified Internal Auditor (CIA) credential is the IIA-issued certification that signals internal audit professional competence. The exam covers the Standards, audit conduct, business knowledge, and audit techniques across three parts. For internal auditors, the credential is the most direct signal of professional alignment with how the IIA defines the discipline. For audit functions, having a meaningful proportion of CIA-credentialed staff is one of the markers external assessors look at when evaluating function maturity. The credential is not a substitute for experience — but it is the most reliable indicator of foundation knowledge.