Skip to Content

Update: Setting the Standards

Magazine The Institute of Internal Auditors Apr 10, 2023

The IIA is entering month two of the public comment period on its draft Global Internal Audit Standards. These new Standards transform both the International Professional Practices Framework and the International Standards for the Professional Practice of Internal Auditing

Over two years, The IIA’s International Internal Audit Standards Board received input from 115 IIA affiliates, nearly 4,000 internal audit practitioners, and other relevant stakeholders to reimagine the Standards in a more clear, direct form that better reflects today’s risk environment.

“Internal auditors told us they need clear and direct guidance from The IIA,” says IIASB Chairman Mike Peppers. “Now more than ever, we need standards that meet their needs and raise the quality of the internal audit services they provide.” The new Standards simplifies the six components of the IPPF into two areas, Standards and Guidance. Each of these is organized into five domains: Purpose of Internal Auditing, Ethics and Professionalism, Governing the Internal Audit Function, Managing the Internal Audit Function, and Performing Internal Audit Services. The updated Standards also include:

  • Considerations for implementation and evidence of conformance, making it easier for practitioners to understand and conform with individual standards.
  • Sections that specifically address the nuances of public sector internal auditors, small audit functions, and outsourced services.

Hacker Pay Slump


The estimated drop in earnings of cybercrime gangs as victims are refusing to pay ransoms.

“Hackers are definitely finding it harder to get paid for ransomware attacks.”

— Brett Callow, threat researcher at cybersecurity company Emsisoft.

Source:, “Cybercrime Gangs’ Earnings Slide as Victims Refuse to Pay.”

A third element also is being considered: Topical Requirements. While the Standards are applicable and required for all internal audit services, Topical Requirements would be required only when auditing specific subjects. They focus on governance, risk management, and control processes relevant to those subjects.

Readers can access the proposed Standards and provide feedback at The public comment period ends May 30. The final Standards will be released in late 2023. —Logan Wamsley

No Hiding from Tougher Data Privacy Laws

Organizations need to keep better track of personally identifiable information and the laws around it.

The protection of personal data is in the spotlight this year. That’s because data privacy laws are getting more stringent in the U.S., European Union, and other parts of the world. In 2022, fines levied for violations of the EU’s General Data Protection Regulation roughly tripled, from more than $1 billion in 2021 to $3.1 billion in 2022, according to a report by global law firm DLA Piper. The GDPR applies to organizations that do business with consumers in the EU, the U.K., and countries that are part of the European Free Trade Association.

Further, the European Commission, the EU’s executive body, announced in January that it was committing to conducting regular oversight of how state data protection authorities enforce the GDPR’s rules, particularly with big cases. “This heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech,” says Johnny Ryan, an Irish Council for Civil Liberties senior fellow.

Meanwhile in the U.S., several states have decided to model portions of their privacy laws after the GDPR. The California Privacy Rights Act and the Virginia Consumer Data Privacy Act both went into effect in January, and similar measures in Colorado and Connecticut will begin in July. An updated data privacy law for Utah goes into effect Dec. 31. According to some experts, more states and countries will likely follow Europe’s rights-based approach to personal data protection. —Christine Janesko

2023 04 Digital-Update-Expert-250x250.jpg

Meet COSCO's New Board Chair

Lucia Wind is COSO board chair and CAE and vice president of Internal Audit at UnisysFairfax, Va.

What motivated you to take on this position?

What intrigued me most about this role was the opportunity to give a voice to all the internal audit and risk practitioners, such as me. We are one of the ultimate consumers of the frameworks and thought leadership papers produced by COSO and often have a unique perspective from our experience in the field. Practical knowledge and experience continue to be crucial components of successful adoption of any thought leadership guidance. COSO is a household name for any internal audit or risk function, providing us with tools to be more effective practitioners as we navigate the work of risk and compliance.

How do you see internal audit's role evolving?

Consistent with the trends we already see in this era of disruption and business transformation, I expect internal audit to continue to move toward more automated, analytical, and predictive functions within organizations. The availability of data will enable auditors to audit smarter, faster, and more efficiently. With the pervasive use of technology enabling companies to automate even the simplest of business processes, the lines between traditional business process and financial audit skills and IT audit skills will likely fade, as audit professionals will need both sets of core skills. This will not eliminate the need for subject matter experts — rather, it will optimize routine audits many internal audit functions have on their annual audit plans. 

ChatGPT Con

This tool is going to be the most powerful tool for spreading misinformation that has ever been on the internet.”

Gordon Crovitz, co-chief executive of NewsGuard, on the potential for ChatGPT to contribute to conspiracy theories.

Source: The New York Times, “Disinformation Researchers Raise Alarms About AI Chatbots”

Recruiting Roadblocks

Internal audit functions in the U.S. and Canada are experiencing several recruitment challenges in trying to staff up.

Compensation expectations
Canada -  U.S. 

 64%    64% 

Competition from other organizations
Canada -  U.S. 

61%    49%

Too few applicants
Canada -  U.S. 

34%    51% 

Lacking competencies
Canada -  U.S. 

57%    45%

Source: The IIA, 2023 North American Pulse of Internal Audit


Toning Up at the Top

Ethics and compliance professionals report on executives’ positive moves.

55% engage more with employees to meet challenges of remote/hybrid work.

67% balance business goals and priorities with employee needs.

69% make difficult decisions consistent with company values.

Source: LRN, 2023 Ethics and Compliance Program Effectiveness Report 

The Institute of Internal Auditors