The 2025 overhaul of the Global Internal Audit Standards (GIAS) provides far more than a checklist for compliance. It offers a framework for internal audit leaders to set strategy, govern their functions, and deliver measurable value.
The Standards emphasize purpose, ethics, independence, governance, management, and performance – but more importantly, they invite internal audit teams to move beyond compliance and demonstrate how assurance can accelerate risk responsiveness, enhance stakeholder trust, and integrate with enterprise value creation. These expectations coincide with rapid advances in technology and AI, creating both the requirement and means for internal audit to modernize.
AI’s Expanding Role
AI has fundamentally shifted how internal audit, risk, and compliance leaders strategize, prioritize, and operate. Rather than a bolt-on tool, AI now informs risk sensing, testing depth, reporting speed, and continuous improvement, forcing a redesign of operating models, talent mix, and assurance approaches.
Yet adopting AI alone is not enough; success depends on embedding these tools within a strategy anchored to leading professional practices and the Standards themselves. This requires a quality management system, supported by enabling technologies such as GRC platforms and AI. Equally important is connecting those capabilities to integrated risk management and a broader model of organizational assurance, positioning internal audit as a coordinated partner across the enterprise rather than a siloed reviewer. This begins with the foundation – modernizing internal audit’s mandate, strategy, and governance structures.
Modernizing Strategy
Internal audit teams are updating policies, charters, and escalation protocols to align with new expectations around independence, oversight, and risk tolerance. The Standards require clear documentation of the audit mandate and formal acknowledgement of the CAE’s reporting line to the board. And, many organizations are digitizing these policy updates through AI-enabled technologies that promote real-time escalation and greater transparency in how internal audit responds to fast-evolving threats.
The Standards also call for a published internal audit strategy (Principle 9.2), linking assurance priorities directly to enterprise objectives. Leading functions are formalizing this process by building audit strategies that not only reflect the organization’s risk appetite but also demonstrate how internal audit optimizes its resource model, integrates with other assurance providers, embeds feedback loops, and strengthens stakeholder relationships.
Dashboards, AI-driven analytics, and real-time engagement tools are increasingly common mechanisms to ensure this alignment. Some strategies now explicitly reference enabling technologies, including AI, as part of how internal audit sustains agility, transparency, and responsiveness. But strategies only gain credibility when paired with robust quality systems.
Quality and Continuous Improvement
At the heart of the new framework is the requirement for a Quality Assurance and Improvement Program (QAIP). This program is not just a periodic exercise; it must operate as a system, incorporating ongoing monitoring, periodic self-assessments, and a 5-year external quality assessment cycle. The Standards emphasize transparency, requiring boards to receive regular reporting on quality results, remediation actions, and continuous improvement initiatives.
In practice, technology and AI are redefining quality by standardizing execution, surfacing exceptions earlier, and shortening review cycles. Functions are adopting workflow tools such as AuditBoard and Workiva to standardize workpapers, automate documentation, and accelerate reviews. Some are deploying AI agents for routine audits, continuous monitoring, and anomaly detection – not replacing judgment, but freeing human auditors to focus on higher-risk and more judgment-intensive areas.
Over time, these tools also support the maturity journey outlined in the Standards: moving from “Initial/Reactive” practices to “Optimizing/Strategic Value” functions that contribute directly to organizational success.
Advancing Internal Audit Maturity
The GIAS outlines a path for how internal audit functions evolve in maturity – from ad-hoc activities to fully optimized, AI-enabled value creators. This model illustrates the progression and provides leaders with a tool to assess where they stand today and what capabilities are needed in the future.
Internal audit leaders can use this model as both a diagnostic and a roadmap for transformation. And as functions progress along this maturity journey, transparent and timely communication with the board becomes essential.
Reporting, Transparency, and Board Communication
The Standards also raise expectations for how internal audit communicates with boards. Reporting is no longer about delivering static documents. Instead, audit leaders are adopting dynamic, digital-first approaches:
- Dashboards that consolidate findings, remediation status, and value metrics in real time.
- Generative AI tools to prepare draft summaries, automate trend analyses, and shorten reporting cycles.
- Scorecards to highlight risk coverage, issue aging, closure velocity, and stakeholder feedback.
Boards gain not only visibility into issues but also confidence in how internal audit drives accountability. Independence remains paramount: While AI accelerates analysis, conclusions must always be owned and signed off by human auditors. Alongside improved reporting, the Standards expand what must be reported on through the introduction of Topical Requirements.
Topical Requirements as Strategic Inputs
One of the most significant evolutions in the Standards is the addition of Topical Requirements. These are mandatory when a subject is part of the audit plan, identified during fieldwork, or requested ad hoc by management or the board. Internal auditors must not only assess applicability but also document the rationale for excluding a requirement.
This approach ensures consistent, high-quality coverage of critical themes such as cybersecurity, third-party risk, organizational culture, and business resiliency. For example, the Cybersecurity Topical Requirement – effective February 5, 2026 – provides structured evaluation criteria and aligns directly with frameworks such as NIST and COBIT. By embedding these requirements into the audit plan, CAEs can show their function’s relevance to the most pressing organizational risks.
Meeting these new requirements at scale depends on technology and, increasingly, AI.
Technology and AI as Enablers
Innovation is an explicit objective of the GIAS. The Standards encourage internal audit functions to maximize the use of technology, enhance coordination, and expand value delivery. Teams are increasingly leveraging GRC platforms to automate workflow, manage documentation, and centralize assurance provider inputs.
AI is rapidly becoming indispensable. Advanced analytics expands scope through full-population testing and anomaly detection, and predictive models allow proactive risk identification. Generative AI, meanwhile, is being used to automate documentation, accelerate draft reporting, and benchmark continuous improvement efforts. These technologies must be governed within the same principles of objectivity, competence, and confidentiality that underpin the Standards. Many organizations are already aligning their AI programs with external frameworks such as the NIST AI Risk Management Framework to safeguard against bias and preserve independence.
With these opportunities come risks, making governance and guardrails essential.
AI Guardrails for Quality and Independence
As AI becomes embedded in audit processes, clear safeguards are essential to preserve independence, transparency, and trust. Leading functions are putting the following controls in place:
Of all the guardrails, the most critical are people themselves – supported by skills development and collaboration.
People, Skills, and Collaboration
Another critical dimension of strategy is people. The Standards require that internal audit functions demonstrate adequate financial, human, and technology resources. Forward-thinking functions are using competency frameworks tied to the Standards, with training delivered through platforms like Workday and tracked through formal attestations. AI is also being used to identify skill gaps, optimize staff deployment, and match resources to complex audits.
Collaboration with other assurance providers is a key component of the new framework. Cross-functional teams are increasingly using shared GRC platforms to streamline communication, coordinate findings escalation, and avoid duplication. This integration reinforces the value of internal audit not just as an independent assurance provider but as a strategic partner in enterprise risk management.
Together, strategy, quality, technology, and people move internal audit beyond conformance into a true value driver.
From Conformance to Value
The new Global Internal Audit Standards set a higher bar, but they also provide a clear roadmap. Audit leaders who act now are realizing measurable benefits:
- Accelerated QA cycles and earlier risk detection.
- Deeper insights enabled by analytics and AI-driven monitoring.
- Meaningful continuous improvement metrics that strengthen the QAIP.
- Real-time board communication through dashboards and interactive reports.
The next era of internal audit will be defined not just by compliance, but by how effectively these elements – strategy, quality, technology, and people – come together to drive resilience and enterprise value. Ready to transform your internal audit function in the age of AI? Contact CrossCountry Consulting to get started.