The IIA’s Global Internal Audit Standards, released on 9 January 2024 and effective for conformance from 9 January 2025, are the most consequential restatement of internal audit practice in a generation. They consolidate the 2017 IPPF’s six separate elements into a single 120-page document organised around five domains, 15 principles, and 52 essential conditions. They make stakeholder engagement, strategic alignment, and performance measurement mandatory where these were previously implied. And they introduce Topical Requirements — on cybersecurity, third-party risk, organisational behaviour, and organisational resilience — that internal audit functions are now expected to incorporate.
For a Head of Audit running a global function — group-level reporting, regional coverage, thin teams in some geographies, an audit committee that wants more for less — the Standards arrive on top of pressures that already existed. ESG assurance. Cybersecurity oversight. Third-party risk in a tightening regulatory environment. A board that reads more than it used to. Stakeholders who expect insight, not just assurance.
The function is being asked to do more with the same. The Standards are not, in themselves, a problem — they codify what good practice already looked like. But the conformance work is real, the documentation expectations have tightened, and the External Quality Assessment cycle continues regardless of resource availability.
What follows is a peer-level reading of where the Standards are likely to press hardest on a Head of Audit in 2026 and 2027, and an honest discussion of where a credible co-source partnership strengthens the function versus where it weakens it. I write this as someone who has run a group internal audit function across Asia, the Middle East, and Africa for a Swiss-headquartered industrial group, and who now operates a partner-led practice from India serving multinational subsidiaries and Indian listed companies in roughly equal measure. The view is from inside the chair, not from outside it.
1 · Domain III — the board relationship has been formalised
What the 2017 Standards implied about the CAE’s relationship with the board, the 2024 Standards now require.
Domain III — Governing the Internal Audit Function — is where the new Standards have moved most decisively. The CAE’s positioning relative to the board (or audit committee) is now codified through specific principles on board-CAE direct interaction, on the establishment of the internal audit mandate, and on the board’s active role in resourcing and evaluating the function.
Two practical implications follow. First, the internal audit charter — which most functions have maintained as a static document, refreshed every few years — is now expected to be a live instrument that articulates stakeholder expectations, the function’s positioning, and the resources committed to it. Audit committees that have not reviewed their charter against the 2024 Standards will be asked to do so during the next External Quality Assessment.
Second, the CAE’s reporting line and the substance of board engagement have moved from “recommended” to “essential.” The Head of Audit who reports administratively to the CFO and only meets the audit committee chair quarterly will, under the new Standards, need to evidence direct and substantive engagement with the board on matters affecting the function’s independence and resourcing. This is operationally significant in organisations where the historical reporting pattern has been less direct than the Standards now expect.
2 · Domain IV — the audit strategy is now a document, not a state of mind
Strategic alignment and the QAIP have been formalised. Documentation is no longer optional.
Domain IV — Managing the Internal Audit Function — introduces explicit principles on the development of an internal audit strategy aligned with the organisation’s strategy and risk profile, on the design of the annual audit plan to reflect that strategy, and on the operation of a documented Quality Assurance and Improvement Program (QAIP) with both internal assessment and External Quality Assessment components.
Many functions have run on an annual risk-based audit plan refreshed each year through a familiar process: organisational risk-assessment workshop, audit universe scoring, plan calibration, audit committee approval, execution. What the 2024 Standards now require is a layer above that — a strategy for the function itself, articulating how the function will deliver against stakeholder expectations over a multi-year horizon, how it will develop its people and capabilities, how it will adopt technology and analytics, and how it will measure its own performance. Standard 9.1 (Organizational Risk Profile) makes this strategic alignment a documented expectation, not a conversational one.
The QAIP is the second instrument that has moved. Internal self-assessments are expected annually. External Quality Assessments remain on a five-year cycle, but the documentation expected during them has tightened. Functions that have run on a strong informal QAIP — where the CAE knows the work is good but has not documented the conformance trail — will find the next EQA more demanding than the last.
3 · The Topical Requirements — new audit territory, often without new resource
Cybersecurity, third-party, organisational behaviour, organisational resilience — mandatory inclusion in audit activities.
The Topical Requirements are the most operationally consequential addition to the 2024 framework. The IIA has identified eight risk areas, with the first four now active: cybersecurity, third-party risk, organisational behaviour (covering culture, conduct, and ethics), and organisational resilience. Internal audit functions are expected to include these topics in audit activities and to evidence that inclusion.
For a Head of Audit, the practical question is straightforward and uncomfortable: who in my team has the depth to audit cybersecurity controls to current expectations? Who can run a third-party risk assessment to the standard the new Topical Requirements imply? Who can audit organisational behaviour in a way that surfaces conduct issues without becoming an HR investigation? Who has the discipline to assess organisational resilience and business continuity rigorously?
In most internal audit functions, the answer is partial at best. A generalist team can cover one or two of these areas with stretch. Covering all four to the depth the Topical Requirements anticipate is a specialist exercise, and the specialist exercise is where the co-source question becomes operationally relevant — not because in-house cannot do the work, but because in-house cannot reasonably maintain four specialist capabilities permanently.
4 · Stakeholder engagement — from implied to required
The Standards now require active management of stakeholder expectations, not just delivery against them.
A subtle but important shift sits in the Standards’ treatment of stakeholders. The 2017 IPPF spoke of stakeholders implicitly — the board, senior management, the auditees. The 2024 Standards make stakeholder engagement explicit, with the CAE expected to identify stakeholders, understand their expectations, manage those expectations, and demonstrate value against them.
Two consequences for a Head of Audit. First, the audit committee chair and the CEO are now stakeholders whose expectations must be actively managed — in the sense that the CAE must know what they expect, must align the function to deliver against those expectations, and must communicate when expectations cannot be met within current resourcing. The polite annual conversation about “how the audit function is going” is no longer adequate. The Standards anticipate something more deliberate: a documented dialogue, refreshed on cycle, that evidences active management of the relationship.
Second, the auditee population — the business owners whose processes are being audited — are also stakeholders. Their experience of the audit, their understanding of the value the function delivers, and their participation in remediation are now considerations the CAE is expected to manage actively. For a function in the historical posture of “audit issues, recommendations, follow-up,” this is a meaningful change in orientation.
5 · Resource adequacy — the CAE’s declaration has new weight
Where the function’s capability does not match the risk profile, the CAE is now expected to say so.
Perhaps the most personally consequential change in the new Standards is what is required of the CAE in declaring whether the function has the resources it needs. The principles on resourcing make the CAE responsible for evaluating capability against the organisation’s risk profile and for communicating any gap to the board.
This is, of course, what good CAEs have always done. The 2024 Standards make it formal. A CAE who has been quietly managing through resource constraints — covering critical audit areas with stretch, deferring lower-risk areas, declining new scope — is now expected to surface that picture transparently to the board, with the gap quantified and the consequences spelled out. The political dynamics of doing this in any large organisation are real. The Standards do not pretend otherwise; they simply require the conversation.
The co-source model becomes relevant here too, but in a particular way. A CAE who can demonstrate that the function uses external partners to extend capability in specialist areas — rather than to substitute for permanent capacity — has a more defensible resourcing posture than one who is silent on the gap. Co-source, properly framed, is a resource-strategy answer, not an outsourcing decision.
Where in-house capability ends, and a credible co-source partner begins.
Stepping back from the five pressure points, the question for a Head of Audit becomes operational. Where should the in-house function hold the work, and where is a credible co-source partner a better answer than stretching an already-thin team?
In my view, three categories of work belong unambiguously in-house: the audit strategy and the annual plan, ownership of the QAIP, and stakeholder engagement at the board and senior-management level. These are the activities through which the CAE earns and discharges the role. They are not delegable to a partner without diluting the function.
Three patterns of co-source weaken the function rather than strengthening it, and a CAE evaluating partners should be alert to each. First, where the partner cycles juniors through engagements with thin senior review — the function loses methodology consistency and the audit committee detects it in the variable quality of the deliverable. Second, where the partner has conflicting commercial relationships with the audited management — independence is technically preserved but operationally compromised, and findings get softened. Third, where the engagement letter is fee-anchored rather than scope-anchored — the partner’s incentive shifts from substantive findings to deliverable volume, which an audit committee will identify within two cycles. Each of these is observable in the partner’s prior work and worth testing in due diligence before commitment.
Three categories of work, conversely, are well-suited to a partner-led co-source: the Topical Requirements where specialist depth is needed (cybersecurity, third-party, organisational resilience), specific high-risk engagements where independence from local management is operationally important (forensic work, anti-bribery reviews, sensitive investigations), and capacity extension into geographies where the function is thin (a regional or country team that needs surge support without permanent hiring).
The middle category — routine financial, operational, and IT audits — can sit in either model. The deciding factor is not capability but cost-and-context: where the function has the headcount and the local knowledge, in-house is the right answer; where coverage is thin, where context-switching across geographies erodes quality, or where the political dynamics of an audit benefit from external independence, co-source is the right answer.
What a Head of Audit should look for in a co-source partner.
Co-source partnerships fail more often than they succeed, and the reasons are predictable. The Head of Audit who is considering a co-source arrangement — or refreshing one — should test the partner on five specific dimensions before committing.
One — conformance with the IIA’s 2024 Global Internal Audit Standards in the partner’s own work. If the partner cannot articulate how their methodology aligns with the five domains and the essential conditions, the partner’s output will not pass the CAE’s QAIP review. The partner should be able to map their work papers, their reporting conventions, and their evidence retention to the Standards without prompting.
Two — the named partner’s personal credentials and audit-committee experience. Not the firm’s brochure. The specific individual who will be reviewing and signing the work. A CAE engaging a co-source partner is, in effect, extending their own delegated authority to that individual. The individual’s credentials, prior audit-committee exposure, and personal liability under the engagement letter all matter.
Three — the partner’s ability to operate to your audit committee’s standards, not just to professional standards. A multinational audit committee has expectations that go beyond the IIA Standards — on documentation, on tone, on issue severity, on remediation tracking. The partner should be able to demonstrate prior work at audit-committee level for organisations of comparable scale and complexity to yours, and should be willing to align their conventions to yours rather than vice versa.
Four — data governance under the regulations of the relevant jurisdictions. For multinational engagements with Indian operations, this includes India’s Digital Personal Data Protection Act 2023, the European GDPR for EU-headquartered groups, and the specific data-residency conventions of your group. The partner’s answer to “where will our data sit, who will have access, and how will it be destroyed at the end of the engagement” should be precise and immediate.
Five — the partner’s view on independence and conflicts. A serious partner will decline work where independence is compromised — for example, where the partner’s firm also provides other services to the auditee that would create a conflict, or where the partner has a relationship with management that an audit committee would view as inappropriate. The partner who never declines a mandate on independence grounds has not understood the role.
The partner-led co-source model — what it looks like in practice.
The model that I have seen work, across two decades of operating in this space, is small in scale and high in quality. It is not the large-firm co-source model where the named partner appears at the pitch and the work is done by rotating juniors. It is a partner-led arrangement in which the same senior individual who scopes the work also reviews the workpapers, signs the report, and presents the findings to the audit committee.
The economics are different from the large-firm model. Engagement fees per day are typically comparable or modestly lower, but the ratio of senior time to engagement is higher — meaning that the value delivered per engagement-rupee is, in my own experience, materially better. The audit-committee feedback differs accordingly: a partner-led co-source engagement reads to the audit committee as the work of a senior practitioner, not the work of a brand.
The structural arrangement that most often works is a defined three-to-five-year framework agreement between the CAE’s function and the partner firm, with annual scoping of specific engagements within it. This gives the partner enough continuity to develop deep knowledge of the organisation, gives the CAE enough flexibility to commission specific work as the audit plan evolves, and gives the audit committee confidence that the relationship is governed properly. The framework agreement should include explicit conformance with the IIA Standards, explicit alignment with the organisation’s own audit methodology, and explicit independence and conflict-of-interest protocols.
For Heads of Audit at multinationals with significant Indian operations, the partner-led co-source model has particular value. The Indian regulatory environment — the Companies Act 2013, CARO 2020, GST and Income Tax compliance, the DPDP Act 2023 — is intricate enough that a partner with deep local knowledge adds substantial value to a global function. The same partner, if internationally qualified and methodology-aligned, can also operate to the standards expected by a group head office, an audit committee in another jurisdiction, and an External Quality Assessor.
The honest summary.
The IIA’s 2024 Standards have not transformed internal audit. They have codified what good internal audit already looked like, and they have raised the documentation expectations around it. For a Head of Audit running a global function, this means more work to evidence conformance, sharper expectations on stakeholder engagement, and a more formal posture on resource adequacy. None of it is unmanageable. All of it adds to the workload.
The partner-led co-source model, properly framed, is one of the more durable answers to this workload — not because it replaces in-house capacity, but because it extends specialist depth into the function without permanent hiring, supports thin-coverage geographies without burdening regional teams, and provides the audit committee with a layer of independent senior review that strengthens the function’s overall posture under the new Standards.
The choice of partner matters more than the model itself. A Head of Audit who selects a co-source partner on rate-card competition alone, without testing for the five dimensions above, is building a risk position into the function that will surface at the next External Quality Assessment, or at the next sensitive engagement, or in front of the next audit committee. The same Head of Audit who selects a partner on the basis of credentials, methodology conformance, audit-committee experience, and senior accountability is building a function that meets the new Standards and the audit committee’s expectations alike.
That, in a sentence, is the work the firm does.
Randhir served as Group Internal Auditor at ABB, a Swiss-headquartered Fortune 500 industrial group, for Asia, the Middle East, and Africa, with responsibilities spanning risk-based audits, FCPA reviews, and group ethics and compliance program implementations. He now operates RKLCMA, a partner-led practice that provides co-source internal audit, forensic, and compliance services to Indian listed companies and to multinational subsidiaries operating in India. Engagements are conducted in conformance with the IIA’s 2024 Global Internal Audit Standards, the COSO framework, and the relevant Indian statutory framework.
Selected references
- The Institute of Internal Auditors. Global Internal Audit Standards. IPPF 2024. Issued 9 January 2024; effective for conformance 9 January 2025.
- The Institute of Internal Auditors. Topical Requirements. IPPF 2024 supplements on Cybersecurity, Third-Party, Organisational Behaviour, and Organisational Resilience.
- Committee of Sponsoring Organizations of the Treadway Commission. Internal Control — Integrated Framework (2013) and Enterprise Risk Management — Integrating with Strategy and Performance (2017).
- The Companies Act, 2013 — Section 138 (Internal Audit), Section 177 (Audit Committee).
- The Digital Personal Data Protection Act, 2023 (India).