The Institute of Internal Auditors (IIA) is an organization which advocates, provides educational conferences, and develops standards, guidance, and certifications for the internal audit profession.


Established in 1941, the IIA today serves more than 200,000 members from more than 170 countries and territories. IIA's global headquarters are in Lake Mary, FL, United States. Anthony Pugliese is the President and CEO. Pugliese succeeded Richard Chambers, in 2021. Previously, Pugliese was President and CEO of CalCPA.

Professional certification

The Certified Internal Auditor (CIA) is the primary professional designation offered by The IIA. The CIA designation is a globally recognized certification for internal auditors and is a standard by which individuals may demonstrate their competency and professionalism in the internal audit field. In order to become a certified internal auditor, candidates must possess a four-year degree from an accredited institution as well as pass all three parts of the CIA exam. Earning the CIA certification is intended to demonstrate a professional knowledge of the internal audit profession. CIAs are required to take continuing education courses. Internal Auditors who take and pass the CIA Part One exam can earn the designation of Internal Audit Practitioner. In 2019, the IIA announced it would be changing the Internal Audit Practitioner program. The program changes include a new exam and waiving of the educational requirement for active Internal Audit Practitioner designation holders applying for the CIA program. The changes go into effect in 2020.

Other certifications

In 2019, the IIA announced plans to change its Certification in Risk Management Assurance (CRMA) program. The CRMA changes go into effect in October 2020, and will include a new exam and updated prerequisites and experience requirements. * Certification in Risk Management Assurance (CRMA) * Qualification in Internal Audit Leadership (QIAL) * Internal Audit Practitioner (IAP) * Certification in Control Self Assessment (CCSA) * Certified Government Auditing Professional (CGAP), for Government performance auditing and Government Auditors * Certified Financial Services Auditor (CFSA) As of December 31, 2018, the CCSA, CFSA, and CGAP are no longer accepting new applications, and the three designations will be re-positioned into assessment-based certifications in the future. Below demonstrates the Number of CIA Holders by Region as of December 31, 2021.

Professional standards

The IIA has two levels of professional guidance: (1) Mandatory Guidance (including the Standards) and (2) Strongly Recommended Guidance. The two levels of guidance constitute the IIA's International Professional Practices Framework (IPPF).

Mandatory guidance

The definition of internal auditing and the code of ethics and the Standards are mandatory for IIA members and internal audit organizations claiming to complete
audit An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing ...
s to IIA
technical standard A technical standard is an established norm or requirement for a repeatable technical task which is applied to a common and repeated use of rules, conditions, guidelines or characteristics for products or related processes and production methods, ...
s around the world. The guidelines and recommendations are recorded in what is referred to as the "Red Book." * The definition: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. * The four principles of the IIA's Code of Ethics are integrity, objectivity,
confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...
and competency. * The international standards for the professional practice of internal auditing:

Strongly Recommended Guidance

Position papers, practice advisories, and practice guides are Strongly Recommended Guidance that help define and explain the IIA standards. Additional sources of guidance include a variety of materials that are developed and/or endorsed by the IIA, including research studies, books, seminars, conferences, and other products and services related to the professional practice of internal auditing.

Practice guides

As practice guides, 8 PGs, 15 GTAG (Global Technology Audit Guide), and 3 GAITs (Guide to the Assessment of IT Risk) have been issued in 2009 and 2010. GTAGs are written in straightforward business language to address a timely issue related to
information technology Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of data . and information. IT forms part of information and communications technology (ICT). An information technology system ( ...
management Management (or managing) is the administration of an organization, whether it is a business, a nonprofit organization, or a government body. It is the art and science of managing resources of the business. Management includes the activities ...
control Control may refer to: Basic meanings Economics and business * Control (management), an element of management * Control, an element of management accounting * Comptroller (or controller), a senior financial officer in an organization * Controlli ...
, and
security" \n\n\nsecurity.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called \"security.txt\" in the well known locat ...
. To date, the IIA has released GTAGs on the following topics: :*GTAG 1:
Information Technology Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of data . and information. IT forms part of information and communications technology (ICT). An information technology system ( ...
Controls :*GTAG 2: Change and Patch Management Controls: Critical for Organizational Success :*GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and
Risk Assessment Broadly speaking, a risk assessment is the combined effort of: # identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and # making judgments "on the t ...
:*GTAG 4: Management of IT Auditing :*GTAG 5: Managing and Auditing Privacy
Risk In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environme ...
s :*GTAG 6: Managing and Auditing IT Vulnerabilities :*GTAG 7: Information Technology
Outsourcing Outsourcing is an agreement in which one company hires another company to be responsible for a planned or existing activity which otherwise is or could be carried out internally, i.e. in-house, and sometimes involves transferring employees and ...
:*GTAG 8: Auditing Application Controls :*GTAG 9: Identity and Access Management :*GTAG 10: Business Continuity Management (BCM) :*GTAG-11: Developing the IT Audit Plan :*GTAG-12: Auditing IT Projects (Mar. 2009) :*GTAG-13: Fraud Prevention and Detection in an Automated World (December 2009) :*GTAG-14: Auditing User-developed Applications (June 2010) :*GTAG-15: Information Security Governance (June 2010) :*GTAG-16: Data Analysis Technology (August 2011) :*GTAG-17: Auditing IT Governance (July 2012) :*Auditing Smart Devices: An Internal Auditor’s Guide to Understanding and Auditing Smart Devices (August 2016) :*Assessing Cybersecurity Risk: Roles of the Three Lines of Defense (September 2016) :*Understanding and Auditing Big Data (May 2017) :*Auditing Insider Threat Programs (August 2018) The IIA offers 31 General practice guides, 4 Financial Services guides, 4 Public Sector guides, 18 Global Technology Audit Guides (GTAG), 3 Guides to the Assessment of IT Risk (GAIT), and 2 guides for supplemental guidance.

Other initiatives

Internal Audit Foundation

The Internal Audit Foundation is a not-for profit organization that promotes and advances the value of the internal audit profession globally. It supports research, grants and awards, and promotes internal auditing study at post-secondary institutions worldwide. The 2020 Annual Report of the Foundation included white papers on auditing during the
COVID Coronavirus disease 2019 (COVID-19) is a contagious disease caused by a virus, the severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2). The first known case was identified in Wuhan, China, in December 2019. The disease quickly ...

American corporate governance index

In December 2019, the IIA announced the results from its inaugural American Corporate Governance Index (ACGI). The ACGI is a joint project of the IIA and the Neel Corporate Governance Center at the University of Tennessee, and grades companies on eight Guiding Principles of Corporate Governance. The principles were compiled from guidance and principles from organizations like the Business Roundtable, National Association of Corporate Directors, and New York Stock Exchange. Scores were based on the survey responses of 128 chief audit executives. The criteria included: board performance, external disclosures, companywide communication, corporate culture, and long-term strategies. The first report graded U.S. publicly listed companies overall with a C+.

See also

Committee of Sponsoring Organizations of the Treadway Commission The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992 (and subsequently re-released in 20 ...
* External audit,
External auditor An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited. Users of these en ...
Certified Public Accountant Certified Public Accountant (CPA) is the title of qualified accountants in numerous countries in the English-speaking world. It is generally equivalent to the title of chartered accountant in other English-speaking countries. In the United Sta ...
, and AICPA * Internal Audit, Director of audit, Comptroller General,
Inspector General An inspector general is an investigative official in a civil or military organization. The plural of the term is "inspectors general". Australia The Inspector-General of Intelligence and Security (Australia) (IGIS) is an independent statutory of ...
Internal Control Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broa ...
Controller Controller may refer to: Occupations * Controller or financial controller, or in government accounting comptroller, a senior accounting position * Controller, someone who performs agent handling in espionage * Air traffic controller, a person ...
* List of international professional associations


External links

The Institute of Internal Auditors (IIA)
- and The IIA'
Code of EthicsInternal Audit FoundationNew York State Internal Control AssociationEssays on Common Sense Management regarding Internal ControlInternal Audit Training Courses across EMEAThe Chartered Institute of Internal Auditors
{{Authority control Internal audit Professional accounting bodies Auditing in the United States Organizations established in 1941 1941 establishments in the United States