2.1 Foundations of Internal Auditing Overview
Key Takeaways
- Section A, Foundations of Internal Auditing, is 35% of the CIA Part 1 blueprint, the largest of the four sections, and rests on the Global Internal Audit Standards effective January 9, 2025.
- The revised Purpose states internal auditing strengthens an organization's ability to create, protect, and sustain value through assurance, advice, insight, and foresight.
- The Standards framework has five Domains, 15 Principles, and 52 Standards; the Standards are mandatory and Global Guidance is recommended.
- Each Standard has three parts: Requirements (mandatory), Considerations for Implementation, and Examples of Evidence of Conformance.
What Internal Auditing Is
Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization's operations. Under the IIA's Global Internal Audit Standards (the "Standards"), which became effective January 9, 2025 and replaced the prior International Professional Practices Framework (IPPF) Standards, the Purpose of Internal Auditing is stated as follows:
Internal auditing strengthens the organization's ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
Memorize the four deliverables in that sentence: assurance, advice, insight, and foresight. The exam tests whether you can recognize that internal audit is not merely a backward-looking compliance checker — it also offers forward-looking foresight and value-adding insight. The three verbs — create, protect, and sustain value — replace the older "add value" phrasing and are a common stem cue.
Where this sits on the blueprint
The current CIA Part 1 exam is organized into four sections: A — Foundations of Internal Auditing (35%), B — Ethics and Professionalism (20%), C — Governance, Risk Management, and Control (30%), and D — Fraud Risks (15%). This chapter is Section A, and at 35% it is the largest single section of Part 1. It absorbed material that older study guides scattered across separate independence, objectivity, proficiency, and quality topics, so the foundational definitions, the Standards framework, charter requirements, service types, and the independence-versus-objectivity distinction all live here.
Independence and objectivity
Two words anchor everything: independence is an organizational attribute (the function is free from conditions that threaten its ability to carry out responsibilities in an unbiased manner), while objectivity is an individual mental attitude (the auditor makes judgments without subordinating them to others). The function is independent; the auditor is objective. Mixing these two up is the single most common Section A trap.
Risk-based and the mission of value
The Purpose statement also embeds risk-based: internal audit directs limited resources toward the areas of greatest risk to the organization's objectives rather than auditing everything equally. The older IPPF spoke of a separate "Mission of Internal Audit," and the 2025 Purpose folds that mission language directly into the definition. Treat the Purpose statement as the authoritative one-sentence definition of internal auditing: it covers value (create/protect/sustain), the recipients (board and management), the qualities (independent, risk-based, objective), and the deliverables (assurance, advice, insight, foresight).
The Architecture of the Standards
The Standards are built on a clean hierarchy you must be able to reproduce. Keep one thing straight: the Standards framework (its five Domains, below) is not the same thing as the exam blueprint (its four Sections A–D). They are different structures that both happen to use the word "domain" in places. The framework hierarchy is:
| Layer | Count | What it is |
|---|---|---|
| Domains | 5 | The broad organizing categories of the Standards |
| Principles | 15 | The guiding ideas inside the Domains |
| Standards | 52 | The specific, testable requirements |
The five framework Domains are:
- Purpose of Internal Auditing
- Ethics and Professionalism
- Governing the Internal Audit Function
- Managing the Internal Audit Function
- Performing Internal Audit Services
Note that the second framework Domain absorbed the former standalone Code of Ethics: its principles of integrity, objectivity, confidentiality, and competency now live as Principles within that Domain. There is no longer a separate Definition, Code of Ethics, and Standards — the 2025 framework is a single integrated document.
Anatomy of a single Standard
Every one of the 52 Standards is laid out in the same three-part structure, and the exam expects you to know which part is binding:
- Requirements — the mandatory "must" statements. Conformance is measured against these.
- Considerations for Implementation — practical, recommended methods. Helpful, but not mandatory.
- Examples of Evidence of Conformance — sample artifacts (charters, plans, minutes) that demonstrate the requirement was met.
Only the Requirements are mandatory. If a stem describes an auditor who skipped a "Consideration for Implementation," that is not automatically a nonconformance.
This three-part anatomy is new compared with the prior IPPF Attribute and Performance Standards. The 2025 design is deliberately more prescriptive: pairing each Requirement with worked Considerations and concrete Evidence examples makes conformance easier to measure. Expect an exam item probing whether you can name these three parts and identify the Requirements as the binding layer.
Mandatory vs. Recommended Guidance
The IPPF (the umbrella the Standards sit within) distinguishes two tiers of authority, and confusing them is a frequent miss:
| Tier | Component | Status |
|---|---|---|
| Mandatory | The Global Internal Audit Standards (all 52) | Required — conformance is not optional |
| Recommended | Global Guidance (formerly Practice Guides, Topical Requirements support) | Strongly suggested, not binding |
When a Standard's Requirement uses "must," conformance is obligatory. "Should" signals a strong recommendation that applies unless there is a defensible reason to deviate. A practitioner conforms with the Standards only when the Requirements are met; the CAE must disclose any instance of nonconformance that affects the overall scope or operation of the function to the board and senior management.
How Section A appears on the exam
Section A questions are often definitional or framework-structure questions: *What is the Purpose of Internal Auditing? How many Domains does the Standards framework have? * Because Section A is the largest block of Part 1 at 35% — roughly 44 of the 125 items — accuracy here moves your score more than any other section. Many of these points are also among the most memorizable on the exam, so aim for near-perfect recall. Build a one-page map: five framework Domains, 15 Principles, 52 Standards, three parts per Standard, mandatory Standards vs. recommended Guidance, and the Purpose sentence.
If you can recite that map cold, a large share of Section A items become reliable points.
Quick reference
- Effective date of the Standards: January 9, 2025
- Deliverables of internal audit: assurance, advice, insight, foresight
- Value verbs: create, protect, sustain
- Mandatory: Standards; Recommended: Global Guidance
Topical Requirements — a new mandatory layer
Beyond the 52 Standards, the IIA is rolling out Topical Requirements: mandatory, subject-specific requirements (for example, cybersecurity) that apply when a function works in that topic, supported by recommended Topical Requirement User Guides. The Section A takeaway is that the mandatory tier of the IPPF now contains both the Standards and any applicable Topical Requirements, while Global Guidance and User Guides remain recommended.
Under the 2025 Global Internal Audit Standards, what is the stated Purpose of Internal Auditing?
How is the framework of the Global Internal Audit Standards structured?
Each individual Standard contains three parts. Which part is mandatory and the basis for measuring conformance?