From Assumption to Evidence: How the IIA's Competency Framework Is Changing What Good Internal Audit Looks Like

What It Is, Why It Matters, and What You Need to Do About It

Ask most organizations if their internal audit function has the right capabilities. Most say, "Yes—they're experienced, they deliver, and we haven't had any problems." That isn't enough anymore.

The IIA released the updated Internal Auditing Competency Framework™ in June 2025, changing how internal audit capability is assessed, demonstrated, and reported — for individual auditors, chief audit executives (CAEs), and the boards and executive teams overseeing the function.

Experience and track record are no longer sufficient. Documented, structured, evidence-based competency assessment are now expected.

This is not compliance disguised as development. Used properly, the framework provides every internal audit stakeholder with a clear, structured way to determine whether the audit function can do its job.

What the Framework Is

The Internal Auditing Competency Framework™ is a structured tool for assessing and developing internal audit knowledge and skills. It has four categories, 28 subcategories, and four proficiency levels. It is meant to be customized for your organization.

The four categories cover the full scope of what internal audit professionals need to be effective:

• Internal Auditing Competencies address the technical foundations of the profession — audit methodology, the IPPF®, quality assurance, integrated assurance, and reporting. These are the core skills that define what it means to do internal audit work well.

• Professional Competencies address how auditors operate as professionals and leaders — communication, negotiation, conflict management, data analysis, project management, and leadership. These are often the capabilities that determine whether an audit function is genuinely influential or merely technically correct.

• Governance and Risk Management Competencies cover the strategic landscape auditors must understand and assess — governance structures, enterprise risk management, compliance, fraud, organizational resilience, and sustainability. This is where audit connects directly to the priorities that keep boards and executives up at night.

• Operational Area Competencies reflect the specific domains where an organization operates — finance, IT, cybersecurity, HR, supply chain, and others. This is the category that varies most by organization, and the one that most directly determines whether the audit plan is executable with the team that exists.

Each category has four proficiency levels: Basic, Intermediate, Advanced, and Expert. The levels show what a person can do—not just their experience. Basic means awareness, Intermediate means application, Advanced means leadership, and Expert means advising senior management.

This distinction is important because it changes how gaps are identified and addressed. An organization assuming capability because the team has "covered this area before" may be at Intermediate proficiency, when Advanced is required. The framework makes that gap visible. Assumption does not.

Why the Framework Is Aligned to the Standards — and Why That Creates Obligations

The Competency Framework™ is not standalone guidance. It is explicitly aligned with the Global Internal Audit Standards™, and that alignment has practical consequences.

Competency is required by several Standards domains. Domain II covers auditors' ethics and professionalism. Domain III requires CAEs to inform the board of the competencies the function needs. Domain IV links CAE management of the function to competency. Domain V connects auditor capability to engagement quality.

This means the Competency Framework is the practical instrument through which CAEs demonstrate conformance with multiple Standards simultaneously. The templates that accompany the framework — individual assessments, collective assessments, role profiles for nine job levels, and a conformance checklist — are designed specifically to produce documentation that supports Standards conformance.

What This Means for Each Stakeholder If you are an internal auditor

The framework delivers a structured way to assess your current capabilities and pinpoint areas for improvement. Use the Individual Competency Assessment to compare yourself to standards. Your manager reviews and provides feedback. This conversation drives real development.

The role profile templates (B1 through B9) let you benchmark your assessed proficiency against typical expectations for your current role and the role above it. There is no automatic link between competency development and promotion — but the profile comparisons make the picture concrete. If you are a senior auditor and your proficiency map doesn't correspond to the expected profile for your role, you now have a specific, evidence-based basis for a development conversation rather than a vague aspiration.

In fast-changing fields like cybersecurity, proficiency can fade.

If you are a Chief Audit Executive

For CAEs, the framework is both an operational management tool and a standards-conformance instrument. The following steps are as follows:

Step one: Customize. Review the default subcategory list and adapt it to your organization's structure, risk priorities, and key audit plan subjects. The framework is a starting point to connect to organizational reality.

Step two: Assess each person. Use Template A3 to do individual assessments. Give feedback and set proficiency levels and development steps. Repeat this regularly.

Step three: Assess collectively. Use Template A4 to summarize the collective proficiency of the function across all subcategories. Record current levels in Template A4. Set clear targets for each future period. Highlight in the template the areas where the gap between current and target proficiency is greatest, according to the audit plan.

Step four: Act on the gaps. Gap closure is not just a training matter. Training helps maintain ability but is generally insufficient to advance it. Closing meaningful gaps requires a combination of development plans, hiring decisions, co-sourcing arrangements, and, in some cases, adjusting the scope of the function's work until capability is in place. The Collective Competency Assessment documentation functions as your evidence base for resource requests—for budget, headcount, and technology.

Step five: Report. Standard 7.2 requires you to provide the board with information about the competencies needed to manage the function. The framework gives you the structure to do this in a credible, specific, and repeatable way — not as a narrative assertion, but as a documented assessment.

Your responsibility is to provide oversight by ensuring the CAE has performed and documented assessments. Take the following steps: request evidence of structured assessments, review the reports on current proficiency and gaps, and confirm there is a clear plan to address any shortfalls. Your role is to ensure confidence is based on evidence, not assumptions.

The framework signals good governance. If the CAE gives specific answers with documented assessments and plans, they are meeting Standards. If they give only qualitative reassurance, they are not meeting the standard yet.

For organizations where the audit function is being asked to assess increasingly complex risk areas — third-party risk, technology risk, ESG, emerging regulatory environments (SEC-Cyber, EU NIS2) — the competency question is not academic. The Operational Area Competencies category exists precisely because audit functions frequently inherit mandates that exceed their current capability. The framework makes that visible before an engagement delivers inadequate assurance, rather than after.

If you are a C-Suite executive

The internal audit function's capability directly affects the quality of assurance your organization receives on its highest-priority risks. An audit plan that includes engagements in areas where the team lacks sufficient proficiency isn't just an HR development problem — it is a risk management gap.

The Competency Framework delivers a structured basis for aligning audit capability with organizational risk priorities. When the CAE customizes the subcategories to reflect the organization's strategic landscape and then maps team proficiency against those categories, the output is a picture of where audit can deliver strong assurance, where it can deliver acceptable assurance with management, and where there is a genuine gap that requires a resourcing decision.

The framework comes with a practical problem: knowing it exists and actually using it are different things. Competency assessments take time, they surface uncomfortable gaps, and they require follow-up. The temptation to defer is real.

The business case for acting now is straightforward. The Global Internal Audit Standards™ create documented obligations around competency that external quality assessments will probe. Organizations whose CAEs cannot demonstrate a structured approach to competency management are exposed — not just to a compliance gap, but also to broader reputational and governance risks associated with an audit function that cannot credibly account for its own capability.

If you are a CAE, begin the Collective Competency Assessment this quarter. Map where the function stands against the subcategories most relevant to this year's plan. The gaps you find will drive better resource conversations, better development plans, and a more defensible answer when the board asks the question that they will, sooner or later, ask.

If you are on the board or audit committee, put the question on the agenda. Request the documented assessment. Review it with the same rigor you bring to the audit plan itself.

The Standards say you should — and the answer will tell you exactly where things stand.

The Internal Auditing Competency Framework™, Global Internal Audit Standards™, and the full International Professional Practices Framework® are available at theiia.org.