This article was originally published in BDO Spotlight - July 2025
As expectations around transparency and accountability continue to rise, strong governance has become a defining benchmark of effective leadership. As regulatory environments grow increasingly complex and interconnected, boards are expected to look beyond technical compliance and consider the efficacy of governance across the organisation.
At a recent session hosted by the Singapore Institute of Directors (“SID”), Koh Chin Beng, Partner at BDO Risk Advisory, shared insights on how the new Global Internal Audit Standards (“GIAS”) can serve as a good reference point for organisations aiming to strengthen their governance structures. The standards offer a clear and structured depiction of what effective internal audit and board oversight entail.
What’s New in the GIAS?
The 2024 revision of the GIAS introduces a more structured, comprehensive approach to internal audit governance, focusing on five domains, 15 principles, and 52 standards. The framework offers boards, Chief Audit Executives (“CAEs”) and senior executives a practical tool for assessing audit maturity and oversight effectiveness.
Key updates include:
- Clearer articulation of board and management responsibilities related to internal audit.
- A focus on aligning internal audit priorities with business objectives and risk exposure.
- An emphasis on collaboration between the board, senior leadership and the CAE.
These enhancements reflect a shift from a procedural audit function to a more strategic, organisation-wide governance mindset.
Figure 1: Overview of GIAS (reference: https://www.theiia.org/en/standards/2024-standards/global-internal-audit-standards/)
Translating the Principles into Practice
The GIAS outlines specific principles that reinforce the board’s responsibility in supporting and governing internal audit. Among the principles, three stand out as critical to reinforcing the board’s oversight role.
Principle 6: Authorised by the Board
The board plays a key role in authorising the internal audit function by approving:
- The internal audit charter that outlines the scope and authority of internal audit.
- The audit plan, budget, and resource allocation to ensure that the function is adequately supported.
- The CAE’s access to all necessary data, records, personnel, and assets to enable internal audit to carry out its mandate effectively.
To Adopt: The board plays a key role in ensuring the function is properly defined and empowered. The CAE, in turn, works with the board and senior management to translate this into day-to-day operational authority.
Principle 7: Positioned Independently
The independence of the internal audit function is paramount. The board is responsible for:
- Appointing or removing the CAE, ensuring that the right qualifications and competencies are in place to lead the internal audit function.
- Overseeing safeguards that protect the organisational independence of internal audit, particularly in cases where the CAE’s role could present a conflict of interest.
To Adopt: Independence is upheld when the CAE has a direct line to the board and clarity around his/her scope of responsibility. Senior management should be involved in performance discussions but not in ways that may impair objectivity.
Principle 8: Overseen by the Board
The board’s role in overseeing the internal audit function has been enhanced. It must:
- Set internal audit priorities, aligning them with organisational strategy, objectives, and emerging risks.
- Ensure that internal audit has the resources required to carry out its activities effectively.
- Regularly review the Quality Assurance and Improvement Program (“QAIP”), which evaluates the internal audit function's performance and compliance with standards.
- Approve performance objectives for internal audit at least annually.
To Adopt: Boards provide direction and assess whether internal audit activities align with enterprise risks and goals. The CAE assumes responsibility for communicating performance, resourcing and any improvement actions clearly and regularly.
Internal Audit: Transitioning from Compliance to Strategic Partner
Internal audit has long been viewed primarily as a compliance mechanism, focused on control testing and post-event reviews. While that role remains essential, limiting the function to this narrow scope significantly understates its strategic value. Today’s business environment demands a more forward-looking internal audit, capable of identifying risks early, offering insights on governance effectiveness, and contributing meaningfully to enterprise decision-making.
The GIAS provides a clear framework supporting this evolution. By embedding internal audit into strategic dialogue, boards can leverage internal audit’s unique vantage point across the organisation. When internal audit is well-positioned and supported by strong board sponsorship and clear organisational independence, it can act as a valuable advisor to leadership. It helps identify risks early, test key initiatives, and strengthen accountability. With appropriate structure and support, internal audit contributes meaningfully to stronger governance and long-term organisational resilience.
Organisational Benefits: Enhancing Governance and Performance
Organisations that align internal audit with the GIAS are investing not only in compliance but in building smarter and more effective governance. Internal audit, when well-positioned, delivers benefits that reach far beyond the audit committee.
These benefits include:
- Stronger Governance: With the board more involved in the governance of internal audit, organisations can ensure that audit activities are aligned with corporate strategy and risk management priorities.
- Improved Risk Management: By setting clearer priorities and ensuring the internal audit function is adequately resourced, organisations can more effectively identify and mitigate emerging risks.
- Greater Organisational Value: The new framework encourages internal audit to go beyond traditional compliance and offers forward-looking insights that help drive business performance and stakeholder confidence.
Closing the Loop: Governance as a Connected System
Figure 2: Three Lines Model (adapted from: https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf)
Effective governance does not emerge from individual functions acting in isolation. It is a product of a coherent system – one in which the board, management, and internal audit each play a distinct yet interconnected role. The three-way partnership, as illustrated in the Three Lines model referenced during the SID session, underscores this structure. The board provides direction and oversight, management executes strategy while managing risk, and internal audit delivers independent assurance on both.
This tripartite relationship is not static. It relies on continual engagement, trust, and the disciplined exchange of information. When functioning well, it fosters an environment where risks are surfaced early, controls are tested rigorously, and decisions are made with clarity and confidence.
The GIAS helps articulate this model by defining the distinct roles each party plays in strengthening governance. By using the GIAS as a reference point, boards and executive teams can ensure their governance structures are not only well designed but actively reinforced. In doing so, organisations move beyond compliance, signal credibility, command stakeholder confidence, and position themselves for long-term success.
Article contributed by Katherine Ang Li Nah, Associate Director, Risk Advisory Services.