The Standards are no longer divided into ‘attribute’ and ‘performance’ categories (Standard 1000 and 2000 series, respectively) and do not contain ‘Interpretations’ as a separate section of the Standard.
The Standards do not differentiate between assurance and advisory (formally consulting) projects and both are incorporated into the main body of the Standards. Requirements for ad hoc and advisory projects are now similar to risk-based assurance audits with limited exceptions.
In addition to the Standards, the other mandatory component of the IPPF is ‘Topical Requirements’ which will cover topics such as Cybersecurity, Environmental, Social & Governance (ESG), and Third-party Management. While the Draft Cybersecurity Topical Requirement has been released, the remainder are expected during 2024.
It is important to note that the issuance of the ‘Topical Requirements’ is not a directive for all IA functions to audit those areas immediately, but rather they are additional requirements to be followed when the IA function chooses to review that subject area.
The one non-mandatory section of the IPPF is the IIA’s ‘Global Guidance’ which includes non-mandatory information,…
