Organizations undergoing internal audits must adopt the Institute of Internal Auditors’ (IIA) new 2025 Global Internal Audit Standards. The standards make clear that an internal auditor should evaluate fraud risk as part of their risk-based methodology, not as a separate or episodic focus handled by other functions. Meeting these standards is now essential to being a trusted governance partner.
There are three core areas where the new standards significantly elevate fraud risk management expectations, each with unique best practices for compliance:
- Embed fraud risk into every audit phase
- Strengthen fraud risk documentation and traceability
- Apply fraud risk assessments to each individual engagement
Core standard update 1: embed fraud risk into every audit phase
Internal audit strengthens fraud risk coverage when it uses structured, repeatable methods to surface and evaluate risks as part of normal engagement planning — not as a separate or isolated exercise. The standards encourage internal audit teams to integrate fraud risk considerations into planning, execution and reporting activities. This means that internal audit should be able to demonstrate how identified fraud risks influence engagement objectives, scope and procedures.
Through external quality assessments (EQAs), Sikich often sees organizations acknowledge fraud risk conceptually, but struggle to show how these considerations are consistently applied across the audit lifecycle. Addressing this gap helps internal audit demonstrate alignment with the standards and strengthens its role in proactive risk management.
Implementation best practices
Structured prompts and frameworks help teams identify fraud risks systematically and ensure these risks clearly connect to audit objectives, scope and procedures. Conversations across the business — through interviews, surveys and workshops — add another layer of insight by revealing risks that may not appear in formal documentation.
Supervisory and quality review processes reinforce consistency, confirming that fraud considerations are addressed throughout the engagement. Once identified, risks should be rated by likelihood and impact so they can be prioritized and incorporated into audit planning in a disciplined, enterprise-wide manner. This integrated approach ensures the organization assesses fraud risk in a way that is both comprehensive and actionable.
Core standard update 2: strengthen fraud risk documentation and traceability
The revised standards place stronger emphasis on disciplined, well-documented risk assessment processes. Internal auditors must clearly document identified fraud risks rather than leave them implicit. Clear documentation enhances transparency and helps them show how they evaluate and address risks throughout the audit. As part of the annual risk assessment, internal audit should identify and document fraud risks alongside other key risks in the audit universe, using this information to inform audit planning.
Sikich’s EQA work frequently reveals gaps in this area: teams may list fraud risks in risk registers but don’t always clearly link them to audit procedures, limiting internal audit’s ability to demonstrate effective coverage.
Implementation best practices
A strong fraud risk process starts with the principle that what gets measured gets done. To make fraud planning consistent and repeatable, internal audit teams should standardize their approach. That begins with clearly identifying fraud risks — explicitly stating when none are present — then developing the related testing steps and building out the audit program. Documenting this program in a project management or audit platform ensures the right stakeholders contribute and that historical records are easy to reference.
Embedding fraud risk considerations directly into engagement planning templates is a practical way to make this discipline unavoidable. Platforms such as Workiva or AuditBoard allow teams to hardwire required prompts, fields and signoffs into the workflow. This creates a consistent structure for documenting fraud scenarios, associated controls and planned procedures, while also maintaining a clean audit trail. The result is greater accountability, stronger traceability and a process that correctly treats fraud planning as a systemic requirement across all engagements.
Core standard update 3: apply fraud risk assessments to each individual engagement
The new standards advocate for a risk assessment for every engagement, including consideration of fraud risks based on the audit’s nature and scope. Even when fraud isn’t a major concern, internal audit should show that it was considered and addressed when relevant.
This is a shift from viewing fraud assessments as specialized, occasional, red-flag-driven activities. Instead, the standards promote a consistent, risk-based approach in which fraud risk is evaluated as part of engagement-level planning.
Through EQAs, Sikich frequently observes gaps when fraud risk assessments performed by second-line functions are not fully integrated into internal audit planning, resulting in incomplete coverage.
Implementation best practices
Internal audit can strengthen fraud risk management by more deliberately integrating information, clarifying ownership and ensuring coordinated coverage. A key step is incorporating the results of second-line fraud risk assessments into the annual risk assessment and audit planning processes. When internal audit and second-line functions share information and coordinate effectively, fraud risks are evaluated more consistently and reflected appropriately in audit coverage. This reinforces the idea that fraud is a systemic, evolving threat that must be considered throughout the audit lifecycle — not treated as a peripheral issue.
Clear ownership is equally important. In many organizations, it’s unclear who’s responsible for various aspects of fraud oversight, causing gaps, duplication and missed risks. Assurance maps address this by explicitly documenting roles and responsibilities across management, compliance, risk and internal audit. By mapping fraud coverage across these functions, organizations gain a clearer view of accountability and can more easily identify where oversight is strong and where it needs reinforcement. When updated regularly, assurance maps remain a living tool that supports coordinated, comprehensive fraud risk management.
Conclusion: from compliance to culture
The new IIA standards represent more than just a compliance requirement. They are a call to embed fraud risk awareness into internal audit processes and strengthen overall effectiveness. When internal audit teams adopt structured approaches, leverage technology and align with stakeholder expectations, they meet the standards and elevate their role as trusted partners in governance.
Another IIA standard is to execute routine EQAs. Through our execution of countless EQAs, Sikich has witnessed and resolved the weaknesses these new standards address. We can also review and consult on how your team conducts routine internal assessments. Contact us to learn more.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.