Skip to main content
Contact Us
Search
Weaver Connect
Payment Portal Client Login Weaver Alumni
Home    /    Insights & Resources

What the IIA’s New Competency Framework Means for Today’s Audit Leaders

Article
The IIA’s new Internal Auditing Competency Framework redefines audit credibility. Learn how aligning skills with key risks strengthens business outcomes and governance.
8 minute read
November 4, 2025
David Lange
David Lange
Director, Governance, Risk and Compliance Services

Related

Never miss a thing.

Sign up to receive our insights newsletter.

Subscribe

Online accountants talking virtual call at workplace closeup

The IIA released its new Internal Auditing Competency Framework in July 2025. The framework is a comprehensive guide that includes four competency categories and 28 knowledge and skill subcategories. It also provides proficiency levels and role expectations, from staff auditor through chief audit executive (CAE). The framework is more than simply a technical roadmap — it’s a signal of intent and direction.

Today more than ever, audit teams are not only judged by the number of certifications they hold, but on whether their skills align with the real risks that influence business performance. This is where many internal audit and risk groups currently find challenges.

Some audit functions find themselves buried in compliance tasks, producing long lists of control exceptions without aligning the findings to what drives enterprise value. Conversely, some audit teams label every issue as critical until management simply tunes out, diluting the value of the insight gained from the audit. Both approaches can erode credibility. The truth is that competency will deliver value when it targets the right risks, with the right emphasis at the right time.

The new framework is most useful when used as a risk-based lens to build teams that are not just technically skilled but strategically aligned to the enterprises’ objectives. That’s what differentiates cost center audit functions from trusted advisors.

The Framework at a Glance

The framework organizes internal audit competencies into the following four high-level categories and 28 knowledge and skill subcategories:

Internal Auditing Competencies Professional Competencies
• International Professional Practices Framework
• Ethics and professionalism
• Quality Assurance and Improvement Program
• Audit methodologies
• Integrated and coordinated assurance
• Reporting results 		• Leadership
• Professional communication
• Negotiation and conflict management
• Data analysis
• Project management
Governance and Risk Management Competencies Operational Area Competencies
• Governance
• Strategy
• Enterprise risk management
• Compliance
• Fraud
• Organizational resilience
• Sustainability		 • Accounting
• Customer relationship management
• Cybersecurity
• Finance
• Human resources
• Information technology
• Marketing
• Sales
• Supply chain management
• Other significant sectors, functions, processes
 

In addition to the high-level competencies and subcategories, the framework defines four proficiency levels with the aim to reflect leading global practices:

  1. Basic proficiency: Individuals demonstrate awareness through education and experience.
  2. Intermediate proficiency: Individuals apply knowledge, skills or experience with certain processes, though they do not have the skills to lead engagements.
  3. Advanced proficiency: Individuals demonstrate the ability to lead and train others in a knowledge and skill subcategory.
  4. Expert proficiency: Individuals demonstrate significant insight and are considered a trusted advisor and thought leader of a knowledge or skill subcategory.

The proficiency levels are mapped to job expectations — from staff and senior auditors, through supervisors to CAEs and audit committees. The proficiencies levels can also vary by organization, geography, industry sector and size of the internal audit function, among other factors.

Why the Framework Deserves Attention

Competency frameworks aren’t new, but this update is a game changer because:

  • Competency is the new currency of credibility: Boards and executives measure value by outcomes, not hours. The framework turns skills into action.
  • CAEs are explicitly accountable: CAEs must ensure the audit function collectively has the right proficiency within the team or that they are using third-party consultants to supplement the skills of the team.
  • Boards now have a yardstick: Audit and other governance committees will press on whether audit teams have the right skillset.
  • Sound judgment is the differentiator: Even highly skilled auditors can misjudge where the true risk lies, which can cause even top audit teams to stumble.

Five Practical Takeaways for Audit Leaders

1. Build your competency plan around enterprises risks

The framework provides direction; it’s not a one-size-fits-all formula. As every organization has a unique risk profile, audit functions should map competencies to the top five to seven enterprise risks and align proficiency expectations accordingly. It’s recommended to avoid treating competencies as a human resources exercise.

Practice application: Don’t blindly follow the framework’s categories; tailor them to reflect your organization’s unique risk profile.

2. Use the framework to recalibrate how risks are evaluated

When risk criteria aren’t properly weighted, credibility in audit judgment can quickly erode. The framework exposes where advanced skills are focused on low-value risk areas and where high-value risk areas are being supported by basic skill levels. Pair your competency assessment with enterprise risk management (ERM) results to identify and close credibility gaps.

3. Rethink hiring and development strategies

Internal audit teams should be hired and developed like a balanced portfolio, blending CPAs with cyber, data, sustainability and operational professionals. Strategic rotations with business units and targeted certifications deepen insight and reinforce credibility. The goal isn’t to fill audit positions, it’s to align talent with the highest impact enterprise risks.

4. Integrate competency assessments into governance

Competency gaps should be reported regularly to audit committees, executives and others charged with governance. Linking competency assessments to budget cycles can be used to provide strong support to hire additional resources and further develop the audit talent pool.

Practice application: Document gaps and actions in committee packets to demonstrate audit maturity and foresight.

5. Align competencies with business outcomes

Competencies only matter when they translate into measurable outcomes, such as revenue protection, faster remediation, risk detection and/or management buy-in. Without clear alignment between skills and business results, internal audit will be seen as just another cost center.

Consequences of Ignoring the Framework

When the framework becomes a check-the-box exercise rather than a strategic tool, the organization’s likely to have increased exposure:

  • Credibility erosion: Exaggerating or downplaying risks can quickly erode credibility with stakeholders.
  • Failed quality assessments: “Does not conform” or “partially conforms” results if competency planning isn’t demonstrated
  • Strategic irrelevance: Remaining at basic proficiency on critical risk areas leaves audit sidelined.

Closing Thought

The IIA’s framework provides a solid roadmap into matching talent and skills to the risks with the highest business impact. Leading audit teams will dynamically use the framework to demonstrate value, enhance judgment and stay aligned to organizational goals. This will be the differentiator between audit teams that maintain the status quo and those operating at the cutting edge of audit proficiency.

Are you ready to put the framework into action? Weaver helps internal audit leaders align teams, competencies and strategies to protect and grow enterprise value. Contact us.

©2025