Government Functional Standard GovS 009: Internal Audit
Updated 31 March 2025
© Crown copyright 2025
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/government-functional-standard-govs-009-internal-audit/government-functional-standard-govs-009-internal-audit
Approved 31 March 2025
This functional standard is part of a suite of management standards that promotes consistent and coherent ways of working across government, and provides a stable basis for assurance, risk management and capability improvement.
The suite of standards, and associated guidance, can be found at GOV.UK/government/ collections/functional-standards.
Functional standards cross-refer to each other where needed, so can be confidently used together.
They contain both mandatory and advisory elements, described in consistent language (see the table below).
| Term | Intention |
| shall | denotes a requirement: a mandatory element. |
| should | denotes a recommendation: an advisory element. |
| may | denotes approval. |
| might | denotes a possibility. |
| can | denotes both capability and possibility. |
| is/are | denotes a description. |
The meaning of words is as defined in the Shorter Oxford English Dictionary, except where defined in annex B(#glossary) and the Common Glossary
It is assumed that legal and regulatory requirements are always met.
Version 3 of GovS 009 replaces version 2, but it has the same purpose, scope, and intent. Major changes have been made to eliminate duplication of requirements contained in the Global Internal Audit Standards and the Global Internal Audit Standards in the UK Public Sector Application Note. This functional standard is effective from 1 April 2025 in the UK public sector.
1. About this government functional standard
1.1 Purpose of this government standard
The purpose of this government functional standard is to set expectations for internal audit activity.
This standard, together with the Global Internal Audit Standards 1 and UK public sector application note 2 set expectations to enhance the effectiveness and efficiency of governance, risk management and control in government organisations.
1.2 Figure 1 scope and purpose of Internal Audit standards
Global Internal Audit Standards
Principle-based guidance that applies to all internal auditors worldwide, that incorporates:
-
Purpose of internal auditing
-
Ethics and professionalism
-
Governance of internal audit
-
Managing the internal audit function
-
Performing internal audit services
Each principle is supported by standards containing mandatory requirements, considerations for implementation and examples of ways to conform. Lists essential conditions required for effective oversight and governance of the internal audit function.
Global Internal Audit Standards in the UK Public Sector Application Note
Additional guidance for the UK public sector requiring the chief audit executive to prepare an overall conclusion at least annually and recognising UK specific qualifications for chief audit executives and the professional characteristics required of independent assessors.
Government Functional Standard GovS 009 Internal Audit
Sets expectations for government officials (permanent secretaries, director generals, accounting officers, senior leadership teams and members of organisational boards) to provide an environment which promotes the functional standard, the Global Internal Audit Standards and where internal auditors have authority to operate across the organisation.
Defines the role and responsibilities of the senior officer accountable for internal audit services across government.
This standard provides direction and guidance for:
- permanent secretaries, director generals, and chief executive officers of arm’s length bodies to ensure an environment exists which promotes this functional standard and the global internal audit standards.
- accounting officers, their senior leadership teams, and members of organisational boards, to provide an environment where internal auditors have authority to operate across the organisation, independent of executive leadership
- those responsible for the provision of internal audit services
- sponsors and officers supporting internal audit services in organisations
1.3 Scope of this standard
This standard applies to the planning, delivery and management of internal audit activity:
- in government departments and their arm’s length bodies
- delivered by civil servants, public servants, co-sourced and / or third-party providers or a combination of these
Note: The Global Internal Audit Standards apply to the purpose, ethics, governance, management and performance of internal auditing in all internal audit functions and internal auditors in every sector globally. GovS 009, Internal Audit, sets out requirements for a UK government context within the wider suite of government functional standards.
1.4 Government standards references
The following standard is directly necessary for the use of this standard:
- GovS 001, Government Functions
Functional standards set the expectations for the management of a function’s work across government. They clarify what should already be happening in every organisation and working as a suite cross-reference, where appropriate, to the functional standards they rely on.
Note: For expectations relating to management of a function across government, and management of functional standards, please see GovS 001, Government Functions.
Note: The functional standards provide a baseline of expectations for internal auditors to draw upon, when auditing functional activity 3.
2. Principles
Those sponsoring or undertaking internal audit services shall ensure that:
- audit objectives are aligned to government policy, and organisational objectives and risks.
- internal audit findings are captured, shared and used to promote improvement in the efficiency and effectiveness of the organisation and value for money.
- public service codes of conduct and ethics and those of associated professions are upheld. This includes operating in line with Managing Public Money 4 and The Orange Book: Management of Risk – Principles and Concepts 5.
3. Context
3.1 The Global Internal Audit Standards
The Institute of Internal Auditors issued the Global Internal Audit Standards in 2024, effective from 1st April 2025 in the UK Public Sector.
For the UK Public Sector, the Global Internal Audit Standards are supplemented by an Application Note issued by the Internal Audit Standards Advisory Board, which is responsible for developing and maintaining the standards applicable to internal auditors in the UK public sector.
Combined, the Global Internal Audit Standards and Application Note provide a comprehensive and detailed framework for internal audit in the public sector. Accordingly, the Public Sector Internal Audit Standards were withdrawn from use with effect from 31st March 2025.
3.2 Internal Audit in Government
Internal audit services can be provided by the Government Internal Audit Agency 6, or another internal audit service provider. The Government Internal Audit Agency is an independent agency of His Majesty’s Treasury, providing a shared internal audit service to the UK government.
Government departments are responsible for ensuring that there are effective arrangements for governance, risk management and internal control in the arm’s length bodies that they sponsor 4.
4. Governance
4.1 Governance and Management Framework
4.1.1 General
Governance comprises prioritising, authorising, directing, empowering and overseeing management, and assuring and reviewing performance of internal audit. A governance and management framework shall be defined and established across government for all organisations collectively, and within each organisation, which:
- complies with government and departmental policies and directives and with this standard
- is referenced from the respective Accounting Officer System Statement
4.1.2 Governance requirements
Organisations shall have an internal audit service that meets the requirements of the Global Internal Audit Standards and this standard. The governance of internal audit within an organisation shall be an integral part of that organisation’s overall governance.
Note: The Global Internal Audit Standards provide guidance on appropriate governance arrangements for an internal audit function to be effective.
4.2 Strategy and planning
4.2.1 Cross-government internal audit strategy and planning
The senior officer accountable for internal audit across government should develop a cross-government internal audit strategy, in consultation with organisational representatives.
The cross-government strategy should draw upon priority areas and insights identified by Heads of Function and functional governance bodies. See also GovS 001, Government Functions across government.
Cross-cutting assurance activity shall be planned and conducted with the consent of relevant accounting officers.
Cross-government audit plans should be developed in consultation with those accountable for sponsoring and providing internal audit services in organisations, to draw out issues of mutual interest.
The views of Heads of Functions and functional governance bodies should be sought and reflected in cross-government audit plans. See also GovS 001, Government Functions. The Permanent Secretary of HM Treasury may add to the plan for cross-government audit work and authorise an audit from the cross-government plan.
Note: Cross-government engagements can involve: separate engagement with individual organisations, with common themes being drawn together subsequently; a cross-cutting engagement with a single report to involved parties, or separate reports to each organisation; or a bespoke report for senior leaders to inform strategic cross-government decision making.
4.2.2 Internal Audit strategy and plan for an organisation
The internal audit strategy for an organisation provides a statement of how the internal audit service should be developed and delivered in accordance with the internal audit charter.
The internal audit plan for an organisation sets out how objectives, outcomes and outputs are to be delivered in accordance with the strategy.
The audit plan should consider priority areas for cross-government audit work identified by the senior officer accountable for internal audit across government.
Both the internal audit strategy and plan for an organisation shall follow the principles and expectations in the Global Internal Audit Standards.
4.3 Roles and accountabilities
4.3.1 Overview
Roles and accountabilities shall be defined in the relevant framework and assigned to people with appropriate seniority, skills and experience. This includes, but is not limited to, the activities, outputs or outcomes they are responsible for, and the person they are accountable to.
Global Internal Audit Standards, supplemented by the Application Note for the UK public sector, set out the roles and responsibilities of those sponsoring, leading and undertaking internal audit services and individual engagements in an organisation. Roles sponsoring, leading and undertaking internal audit services shall follow the Global Internal Audit Standards and the Application Note for the UK public sector.
4.3.2 Senior officer accountable for internal audit across government
The senior officer accountable for internal audit across government is accountable to HM Treasury for the development and oversight of a strategy for internal audit in government.
Note: This role is undertaken by the same person who leads the internal audit function across government.
4.3.3 Senior officer accountable for internal audit services in an organisation
The senior officer accountable for internal audit services in an organisation is accountable to the relevant accounting officer for provision of an effective, efficient and holistic internal audit service, in adherence with the Global Internal Audit Standards and the Application Note for the UK public sector.
Note: This role is often called the head of internal audit (HIA) or chief audit executive (CAE).
4.3.4 Accounting officer
The permanent head of a government department is usually its principal accounting officer.
The principal accounting officer generally appoints the most senior executive in the arm’s length bodies within the department’s ambit as an accounting officer.
An organisation’s accounting officer is accountable (via a principal accounting officer where appropriate) to Parliament and the public for the stewardship of public resources, ensuring they are used effectively and to high standards of probity 4.
4.3.5 Other internal audit roles
The Global Internal Audit Standards set out the roles and responsibilities of those sponsoring, leading and supporting internal audit services and individual engagements in an organisation. This includes:
- Senior management (including accounting officers and those sponsoring internal audit services and engagements)
- the Board / the Audit and Risk Assurance Committee
Note: The Audit and Risk Committee Handbook provides guidance on how the committee should operate 7.
Note: Roles and responsibilities are stipulated in the Global Internal Audit Standards including within the internal audit plan, charter, and mandate.
5. Internal audit engagement lifecycle and practices
5.1 Overview
The primary practices involved in the life cycle of an internal audit are shown in figure X.
Expectations for performing the internal audit lifecycle and practices are set out in the Global Internal Audit Standards.
5.2 Figure 2: Internal audit engagement life cycle as noted in Domain V of Global Internal Audit Standards
Plan engagements effectively
- Engagement
- Communication
- Risk assessment
- Objectives and scope
- Resources
- Evaluation criteria
- Work program
Conduct engagement work
- Gathering information for analyses and evaluation
- Analyses and potential engagement findings
- Evaluation of findings
- Recommendations and action plans
- Engagement conclusions
- Engagement documentation
Communicate results and monitor action plans
- Final engagement communication
- Confirm implementation of recommendations and action plans.
6. References
All references are correct at the time of publication, users should check for updated versions.
| I.D. | Description |
| 1 | Institute of Internal Auditors (IIA) Global Internal Audit Standards (2024) |
| 2 | Internal Audit Standards Advisory Board Application Note: The Global Internal Audit Standards in the UK Public Sector (2024) |
| 3 | Cabinet Office Functional Standards |
| 4 | HM Treasury, Managing Public Money (revised 2023) |
| 5 | HM Treasury, Government Finance Function The Orange Book: Management of risk – principles and concepts (2023) |
| 6 | HM Treasury Government Internal Audit Agency |
| 7 | HM Treasury, Audit and Risk Assurance Committee Handbook (2024) |
7. Glossary
See also the common glossary of definitions which includes a list of defined terms and phrases used across the suite of government functional standards. The glossary includes the term, definition, and which function owns the term and definition. The Global Internal Audit Standards also includes a glossary
| Term | Definition |
| arm’s-length body (ALB) | Central government bodies that carry out discrete functions on behalf of departments, but which are controlled or owned by them. They include executive agencies, Non-Departmental Public Bodies and government-owned companies. More information on classification of public bodies can be found here: www.gov.uk/government/publications/classification-of-public-bodies- information-and-guidance |
| assurance | A general term for the confidence that can be derived from objective information over the successful conduct of activities, the efficient and effective design and operation of internal control, compliance with internal and external requirements, and the production of insightful and credible information to support decision making. Confidence diminishes when there are uncertainties around the integrity of information or of underlying processes. |
| audit and risk assurance committee | The governance group charged with independent assurance of the adequacy of the risk management framework, the internal control environment and the integrity of financial reporting. The audit committee provides oversight of financial reporting, risk management, internal control, compliance, ethics, management, internal auditors, and the external auditors. |
| audit opinion | The rating, conclusion and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management and/ or control processes of the organisation. An overall audit opinion is the professional judgement of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval. |