Standards of Practice
Internal Audit operates within the International Professional Practices Framework (IPPF) as promulgated by the Institute of Internal Auditors (IIA). The framework is commonly referred to as the “Red Book” and is followed by most internal audit functions within higher education and Oregon agencies. The 2017 Standards were updated in 2024 and are effective January 1, 2025.
Three components comprise the IPPF:
• Global Internal Audit Standards
• Topical Requirements
• Global Guidance
The Global Internal Audit Standards are comprised of five domains with fifteen principles:
1. Purpose of Internal Audit
2. Ethics and Professionalism
3. Governing the Internal Audit Function
4. Managing the Internal Audit Function
5. Performing Internal Audit Services
Topical Requirements currently include:
1. Cyber-Security (Effective February 5, 2026)
2. Third Party (Effective September 15, 2026)
3. Organizational Behavior (Coming December 2025)
4. Organizational Resilience (Public Comment by November 17, 2025)
Global Guidance comprises Global Practice Guides and Global Technology Audit Guides (GTAG) issued after 2017.
These guides provide detailed support and direction for conducting internal audit activities such as processes and procedures, techniques, step-by-step approaches, and examples of deliverables. In addition, sector-specific guides are available for public sector audit functions and financial services internal audit functions.
Internal Audit utilizes the Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework(s), Internal Audit’s procedure manual(s), and when required and not otherwise in conflict with the Standards, the Generally Accepted Government Auditing Standards (“Yellow Book”). Internal Audit will adhere to Southern Oregon University’s relevant policies and procedures, but in the event of conflicting direction, the Standards shall prevail.
Quality Assurance and Improvement Program
Standards require the creation and maintenance of a Quality Assurance and Improvement Program. The Standards require an assessment by a qualified independent reviewer or review team from outside the organization at least every five years. Until the first successful assessment it is not appropriate for Internal Audit to state “in conformance with the Standards,” or “in conformity to the Standards” in its reports.