How the New IIA Standards Change Evidence Documentation Requirements

The new Global Internal Audit Standards (GIAS), effective January 2025, have fundamentally shifted how internal auditors must approach evidence documentation. The standards move beyond the previous "guidance" structure of the IPPF to a mandatory framework that emphasizes the reliability, relevance, and sufficiency of evidence. For internal audit teams, this means that manual screenshots, unverified spreadsheets, and static workpapers are increasingly insufficient for demonstrating conformance. Automation is no longer just an efficiency play; it is a requirement for meeting the quality standards of Domain V.

What Are the New Evidence Requirements in the 2025 IIA Standards?

The new GIAS structure organizes requirements into five domains. Domain V: Performing Internal Audit Services contains the specific mandates regarding evidence collection and analysis.

Specifically, Principle 11 (Conduct Engagement Work) and its associated standards require auditors to gather information that is not just "available" but rigorously vetted.

The Shift from "convincing" to "reliable"

Under the previous IPPF, auditors had significant leeway in what constituted evidence. The new standards tighten this definition. Standard 11.3 explicitly requires that internal auditors gather information that is:

Sufficient: Is there enough factual evidence to support the conclusion logically?
Reliable: Is the source trustworthy, and is the evidence verifiable?
Relevant: Does the evidence directly address the engagement objective?
Useful: Does it provide value to the organization?

While these terms existed before, the new Conformance Requirements link them directly to the Quality Assurance and Improvement Program (QAIP). If your evidence consists of manual screenshots without metadata or timestamps, you may fail a QAIP assessment because the reliability of that evidence cannot be proven.

How Does the "Use of Technology" Standard Impact Documentation?

One of the most significant additions to the GIAS is the explicit expectation regarding technology. The standards acknowledge that organizations run on complex digital systems, and therefore, auditing via manual observation is no longer adequate.

Domain III: Governing the Internal Audit Function

The standards imply that the Internal Audit function must have the resources—including technology—to perform its duties. This creates a mandate for Computer-Assisted Audit Techniques (CAATs) and automated evidence collection.

If an internal auditor manually screenshots a configuration setting, they introduce human error and risk of manipulation. An automated tool like Screenata, which captures the workflow, timestamps it, and logs the metadata, aligns perfectly with the standard's push for technology-enabled reliability.

Where Do Traditional Manual Workpapers Fail Under GIAS?

The gap between traditional manual documentation and the new GIAS requirements is widening.

1. Lack of Verifiable Chain of Custody

Standard: Evidence must be reliable. Manual Failure: A screenshot pasted into a Word doc has no EXIF data, no source URL, and no proof of when it was taken. It is "hearsay" rather than "forensic evidence." Automated Solution: Automated evidence packs include JSON manifests, NTP-synced timestamps, and DOM snapshots that prove the image is authentic.

2. Inability to Support Root Cause Analysis

Standard: Auditors must identify the root cause of findings (Standard 11.4). Manual Failure: Manual sampling (e.g., testing 25 out of 10,000 items) often misses the pattern required to identify the root cause. Automated Solution: Continuous evidence collection allows auditors to see the control status over time, making it easier to pinpoint exactly when and why a control failed.

3. Inefficiency in "Timeliness"

Standard: Communications must be timely (Standard 13.1). Manual Failure: Spending 40 hours per audit just to format screenshots delays reporting. Automated Solution: Generating audit-ready PDFs instantly allows auditors to report findings immediately, meeting the timeliness requirement.

Comparison: 2017 IPPF vs. 2025 GIAS Evidence Standards

Feature	2017 IPPF (Old)	2025 GIAS (New)
Structure	Principles-based Guidance	Mandatory Principles and Standards
Evidence Quality	"Sufficient, Reliable, Relevant, Useful"	Same criteria, but linked to mandatory QAIP conformance
Technology	Encouraged as "Best Practice"	Explicitly integrated into resource management and performance
Documentation	Workpapers support conclusions	Workpapers must demonstrate conformance to standards
Root Cause	Recommended	Required for findings

Example: Automating ITGC Evidence for Standard 11.3

Let’s look at a practical example of how to apply the new standards to a common internal audit task: IT General Controls (ITGC) testing for User Access Reviews.

The Objective

Verify that access to the ERP system was reviewed and unauthorized users were removed.

The Manual Approach (Risks Non-Conformance)

The auditor asks the System Admin for a screenshot of the user list. The Admin takes a screenshot, crops it, and emails it.

Risk: The screenshot could be old. The Admin could have cropped out a specific user. There is no metadata. This evidence has low reliability.

The Automated Approach (GIAS Compliant)

The auditor uses Screenata to record the workflow.

Capture: The tool records the auditor navigating to the user list in the ERP.
Metadata: The system logs the URL, the logged-in user ID, and the exact server time.
Output: A PDF is generated with the screenshots and a hash of the data.
Verdict: This evidence is reliable (system-generated), sufficient (complete list captured), and relevant (directly addresses the control).

Frequently Asked Questions

When do the new IIA standards take effect?

The Global Internal Audit Standards (GIAS) were released in January 2024 and became effective January 9, 2025. Internal audit functions are expected to conform to them for audits conducted after this date.

Do the new standards require me to buy automation software?

While the standards do not list specific software vendors, they do mandate that the Chief Audit Executive (CAE) ensures the function has appropriate technology resources to perform the work effectively. Given the complexity of modern IT environments, manual evidence collection is increasingly seen as failing this resource standard.

Can manual screenshots still be considered "reliable" evidence?

It depends on the risk level. For low-risk observations, manual screenshots may suffice. However, for critical controls (like financial reporting or cybersecurity), manual screenshots lack the metadata and chain of custody required to be considered truly reliable under strict scrutiny.

How does automation help with the QAIP requirements?

The Quality Assurance and Improvement Program (QAIP) requires ongoing monitoring of the audit function's performance. Automated evidence collection ensures consistency—every workpaper looks the same, contains the same metadata, and follows the same format—making it much easier to pass an external quality assessment.

Key Takeaways

✅ Mandatory Conformance: The new GIAS moves evidence requirements from "guidance" to "mandatory," increasing the risk of non-conformance for sloppy documentation.
✅ Reliability is Key: Evidence must be verifiable. Screenshots without metadata may be challenged during quality assessments.
✅ Technology is Expected: The standards assume modern audit functions utilize technology to improve coverage and accuracy.
✅ Root Cause Analysis: Automated, continuous evidence provides the data depth needed to identify root causes, a requirement of Standard 11.4.
✅ Efficiency = Quality: By automating the mundane capture of screenshots, auditors free up time to focus on the analysis and professional judgment the new standards demand.

Learn More About Internal Audit Evidence Automation

For a complete guide to modernizing your audit workflows, see our guide on automating internal audit evidence collection, including strategies for meeting the 2025 IIA standards with AI-driven documentation.