Opstartcheck compleet — max:ok, beschermingen actief. Andere instances actief (o.a. FAL i2v, embeddings/RAG werk). GIAS and Small Internal Audit Functions

Insights
Key takeaways

Small audit functions of one to five people face the same GIAS standards as large departments. The most significant challenges arise in quality assurance, strategy development, staffing and external review. Full conformance is unattainable for many small functions. What is attainable: proportionate implementation, transparently documented for the board and audit committee.

Opgestart — max:ok, meerdere instances actief, beschermingen actief. Vertaling volgt.

An internal audit function of one to five auditors falls under the same Global Internal Audit Standards (GIAS) as a department of fifty. The same standards, without the scale, the specialisation and the budget. The problem is not the intent of those standards. The problem is feasibility.

This tension affects a large group. Globally, 51% of Chief Audit Executives have a team of five or fewer staff. European benchmarking data confirms this picture: a substantial proportion of audit functions has fewer than 4 FTE, or falls within the 4 to 10 FTE range.1 Small audit functions are not the exception. They form the largest population within the GIAS.

In the Netherlands, the Corporate Governance Code adds a further layer. It requires an internal audit function that assesses the design and operating effectiveness of internal risk management and control systems, including a periodic external assessment.2 IIA Netherlands has given the transition to the GIAS concrete shape through mapping tables, Scaling Guidelines and the Professional Judgement Document as a framework for quality assessments.

The central question for small functions is not whether the GIAS are relevant, but where full conformance structurally breaks down. This article focuses on the standards where the size of the function itself is the bottleneck. Standards that primarily require discipline or basic set-up remain out of scope.

The standards where it really pinches

Not all GIAS weigh equally on small audit functions. The greatest pressure comes from a limited group of standards around quality assessment, strategy development, staffing and technology. A second group is challenging but manageable with targeted choices and sound governance.

StandardSubjectDifficulty for SAFsWhy it pinches
8.4External quality assessment (EQA/SAIV)HighEQA costs and preparation are virtually independent of team size; for 1–3 FTE, the relative burden is very heavy.
9.2Internal audit strategy (multi-year)HighA formal multi-year strategy demands time and intellectual capacity that in small teams directly competes with engagement execution.
10.2Human resourcesHighOne or a few staff members must cover a broad set of competencies, while the standards explicitly require sufficient and qualified staffing.
10.3Technological resourcesHighAudit software, data analytics and workflow tools require budget and implementation capacity that small functions often lack.
12.1Internal quality assurance programme (QAIP)HighOngoing monitoring and periodic self-assessments structurally consume time, without small functions having dedicated capacity for them.
12.3Engagement-level qualityHighA solo auditor or small team does not inherently have an independent second pair of eyes for review and supervision.
2.2Safeguarding objectivityMediumClose relationships, combined roles and limited rotation options increase the risk of role conflicts.
7.1Organisational independenceMediumFunctional reporting to the board or audit committee is not always firmly embedded in smaller organisations.
9.4Internal audit planMediumRisk-based planning with very limited capacity inevitably leads to blind spots in coverage.
10.1Financial resourcesMediumLimited budgets put pressure on training, tooling and external support, while the standards explicitly require resource decisions.

Below we discuss those six red-rated standards, grouped into three themes: cost, capacity and independence. The amber standards are relevant as amplifiers, not as the core of the problem.

Costs that do not scale

The first group of bottlenecks is about money. External assessment (8.4) and technology (10.3) cost virtually the same whether you have two or twenty auditors. That is the crux: the bill does not scale with your team.

8.4 External quality assessment

Standard 8.4 requires the internal audit function to undergo an external quality assessment at least once every five years, conducted by a qualified, independent assessor or assessment team. In the Netherlands, this is reinforced by the Corporate Governance Code and the national supervisory and assessment framework for quality reviews.

For small audit functions, this is one of the heaviest requirements. Costs and preparation barely scale with the size of the function. A team of 2 FTE goes through virtually the same preparation as a team of 20 FTE in practice, while the relative budget pressure is many times greater.

In practice, small functions often opt for Self-Assessment with Independent Validation (SAIV), peer review or a conformance dossier built up early, documenting policies, choices, work programmes and deviations. External quality assessment does not start in year five. You prepare for it from day one in your documentation.

10.3 Technological resources

Standard 10.3 requires the CAE to determine which technological resources are needed and to ensure the audit function has adequate access to them. Technology and tooling are thus an explicit management responsibility of the CAE.

For small functions, this is challenging. Specialist audit tools, data analytics solutions and GRC platforms cost money and implementation capacity. The standard does not require a specific system, but it does require a deliberate, substantiated choice. It is precisely that substantiation that tends to fall short in small functions.

Start by documenting: which tools are currently in use, what they are suited for, where their limitations lie and what risks that poses for audit execution.1 From that overview, a small function can make a targeted case for why a limited toolset suffices, or why additional support is needed.

Capacity versus requirements

The second group concerns capacity versus requirements. Strategy (9.2), staffing (10.2) and quality assurance (12.1) demand time and intellectual capacity that in a small team directly compete with engagement execution.

9.2 Internal audit strategy

Standard 9.2 requires the CAE to develop a multi-year strategy describing the vision, objectives, priorities and required resources of the internal audit function, aligned with the organisation's strategy. That strategy forms the basis for subsequent choices in audit planning, competency development and technology.

Small functions often experience this standard as burdensome. They operate reactively and pragmatically, not with three-to-five-year planning horizons. Yet a small function has more to gain from a strategy than a large one. Limited capacity forces explicit choices about what will and will not be covered.

This need not be a lengthy document. Two to three pages will do. Towards the board and audit committee, they serve as a clear conform-or-explain document.

10.2 Human resources

Standard 10.2 obliges the CAE to ensure sufficient and qualified staff, with the right mix of competencies, attention to development and broad deployability.3 In small teams, that means concretely: everyone must be able to do more than one thing.

For small audit functions, this is a structural problem. Large departments specialise. Small teams must simultaneously have expertise in IT, data, governance, behaviour, compliance and operational processes. The problem is not only capacity. You simply cannot sustainably organise all relevant expertise in-house.

Be clear about what you must have internally and what you demonstrably arrange through co-sourcing, guest auditors or reliance on other assurance functions. Know what you do yourself, what you place elsewhere, and document it.

12.1 Internal quality assurance programme

Standard 12.1 obliges the CAE to maintain an internal quality assurance and improvement programme with ongoing monitoring, periodic self-assessments and follow-up on improvement actions. The quality programme is a permanent activity, not an annual ritual.

For small functions, this weighs heavily. QAIP activities directly compete with engagement execution capacity. What in a larger department is handled by multiple people or a quality coordinator must in an SAF often be done by the same auditor who also executes engagements.

Quality assurance works best when woven into daily work: standardised checklists, file reviews, lessons learned per engagement and periodic self-assessments using tools such as the Conformance Readiness Assessment and the Professional Judgement Document. For small functions, a risk-based QAIP approach is almost always more effective than a fully elaborated internal quality system.

Make the choice explicit: a team of two FTE that spends twenty per cent of its time on quality assurance audits twenty per cent less. Either you accept that, or you demonstrate that a lighter QAIP approach is justified. Looking the other way is not an option.

Independence under pressure

The third group touches the core of audit quality: independent countervailing power. Engagement-level quality (12.3) presupposes a second pair of eyes. In a small team, that is precisely what is missing.

12.3 Engagement-level quality

Standard 12.3 addresses quality at the engagement level: supervision, coaching, review of working papers and reports, and improving performance based on feedback. The standard assumes that sufficient countervailing power and reflection are available within or around the function.

In small audit functions, that assumption rarely holds. A solo auditor cannot independently review their own work. And even in teams of two or three, formal review roles are difficult to organise objectively. This creates structural tension between what the standard requires and what the staffing allows.

External file reviews, peer review on selected engagements, guidance from a more experienced auditor or standardised templates with review checklists help to close this gap. A small function must demonstrably show how it assures quality at the engagement level, even without an internal four-eyes principle.

The amber standards in context

Alongside these six core standards, there are standards that are challenging for small functions but rarely the primary bottleneck: objectivity (2.2), organisational independence (7.1), the audit plan (9.4) and financial resources (10.1).

These standards become problematic primarily because they amplify the red-rated standards. A weak reporting line makes quality and escalation harder. A limited budget shrinks the room for technology and external review. Limited objectivity or a thin audit plan increase the pressure on a function that is already thinly staffed.

Dutch tools for proportionality

Small audit functions do not have to make these trade-offs unaided. IIA Netherlands has made instruments available through the mapping tables, the Ambition Model and the Professional Judgement Document that enable small functions to substantiate their choices.

ProblemTool
Understanding differences between former standards and GIASTwo-way Mapping / transition tables from IIA Netherlands4
Identifying where the largest gaps areConformance Readiness Assessment and GIAS checklists5
Substantiating proportionality for small functionsProfessional Judgement Document5
Determining ambition level and development pathAmbition Model from IIA Netherlands78
Structuring non-conformance and quality judgementsProfessional Judgement Document and quality assessment supervisory framework59

For small functions the rule is: explainable and defensible is achievable. Fully conformant is not always.

Board and supervisory board: what lies behind this

Many of the bottlenecks in this article are not solely an execution issue for the CAE. They stem from choices made by the board and supervisory board on positioning, budget and mandate. The heaviest standards become even heavier when the function lacks sufficient access, resources or boardroom backing.

A board and supervisory board that assess a small audit function as though it were large are missing the point. The question is: are the preconditions in place for proportional conformance? That requires choices, and above all clarity on reporting lines, resources, external reviews, co-sourcing and acceptance of blind spots in audit coverage.

Recommendations for small audit functions

The priority does not lie in evenly elaborating all 52 standards. Be selective: tackle the standards where size poses the greatest challenge, and document the rest.

  • Start with a targeted gap analysis on 8.4, 9.2, 10.2, 10.3, 12.1 and 12.3, and treat the amber standards as context and amplifying factors.
  • Use Dutch tools such as the Professional Judgement Document/Scaling Guidelines and the Ambition Model to make proportionality explicit and defensible.
  • Do not record limitations in capacity, technology, independence and review implicitly in engagement files, but explicitly in strategy, audit plan and communication with the board and audit committee.

How can Audirium help?

Small audit functions face the toughest GIAS challenges: quality assurance, strategic planning, resource management, governance and proportionally implementing and documenting non-conformance. Audirium helps you make that concrete, tailored to your situation and capacity.

  • GIAS advisory and gap analysis. Making your charter, audit plan and annual report GIAS-conformant based on your situation. Proportionality is central, not one-size-fits-all.
  • Coaching for the CAE. Personal guidance on competency development (Std. 3.1 and 3.2), strategic issues and documenting and communicating non-conformance to the board.
  • External review (EQA and SAIV). Periodic quality assessment in conformance with Standard 8.4 and the Professional Judgement Document, critical but constructive. Knowledge stays within your organisation. Supported by our GIAS Assessment platform, which makes EQA preparation and the conformance dossier considerably more efficient.
  • Peer review coordination. We help set up collaborative arrangements with other SAFs: share costs, raise quality.

Want to know how Audirium strengthens your audit function towards GIAS conformance? Get in touch →

References

  1. Chartered Institute of Internal Auditors, Internal Audit Benchmarking Part One, December 2024. charterediia.org
  2. Monitoring Commissie Corporate Governance Code, Dutch Corporate Governance Code 2025, 2025. mccg.nl
  3. Chartered Institute of Internal Auditors, Small Internal Audit Functions Guidance, 2025. charterediia.org
  4. IIA Nederland, Effectuering GIAS, 2025. iia.nl
  5. IIA Nederland, Document Oordeelsvorming o.b.v. GIAS, 2025. iia.nl
  6. IIA Nederland, Scaling Guidelines, based on GIAS, 2024. iia.nl
  7. IIA Nederland, Ambition Model – Versterk Interne Auditkwaliteit, accessed 2026. iia.nl
  8. IIA Nederland, Updated Ambition Model: Now Aligned with Global Audit Standards, 2025. iia.nl
  9. IIA Nederland, Antwoord op al uw vragen over toezicht kwaliteitstoetsingen, accessed 2026. iia.nl
Back to Insights