Frequently asked questions
We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity.
Q: What would be required for the QAIP program to be generally compliant?
QAIP must include ongoing monitoring, periodic self-assessment, and external assessment at least every five years.
Why it’s important:
- QAIP is the foundation for demonstrating conformance with the Standards, driving continuous improvement, and providing assurance to the board/audit committee.
Best Practice:
- Document all QAIP activities (monitoring, self-assessment, external assessment).
- Communicate results and action plans to the board.
- Ensure coverage of all domains and principles in the Standards.
- Use evidence (checklists, stakeholder feedback, supervisory reviews) to support compliance.
Source: Standard 8.3 Quality and 12.1 Internal Quality Assessment
Q: What is the optimal reporting structure for the QA or quality assessment team to ensure independence?
Independence and objectivity in quality assurance are essential.
Why it’s important:
- Reporting lines can affect the independence and objectivity of the QA function. Direct reporting to the CAE helps safeguard independence, especially if the Senior Audit Manager has oversight of areas being evaluated.
Best Practice:
- The QA Manager should ideally report directly to the CAE to maintain independence.
- If reporting to a Senior Audit Manager, ensure there are safeguards to prevent conflicts of interest and maintain objectivity.
- Document reporting lines and review them annually for appropriateness.
Source: Standards 8.3 Quality and 7.1 Organizational Independence
Q: What are your thoughts on general vs. full conformance with the Standards and what it takes to be at each level?
Standard 4.1 Conformance with the Global Internal Audit Standards
Why it’s important:
- The level of conformance determines the credibility of the internal audit function and its ability to provide assurance.
Best Practice:
- Full conformance: All requirements met with documented evidence.
- General conformance: Minor, isolated nonconformities that do not affect overall adherence or outcomes, with documented rationale and corrective actions.
- Partial/nonconformance: Significant gaps or repeated issues; must be disclosed and remediated.
- Regularly review and update QAIP to maintain or improve conformance.
Source: Standard 4.1 Conformance
Q: Do you need a CIA designation if you are doing an SAIV?
For external assessments, at least one assessor must hold an active CIA. For SAIV (Self-Assessment with Independent Validation), CIA is not mandatory but strongly recommended.
Why it’s important:
- CIA certification demonstrates professional competence and credibility, especially for external validation.
Best Practice:
- Use a CIA-certified assessor for external validation when possible.
- For internal assessments, ensure assessors have sufficient knowledge of internal audit practices and the Standards.
- Document qualifications and independence of all assessors.
Source: Standard 8.4 External Quality Assessment
Q: Any tips for not reviewing our own homework as a small audit shop in our QAIP processes?
Why Standard 12.1 is important:
- Objectivity and independence are critical for credible quality assessment.
Best Practice:
- Seek peer review from another department (e.g., compliance, risk, finance) or an external consultant.
- Rotate assessment responsibilities if possible.
- Document independence and objectivity of the reviewer.
- If unavoidable, disclose limitations and supplement with periodic external validation.
Source: Standard 12.1 Internal Quality Assessment
Q: Do you think it is important for the reporting line to be through the CFO or is there another reporting direction that is acceptable?
Why Standard 7.1 is important:
- Direct reporting to the board/audit committee ensures independence and protects the integrity of the internal audit function.
Best Practice:
- The CAE should report directly to the board or audit committee, not the CFO.
- Administrative reporting to senior management is acceptable, but direct reporting must be done to the board and audit committee.
- Document reporting lines in the internal audit charter and review annually.
Source: Standard 7.1 Organizational Independence
Q: Are peer reviews between IA groups of different Companies acceptable?
Peer reviews are acceptable if independence and competence are ensured; however, the Quality Assessment Manual flags that Peer Reviews where only two internal audit functions are in play are not acceptable. There needs to be more than 2 involved in the peer review process to avoid a perceived conflict of interest.
Why it’s important:
- Independence and objectivity are critical for credible external quality assessments. Reciprocal peer reviews (between two organizations) may compromise independence.
Best Practice:
- Use peer reviews among three or more organizations to avoid reciprocal arrangements.
- Ensure reviewers are qualified and independent of the audit work being assessed.
- Document the process, qualifications, and independence of reviewers.
Source: Standard 8.4 External Quality Assessment
Q: Can a professional practices team consist of me, myself, and I?
For very small teams, an adequate QAIP will require assistance from outside the internal audit function.
Why it’s important:
- Objectivity and independence are essential for credible quality assessment. Self-assessment alone may lack sufficient independence.
Best Practice:
- Seek external input or peer review from another department or organization.
- If unavoidable, disclose limitations and supplement with periodic external validation.
- Document all procedures and findings.
Source: Standard 12.1 Internal Quality Assessment
Q: What if our function is co-sourced? How do others perform a Quality Assessment when there are co-sourced team members?
The QAIP and external assessment must cover all aspects of the internal audit function, including co-sourced team members.
Why it’s important:
- Ensures that all audit work, regardless of who performs it (internal or co-sourced), meets the Standards and is subject to quality review.
Best Practice:
- Include co-sourced team members in the scope of the QAIP and external assessment.
- Assess conformance, performance, and independence for both internal and co-sourced staff.
- Document roles, responsibilities, and evidence of quality for all parties.
Source: Standard 8.4 External Quality Assessment
Q: How does the annual internal quality assessment differ from standard practices around managerial review processes for each audit?
Annual IQA is a holistic review of the function’s conformance, performance, and improvement.
Why it’s important:
- Managerial review is engagement-specific (workpaper review, supervision), while IQA assesses the overall function and QAIP.
Best Practice:
- Conduct managerial reviews for each audit engagement (supervision, workpaper review).
- Perform annual IQA to evaluate overall conformance, effectiveness, and continuous improvement.
- Document both processes and communicate results to the board/audit committee.
Source: Standard 12.1 Internal Quality Assessment
Q: For Domain I through to IV, can we skip looking at them if we looked at them last year, and only focus on Domain V for this year's QAIP?
Rolling assessment is acceptable if all domains are covered within the five-year EQA cycle.
Why it’s important:
- Ensures comprehensive coverage of all Standards over time, while allowing for focused annual reviews.
Best Practice:
- Rotate focus areas each year, ensuring all domains are assessed within five years.
- Document rationale, coverage, and findings for each domain.
- Communicate approach and results to the board/audit committee.
Source: Standard 12.1 Internal Quality Assessment
Q: Is the internal assessment the same as self-assessment?
Internal assessment and self-assessment are synonymous within the Standards.
Why it’s important:
- Clarifies terminology and ensures consistent understanding of QAIP requirements.
Best Practice:
- Use “internal assessment” and “self-assessment” interchangeably.
- Document methodology, findings, and action plans.
- Communicate results to the board/audit committee.
Source: Standard 12.1 Internal Quality Assessment
Q: How often are we advised to perform the periodic self-assessment that Standard 12.1 is referring to?
Standard 12.1 Internal Quality Assessment does not prescribe a fixed interval for periodic self-assessment. Instead, it states that self-assessments should be performed “periodically,” which is defined as:
- At regularly occurring intervals, depending on the needs of the organization, including the internal audit function.
Best practice:
- Most organizations interpret “periodically” as at least annually.
- Some may perform self-assessments more frequently if there are significant changes, challenges, or risks.
- The key is to ensure that all domains of the Standards are covered within the five-year cycle between required external quality assessments.
In summary:
You are advised to perform the periodic self-assessment at least once a year, or more often if circumstances warrant, and to document your rationale and schedule.
Q: What evidence is needed to demonstrate conformance with ongoing monitoring?
Standard 12.1 states in the Examples of Evidence of Conformance section the following:
- Completed checklists that support workpaper reviews, survey results, and performance measures related to the efficiency and effectiveness of the internal audit function.
- Documentation of completed periodic assessments including the plan, workpapers, and communications.
- Presentations to the board and management and meeting minutes covering the results of internal assessments.
- Documented results of ongoing monitoring and periodic self-assessments, including corrective action plans.
- Actions taken to improve the internal audit function’s efficiency, effectiveness, and conformance with the Standards.
In summary:
Completed checklists supporting workpaper reviews; survey results; performance measures; documentation of periodic assessments (plan, workpapers, communications); presentations and minutes; documented results of ongoing monitoring and self-assessments; corrective action plans; actions taken to improve efficiency, effectiveness, and conformance.
Q: Can a Chartered accountant with good organizational experience do an internal audit QA? For external, do the team members have to be CIA certified if the team leader has certification?
Best practice:
- A Chartered Accountant with relevant experience can contribute to an internal quality assessment, especially if they understand internal audit standards and methodology.
- For external assessments, at least one assessor must be a CIA, but other professional qualifications and experience are valuable.
- Independence and objectivity are essential—avoid assessors with conflicts of interest.
Source: Standards 8.4 and 12.1
Q: What are the usual Performance Objectives/KPIs for a CAE? What kind of KPIs would you recommend internal audit functions track?
Key Performance Indicators (KPIs) for a Chief Audit Executive (CAE) typically focus on various aspects of the internal audit function. Here are some common KPIs:
- Audit Plan Completion Rate: Measures the percentage of the annual audit plan that has been completed within the specified timeframe.
- Audit Findings Resolution Rate: Tracks the percentage of audit findings that have been addressed and resolved within a given period.
- Audit Cycle Time: Measures the average time taken to complete an audit from start to finish.
- Stakeholder Satisfaction: Assesses the satisfaction levels of key stakeholders, such as the audit committee and senior management, with the internal audit function.
- Cost of Audit per Engagement: Evaluates the cost efficiency of the audit process by measuring the average cost per audit engagement.
- Quality of Audit Reports: Assesses the quality and clarity of audit reports, often through feedback from stakeholders.
- Training and Development: Tracks the number of training hours completed by the audit team to ensure continuous professional development.
- Risk Coverage: Measures the extent to which the audit plan covers the organization's key risks.
These KPIs help ensure that the internal audit function is effective, efficient, and aligned with the organization's strategic objectives.
In summary:
Audit plan completion rate; audit findings resolution rate; audit cycle time; stakeholder satisfaction; cost per engagement; quality/clarity of reports; training hours; risk coverage; timeliness; coverage of key risks; implementation rate of recommendations. These tend to be considered quantitative performance measures, but don’t forget qualitative measures, such as the value the internal audit engagement delivered to the organization, which are also value‑add measures.
Q: If an organization receives partial conformance on an External Quality Assessment, can we start using "performed in conformance with the standards" after corrections are made or do we have to have another external review?
Standard 8.4 External Quality Assessment and 15.1 Final Engagement Communication
Why Standards 8.4 and 15.1 are important:
- Conformance statements must be supported by evidence from engagement supervision and the QAIP.
Best Practice:
- Once corrective actions are implemented and documented, you may state conformance if supported by internal and external assessment evidence.
- It is not mandatory to have another external review immediately, but it is important to document the corrections and communicate them to the board/audit committee.
- Consider a follow-up validation by the external assessor, if possible: often this is dependent on the level of the external quality assessment outcome and the number of recommendations that need to be addressed.
- Include a conformance statement in final engagement communication only if supported by engagement supervision and QAIP. After a partial conformance EQA, you may state conformance once corrective actions are implemented and evidenced; consider follow‑up validation.
Source: Standard 8.4 External Quality Assessment and 15.1 Final Engagement Communication
Q: Should survey responses be anonymous or identified? Should we survey the full board, audit committee?
Best practice:
- Anonymity encourages honest feedback, especially from operational staff.
- For senior management and board, identified responses may be appropriate for targeted follow-up.
- Consider a mixed approach: anonymous for broad surveys, identified for targeted interviews or follow-up.
- Stakeholder feedback is a key qualitative KPI. Board feedback provides broader perspective and supports continuous improvement. Survey both the audit committee and board for satisfaction scores and feedback. Use results to inform QAIP, performance measurement, and development plans. Document survey methodology and communicate findings to stakeholders.
- Anonymity encourages candor (especially operational staff). Identified feedback can be suitable for senior leadership follow‑up. Surveying both audit committee and board is a leading practice to broaden perspective.
Source: Standard 12.1 Internal Quality Assessment
Q: How can very small internal audit teams conform with the requirement to undertake an IQA and avoid self‑review bias?
Seek help from other qualified functions (quality, legal, compliance) or external consultants; rotate reviewers; disclose limitations; supplement with periodic external validation; document all procedures and independent safeguards.
Small teams should use a combination of self-assessment and external input to maintain objectivity and conformance.
- Use checklists, peer review (from another department, e.g., quality or compliance), and periodic external validation.
- Document all procedures and findings and seek feedback from stakeholders.
- Consider using external consultants for periodic reviews if internal independence is hard to achieve.
Source: Standard 12.1 Internal Quality Assessment
Q: We lack capacity for full annual IQA—how should we proceed?
Adopt a rolling assessment covering all domains across the five‑year external assessment cycle. Document frequency and rationale; communicate approach and constraints to the audit committee. QAIP is ongoing: embed supervision, monitoring, and continuous improvement into every engagement.
Standard 12.1 Internal Quality Assessment. “Periodic” means at regularly occurring intervals, depending on organizational needs.
Why it’s important:
- Regular assessment ensures ongoing conformance and continuous improvement, but frequency can be tailored to resources and risk.
Best Practice:
- Consider a rolling assessment approach, covering all domains within the five-year external assessment cycle.
- Document your chosen frequency and rationale.
- Communicate the approach and resource constraints to the audit committee.