External Quality Assessment (EQA) Frequently Asked Questions
We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity specific to her presentation — “EQA Preparation: Conformance and Performance = Quality.”
Q1: How much time should pass before a firm that was previously providing Internal Audit Services can be appointed to do External Quality Assessment (EQA) in the same organization where those services were provided?
A: Standard 8.4 in the Consideration for Implementation states - The chief audit executive should consider potential impairments to the independence of assessors driven by past, present, or anticipated future relationships with the organization, its personnel, or its internal audit function. If a potential assessor is a former employee of the organization, the length of time the assessor has been independent should be evaluated.
Examples of potential impairments include:
- External audits of financial statements.
- Assistance to the internal audit function.
- Personal relationships.
- Previous or planned participation in internal quality assessments.
- Advisory services in governance, risk management, and control processes; financial reporting; or other areas.
The Standards do not specifically state time periods but the four bullet points above provide criteria for assessing whether the firm that provided internal audit services can now provide an EQA. One of the key challenges must be about reviewing/assessing their own work, so I would suggest because of the new Standards if they stopped providing internal audit services at any point in 2024 then an EQA focused on the new Standards will tend to look at a volume of work undertaken since January 2025. However, if the volume is relatively small and the Reviewer/Assessor needs to go back to IPPF 2017 conformance then there would be a conflict of interest. Perhaps, at a minimum, a couple of years might be a helpful timeline.
Q2: What is the basic qualification requirement for an Internal Auditor to conduct an internal annual assessment?
A: The Quality Assessment Manual states - Periodic self-assessments are generally overseen by senior members of the internal audit function who have extensive knowledge of the professional practice of internal auditing and the mandatory elements of the International Professional Practices Framework. In some larger internal audit functions, a separate professional practices group may perform the self-assessments. In other functions, performing a self-assessment may be an opportunity to train auditors on the function’s methodologies and the Standards.
To the extent possible, the assessors should be independent from the areas they review; for example, they should not assess engagements for which they were primarily responsible. Assessors might also include other qualified individuals not currently in the internal audit function, for example, individuals from elsewhere within the organization, retired internal auditors, or contractors. Objectivity is presumed to be impaired to some extent when internal personnel assess conformance with the standards in Domains III and IV, which is one reason the Standards require external assessments. A presumed impairment to objectivity should be disclosed, as appropriate, in the internal quality assessment results.
Q3: Does the performance of External Quality Assessment (EQA) consider the size of the internal audit function?
What are the differences between EQAs completed using the previous Standards compared to the new Standards?
Can an EQA be done internally by an internal auditor?
A1: The internal audit function’s ability to fully conform with the Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.) The EQA Reviewer will appreciate the size of the internal audit function but will also be focused on recognizing that the Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.
A2: The principles are very similar except, of course, as you state the Standards are different. There is also more awareness around the maturity of the internal audit function and how it performs (i.e., its objectives and performance measures will also be considered).
A3: An EQA cannot be undertaken internally by an internal auditor; it must be undertaken externally. See Standard 8.4 - The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team.
Q4: As an internal audit function aiming to achieve conformance, can we start with gap analysis, maturity assessment internally, and then an External Quality Assessment (EQA) within 5 years?
A: Yes, I would certainly start with a gap analysis to see how far along your conformance journey you are. But in terms of 5 years, it will vary much depending on when you last had an EQA because the Standards are very clear that you must have an EQA at a minimum once every 5 years. The clock does not start ticking again from 9 January 2025.
Q5: Would the Audit Strategy be part of an External Quality Assessment (EQA)? And if yes, to what extent or detail would it be assessed?
A: Standard 9.2 is very clear that there needs to be an internal audit strategy for the internal audit function approved by the board/audit committee. Standard 8.4 is clear - The external quality assessment should include a comprehensive review of the adequacy of the internal audit function’s:
- Mandate, charter, strategy, methodologies, processes, risk assessment, and internal audit plan.
In answer to your question, yes, the internal audit strategy will form part of the EQA. The depth of review will be dependent upon the EQA assessors’ judgement linked to the other items listed above, your conformance journey, and the maturity of your internal audit function.
Q6: Are the assessors required to get any certification to perform quality assessments in accordance with the new External Quality Assessment (EQA) requirements and Standards?
A: Standard 8.4 states - When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation.
Standard 8.4 in the Considerations for Implementation states - In addition to the requirement that at least one member of the external assessment team be a Certified Internal Auditor®, other important qualifications of the assessment team to consider include:
- Experience with and knowledge of the Standards and leading internal audit practices.
- Experience as a chief audit executive or comparable senior level of internal audit management.
- Experience in the organization’s industry or sector.
- Previous experience performing external quality assessments.
- Completion of external quality assessment training recognized by The Institute of Internal Auditors.
- Attestation by assessment team members that they have no conflicts of interest, in fact or appearance.
Q7: What is the recommended scope for an External Quality Assessment (EQA)?
A: Standard 8.4 Considerations for Implementation state - The external quality assessment should include a comprehensive review of the adequacy of the internal audit function’s:
- Conformance with the Global Internal Audit Standards.
- Mandate, charter, strategy, methodologies, processes, risk assessment, and internal audit plan.
- Compliance with applicable laws and/or regulations.
- Performance criteria and measures, as well as assessment results.
- Competencies and due professional care, including the sufficient use of tools and techniques, and a focus on continual development.
- Qualifications and competencies, including those of the chief audit executive role, as defined by the organization’s job description and hiring profile.
- Integration into the organization’s governance processes, including the relationships among those involved in positioning the internal audit function to operate independently.
- Contribution to the organization’s governance, risk management, and control processes.
- Contribution to the improvement of the organization’s operations and ability to attain its objectives.
- Ability to meet expectations articulated by the board, senior management, and stakeholders.
Q8: Professional courage is new wording within the Standards. During an External Quality Assessment (EQA) what would the expectations be on how this can be explicitly demonstrated (other than the survey option mentioned)?
A: Standard 1.1, Honesty and Professional Courage references - Internal auditors must be truthful, accurate, clear, open, and respectful in all professional relationships and communications, even when expressing skepticism or offering an opposing viewpoint. Internal auditors must not make false, misleading, or deceptive statements, nor conceal or omit findings or other pertinent information from communications. Internal auditors must disclose all material facts known to them that, if not disclosed, could affect the organization’s ability to make well-informed decisions.
Some of the requirements are challenging to evidence. However, the Standard suggests evidence of conformance might include the following:
- A training plan that includes ethics education and training.
- Documents that evidence internal auditors’ attendance or participation in ethics education and training.
- Performance evaluations showing honesty and professional courage as objectives.
- Feedback from key stakeholders regarding the honesty and courage of internal auditors.
Feedback from stakeholders, and perhaps ongoing monitoring by senior internal audit management or the CAE, are probably the most appropriate forms of evidence.
Q9: Is there a set framework for the maturity assessment or is this a subjective measure dependent on the external assessor and what the internal audit function is seeking to achieve in its objectives?
A: The Quality Assessment Manual includes reference to a Maturity Assessment. It states that the benefits of a maturity assessment are that the chief audit executives should strive for more than conformance with the Global Internal Audit Standards. They should also focus on optimizing the internal audit function’s performance with the goal of addressing the organization’s changing needs and exceeding stakeholders’ expectations. A good start to optimizing the function is assessing its maturity. Maturity assessments can provide a benchmark and guidance for improving the function’s performance. While maturity assessments were initially intended to be self-assessments, they can also supplement external assessments. Maturity assessments also help the chief audit executive identify specific targets for improvement and communicate with the board and senior management about the internal audit function’s current achievements compared with its quality goals and the gaps the function needs to fill to achieve the desired level of performance. Discussing maturity increases stakeholders’ awareness of the elements of effective internal auditing and the full potential of the internal audit function.
Q10: Where do reciprocal peer reviews fit if only validated self-assessment and full External Quality Assessment (EQA) are valid approaches?
A: Standard 8.4 - external quality assessments, whether full or self-assessment with independent validation, can be conducted through peer reviews instead of engaging an external service provider. A peer review involves internal auditors from multiple organizations forming a pool of professionals qualified to conduct external quality assessments. At least three organizations must be involved (Standard 8.4) to meet the requirements of reviewer independence. Subsidiaries or other affiliated entities that share a common board should be considered as coming from the same organization for the purposes of reviewer independence. When the number of organizations participating is sufficient, drawing assessors from multiple organizations provides a broad perspective and prevents reciprocal review.
Peer review consortia can be organized within industries, other affinity groups, or regional associations. Peer reviews are particularly common in the public sector, where consortia exist for state and local governments. These programs may have their own methodologies, but this manual’s tools can supplement the peer consortium’s approach. One risk to be considered is that peers could collude or subconsciously be motivated to reciprocate positive reviews.
Q11: My company is cost-cutting and does not see the cost benefit of EQA, especially as we have had good results from previous External Quality Assessments (EQAs). What are the consequences?
A: Within Domain III of the new Standards, the oversight responsibilities of the board/audit committee are clearly defined.
The board oversees the internal audit function to ensure the function’s effectiveness. Board oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this principle requires collaborative and interactive communication between the board and the chief audit executive, as well as the board’s support in ensuring the internal audit function obtains sufficient resources to fulfill the internal audit mandate. Additionally, the board receives assurance about the quality of the performance of the chief audit executive and the internal audit function through the quality assessment and improvement program, including the board’s direct review of the results of the external quality assessment.
The board or audit committee will make decisions about the future of the business and some of the information or data used to make those decisions will have been subjected to an assurance engagement by internal audit. The board or audit committee therefore need to be assured that the assurance being provided by internal audit is robust, has integrity, and can be relied upon - hence the value of an EQA.
Q12: Is general conformity considered as a conformance and can it therefore be included on audit communication (i.e., the internal audit engagement was undertaken in accordance with the Global Internal Audit Standards)?
A: The Quality Assessment Manual is clear - if the outcome of your EQA provides either a full achievement or a general achievement (both of which are green), then you can include in your reports that you completed the internal audit engagement in accordance with the IIA Standards, as long as your EQA was not more than 5 years ago.
Q13: How much time should we allow to plan and prepare for an External Quality Assessment (EQA)?
A: It will depend on whether you have already undertaken a gap analysis to identify gaps in conformance with the Standards and therefore have a roadmap in place that will take you to conformance. If so, then I would suggest a minimum of 3-6 months, but not continuous. Take time to remind yourself of the Standards and ensure that you have evidence to support conformance. Perhaps the most challenging element will be ensuring that senior management and the audit committee are also aligned and ready to share their thoughts and best practices with the EQA Reviewer(s) when they ask.
Q14: Is there a weighting scale for External Quality Assessment (EQA) or Internal Quality Assessment (IQA) pertaining to the 52 Standards?
A: No, there is not. Perhaps it would be helpful if there were, as it might help internal audit functions prioritize conformance. The IIA is very clear: The Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally, all of which should be part of a conformance program.
The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure. The Standards apply to the internal audit function and individual internal auditors, including the chief audit executive. While the chief audit executive is accountable for the internal audit function’s implementation of and conformance with all principles and standards, all internal auditors are responsible for conforming with the principles and standards relevant to performing their job responsibilities, which are presented primarily in Domain II: Ethics and Professionalism and Domain V: Performing Internal Audit Services.
Q15: What does the External Quality Assessment (EQA) Assessor look for in the working paper files? Can the working paper files be maintained as a soft copy?
A: The Assessor will usually arrange an initial discussion or introductory meeting with the chief audit executive to meet them and other staff who may be assisting during the assessment, and to answer questions about responding to the initial data request and conformance overviews, and verify that all requested documents can be provided. There isn't anything I could find that said whether or not it was acceptable to have soft copies of documentary evidence.
Standard 12.1 lists examples of evidence. See below for an internal quality assessment, which will also form part of the external quality assessment as:
- Completed checklists that support workpaper reviews, survey results, and performance measures related to the efficiency and effectiveness of the internal audit function.
- Documentation of completed periodic assessments, including the plan, workpapers, and communications.
- Presentations to the board and management, and meeting minutes covering the results of internal assessments.
- Documented results of ongoing monitoring and periodic self-assessments, including corrective action plans.
- Actions taken to improve the internal audit function’s efficiency, effectiveness, and conformance with the Standards.
Q16: Will there be a "Quality Assessment Manual" for the new Global Internal Audit Standards?
A: The new Quality Assessment Manual, linked here, has already been produced and is available to purchase.
Q17: Is the self-assessment required to include Topical Requirements?
A: Topical Requirements are effective 12 months after issuance, meaning that the relevant requirements must be implemented by this time. Additionally, quality assessments conducted after the effective date of the Topical Requirement will assess conformance with the current Topical Requirements. The quality assessor will review the documentation for relevant engagements to determine conformance. Early adoption of the Topical Requirement is therefore encouraged, especially if there is a relevant internal audit engagement in your internal audit risk-based plan.
Q18: If a validated self-assessment is completed, does the independent validator need to be a CIA?
A: Yes, the Standard is very clear, Standard 8.4, External Quality Assessment (EQA) states - When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation. It is a 'must' statement and is therefore mandatory, irrespective of whether the assessor is undertaking an EQA or a Self-Assessment Independently Validated.
Q19: If an internal audit function is deemed nonachievement or nonconformance, do they have the ability to make corrections to achieve conformance?
A: Yes, an External Quality Assessment (EQA) is part of a journey to achieve evidence of conformance with the Standards. The primary objectives of an EQA are the same as for internal assessments: to evaluate an internal audit function’s conformance with the Standards and report on its achievement of performance objectives.
Standard 8.4 states that the board or audit committee should review and approve the chief audit executive’s action plans to address identified deficiencies and opportunities for improvement, if applicable. The Standard also requires the board/audit committee to approve a timeline for completion of the action plans and monitor the chief audit executive’s progress.
External quality assessments may also identify leading practices that have been implemented and opportunities to enhance internal audit processes and improve the effectiveness and credibility of the function, which may also support improving conformance and meeting the internal audit function’s objectives.
Q20: If you are part of a global organization and each location has its own internal audit function with a separate head of internal audit that reports to different boards or audit committees, could we use peer reviews to undertake the external quality assessment?
A: The Quality Assessment Manual states - Subsidiaries or other affiliated entities that share a common board should be considered as coming from the same organization for the purposes of reviewer independence. Therefore, I would suggest that it will not be possible for you to use a peer review involving other internal audit functions in your organization located at different geographical locations. Standard 8.4 also states that ‘individuals from another department of the organization, although organizationally separate from the internal audit function, are not considered independent for the purpose of conducting an external assessment. Likewise, individuals from a related organization (for example, a parent organization, an affiliate in the same group of entities, or an entity with regular oversight, supervision, or quality assurance responsibilities with respect to the subject organization) are not considered independent. In the public sector, internal audit functions in separate entities within the same tier of government are not considered independent if they report to the same chief audit executive.’