Compliance | April 30, 2025

Maximizing internal audit effectiveness through external quality assessments

In today’s volatile and dynamic business environment, organizations are increasingly challenged to maintain resilience and deliver on their objectives. The role of internal audit is pivotal in supporting the board, audit committee, and senior management by providing independent and objective assurance and advisory support that will help the organization remain successful.

One of the key processes that bolsters the trustworthiness and effectiveness of the internal audit function is the external quality assessment (EQA). An EQA acts as a badge of credibility, affirming internal audit’s adherence to global standards and its capacity to provide valuable insights and foresight to the organization.

What is an external quality assessment in internal audit?

The Institute of Internal Auditors (IIA) revised its Global Internal Audit Standards in 2024 to elevate the quality of internal audit services and give internal auditors the guidance they need to remain relevant in a rapidly changing business landscape. The 2024 Standards, which came into effect on January 9, 2025, reflect the ever-expanding scope of the internal audit function to provide independent, objective, efficient, and impactful assurance and advice that aligns with organizational goals.

The 2024 Standards consist of 5 Domains, 15 Principles, and 52 Standards that cover internal audit’s purpose, ethics and professionalism, governing and managing the internal audit function, and performing internal audit services.

Given the scope of the Standards, the external quality assessment is the tool used by internal auditors to evaluate conformance. There are two types of external quality assessments: the full-scope EQA and the self-assessment independently validated (SAIV). According to the new Standards, organizations must conduct either a full-scope EQA or a self-assessment independently validated every 5 years. This flexibility allows organizations to balance the comprehensive nature of a full-scope EQA with the cost-effectiveness and reduced disruption of a self-assessment independently validated.

Typically, an EQA occurs every five years, serving as a periodic checkpoint to evaluate the internal audit function’s conformance with the Standards and effectiveness in delivering value and to provide assurance to internal audit’s stakeholders (e.g., the board/audit committee and senior management). By integrating conformance and quality into the regular cycle of work, internal audit functions can regularly ensure they are aligned with the Standards, as well as their own performance measurements and strategic objectives.

Steps to prepare for an external quality assessment

Preparation is crucial to maximize the value derived from an EQA. The following steps must be in place to ensure the internal audit function is primed and ready for the review.

  • Understand the Standards. Organizations must understand the Global Internal Audit Standards and align their practices to meet the IIA’s conformance expectations.
  • Conduct a self-assessment or gap analysis. Perform a high-level self-assessment or gap analysis of the internal audit function against the Standards in anticipation of the review to identify the various strengths and weaknesses.
  • Organize documentation. Gather and organize all necessary documentation, including the audit charter and mandate, policies, procedures, audit plans, strategy, and past audit reports.
  • Engage stakeholders. Communicate with senior management, the audit committee, and other stakeholders to ensure their involvement and continued support during the EQA.
  • Select an external assessor(s). At least one member of an external assessor team or an individual assessor must be a CIA-qualified external assessor who is independent and objective. Be aware of any potential conflicts of interest.
  • Prepare the internal audit team. Brief the internal audit team on the EQA process and encourage openness and transparency during the review.
  • Review past EQAs. Analyze findings from previous EQAs (if available) and document actions taken to address recommendations.
  • Develop a communications plan. Create a communications plan to keep stakeholders informed and develop a follow-up plan to address EQA findings and recommendations with stakeholders, particularly the board/audit committee and senior management, and members of the internal audit function.

Auditing the auditor: Understanding external quality assessment requirements

Simply put, the EQA process requires reviewing the internal audit function’s past actions and looking ahead to discover areas of opportunity and improvement. Domain III: Governing the Internal Audit Function groups together the Standards that focus on the relationship between the chief audit executive (CAE), board (or audit committee), and senior management in governing the internal audit function. This includes Standard 8.4, which guides the EQA process to ensure that the internal audit function aligns with organizational priorities. 

Standard 8.4 External Quality Assessment (EQA)

Standard 8.4 requires the CAE to develop a plan for the external quality assessment and present it to the board. A qualified, independent assessor must perform the external quality assessment at least once every five years. The board, audit committee, and senior management’s involvement are crucial as they are the primary stakeholders who benefit from the assurance provided by the EQA.

While the Standard states that an EQA must be conducted at least every five years, the board and CAE may determine that it is appropriate to perform them more frequently. Some reasons for this include changes in leadership, amendments to internal audit methodologies, the merger of two or more internal audit functions, or significant staff turnover. Additionally, organizations in highly regulated industries may find it beneficial to increase the frequency or scope of their EQAs.

Selecting an EQA assessor

Choosing the right external assessor is a strategic decision that can significantly impact the external quality assessment’s outcome and value. At least one member of the external assessment team must be a Certified Internal Auditor to meet the Standards. There are also certain criteria that an assessor should meet, including knowledge of the Standards, experience as a CAE or other senior level within the organization, industry knowledge, previous experience performing external quality assessments, absence of any conflicts of interest, and (ideally) completion of the training provided by the IIA.

Organizations may opt for external third-party assessments or peer reviews. It should be noted that reciprocal peer assessments between two organizations are not considered independent. Peer reviews that rotate among three or more organizations will likely meet the independence and objectivity criteria.

Another consideration when selecting external assessors is any potential impairments to the assessor’s past, present, or future relationships with the organization, its personnel, or its internal audit function. Some examples of potential impairments include:

  • External audits of financial statements
  • Assistance to the internal audit function, such as a co-sourced arrangement or subject matter expert
  • Personal relationships
  • Previous or planned participation in internal quality assessments
  • Advisory services in governance, risk management, control processes, financial reporting, or other areas

Two types of external quality assessments

There are two valid approaches to conducting an EQA, each with unique advantages and considerations.

Self-assessment Independently Validated (SAIV)

The self-assessment independently validated is potentially a more cost-effective and less disruptive approach, where the internal audit function conducts a self-assessment and prepares documentation for the external assessors. In other words, internal audit does all the heavy lifting. The independent, qualified external assessor then validates the self-assessment, ensuring that the internal audit function’s evaluation is accurate and aligns with the Standards.

Full-scope EQA

The full-scope EQA is a comprehensive assessment that examines the organization’s conformance with the 5 Domains, 15 Principles, and 52 Standards within the Global Internal Audit Standards. This includes:

  • Achievement of performance objectives (Standards 12.1 and 12.2)
  • Compliance with laws and regulations relevant to internal auditing (Standard 1.3)
  • Developing a plan to address the internal audit function’s deficiencies and opportunities for improvement (Standards 8.1, 8.3, and 12.1)
  • Adherence to topical requirements as part of the EQA process
  • Optional maturity assessment

What is the Quality Assessment Manual?

The IIA has created a Quality Assessment Manual that provides an overview of how to achieve enhanced conformance with the Standards and examines the internal audit function’s ability to add value to the organization. The Quality Assessment Manual covers each of the 15 Principles and the Standards within each Principle to support the CAE in providing the necessary evidence to demonstrate conformance. This guidance can be a useful resource to help build quality across the internal audit function and support continuous improvement.

Understanding the 5 domains of the global IIA standards

The external assessor will explore and assess achievement in all five Domains of the IIA Standards and examine the maturity of the internal audit function, with an emphasis on conformance and performance.

Domain I: Purpose of Internal Auditing could be compared to internal audit’s “elevator pitch.” Domain I is unique because it does not contain Principles or Standards. Instead, the Purpose Statement is designed to help internal auditors and stakeholders understand the value of internal auditing. The Purpose Statement reads, “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”

Domain II: Ethics and Professionalism is the DNA of internal auditors and the internal audit function. Domain II clearly outlines the expectations stakeholders have across the five Principles:

  1. Demonstrating integrity
  2. Maintaining objectivity
  3. Demonstrating competency
  4. Exercising due professional care
  5. Maintaining confidentiality

A noticeable shift in this Domain is the elevation of honesty, professional courage, and professional skepticism. These have all been implied by the Standards and advocated by chief audit executives and industry professionals for many years.

Domain III: Governing the Internal Audit Function groups together Standards that focus on the relationship between the chief audit executive (CAE), board (or audit committee), and senior management in governing internal audit. This Domain has a unique element – essential conditions – that describes the actions necessary for the board and senior management to authorize, position, and oversee an effective internal audit function.

If the essential conditions are not fully implemented, assessors should evaluate whether any alternative actions were taken and if the intent of the Standards in Domain III was met. There may also be situations where the approved internal audit mandate is generic or not comprehensive over the organization and not fully aligned with Domain I: Purpose of Internal Auditing, such as with temporary restrictions, unclear mandates, overlap with other assurance functions, or a narrow view by the board or audit committee. If the mandate falls short, assessors should use their professional judgment.

Domain IV: Managing the Internal Audit Function is the CAE’s job description. It focuses on the CAE’s responsibility to manage the internal audit function, including performance measurement and continuous improvement. Like Domain III, Domain IV emphasizes the importance of working closely with management, the board, and other key stakeholders. The direct reporting relationship between the board and the CAE enables the internal audit function to fulfill its mandate.

Domain V: Performing Internal Audit Services focuses on internal auditors’ daily work, outlining the steps they must take to effectively plan engagements, conduct audits, collaborate, and communicate findings to management, and, most importantly, deliver value to stakeholders.

The EQA requires reviewing the workpapers of a sample of internal audit’s engagements. The sample files should represent and include:

  • A variety of service types
  • Work conducted by various internal auditors, including external service providers, if applicable
  • Engagements where Topical Requirements apply
  • Engagements using data analytics

In summary, the external quality assessment should include a comprehensive review of the internal audit function’s conformance with the Global Internal Audit Standards. This should include a holistic evaluation of the internal audit function, including its:

  • Mandate, charter, strategy, methodologies, processes, risk assessment, and internal audit plan
  • Compliance with applicable laws and regulations
  • Performance criteria, measures, and assessment results
  • Competencies and due professional care
  • Qualifications
  • Integration into the organization’s governance processes
  • Contribution to the organization’s governance, risk management and control processes
  • Contribution to the improvement of the organization’s operations and ability to attain its objectives
  • Ability to meet expectations articulated by the board, senior management, and stakeholders

Assessing the maturity of the internal audit function

A good start to optimizing the internal audit function is assessing its maturity. Maturity assessments help chief audit executives identify opportunities for continuous improvement, enabling the internal audit function to add value to their organization and exceed stakeholder expectations. They can also provide a benchmark and guidance for improving internal audit’s performance. While maturity assessments were originally intended to be self-assessments, they are also helpful in supplementing external quality assessments.

Conclusion

An EQA is not merely a compliance exercise but a strategic tool that restores or enhances stakeholder confidence in the internal audit function. By ensuring the internal audit function has the right skills and expertise, EQAs help strengthen their position as trusted advisors, navigate the challenges of today's business environment with resilience and confidence, and contribute strategically to the organization's success.


External Quality Assessment (EQA) Frequently Asked Questions

We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity specific to her presentation — “EQA Preparation: Conformance and Performance = Quality.”

Q1: How much time should pass before a firm that was previously providing Internal Audit Services can be appointed to do External Quality Assessment (EQA) in the same organization where those services were provided?

A: Standard 8.4 in the Consideration for Implementation states - The chief audit executive should consider potential impairments to the independence of assessors driven by past, present, or anticipated future relationships with the organization, its personnel, or its internal audit function. If a potential assessor is a former employee of the organization, the length of time the assessor has been independent should be evaluated.
Examples of potential impairments include:

  • External audits of financial statements.
  • Assistance to the internal audit function.
  • Personal relationships.
  • Previous or planned participation in internal quality assessments.
  • Advisory services in governance, risk management, and control processes; financial reporting; or other areas.

The Standards do not specifically state time periods but the four bullet points above provide criteria for assessing whether the firm that provided internal audit services can now provide an EQA. One of the key challenges must be about reviewing/assessing their own work, so I would suggest because of the new Standards if they stopped providing internal audit services at any point in 2024 then an EQA focused on the new Standards will tend to look at a volume of work undertaken since January 2025. However, if the volume is relatively small and the Reviewer/Assessor needs to go back to IPPF 2017 conformance then there would be a conflict of interest. Perhaps, at a minimum, a couple of years might be a helpful timeline.

Q2: What is the basic qualification requirement for an Internal Auditor to conduct an internal annual assessment?

A: The Quality Assessment Manual states - Periodic self-assessments are generally overseen by senior members of the internal audit function who have extensive knowledge of the professional practice of internal auditing and the mandatory elements of the International Professional Practices Framework. In some larger internal audit functions, a separate professional practices group may perform the self-assessments. In other functions, performing a self-assessment may be an opportunity to train auditors on the function’s methodologies and the Standards. 

To the extent possible, the assessors should be independent from the areas they review; for example, they should not assess engagements for which they were primarily responsible. Assessors might also include other qualified individuals not currently in the internal audit function, for example, individuals from elsewhere within the organization, retired internal auditors, or contractors. Objectivity is presumed to be impaired to some extent when internal personnel assess conformance with the standards in Domains III and IV, which is one reason the Standards require external assessments. A presumed impairment to objectivity should be disclosed, as appropriate, in the internal quality assessment results.

Q3: Does the performance of External Quality Assessment (EQA) consider the size of the internal audit function?
What are the differences between EQAs completed using the previous Standards compared to the new Standards?
Can an EQA be done internally by an internal auditor?

A1: The internal audit function’s ability to fully conform with the Standards may be affected by its size or the size of the organization. With limited resources, completing certain tasks may be challenging. Additionally, if the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function. (See also Standards 10.1 Financial Resource Management, 12.1 Internal Quality Assessment, and 12.3 Oversee and Improve Engagement Performance.) The EQA Reviewer will appreciate the size of the internal audit function but will also be focused on recognizing that the Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure.

A2: The principles are very similar except, of course, as you state the Standards are different. There is also more awareness around the maturity of the internal audit function and how it performs (i.e., its objectives and performance measures will also be considered).

A3: An EQA cannot be undertaken internally by an internal auditor; it must be undertaken externally. See Standard 8.4 - The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team.

Q4: As an internal audit function aiming to achieve conformance, can we start with gap analysis, maturity assessment internally, and then an External Quality Assessment (EQA) within 5 years?

A: Yes, I would certainly start with a gap analysis to see how far along your conformance journey you are. But in terms of 5 years, it will very much depend on when you last had an EQA because the Standards are very clear that you must have an EQA at a minimum once every 5 years. The clock does not start ticking again from 9 January 2025.

Q5: Would the Audit Strategy be part of an External Quality Assessment (EQA)? And if yes, to what extent or detail would it be assessed?

A: Standard 9.2 is very clear that there needs to be an internal audit strategy for the internal audit function approved by the board/audit committee. Standard 8.4 is clear - The external quality assessment should include a comprehensive review of the adequacy of the internal audit function’s:

  • Mandate, charter, strategy, methodologies, processes, risk assessment, and internal audit plan.

In answer to your question 'yes' the internal audit strategy will form part of the EQA. The depth of review will be dependent upon the EQA assessors’ judgement linked to the other items listed above, your conformance journey, and the maturity of your internal audit function.

Q6: Are the assessors required to get any certification to perform quality assessments in accordance with the new External Quality Assessment (EQA) requirements and Standards?

A: Standard 8.4 states - When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation.

Standard 8.4 in the Considerations for Implementation states - In addition to the requirement that at least one member of the external assessment team be a Certified Internal Auditor®, other important qualifications of the assessment team to consider include:

  • Experience with and knowledge of the Standards and leading internal audit practices.
  • Experience as a chief audit executive or comparable senior level of internal audit management.
  • Experience in the organization’s industry or sector.
  • Previous experience performing external quality assessments.
  • Completion of external quality assessment training recognized by The Institute of Internal Auditors.
  • Attestation by assessment team members that they have no conflicts of interest, in fact or appearance.

Q7: What is the recommended scope for an External Quality Assessment (EQA)?

A: Standard 8.4 Considerations for Implementation state - The external quality assessment should include a comprehensive review of the adequacy of the internal audit function’s:

  • Conformance with the Global Internal Audit Standards.
  • Mandate, charter, strategy, methodologies, processes, risk assessment, and internal audit plan.
  • Compliance with applicable laws and/or regulations.
  • Performance criteria and measures, as well as assessment results.
  • Competencies and due professional care, including the sufficient use of tools and techniques, and a focus on continual development.
  • Qualifications and competencies, including those of the chief audit executive role, as defined by the organization’s job description and hiring profile.
  • Integration into the organization’s governance processes, including the relationships among those involved in positioning the internal audit function to operate independently.
  • Contribution to the organization’s governance, risk management, and control processes.
  • Contribution to the improvement of the organization’s operations and ability to attain its objectives.
  • Ability to meet expectations articulated by the board, senior management, and stakeholders.

Q8: Professional courage is new wording within the Standards. During an External Quality Assessment (EQA) what would the expectations be on how this can be explicitly demonstrated (other than the survey option mentioned)?

A: Standard 1.1, Honesty and Professional Courage references - Internal auditors must be truthful, accurate, clear, open, and respectful in all professional relationships and communications, even when expressing skepticism or offering an opposing viewpoint. Internal auditors must not make false, misleading, or deceptive statements, nor conceal or omit findings or other pertinent information from communications. Internal auditors must disclose all material facts known to them that, if not disclosed, could affect the organization’s ability to make well-informed decisions.

Some of the requirements are challenging to evidence. However, the Standard suggests evidence of conformance might include the following:

  • A training plan that includes ethics education and training.
  • Documents that evidence internal auditors’ attendance or participation in ethics education and training.
  • Performance evaluations showing honesty and professional courage as objectives.
  • Feedback from key stakeholders regarding the honesty and courage of internal auditors.

Feedback from stakeholders, and perhaps ongoing monitoring by senior internal audit management or the CAE, are probably the most appropriate forms of evidence.

Q9: Is there a set framework for the maturity assessment or is this a subjective measure dependent on the external assessor and what the internal audit function is seeking to achieve in its objectives?

A: The Quality Assessment Manual includes reference to a Maturity Assessment. It states that the benefits of a maturity assessment are that the chief audit executives should strive for more than conformance with the Global Internal Audit Standards. They should also focus on optimizing the internal audit function’s performance with the goal of addressing the organization’s changing needs and exceeding stakeholders’ expectations. A good start to optimizing the function is assessing its maturity. Maturity assessments can provide a benchmark and guidance for improving the function’s performance. While maturity assessments were initially intended to be self-assessments, they can also supplement external assessments. Maturity assessments also help the chief audit executive identify specific targets for improvement and communicate with the board and senior management about the internal audit function’s current achievements compared with its quality goals and the gaps the function needs to fill to achieve the desired level of performance. Discussing maturity increases stakeholders’ awareness of the elements of effective internal auditing and the full potential of the internal audit function.

Q10: Where do reciprocal peer reviews fit if only validated self-assessment and full External Quality Assessment (EQA) are valid approaches?

A: Standard 8.4 - external quality assessments, whether full or self-assessment with independent validation, can be conducted through peer reviews instead of engaging an external service provider. A peer review involves internal auditors from multiple organizations forming a pool of professionals qualified to conduct external quality assessments. At least three organizations must be involved (Standard 8.4) to meet the requirements of reviewer independence. Subsidiaries or other affiliated entities that share a common board should be considered as coming from the same organization for the purposes of reviewer independence. When the number of organizations participating is sufficient, drawing assessors from multiple organizations provides a broad perspective and prevents reciprocal review.

Peer review consortia can be organized within industries, other affinity groups, or regional associations. Peer reviews are particularly common in the public sector, where consortia exist for state and local governments. These programs may have their own methodologies, but this manual’s tools can supplement the peer consortium’s approach. One risk to be considered is that peers could collude or subconsciously be motivated to reciprocate positive reviews.

Q11: My company is cost-cutting and does not see the cost benefit of EQA, especially as we have had good results from previous External Quality Assessments (EQAs). What are the consequences?

A: Within Domain III of the new Standards, the oversight responsibilities of the board/audit committee are clearly defined.

The board oversees the internal audit function to ensure the function’s effectiveness. Board oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this principle requires collaborative and interactive communication between the board and the chief audit executive, as well as the board’s support in ensuring the internal audit function obtains sufficient resources to fulfill the internal audit mandate. Additionally, the board receives assurance about the quality of the performance of the chief audit executive and the internal audit function through the quality assessment and improvement program, including the board’s direct review of the results of the external quality assessment.

The board or audit committee will make decisions about the future of the business and some of the information or data used to make those decisions will have been subjected to an assurance engagement by internal audit. The board or audit committee therefore need to be assured that the assurance being provided by internal audit is robust, has integrity, and can be relied upon - hence the value of an EQA.

Q12: Is general conformity considered as a conformance and can it therefore be included on audit communication (i.e., the internal audit engagement was undertaken in accordance with the Global Internal Audit Standards)?

A: The Quality Assessment Manual is clear - if the outcome of your EQA provides either a full achievement or a general achievement (both of which are green), then you can include in your reports that you completed the internal audit engagement in accordance with the IIA Standards, as long as your EQA was not more than 5 years ago.

Q13: How much time should we allow to plan and prepare for an External Quality Assessment (EQA)?

A: It will depend on whether you have already undertaken a gap analysis to identify gaps in conformance with the Standards and therefore have a roadmap in place that will take you to conformance. If so, then I would suggest a minimum of 3-6 months, but not continuous. Take time to remind yourself of the Standards and ensure that you have evidence to support conformance. Perhaps the most challenging element will be ensuring that senior management and the audit committee are also aligned and ready to share their thoughts and best practices with the EQA Reviewer(s) when they ask.

Q14: Is there a weighting scale for External Quality Assessment (EQA) or Internal Quality Assessment (IQA) pertaining to the 52 Standards?

A: No, there is not. Perhaps it would be helpful if there were, as it might help internal audit functions prioritize conformance. The IIA is very clear: the Global Internal Audit Standards set forth principles, requirements, considerations, and examples for the professional practice of internal auditing globally, all of which should be part of a conformance program.
 
The Standards apply to any individual or function that provides internal audit services, whether an organization employs internal auditors directly, contracts them through an external service provider, or both. Organizations receiving internal audit services vary in sector and industry affiliation, purpose, size, complexity, and structure. The Standards apply to the internal audit function and individual internal auditors, including the chief audit executive. While the chief audit executive is accountable for the internal audit function’s implementation of and conformance with all principles and standards, all internal auditors are responsible for conforming with the principles and standards relevant to performing their job responsibilities, which are presented primarily in Domain II: Ethics and Professionalism and Domain V: Performing Internal Audit Services.

Q15: What does the External Quality Assessment (EQA) Assessor look for in the working paper files? Can the working paper files be maintained as a soft copy?

A: The Assessor will usually arrange an initial discussion or introductory meeting with the chief audit executive to meet them and other staff who may be assisting during the assessment, and to answer questions about responding to the initial data request and conformance overviews, and verify that all requested documents can be provided. There isn't anything I could find that said whether or not it was acceptable to have soft copies of documentary evidence.

Standard 12.1 lists examples of evidence for an internal quality assessment, which will also form part of the external quality assessment:

  • Completed checklists that support workpaper reviews, survey results, and performance measures related to the efficiency and effectiveness of the internal audit function.
  • Documentation of completed periodic assessments, including the plan, workpapers, and communications.
  • Presentations to the board and management, and meeting minutes covering the results of internal assessments.
  • Documented results of ongoing monitoring and periodic self-assessments, including corrective action plans.
  • Actions taken to improve the internal audit function’s efficiency, effectiveness, and conformance with the Standards.

Q16: Will there be a "Quality Assessment Manual" for the new Global Internal Audit Standards?

A: The new Quality Assessment Manual has already been produced and is available to purchase.

Q17: Is the self-assessment required to include Topical Requirements?

A: Topical Requirements are effective 12 months after issuance, meaning that the relevant requirements must be implemented by this time. Additionally, quality assessments conducted after the effective date of the Topical Requirement will assess conformance with the current Topical Requirements. The quality assessor will review the documentation for relevant engagements to determine conformance. Early adoption of the Topical Requirement is therefore encouraged, especially if there is a relevant internal audit engagement in your internal audit risk-based plan.

Q18: If a validated self-assessment is completed, does the independent validator need to be a CIA?

A: Yes, the Standard is very clear. Standard 8.4, External Quality Assessment (EQA), states: When selecting the independent assessor or assessment team, the chief audit executive must ensure at least one person holds an active Certified Internal Auditor® designation. It is a 'must' statement and is therefore mandatory, irrespective of whether the assessor is undertaking an EQA or a Self-Assessment Independently Validated.

Q19: If an internal audit function is deemed nonachievement or nonconformance, do they have the ability to make corrections to achieve conformance?

A: Yes, an External Quality Assessment (EQA) is part of a journey to achieve evidence of conformance with the Standards. The primary objectives of an EQA are the same as for internal assessments: to evaluate an internal audit function’s conformance with the Standards and report on its achievement of performance objectives.
 
Standard 8.4 states that the board or audit committee should review and approve the chief audit executive’s action plans to address identified deficiencies and opportunities for improvement, if applicable. The Standard also requires the board/audit committee to approve a timeline for completion of the action plans and monitor the chief audit executive’s progress.

External quality assessments may also identify leading practices that have been implemented and opportunities to enhance internal audit processes and improve the effectiveness and credibility of the function, which may also support improving conformance and meeting the internal audit function’s objectives.

Q20: If you are part of a global organization and each location has its own internal audit function with a separate head of internal audit that reports to different boards or audit committees, could we use peer reviews to undertake the external quality assessment?

A: The Quality Assessment Manual states: Subsidiaries or other affiliated entities that share a common board should be considered as coming from the same organization for the purposes of reviewer independence. Therefore, I would suggest that it will not be possible for you to use a peer review involving other internal audit functions in your organization located at different geographical locations. Standard 8.4 also states that ‘individuals from another department of the organization, although organizationally separate from the internal audit function, are not considered independent for the purpose of conducting an external assessment. Likewise, individuals from a related organization (for example, a parent organization, an affiliate in the same group of entities, or an entity with regular oversight, supervision, or quality assurance responsibilities with respect to the subject organization) are not considered independent. In the public sector, internal audit functions in separate entities within the same tier of government are not considered independent if they report to the same chief audit executive.’


Liz Sandwith
Internal Audit and Risk Management Consultant
Liz Sandwith has been a member of the IIA Standards Board for the last 6 years. Because of her involvement in the IPPF Evolution project, the IIA asked her to stay on as a Special Adviser to the Standards Board. 