Quality Frequently Asked Questions
-
An external quality assessment, or EQA, evaluates conformance with the Definition of Internal Auditing, the International Standards for the Professional Practice of Internal Auditing (Standards) and an evaluation of whether internal auditors apply the Code of Ethics.
-
Regardless of an organization's industry or the internal audit activity's complexity or size, there are two recommended approaches to EQAs. The first approach - an independent review team (QA) - involves an outside team under the leadership of an experienced and professional project manager. The team members should be competent professionals who are well versed in best internal audit practices.
The second approach seeks out an objective outside party for independent validation of the internal self-assessment and report completed by the internal audit activity (SAIV). This approach brings in a competent independent evaluator who is well-versed in quality assessment methodology to validate the aforementioned self-assessment of the internal audit activity. In addition to reviewing the self-assessment, the validator substantiates some of the work done by the self-assessment team, makes an on-site visit, interviews senior management, and either co-signs the CAE's report regarding conformance to the Standards, or issues a separate report on the disparities.
-
External QAs are necessary in order to provide full objectivity. In addition to enabling you to state that your IA activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing," they build stakeholder confidence by documenting the internal audit activity's commitment to quality and best practices, and the internal auditors' mindset for professionalism. Obtaining an external QA also provides evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes.
-
It is mandatory that every internal audit activity undergo an external QA conducted by an independent team or independent validator once every five years to comply with Standard 1312. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing.
Adoption of the Standards establishes the intent of the IA activity to comply and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include Audit Committee minutes, updates to the Audit Charter, and use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1:
Performing and communicating the results of an external assessment require the exercise of professional judgment. Accordingly, an individual serving as an external assessor should:
- Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
- Be well-versed in the best practices of the profession.
- Have at least three years of recent experience in the practice of internal auditing at a management level.
- Have competence and experience, such as that gained from working previously as a team member on an external quality assessment, successful completion of The IIA's quality assessment training course or similar training.
- Have CAE or comparable senior internal audit management experience.
-
Start by attending The IIA's courses titled "Performing External Quality Assessments of the Internal Audit Activity" and "Internal Audit Quality Assessment: Establishing your QA and Improvement Program."
-
If you have not yet established a Quality Assurance and Improvement Program, a good first step on the path to quality is to conduct an internal quality assessment. This will establish a benchmark of your internal audit activity that can be used to establish metrics. These metrics will indicate improvement in areas of partial compliance or noncompliance with the Standards.
To receive a proposal for external QA services, please complete and submit a free quote inquiry form to The IIA's Quality Department (e-mail quality@theiia.org).
Top 7 Questions
-
All internal audit activities, regardless of size or whether they are outsourced or co-sourced, should undergo external quality assessments. Ongoing and periodic internal assessments lay the foundation for external assessments, and together, internal and external assessments make up the Quality Assurance and Improvement Program (QAIP).
-
Service providers themselves are not required to conform with The IIA's Standards on Quality. In accordance with the intent of Standard 1300 of The International Standards for the Professional Practice of Internal Auditing, external quality assessments of internal audit activities are to be conducted on an organizational basis and not on a service provider basis.
-
This premise is erroneous, as external QAs of internal audit activities are to be conducted on an organizational basis and not on a service provider basis. The external QA of a service provider would not qualify as sufficient evidence to conclude on the specific work performed at multiple clients. The individual organization's internal audit work must be the focus of the external QA, and any work performed by a service provider would be subject to review during the course of the organization's external QA.
-
The use of the organization's external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 "External Assessments" of The IIA's International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires "The chief audit executive must discuss with the board ... the qualifications and independence of the external reviewer or assessment team, including potential conflict of interest." The interpretation section of Standard 1312 adds, "An independent assessor or assessment team means not having either a real or an apparent conflict of interest..." Thus, professional guidance indicates that the CAE and the board must consider this question, given the facts and circumstances.
-
The External Quality Assessment (QA) of the Internal Auditing Activity (IAA) is to evaluate the IAA's conformance with The IIA's Standards, which also mandates that IAA have an external assessment completed by a qualified independent assessor or assessment team from outside the organization at least once every five years. In addition to the conformance level, all the technical information and tools from a QA can be found in the Quality Assessment Manual available from The IIA Research Foundation Bookstore. Although the Standards are unrelated to ISO standards, a QA may identify the areas for improvement of IAA and make recommendations to enhance IAA which affect ISO-related standards.
-
There is not a required retention period for the QAIP. However, a guide would be to follow the five-year external quality assessment (QA) timeline, i.e., drop off the oldest year's set of documents every five years. Caution: As a general rule, the IAA should follow their organization's record retention policies when determining how long documents should be maintained.
External QAs and Internal Audit (IA) Activities
-
An external quality assessment, or EQA, evaluates conformance with the Definition of Internal Auditing, the International Standards for the Professional Practice of Internal Auditing (Standards) and an evaluation of whether internal auditors apply the Code of Ethics.
-
An external QA builds stakeholder confidence by documenting management's commitment to quality and successful practices, and the internal auditors' mindset for professionalism. Obtaining an external QA provides evidence to the board, management, and staff that the audit committee and the internal audit activity are concerned about the success of the organization's internal controls, ethics, governance, and risk management processes. An opinion of "Generally Conforms" on an external QA allows internal auditors to state their activities are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
-
An SAIV involves the completion of a rigorous self-assessment by the internal audit activity, followed by an assessment conducted by an external, qualified validator. In addition to reviewing the self-assessment, the validator substantiates some of the work completed by the self-assessment team, makes an on-site visit, and interviews senior management. The validator either co-signs the self-assessment report or issues a separate report on any disparities. Additional guidance can be located under Resources in the Quality section on The IIA's website, including Tool 2A - Self-Assessment Guide and a detailed description in the Quality Assessment Manual.
External Quality Assessment (QA) Defined
-
There are alternatives that may assist you in obtaining an external QA. For example, contact your local chapter to determine if they can assist you with an independent validation conducted at minimal cost to your company, other than maybe travel costs if the validator does not live in your city. Another option is to conduct a peer review with other local internal audit activities, rotating the assessment among members of the group, which must include at least three members. If management and the audit committee are not supportive, then your efforts at educating them regarding the reasons, benefits, and overall approach to an external QA are needed. IIA reference materials are available to help you in this effort (free in most cases to IIA members). Additionally, work with your external auditor to educate the audit committee on the benefits of an external QA, which may include additional reliance on the internal audit activity's work. This could result in making the overall external audit more efficient and effective.
-
The IIA strongly encourages that the results of an external QA be considered in order to come to a conclusion as to the reliability of the internal audit activity's work.
External QA and Key Stakeholders
-
It will vary depending on the size of the internal audit activity, the number of locations, and the size of the review team. Reviews conducted by The IIA are generally designed to encompass one or two weeks of on-site work. The preliminary work, wrap-up, report writing, and review will also vary.
-
Since QAs should be forward-looking and improvement-oriented rather than punitive, an assessment team would be most interested in current work, generally going back one year to obtain an appropriate sample.
-
The Quality Assessment Manual contains detailed instructions and audit programs (tools) for conducting a QA. These tools can also be used by the internal audit activity to conduct an internal assessment or self-assessment.
-
We recommend internal audit activities utilize The IIA's Quality Assessment Manual, which can be used to conduct periodic internal assessments or self-assessments in preparation for an external validation or as part of the internal assessment requirement under Standard 1311. This manual can be obtained through The IIA Research Foundation Bookstore.
-
Consider attending IIA seminars titled "Performing External Quality Assessments of the Internal Audit Activity" and "Internal Audit Quality Assessment: Establishing your QA and Improvement Program."
-
There is not a specific number required when sampling work papers. The IIA uses a 10-20% of audits rule of thumb in a quality assessment (QA) with independent team reviews taking into consideration the size of the IAA and the number of audits conducted per year. At a minimum, the independent QA team should review at least two to three sets of working papers from the last twelve months. When conducting Self-Assessment with Independent Validation (SAIV), the norm is to review two-three sets of working papers that were reviewed as part of the self-assessment, and then to review a couple that were not reviewed as part of the self-assessment.
External QA Methodology
-
Yes. The IIA conducts both external independent team assessments and independent validations. In addition to conducting external quality assessments, The IIA can also provide some consulting services to include readiness assessments in preparation for an external quality assessment. To receive a no-obligation proposal from The IIA, please complete the free quote inquiry form.
-
Organizations should request proposals from providers that will be mutually acceptable to the CAE, audit committee, and possibly management. The providers should be required to perform the assessment using a methodology similar to that described in The IIA's Quality Assessment Manual. The organization should require the team to be qualified under the criteria described in Practice Advisory 1312-1.
-
The cost will vary depending on the size of the internal audit activity and the number of locations to be reviewed, etc. IIA Quality Services can provide a detailed proposal based on the internal audit activity's particular circumstances. To receive a no-obligation proposal from The IIA, please complete the free quote inquiry form.
-
Standard 1312 states that external QAs must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The potential need for more frequent external assessments, as well as the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest, must be discussed by the CAE with the board. Such discussions must also consider the size, complexity, and industry of the organization in relation to the experience of the assessor or assessment team. However, best practice would suggest that the audit committee be directly involved in the selection process, as well as the determination of the QA method to be followed, the approach to be followed, and the overall cost. The CAE generally leads the selection process with the full involvement and support of the audit committee and executive management.
-
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1:
Performing and communicating the results of an external assessment require the exercise of professional judgment. Accordingly, an individual serving as an external assessor should:
- Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
- Be well-versed in the best practices of the profession.
- Have at least three years of recent experience in the practice of internal auditing at a management level.
- Have competence and experience, such as that gained from working previously as a team member on an external quality assessment, successful completion of The IIA's quality assessment training course or similar training.
- Be a CAE or have comparable senior internal audit management experience.
External QA Providers
-
Standard 1320 states that the chief audit executive must communicate the results of external assessments upon completion to senior management and the board (through the audit committee). Upon the completion of an external quality assessment, the assessment team must issue a formal report containing an opinion on the internal audit activity's conformance with the International Standards for the Professional Practice of Internal Auditing (Standards). The report must be addressed to the person or organization requesting the assessment. The chief audit executive must prepare a written action plan in response to the significant comments and recommendations contained in the report of the external assessment. This written action plan must also be addressed to the person or organization requesting the assessment. Appropriate follow-up is also the chief audit executive's responsibility.
-
Yes, as stated in Standard 1320, the results of any quality assessment by an independent group of the internal audit activity must be discussed with the board.
-
An example of an SAIV report is included in The IIA's Quality Assessment Manual. In general, the independent assessor must review the scope, approach, and various opinions that could be given, and the overall opinion arrived at with any qualifying issues needing attention.
External QA Reporting
-
It is mandatory that every internal audit activity undergo an external QA conducted by an independent team or independent validator once every five years to comply with Standard 1312. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing (Standards).
Adoption of the Standards establishes the intent of the IA activity to comply and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
In this situation, the internal audit activity is considered as being established two years ago when the company was spun out of another company. The five-year cycle starts when an IA activity formally adopts the Standards. If the Standards were formally adopted at the same time as the spin-off occurred, then the five-year cycle began at the same time. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
The five-year cycle starts when an IA activity formally adopts the Standards. If the Standards were formally adopted at the same time as the merger occurred, then the five-year cycle began at the same time. If the Standards were previously formally adopted by the surviving internal audit activity, then the five-year cycle starts when the Standards were first adopted or from the most recent external QA, whichever is later. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
If the policies and practices of the surviving internal audit activity are based on the organization that had the external QA, then no further external QA would be needed. If not, then an external QA would be required.
-
If the regulator's approach follows a method which would provide an assessment against the Standards, then the regulator's assessment the Standards as a basis for the assessment, then a separate external QA would be needed.
-
Yes. An external QA is required, regardless of whether the internal audit activity was in-house or outsourced. The five-year requirement began when the IA activity was first enacted, regardless of whether it was outsourced, co-sourced or in-house. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
The IA activity has five years from the date of adoption of the Standards before an external quality assessment would be required. Adoption of the Standards establishes the intent of the IA activity to comply and should be considered the starting point of the five-year period before an external QA is required. Generally, adoption of the Standards and "intent" coincide with the formation of the internal audit activity. However, in other cases the election to adopt the Standards may not occur when the department is first established. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
External QA Timing
-
In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing), it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If a total outsourcing exists, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, Corporate Controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.
-
In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing) it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If the majority of the internal audit work is outsourced to a service provider, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, corporate controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.
-
The use of the organization's external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 "External Assessments" of The IIA's International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires "The chief audit executive must discuss with the board ... the qualifications and independence of the external assessor or assessment team, including potential conflict of interest." The interpretation section of Standard 1312 adds, "An independent reviewer or review team means not having either a real or an apparent conflict of interest..." Thus, professional guidance indicates that the CAE and the board must consider this question given the facts and circumstances.
External QAs and Outsourced IA Activities
-
The criteria are described in The IIA's Quality Assessment Manual. To summarize, it is a matter of determining conformity to each of the standards individually and then rolling those determinations into an overall conclusion. Because it is a conclusion, the lack of general conformity to a particular standard would not necessarily result in an overall "partially conforms" opinion or the reverse.
-
The CAE should report the rationale for nonconformance of the external QA requirement to the board and management. If the internal audit activity does not undergo the external QA during the designated timeframe (once every five years), it is forbidden to use the phrase, "Conducted in accordance with the International Standards for the Professional Practice of Internal Auditing," in reports or its internal audit activity charter. A CAE who uses this statement while not in conformance is subject to ethical disciplinary sanctions by The IIA.
-
If an internal audit activity receives a less than generally conforms opinion regarding conformance to the Standards, the CAE must initiate action to cure the deficiency and/or discuss with the Audit Committee the limiting factors that may need to be addressed in order to resolve the area(s) where a deficiency was noted. The lack of a generally conforms opinion would preclude the internal audit activity from indicating they were operating in conformance with the Standards in any written reports or documents until the deficiency was resolved.
-
If the CAE does not agree with the opinion of the external QA team or the independent validator, the CAE must report their view of the situation to the audit committee and discuss the issue with the audit committee to determine the appropriate action to be taken. If a "partially conforms" or "does not conform" opinion is received, the internal audit activity is not in conformance with the Standards and the CAE must discuss the appropriate action to be taken with the audit committee to resolve the issue(s).
-
Yes, until the issues identified as causing the nonconformance are resolved, the activity would be out of conformance with the Standards.
-
The CAE must review the corrective action taken to resolve the nonconformance issue(s) with the audit committee and report when the action plan is complete. If the audit committee desires an external validation, then additional input may be needed. When the remediation work is completed to the satisfaction of the audit committee, the internal audit activity can then consider themselves in conformance with the Standards.
Opinion on the Standards
-
Volunteer team members should have the following qualifications:
- Three years of internal auditing experience
- Professionally-recognized certification (e.g., CIA, CISA, CPA, etc.)
- Current knowledge of The IIA's Standards
The IIA can offer volunteers many opportunities to participate on assignments. However, The IIA's clients have final approval of the volunteers proposed for their external QAs.
If selected by the client for participation on an external QA, you may decline, but it could have a negative impact on the engagement, especially if the cancellation is done with short notice.
Participation on an IIA External QA
-
External QAs or independent validations can be conducted through peer reviews instead of utilizing external service providers. Internal auditors from three or more different organizations come together to form a pool of professionals, all of whom must be qualified to conduct external QAs. Reciprocal peer reviews between two organizations do not pass the independence test.
Peer review teams can consist of members from different organizations within an industry or other affinity group, regional association, or other group of organizations. However, administration of this process can be quite challenging because assuring appropriate composition and assignments of the teams is imperative. Perceived independence and objectivity can also be challenging.
-
It would be preferable to have the QA performed by other government auditors who are not "related" to the department under review. The IIA recommends an independent validator be engaged to review and validate the "peer review" in a government setting.
Peer Reviews
-
A QAIP is required by the Standards. As an organization grows, its operations and quality processes must evolve and be refined in order to keep pace with the changes. To ensure consistent quality in this dynamic environment, an ongoing commitment to growth and improvement is essential. This commitment to continuous improvement is demonstrated through a documented QAIP, as described in PA1300-1.
-
The required elements of the program are periodic internal and external quality assessments, ongoing internal monitoring, and assurance that the internal audit activity is conforming to the Standards and the Code of Ethics. A QAIP Guide can be obtained under Resources in the Quality section on The IIA's website.
-
Practice Advisory 1300-1 provides an inclusive list of the elements that should be included in the QAIP. The IIA has posted a Model Quality Assurance and Improvement Program to assist you in implementing a QAIP.
-
Internal assessments must include ongoing monitoring of the performance of the internal audit activity and periodic reviews performed by self-assessments. External assessments require an outside team of independent reviewers to evaluate conformance with the Standards, the use of successful practices, and the efficiency and effectiveness of the internal audit activity.
Quality Assurance and Improvement Program
-
No. An internal audit activity must demonstrate conformance with The IIA's Standards before it can state that it is in conformance. Simply having a contract to perform an external quality assessment after the end of the five-year cycle is not sufficient to demonstrate the conformance with the Standards. Therefore, the internal audit activity cannot state that it is in conformance with the Standards.
-
As per Practice Advisory 1321, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in conformance with the Standards. An internal auditing activity must demonstrate conformance with the Standards before it can state that it is in conformance with the Standards. Standard 1300 requires the Chief Audit Executive (CAE) to develop and maintain a Quality Assurance and Improvement Program (QAIP) that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The CAE of a new internal auditing activity can authorize the use of the statement, "Conducted in Conformance with the Standards," when supported by sufficient evidence from QAIP internal assessments. While an external quality assessment must be performed within five years of a new department's existence, the conformance statement can be used after at least one year's internal assessments indicate sufficient evidence exists that the audit function is indeed compliant with the Standards.
-
A reference should not be made in either the IA activity charter or the IA activity audit reports. The reference may be made when the IA activity's quality assurance and improvement program demonstrates that the internal audit activity is in conformance with the Standards.