
Frequently Asked Questions
-
What is an External Quality Assessment (EQA)?
An external quality assessment, or EQA, evaluates conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards), and evaluates whether internal auditors apply the Code of Ethics.
-
What are the approaches for an EQA?
Regardless of an organization's industry or the internal audit activity's complexity or size, there are two recommended approaches to EQAs. The first approach - an independent review team (QA) - involves an outside team under the leadership of an experienced and professional project manager. The team members should be competent professionals who are well versed in best internal audit practices.
The second approach seeks out an objective outside party for independent validation of the internal self-assessment and report completed by the internal audit activity (SAIV). This approach brings in a competent independent evaluator who is well-versed in quality assessment methodology to validate the aforementioned self-assessment of the internal audit activity. In addition to reviewing the self-assessment, the validator substantiates some of the work done by the self-assessment team, makes an on-site visit, interviews senior management, and either co-signs the CAE's report regarding conformance to the Standards, or issues a separate report on the disparities.
-
Why undergo a Quality Assessment (QA)?
External QAs are necessary in order to provide full objectivity. In addition to enabling you to state that your IA activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing," they build stakeholder confidence by documenting the internal audit activity's commitment to quality and best practices, and the internal auditors' mindset for professionalism. Obtaining an external QA also provides evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes.
-
When does an Internal Audit Activity need to have a QA performed?
It is mandatory that every internal audit activity undergo an external QA conducted by an independent team or independent validator once every five years to comply with Standard 1312. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing.
Adoption of the Standards establishes the intent of the IA activity to comply and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include Audit Committee minutes, updates to the Audit Charter, and use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
Who can conduct a QA?
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1:
Performing and communicating the results of an external assessment require the exercise of professional judgment. Accordingly, an individual serving as an external assessor should:
Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
Be well-versed in the best practices of the profession.
Have at least three years of recent experience in the practice of internal auditing at a management level.
Have competence and experience, such as that gained from working previously as a team member on an external quality assessment, successful completion of The IIA's quality assessment training course or similar training.
Have CAE or comparable senior internal audit management experience.
-
How do I obtain knowledge about internal and external quality assessments?
-
Where do I start?
If you have not yet established a Quality Assurance and Improvement Program, a good first step on the path to quality is to conduct an internal quality assessment. This will establish a benchmark of your internal audit activity that can be used to establish metrics. These metrics will indicate improvement in areas of partial compliance or noncompliance with the Standards.
To receive a proposal for external QA services, please complete and submit a free quote inquiry form to The IIA's Quality Department (e-mail quality@theiia.org, or call +1-407-937-1399).
-
Which organizations should undergo external QAs?
All internal audit activities, regardless of size or whether they are outsourced or co-sourced, should undergo external quality assessments. Ongoing and periodic internal assessments lay the foundation for external assessments, and together, internal and external assessments make up the Quality Assurance and Improvement Program (QAIP).
-
How can a Service Provider conform with the IIA Standards on Quality?
Service providers themselves are not required to conform with The IIA's Standards on Quality. In accordance with the intent of Standard 1300 of The International Standards for the Professional Practice of Internal Auditing, external quality assessments of internal audit activities are to be conducted on an organizational basis and not on a service provider basis.
-
If a Service Provider undergoes an external QA, would the results of the external QA suffice to cover the work performed at multiple clients? If not, what additional work would be needed at a specific client to validate the external QA results?
This premise is erroneous, as external QAs of internal audit activities are to be conducted on an organizational basis and not on a service provider basis. The external QA of a service provider would not qualify as sufficient evidence to conclude on the specific work performed at multiple clients. The individual organization's internal audit work must be the focus of the external QA, and any work performed by a service provider would be subject to review during the course of the organization's external QA.
-
Can the external audit firm of an organization bid and conduct an external QA of the internal audit activity?
The use of the organization's external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 "External Assessments" of The IIA's International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires "The chief audit executive must discuss with the board ... the qualifications and independence of the external reviewer or assessment team, including potential conflict of interest." The interpretation section of Standard 1312 adds, "An independent assessor or assessment team means not having either a real or an apparent conflict of interest..." Thus, professional guidance indicates that the CAE and the board must consider this question, given the facts and circumstances.
-
How would the QA help my internal auditing department to improve my compliance with ISO certification or ISO quality assurance?
The External Quality Assessment (QA) of the Internal Auditing Activity (IAA) is to evaluate the IAA's conformance with The IIA's Standards, which also mandate that the IAA have an external assessment completed by a qualified independent assessor or assessment team from outside the organization at least once every five years. In addition to the conformance level, all the technical information and tools from a QA can be found in the Quality Assessment Manual available from The IIA Research Foundation Bookstore. Although the Standards are unrelated to ISO standards, a QA may identify the areas for improvement of the IAA and make recommendations to enhance the IAA which affect ISO-related standards.
-
What's the retention period required for the documents of the Quality Assurance and Improvement Program (QAIP), specifically for the processes of ongoing reviews and periodic assessments both internal and external?
There is not a required retention period for the QAIP. However, a guide would be to follow the five-year external quality assessment (QA) timeline, i.e., drop off the oldest year's set of documents every five years. Caution: As a general rule, the IAA should follow their organization's record retention policies when determining how long documents should be maintained.
-
What is an external quality assessment?
An external quality assessment, or EQA, evaluates conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards), and evaluates whether internal auditors apply the Code of Ethics.
-
What are the benefits of an external QA?
An external QA builds stakeholder confidence by documenting management's commitment to quality and successful practices, and the internal auditors' mindset for professionalism. Obtaining an external QA provides evidence to the board, management, and staff that the audit committee and the internal audit activity are concerned about the success of the organization's internal controls, ethics, governance, and risk management processes. An opinion of "Generally Conforms" on an external QA allows internal auditors to state their activities are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
-
Can you describe the process of self-assessment with independent validation (SAIV)?
An SAIV involves the completion of a rigorous self-assessment by the internal audit activity, followed by an assessment conducted by an external, qualified validator. In addition to reviewing the self-assessment, the validator substantiates some of the work completed by the self-assessment team, makes an on-site visit, and interviews senior management. The validator either co-signs the self-assessment report or issues a separate report on any disparities. Additional guidance can be located under Resources in the Quality section on The IIA's website, including Tool 2A - Self-Assessment Guide and a detailed description in the Quality Assessment Manual.
-
What recourse do I have if my company's senior management and the audit committee are not supportive of having an external QA performed and thus will not approve the funding required?
There are alternatives that may assist you in obtaining an external QA. For example, contact your local chapter to determine if they can assist you with an independent validation conducted at minimal cost to your company, other than maybe travel costs if the validator does not live in your city. Another option is to conduct a peer review with other local internal audit activities, rotating the assessment among members of the group, which must include at least three members. If management and the audit committee are not supportive, then your efforts at educating them regarding the reasons, benefits, and overall approach to an external QA are needed. IIA reference materials are available to help you in this effort (free in most cases to IIA members). Additionally, work with your external auditor to educate the audit committee on the benefits of an external QA, which may include additional reliance on the internal audit activity's work. This could result in making the overall external audit more efficient and effective.
-
Under the Sarbanes-Oxley Act of 2002 section 404, the external auditor must assess the work of the internal audit activity in order to rely on their work. Is an external QA a basis for a conclusion as to the reliability of the internal activity's work?
The IIA strongly encourages that the results of an external QA be considered in order to come to a conclusion as to the reliability of the internal audit activity's work.
-
How long does an external QA generally take?
It will vary depending on the size of the internal audit activity, the number of locations, and the size of the review team. Reviews conducted by The IIA are generally designed to encompass one or two weeks of on-site work. The preliminary work, wrap-up, report writing, and review will also vary.
-
How far back does The IIA go in performing external QAs?
Since QAs should be forward-looking and improvement-oriented rather than punitive, an assessment team would be most interested in current work, generally going back one year to obtain an appropriate sample.
-
When The IIA conducts a QA, is there an audit program or some other tool that is used?
The Quality Assessment Manual contains detailed instructions and audit programs (tools) for conducting a QA. These tools can also be used by the internal audit activity to conduct an internal assessment or self-assessment.
-
Where do I find resources to conduct a QA?
We recommend internal audit activities utilize The IIA's Quality Assessment Manual, which can be used to conduct periodic internal assessments or self-assessments in preparation for an external validation or as part of the internal assessment requirement under Standard 1311. This manual can be obtained through The IIA Research Foundation Bookstore.
-
Where can I find information on training to conduct a self-assessment?
-
How many audit working papers are normally selected for QA sampling purposes?
There is not a specific number required when sampling work papers. The IIA uses a 10-20% of audits rule of thumb in a quality assessment (QA) with independent team reviews, taking into consideration the size of the IAA and the number of audits conducted per year. At a minimum, the independent QA team should review at least two to three sets of working papers from the last twelve months. When conducting Self-Assessment with Independent Validation (SAIV), the norm is to review two to three sets of working papers that were reviewed as part of the self-assessment, and then to review a couple that were not reviewed as part of the self-assessment.
-
Does The IIA provide quality assessments?
Yes. The IIA conducts both external independent team assessments and independent validations. In addition to conducting external quality assessments, The IIA can also provide some consulting services to include readiness assessments in preparation for an external quality assessment. To receive a no-obligation proposal from The IIA, please complete the free quote inquiry form.
-
What does The IIA recommend regarding the request for proposal, criteria for selection, and the selection process?
Organizations should request proposals from providers that will be mutually acceptable to the CAE, audit committee, and possibly management. The providers should be required to perform the assessment using a methodology similar to that described in The IIA's Quality Assessment Manual. The organization should require the team to be qualified under the criteria described in Practice Advisory 1312-1.
-
Does The IIA have information on the cost of an external QA and the availability of qualified external assessors?
The cost will vary depending on the size of the internal audit activity and the number of locations to be reviewed, etc. IIA Quality Services can provide a detailed proposal based on the internal audit activity's particular circumstances. To receive a no-obligation proposal from The IIA, please complete the free quote inquiry form.
-
Who hires the external QA team or independent validator? The CAE? The audit committee?
Standard 1312 states that external QAs must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The potential need for more frequent external assessments, as well as the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest, must be discussed by the CAE with the board. Such discussions must also consider the size, complexity, and industry of the organization in relation to the experience of the assessor or assessment team. However, best practice would suggest that the audit committee be directly involved in the selection process, as well as the determination of the QA method to be followed, the approach to be followed, and the overall cost. The CAE generally leads the selection process with the full involvement and support of the audit committee and executive management.
-
What qualifications should the lead assessor possess?
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1:
Performing and communicating the results of an external assessment require the exercise of professional judgment. Accordingly, an individual serving as an external assessor should:
Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
Be well-versed in the best practices of the profession.
Have at least three years of recent experience in the practice of internal auditing at a management level.
Have competence and experience, such as that gained from working previously as a team member on an external quality assessment, successful completion of The IIA's quality assessment training course or similar training.
Be a CAE or have comparable senior internal audit management experience.
-
Who receives the report from an external QA?
Standard 1320 states that the chief audit executive must communicate the results of external assessments upon completion to senior management and the board (through the audit committee). Upon the completion of an external quality assessment, the assessment team must issue a formal report containing an opinion on the internal audit activity's conformance with the International Standards for the Professional Practice of Internal Auditing (Standards). The report must be addressed to the person or organization requesting the assessment. The chief audit executive must prepare a written action plan in response to the significant comments and recommendations contained in the report of the external assessment. This written action plan must also be addressed to the person or organization requesting the assessment. Appropriate follow-up is also the chief audit executive's responsibility.
-
When a Self-Assessment with Independent Validation (SAIV) is used, is the resultant report to go to the audit committee?
Yes, as stated in Standard 1320, the results of any quality assessment by an independent group of the internal audit activity must be discussed with the board.
-
What is the format of the SAIV report?
An example of an SAIV report is included in The IIA's Quality Assessment Manual. In general, the independent assessor must review the scope, approach, and various opinions that could be given, and the overall opinion arrived at with any qualifying issues needing attention.
-
When should our internal audit activity have an external QA?
It is mandatory that every internal audit activity undergo an external QA conducted by an independent team or independent validator once every five years to comply with Standard 1312. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing (Standards). Adoption of the Standards establishes the intent of the IA activity to comply and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
I am a new CAE for a company that was spun out of another company two years ago. We established a new IA activity in this company at that time. When does my five-year period begin?
In this situation, the internal audit activity is considered as being established two years ago when the company was spun out of another company. The five-year cycle starts when an IA activity formally adopts the Standards. If the Standards were formally adopted at the same time as the spin-off occurred, then the five-year cycle began at the same time. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
We recently merged with another company. Does our five-year period begin at the time of the merger?
The five-year cycle starts when an IA activity formally adopts the Standards. If the Standards were formally adopted at the same time as the merger occurred, then the five-year cycle began at the same time. If the Standards were previously formally adopted by the surviving internal audit activity, then the five-year cycle starts when the Standards were first adopted or from the most recent external QA, whichever is later. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
We recently merged with another company. The IA activity of one of the companies had an external QA performed last year. The IA activity in the other company had not had an external QA performed. Does the external QA performed for the one company suffice
If the policies and practices of the surviving internal audit activity are based on the organization that had the external QA, then no further external QA would be needed. If not, then an external QA would be required.
-
We are required by the regulators for our industry (i.e., banking) to have an assessment of our IA activity every three years. Will this satisfy The IIA requirements?
If the regulator's approach follows a method which would provide an assessment against the Standards, then the regulator's assessment the Standards as a basis for the assessment, then a separate external QA would be needed.
-
Our IA activity was recently outsourced. Is an external QA required and if so when does the five-year period begin?
Yes. An external QA is required, regardless of whether the internal audit activity was in-house or outsourced. The five-year requirement began when the IA activity was first enacted, regardless of whether it was outsourced, co-sourced or in-house. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
How is a new internal audit activity defined when considering the requirement of Standard 1312?
The IA activity has five years from the date of adoption of the Standards before an external quality assessment would be required. Adoption of the Standards establishes the intent of the IA activity to comply and should be considered the starting point of the five-year period before an external QA is required. Generally, adoption of the Standards and "intent" coincide with the formation of the internal audit activity. However, in other cases the election to adopt the Standards may not occur when the department is first established. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.
-
Who is responsible for an external QA when a Service Provider has been contracted to provide total outsourcing of the internal audit activity?
In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing), it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If a total outsourcing exists, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, Corporate Controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.
-
Who is responsible for an external QA when a majority of the internal audit work is outsourced to a service provider?
In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing) it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If the majority of the internal audit work is outsourced to a service provider, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, corporate controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.
-
If a service provider has been providing internal audit services to a client, can that service provider also perform a QA? Does the amount of work being performed by the firm make a difference in the answer (e.g., 15%, 25%, 50%, 75%)?
The use of the organization's external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 "External Assessments" of The IIA's International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires "The chief audit executive must discuss with the board ... the qualifications and independence of the external assessor or assessment team, including potential conflict of interest." The interpretation section of Standard 1312 adds, "An independent reviewer or review team means not having either a real or an apparent conflict of interest..." Thus, professional guidance indicates that the CAE and the board must consider this question given the facts and circumstances.
-
How does The IIA determine if the internal audit activity passes the external QA?
The criteria are described in The IIA's Quality Assessment Manual. To summarize, it is a matter of determining conformity to each of the standards individually and then rolling those determinations into an overall conclusion. Because it is a conclusion, the lack of general conformity to a particular standard would not necessarily result in an overall "partially conforms" opinion or the reverse.
-
What are the repercussions of not undergoing an external QA?
The CAE should report the rationale for nonconformance of the external QA requirement to the board and management. If the internal audit activity does not undergo the external QA during the designated timeframe (once every five years), it is forbidden to use the phrase, "Conducted in accordance with the International Standards for the Professional Practice of Internal Auditing," in reports or its internal audit activity charter. A CAE who uses this statement while not in conformance is subject to ethical disciplinary sanctions by The IIA.
-
What happens if a "partially conforms" or "does not conform" opinion is received from an external QA?
If an internal audit activity receives a less than generally conforms opinion regarding conformance to the Standards, the CAE must initiate action to cure the deficiency and/or discuss with the Audit Committee the limiting factors that may need to be addressed in order to resolve the area(s) where a deficiency was noted. The lack of a generally conforms opinion would preclude the internal audit activity from indicating they were operating in conformance with the Standards in any written reports or documents until the deficiency was resolved.
-
What steps can be taken if the independent validator does not agree with the results of our self-assessment and we do not agree with the independent validator's assessment? Does that mean we would not be in conformance?
If the CAE does not agree with the opinion of the external QA team or the independent validator, the CAE must report their view of the situation to the audit committee and discuss the issue with the audit committee to determine the appropriate action to be taken. If a "partially conforms" or "does not conform" opinion is received, the internal audit activity is not in conformance with the Standards and the CAE must discuss the appropriate action to be taken with the audit committee to resolve the issue(s).
-
If issues of nonconformance are identified and we have not had the opportunity to remediate all the issues within the five-year cycle, does that mean that we are not in conformance?
Yes, until the issues identified as causing the nonconformance are resolved, the activity would be out of conformance with the Standards.
-
If nonconformance issues are identified and corrective actions have been taken to get in conformance, how is the evaluation of the corrective action performed to confirm conformance to the Standards?
The CAE must review the corrective action taken to resolve the nonconformance issue(s) with the audit committee and report when the action plan is complete. If the audit committee desires an external validation, then additional input may be needed. When the remediation work is completed to the satisfaction of the audit committee, the internal audit activity can then consider themselves in conformance with the Standards.
-
How do peer reviews fit into the QA process?
External QAs or independent validations can be conducted through peer reviews instead of utilizing external service providers. Internal auditors from three or more different organizations come together to form a pool of professionals, all of whom must be qualified to conduct external QAs. Reciprocal peer reviews between two organizations do not pass the independence test. Peer review teams can consist of members from different organizations within an industry or other affinity group, regional association, or other group of organizations. However, administration of this process can be quite challenging because assuring appropriate composition and assignments of the teams is imperative. Perceived independence and objectivity can also be challenging.
-
In the case of an internal audit activity for a government department, would a peer review by an internal audit activity of other departments meet the “independence” and “outside organization” criteria?
It would be preferable to have the QA performed by other government auditors who are not "related" to the department under review. The IIA recommends an independent validator be engaged to review and validate the "peer review" in a government setting.