Trust the Quality Experts

Frequently Asked Questions

Top 7 Questions
  •   What is an External Quality Assessment (EQA)?

    An external quality assessment, or EQA, evaluates conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards), and evaluates whether internal auditors apply the Code of Ethics.

  •   What are the approaches for an EQA?

    Regardless of an organization's industry or the internal audit activity's complexity or size, there are two recommended approaches to EQAs. The first approach - an independent review team (QA) - involves an outside team under the leadership of an experienced and professional project manager. The team members should be competent professionals who are well versed in best internal audit practices.

    The second approach seeks out an objective outside party for independent validation of the internal self-assessment and report completed by the internal audit activity (SAIV). This approach brings in a competent independent evaluator who is well versed in quality assessment methodology to validate the aforementioned self-assessment of the internal audit activity. In addition to reviewing the self-assessment, the validator substantiates some of the work done by the self-assessment team, makes an on-site visit, interviews senior management, and either co-signs the CAE's report regarding conformance to the Standards, or issues a separate report on the disparities.

  •   Why undergo a Quality Assessment (QA)?

    External QAs are necessary in order to provide full objectivity. In addition to enabling you to state that your IA activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing," they build stakeholder confidence by documenting the internal audit activity's commitment to quality and best practices, and the internal auditors' mindset for professionalism. Obtaining an external QA also provides evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes.

  •   When does an Internal Audit Activity need to have a QA performed?

    It is mandatory that every internal audit activity undergo an external QA conducted by an independent team or independent validator once every five years to comply with Standard 1312. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing.

    Adoption of the Standards establishes the intent of the IA activity to comply and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include Audit Committee minutes, updates to the Audit Charter, and use of the phrase "conducted in conformance with the Standards" in audit reports, etc.

  •   Who can conduct a QA?

    The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1:

    Performing and communicating the results of an external assessment require the exercise of professional judgment. Accordingly, an individual serving as an external assessor should:

    Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.

    Be well-versed in the best practices of the profession.

    Have at least three years of recent experience in the practice of internal auditing at a management level.

    Have competence and experience, such as that gained from working previously as a team member on an external quality assessment, successful completion of The IIA's quality assessment training course or similar training.

    Have CAE or comparable senior internal audit management experience.

  •   How do I obtain knowledge about internal and external quality assessments?
  •   Where do I start?

    If you have not yet established a Quality Assurance and Improvement Program, a good first step on the path to quality is to conduct an internal quality assessment. This will establish a benchmark of your internal audit activity that can be used to establish metrics. These metrics will indicate improvement in areas of partial compliance or noncompliance with the Standards.

    To receive a proposal for external QA services, please complete and submit a free quote inquiry form to The IIA's Quality Department (e-mail quality@theiia.org, or call +1-407-937-1399).

External QAs and Internal Audit (IA) Activities
External Quality Assessment (QA) Defined
  •   What is an external quality assessment?

    An external quality assessment, or EQA, evaluates conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards), and evaluates whether internal auditors apply the Code of Ethics.

  •   What are the benefits of an external QA?

    An external QA builds stakeholder confidence by documenting management's commitment to quality and successful practices, and the internal auditors' mindset for professionalism. Obtaining an external QA provides evidence to the board, management, and staff that the audit committee and the internal audit activity are concerned about the success of the organization's internal controls, ethics, governance, and risk management processes. An opinion of "Generally Conforms" on an external QA allows internal auditors to state their activities are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).

  •   Can you describe the process of self-assessment with independent validation (SAIV)?

    An SAIV involves the completion of a rigorous self-assessment by the internal audit activity, followed by an assessment conducted by an external, qualified validator. In addition to reviewing the self-assessment, the validator substantiates some of the work completed by the self-assessment team, makes an on-site visit, and interviews senior management. The validator either co-signs the self-assessment report or issues a separate report on any disparities. Additional guidance can be located under Resources in the Quality section on The IIA's website, including Tool 2A - Self-Assessment Guide and a detailed description in the Quality Assessment Manual.

External QA and Key Stakeholders
External QA Methodology
External QA Providers
  •   Does The IIA provide quality assessments?

    Yes. The IIA conducts both external independent team assessments and independent validations. In addition to conducting external quality assessments, The IIA can also provide some consulting services to include readiness assessments in preparation for an external quality assessment. To receive a no-obligation proposal from The IIA, please complete the free quote inquiry form.

  •   What does The IIA recommend regarding the request for proposal, criteria for selection, and the selection process?

    Organizations should request proposals from providers that will be mutually acceptable to the CAE, audit committee, and possibly management. The providers should be required to perform the assessment using a methodology similar to that described in The IIA's Quality Assessment Manual. The organization should require the team to be qualified under the criteria described in Practice Advisory 1312-1.

  •   Does The IIA have information on the cost of an external QA and the availability of qualified external assessors?

    The cost will vary depending on the size of the internal audit activity and the number of locations to be reviewed, etc. IIA Quality Services can provide a detailed proposal based on the internal audit activity's particular circumstances. To receive a no-obligation proposal from The IIA, please complete the free quote inquiry form.

  •   Who hires the external QA team or independent validator? The CAE? The audit committee?

    Standard 1312 states that external QAs must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The potential need for more frequent external assessments, as well as the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest, must be discussed by the CAE with the board. Such discussions must also consider the size, complexity, and industry of the organization in relation to the experience of the assessor or assessment team. However, best practice would suggest that the audit committee be directly involved in the selection process, as well as the determination of the QA method to be followed, the approach to be followed, and the overall cost. The CAE generally leads the selection process with the full involvement and support of the audit committee and executive management.

  •   What qualifications should the lead assessor possess?

    The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1:

    Performing and communicating the results of an external assessment require the exercise of professional judgment. Accordingly, an individual serving as an external assessor should:

    Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.

    Be well-versed in the best practices of the profession.

    Have at least three years of recent experience in the practice of internal auditing at a management level.

    Have competence and experience, such as that gained from working previously as a team member on an external quality assessment, successful completion of The IIA's quality assessment training course or similar training.

    Be a CAE or have comparable senior internal audit management experience.

       
    External QA Reporting
    •   Who receives the report from an external QA?

      Standard 1320 states that the chief audit executive must communicate the results of external assessments upon completion to senior management and the board (through the audit committee). Upon the completion of an external quality assessment, the assessment team must issue a formal report containing an opinion on the internal audit activity's conformance with the International Standards for the Professional Practice of Internal Auditing (Standards). The report must be addressed to the person or organization requesting the assessment. The chief audit executive must prepare a written action plan in response to the significant comments and recommendations contained in the report of the external assessment. This written action plan must also be addressed to the person or organization requesting the assessment. Appropriate follow-up is also the chief audit executive's responsibility.

    •   When a Self-Assessment with Independent Validation (SAIV) is used, is the resultant report to go to the audit committee?

      Yes, as stated in Standard 1320, the results of any quality assessment by an independent group of the internal audit activity must be discussed with the board.

    •   What is the format of the SAIV report?

      An example of an SAIV report is included in The IIA's Quality Assessment Manual. In general, the independent assessor must review the scope, approach, and various opinions that could be given, and the overall opinion arrived at with any qualifying issues needing attention.

    External QA Timing
    •   When should our internal audit activity have an external QA?

      It is mandatory that every internal audit activity undergo an external QA conducted by an independent team or independent validator once every five years to comply with Standard 1312. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing (Standards).

      Adoption of the Standards establishes the intent of the IA activity to comply and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and use of the phrase "conducted in conformance with the Standards" in audit reports, etc.

    •   I am a new CAE for a company that was spun out of another company two years ago. We established a new IA activity in this company at that time. When does my five-year period begin?

      In this situation, the internal audit activity is considered as being established two years ago when the company was spun out of another company. The five-year cycle starts when an IA activity formally adopts the Standards. If the Standards were formally adopted at the same time as the spin-off occurred, then the five-year cycle began at the same time. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result, is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.

    •   We recently merged with another company. Does our five-year period begin at the time of the merger?

      The five-year cycle starts when an IA activity formally adopts the Standards. If the Standards were formally adopted at the same time as the merger occurred, then the five-year cycle began at the same time. If the Standards were previously formally adopted by the surviving internal audit activity, then the five-year cycle starts when the Standards were first adopted or from the most recent external QA, whichever is later. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.

    •   We recently merged with another company. The IA activity of one of the companies had an external QA performed last year. The IA activity in the other company had not had an external QA performed. Does the external QA performed for the one company suffice?

      If the policies and practices of the surviving internal audit activity are based on the organization that had the external QA, then no further external QA would be needed. If not, then an external QA would be required.

    •   We are required by the regulators for our industry (i.e., banking) to have an assessment of our IA activity every three years. Will this satisfy The IIA requirements?

      If the regulator's approach follows a method which would provide an assessment against the Standards, then the regulator's assessment the Standards as a basis for the assessment, then a separate external QA would be needed.

    •   Our IA activity was recently outsourced. Is an external QA required and if so when does the five-year period begin?

      Yes. An external QA is required, regardless of whether the internal audit activity was in-house or outsourced. The five-year requirement began when the IA activity was first enacted, regardless of whether it was outsourced, co-sourced or in-house. Adoption of the Standards establishes the intent of the IA activity to comply, and as a result is considered the starting point of the five-year period before an external QA is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.

    •   How is a new internal audit activity defined when considering the requirement of Standard 1312?

      The IA activity has five years from the date of adoption of the Standards before an external quality assessment would be required. Adoption of the Standards establishes the intent of the IA activity to comply and should be considered the starting point of the five-year period before an external QA is required. Generally, adoption of the Standards and "intent" coincide with the formation of the internal audit activity. However, in other cases the election to adopt the Standards may not occur when the department is first established. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the audit charter, and the use of the phrase "conducted in conformance with the Standards" in audit reports, etc.

    External QAs and Outsourced IA Activities
    •   Who is responsible for an external QA when a Service Provider has been contracted to provide total outsourcing of the internal audit activity?

      In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing), it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If a total outsourcing exists, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, Corporate Controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.

    •   Who is responsible for an external QA when a majority of the internal audit work is outsourced to a service provider?

      In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing) it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If the majority of the internal audit work is outsourced to a service provider, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, corporate controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.

    •   If a service provider has been providing internal audit services to a client, can that service provider also perform a QA? Does the amount of work being performed by the firm make a difference in the answer (e.g., 15%, 25%, 50%, 75%)?

      The use of the organization's external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 "External Assessments" of The IIA's International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires "The chief audit executive must discuss with the board ... the qualifications and independence of the external assessor or assessment team, including potential conflict of interest." The interpretation section of Standard 1312 adds, "An independent reviewer or review team means not having either a real or an apparent conflict of interest..." Thus, professional guidance indicates that the CAE and the board must consider this question given the facts and circumstances.

    Opinion on the Standards
    Participation on an IIA External QA
    Peer Reviews
    Quality Assurance and Improvement Program
    Use of the Conformance Statement