It makes it possible to assess the conformance of
internal audit with the Definition of Internal Auditing and the International
Standards for the Professional Practice of Internal Auditing (IIA), as well as
to assess the application of the Code of Ethics by internal auditors. The
process also assesses the efficiency and effectiveness of the internal audit
activity in organizations, and seeks to identify opportunities for
improvement.
IIA Portugal – IPAI Quality Services was created to help organizations,
regardless of sector of activity, size or stakeholders, to create,
implement and evaluate the Quality Assurance and Improvement Program (QAIP)
of the internal audit activity.
IIA Portugal – IPAI Quality Services can also carry out Self-Assessment with Independent Validation (SAIV) or Quality Assessment (QA) engagements for the
internal audit activity.
Self-Assessment
with Independent Validation (SAIV) is based on the internal assessments/ongoing
assessments of internal audit, together
with periodic self-assessments, following a self-control approach (Control Self-Assessment).
This approach meets the requirements of the Standards for an external assessment
once every five years. An independent external assessor reviews and substantiates the
work of the organization's internal self-assessment team in its alignment with
the Standards, by means of an on-site visit, with
interviews and the issuing of a report with suggestions for improvement.
Quality
Assessment (QA), or external assessment, is
a more comprehensive approach, since it supports not only conformance with the
Definition of Internal Auditing, with the International Standards for the
Professional Practice of Internal Auditing and the application of the Code of Ethics, but also provides
an objective assessment of the efficiency and effectiveness of internal audit. An independent
assessment team conducts surveys, interviews and work reviews,
leading to the issuing of an opinion on conformance with the Standards,
and identifies opportunities for improvement and recommendations to add value to the
internal audit activity and to the organization.
Internal audit must obtain an
external assessment at least every five years by an independent
assessment team in order to maintain conformance with
the Standards.
Entrust the quality assessment of your organization's internal audit
function to the specialists of IIA Portugal – IPAI.
We will be at your side to create, implement or improve your
Quality Assurance and Improvement Program
(QAIP).
Contacts
IIA PORTUGAL - IPAI; Praça das
Indústrias, Edif. AIP, 3º G 12, 1300-207 Lisboa; ipai@ipai.pt; NIPC 502718714; Telephone: 213151002; Viber: 915168141
A Quality
Assurance and Improvement Program (QAIP) enables an evaluation of the
internal audit activity's conformance with the Definition of
Internal Auditing and the International Standards for the Professional
Practice of Internal Auditing and an evaluation of whether internal
auditors apply the Code of Ethics. The program
also assesses the efficiency and effectiveness of the internal audit activity
and identifies opportunities for improvement.
A
Quality Assessment and Improvement Program (QAIP, preferring the original term)
makes it possible to assess the conformance of the internal audit activity with the
Definition of Internal Auditing and the International Standards for the
Professional Practice of Internal Auditing and to assess whether internal auditors apply
the Code of Ethics.
The
program also assesses the efficiency and effectiveness of internal audit and makes it possible
to identify opportunities for improvement.
All
internal audit activities, regardless of industry, sector, or size of audit
staff — even those outsourced or co-sourced — must maintain a QAIP that
contains both internal and external assessments. External assessments enhance
value, as they enable the internal audit activity to evaluate conformance
with the Standards; internal audit and audit committee charters;
the organization’s risk and control assessment; the effective use of
resources; and the use of successful practices. An internal audit activity
must obtain an external assessment at least every five years by an
independent reviewer or review team to maintain conformance with the Standards.
Internal
audit, regardless of sector or size of the audit
team, must maintain a QAIP that contains internal and
external assessments.
External
assessments enhance value, as they enable internal audit to evaluate conformance
with the Standards; the internal audit and audit committee charters; the
organization's risk and control assessment; the effective use of resources; and the
use of good practices.
Internal
audit must obtain an external assessment at least every five years by an
external assessment team in order to maintain conformance with the Standards.
Internal assessments are ongoing internal
evaluations of the internal audit activity, coupled with periodic self-assessments
and/or reviews. If you have not yet established a QAIP, a good first step on
the path to quality is to conduct an internal quality assessment. This will
establish a benchmark of your internal audit activity that can be used to
establish metrics. Over time, these metrics will indicate improvement in
areas of partial conformance or non-conformance with the Standards and
successful practices.
Internal
assessments are ongoing internal evaluations of internal audit, together
with periodic self-assessments, following a self-control approach (Control Self Assessment).
If you have not
established a QAIP, a good first step on the path to quality is to
conduct an internal quality assessment. This process will establish a
benchmark of internal audit that can be used to establish metrics
(standards). Over time, these metrics (Key
Performance Indicators) will indicate improvement in areas of partial
conformance or non-conformance with the Standards and good practices.
Sources:
The
following International Standards for the Professional Practice of Internal
Auditing (Standards) are relevant to the development of a QAIP:
• 1300: Quality Assurance and
Improvement Program.
• 1310: Requirements of the
Quality Assurance and Improvement Program.
• 1311: Internal Assessments.
• 1312: External Assessments.
• 1320: Reporting on the
Quality Assurance and Improvement Program.
• 1321: Use of “Conforms with
the International Standards for the Professional Practice of Internal
Auditing.”
• 1322: Disclosure of
Non-conformance.
Additional
guidance on applying these Standards can be found in the following IIA
Practice Advisories:
• 1300-1: Quality Assurance and
Improvement Program.
• 1310-1: Requirements of the
Quality Assurance and Improvement Program.
• 1311-1: Internal Assessments.
• 1312-1: External
Assessments.
• 1312-2: External Assessment
– Self-assessment with Independent Validation.
• 1312-3: Independence of the
External Assessment Team in the Private Sector.
• 1312-4: Independence of the
External Assessment Team in the Public Sector.
• 1321-1: Use of “Conforms
with the International Standards for the Professional Practice of Internal
Auditing.”
An external quality assessment, or EQA,
evaluates conformance with the Definition of Internal Auditing, the International
Standards for the Professional Practice of Internal Auditing (Standards)
and an evaluation of whether internal auditors apply the Code of Ethics.
What are the
approaches for an EQA?
Regardless of an organization's industry
or the internal audit activity's complexity or size, there are two
recommended approaches to EQAs. The first approach - an independent
review team (QA) - involves an outside team under the leadership of an
experienced and professional project manager. The team members should be
competent professionals who are well versed in best internal audit
practices.
The second approach seeks out an objective
outside party for independent validation of the internal self-assessment
and report completed by the internal audit activity (SAIV). This
approach brings in a competent independent evaluator who is well-versed in
quality assessment methodology to validate the aforementioned self
assessment of the internal audit activity. In addition to reviewing the
self-assessment, the validator substantiates some of the work done by the
self-assessment team, makes an on-site visit, interviews senior
management, and either co-signs the CAE's report regarding conformance to
the Standards, or issues a separate report on the disparities.
Why undergo a
Quality Assessment (QA)?
External QAs are necessary in order to
provide full objectivity. In addition to enabling you to state that your
IA activities are "conducted in accordance with the International
Standards for the Professional Practice of Internal Auditing,"
they build stakeholder confidence by documenting the internal audit activity's
commitment to quality and best practices, and the internal auditors'
mindset for professionalism. Obtaining an external QA also provides
evidence to the board, management, and staff that the internal audit
activity is concerned about the organization's internal controls,
governance, and risk management processes.
When does an Internal Audit Activity need to
have a QA performed?
It is mandatory that every internal audit
activity undergo an external QA conducted by an independent team or
independent validator once every five years to comply with Standard 1312.
The clock starts ticking for the five-year period when an internal audit
activity formally adopts the International Standards for the
Professional Practice of Internal Auditing.
Adoption of the Standards establishes
the intent of the IA activity to comply and as a result, is considered
the starting point of the five-year period before an external QA is
required. Evidence to examine to support the date of the adoption of
the Standards would include Audit Committee minutes,
updates to the Audit Charter, and use of the phrase "conducted in
conformance with the Standards" in audit reports, etc.
Who can
conduct a QA?
The International Professional Practices
Framework (IPPF) defines the required competency of the external
assessors. Interpretation of Standard 1312 from the International
Standards for the Professional Practice of Internal Auditing contained
in Practice Advisory 1312-1:
Performing and communicating the results
of an external assessment require the exercise of professional judgment.
Accordingly, an individual serving as an external assessor should:
• Be a competent, certified audit
professional (e.g., CIA, CPA, CA, or CISA) who possesses current,
in-depth knowledge of the Standards.
• Be well-versed in the best practices of
the profession.
• Have at least three years of recent
experience in the practice of internal auditing at a management level.
• Have competence and experience, such as
that gained from working previously as a team member on an external
quality assessment, successful completion of The IIA's quality assessment
training course or similar training.
• Have CAE or comparable senior
internal audit management experience.
How do I obtain knowledge about internal and
external quality assessments?
If you have not yet established a Quality
Assurance and Improvement Program, a good first step on the path to
quality is to conduct an internal quality assessment. This will establish
a benchmark of your internal audit activity that can be used to establish
metrics. These metrics will indicate improvement in areas of partial
compliance or noncompliance with the Standards.
To receive a proposal for external QA
services, please complete and submit a free
quote inquiry form to The IIA's Quality Department
(e-mail quality@theiia.org, or call +1-407-937-1399).
External QAs and
Internal Audit (IA) Activities
Which
organizations should undergo external QAs?
All internal
audit activities, regardless of size or whether they are outsourced or
co-sourced, should undergo external quality assessments. Ongoing and
periodic internal assessments lay the foundation for external
assessments, and together, internal and external assessments make up the
Quality Assurance and Improvement Program (QAIP).
How can a
Service Provider conform with the IIA Standards on Quality?
Service
providers themselves are not required to conform with The IIA's Standards on
Quality. In accordance with the intent of Standard 1300 of The
International Standards for the Professional Practice of Internal
Auditing, external quality assessments of internal audit activities
are to be conducted on an organizational basis and not on a service
provider basis.
If a Service
Provider undergoes an external QA, would the results of the external QA
suffice to cover the work performed at multiple clients? If not, what
additional work would be needed at a specific client to validate the external
QA results?
This premise
is erroneous, as external QAs of internal audit activities are to be
conducted on an organizational basis and not on a service provider basis.
The external QA of a service provider would not qualify as sufficient
evidence to conclude on the specific work performed at multiple clients.
The individual organization's internal audit work must be the focus of
the external QA, and any work performed by a service provider would be
subject to review during the course of the organization's external QA.
Can the
external audit firm of an organization bid and conduct an external QA of
the internal audit activity?
The use of
the organization's external auditor to perform an external assessment
could be a potential conflict of interest and may create questions
regarding independence. Standard 1312 "External Assessments"
of The IIA's International Standards for the
Professional Practice of Internal Auditing (effective January 1,
2009) addresses this matter in that it requires "The chief audit
executive must discuss with the board ... the qualifications and
independence of the external reviewer or assessment team, including
potential conflict of interest." The interpretation section of
Standard 1312 adds, "An independent assessor or assessment team
means not having either a real or an apparent conflict of
interest..." Thus, professional guidance indicates that the CAE and
the board must consider this question, given the facts and circumstances.
How would the
QA help my internal auditing department to improve my compliance with ISO
certification or ISO quality assurance?
The External
Quality Assessment (QA) of the Internal Auditing Activity (IAA) is to
evaluate the IAA's conformance with The IIA's Standards,
which also mandate that the IAA have an external assessment completed by a
qualified independent assessor or assessment team from outside the
organization at least once every five years. In addition to the
conformance level, all the technical information and tools from a QA can
be found in the Quality
Assessment Manual available
from The IIA Research Foundation Bookstore. Although the Standards are
unrelated to ISO standards, a QA may identify the areas for improvement
of IAA and make recommendations to enhance IAA which affect ISO-related
standards.
What's the
retention period required for the documents of the Quality Assurance and
Improvement Program (QAIP), specifically for the processes of ongoing
reviews and periodic assessments both internal and external?
There is not
a required retention period for the QAIP. However, a guide would be to
follow the five-year external quality assessment (QA) timeline, i.e.,
drop off the oldest year's set of documents every five years. Caution: As
a general rule, the IAA should follow their organization's record
retention policies when determining how long documents should be
maintained.
External
Quality Assessment (QA) Defined
What is an
external quality assessment?
An external
quality assessment, or EQA, evaluates conformance with the Definition of
Internal Auditing, the International Standards for the
Professional Practice of Internal Auditing (Standards)
and an evaluation of whether internal auditors apply the Code of Ethics.
What are the
benefits of an external QA?
An external
QA builds stakeholder confidence by documenting management's commitment
to quality and successful practices, and the internal auditors' mindset
for professionalism. Obtaining an external QA provides evidence to the
board, management, and staff that the audit committee and the internal
audit activity are concerned about the success of the organization's
internal controls, ethics, governance, and risk management processes. An
opinion of "Generally Conforms" on an external QA allows
internal auditors to state their activities are conducted in accordance
with the International Standards for the Professional Practice of
Internal Auditing (Standards).
Can you
describe the process of self-assessment with independent validation
(SAIV)?
An SAIV
involves the completion of a rigorous self-assessment by the internal
audit activity, followed by an assessment conducted by an external,
qualified validator. In addition to reviewing the self-assessment, the
validator substantiates some of the work completed by the self-assessment
team, makes an on-site visit, and interviews senior management. The
validator either co-signs the self-assessment report or issues a separate
report on any disparities. Additional guidance can be located under Resources in the Quality section on The IIA's website, including
Tool 2A - Self-Assessment Guide and a detailed description in the Quality
Assessment Manual.
External
QA and Key Stakeholders
What recourse
do I have if my company senior management and the audit committee are not
supportive of having an external QA performed and thus will not approve
the funding required?
There are
alternatives that may assist you in obtaining an external QA. For
example, contact your local chapter to determine if they can assist you
with an independent validation conducted at minimal cost to your company,
other than maybe travel costs if the validator does not live in your
city. Another option is to conduct a peer review with other local
internal audit activities, rotating the assessment among members of the
group, which must include at least three members. If management and
the audit committee are not supportive, then your efforts at educating
them regarding the reasons, benefits, and overall approach to an external
QA are needed. IIA reference materials are available to help you in this
effort (free in most cases to IIA members). Additionally, work with your
external auditor to educate the audit committee on the benefits of an
external QA, which may include additional reliance on the internal audit
activity's work. This could result in making the overall external
audit more efficient and effective.
Under
the Sarbanes-Oxley Act of 2002 section 404, the external auditor must
assess the work of the internal audit activity in order to rely on their
work. Is an external QA a basis for a conclusion as to the reliability of
the internal audit activity's work?
The IIA
strongly encourages that the results of an external QA be considered in
order to come to a conclusion as to the reliability of the internal audit
activity's work.
External QA Methodology
How long does
an external QA generally take?
It will vary
depending on the size of the internal audit activity, the number of
locations, and the size of the review team. Reviews conducted by The IIA
are generally designed to encompass one or two weeks of on-site work. The
preliminary work, wrap-up, report writing, and review will also vary.
How far back
does The IIA go in performing external QAs?
Since QAs
should be forward-looking and improvement-oriented rather than punitive,
an assessment team would be most interested in current work, generally
going back one year to obtain an appropriate sample.
When The IIA
conducts a QA, is there an audit program or some other tool that is used?
The Quality Assessment Manual contains detailed instructions and
audit programs (tools) for conducting a QA. These tools can also be used
by the internal audit activity to conduct an internal assessment or
self-assessment.
Where do I
find resources to conduct a QA?
We recommend
internal audit activities utilize The IIA's Quality
Assessment Manual, which can
be used to conduct periodic internal assessments or self-assessments in
preparation for an external validation or as part of the internal
assessment requirement under Standard 1311. This manual can be obtained
through The IIA Research Foundation Bookstore.
Where can I
find information on training to conduct a self-assessment?
How many audit
working papers are normally selected for QA sample purpose?
There is not
a specific number required when sampling work papers. The IIA uses a
10-20% of audits rule of thumb in a quality assessment (QA) with
independent team reviews taking into consideration the size of the IAA
and the number of audits conducted per year. At a minimum, the
independent QA team should review at least two to three sets of
working papers from the last twelve months. When conducting
Self-Assessment with Independent Validation (SAIV), the norm is to review
two-three sets of working papers that were reviewed as part of the
self-assessment, and then to review a couple that were not reviewed as
part of the self-assessment.
External QA Providers
Does The IIA
provide quality assessments?
Yes. The IIA
conducts both external independent team assessments and independent
validations. In addition to conducting external quality assessments, The
IIA can also provide some consulting services to include readiness
assessments in preparation for an external quality assessment. To receive
a no-obligation proposal from The IIA, please complete the free
quote inquiry form.
What does The
IIA recommend regarding the request for proposal, criteria for selection,
and the selection process?
Organizations
should request proposals from providers that will be mutually acceptable
to the CAE, audit committee, and possibly management. The providers
should be required to perform the assessment using a methodology similar
to that described in The IIA's Quality
Assessment Manual. The
organization should require the team to be qualified under the criteria
described in Practice
Advisory 1312-1.
Does The IIA have information on the cost of an external QA and the
availability of qualified external assessors?
The cost
will vary depending on the size of the internal audit activity and the
number of locations to be reviewed, etc. IIA Quality Services can provide
a detailed proposal based on the internal audit activity's particular
circumstances. To receive a no-obligation proposal from The IIA, please
complete the free
quote inquiry form.
Who hires the
external QA team or independent validator? The CAE? The audit committee?
Standard
1312 states that external QAs must be conducted at least once every
five years by a qualified, independent assessor or assessment team from
outside the organization. The potential need for more frequent external
assessments, as well as the qualifications and independence of the
external assessor or assessment team, including any potential conflict of
interest, must be discussed by the CAE with the board. Such
discussions must also consider the size, complexity, and industry of the
organization in relation to the experience of the assessor or assessment
team. However, best practice would suggest that the audit committee
be directly involved in the selection process, as well as the
determination of the QA method to be followed, the approach to be
followed, and the overall cost. The CAE generally leads the
selection process with the full involvement and support of the audit
committee and executive management.
What
qualifications should the lead assessor possess?
The
International Professional Practices Framework (IPPF) defines the
required competency of the external assessors. Interpretation of Standard
1312 from the International Standards for the Professional Practice of
Internal Auditing contained in Practice
Advisory 1312-1:
Performing
and communicating the results of an external assessment require the
exercise of professional judgment. Accordingly, an individual serving as
an external assessor should:
• Be a
competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who
possesses current, in-depth knowledge of the Standards.
• Be
well-versed in the best practices of the profession.
• Have at
least three years of recent experience in the practice of internal
auditing at a management level.
• Have
competence and experience, such as that gained from working previously as
a team member on an external quality assessment, successful completion of
The IIA's quality assessment training course or similar training.
• Be a CAE or
have comparable senior internal audit management experience.
External QA Reporting
Who receives
the report from an external QA?
Standard 1320
states that the chief audit executive must communicate the results of
external assessments upon completion to senior management and the board (through
the audit committee). Upon the completion of an external
quality assessment, the assessment team must issue a formal report
containing an opinion on the internal audit activity's conformance with
the International Standards for the Professional Practice of
Internal Auditing (Standards). The report must be
addressed to the person or organization requesting the
assessment. The chief audit executive must prepare a written action
plan in response to the significant comments and recommendations contained
in the report of the external assessment. This written action plan must
also be addressed to the person or organization requesting the
assessment. Appropriate follow-up is also the chief audit executive's
responsibility.
When a
Self-Assessment with Independent Validation (SAIV) is used, is the
resultant report to go to the audit committee?
Yes, as
stated in Standard 1320, the results of any quality assessment by an
independent group of the internal audit activity must be discussed with
the board.
What is the
format of the SAIV report?
An example
of an SAIV report is included in The IIA's Quality
Assessment Manual. In
general, the independent assessor must review the scope, approach, and
various opinions that could be given, and the overall opinion arrived at
with any qualifying issues needing attention.
External QA Timing
When should
our internal audit activity have an external QA?
It is
mandatory that every internal audit activity undergo an external QA
conducted by an independent team or independent validator once every five
years to comply with Standard 1312. The clock starts ticking for the
five-year period when an internal audit activity formally adopts
the International Standards for the Professional Practice of
Internal Auditing (Standards).
Adoption of
the Standards establishes the intent of the IA activity
to comply and as a result, is considered the starting point of the five-year
period before an external QA is required. Evidence to examine to support
the date of the adoption of the Standards would include
audit committee minutes, updates to the audit charter, and use of the
phrase "conducted in conformance with the Standards"
in audit reports, etc.