Who Audits the Internal Auditors?
The IIA Standard No. 1312 requires all internal audit activities, regardless of size or whether they are outsourced or co-sourced, to perform an EQA at least once every 5 years by a qualified, independent assessor or assessment team. The five-year period begins when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing. Adoption of the Standards establishes the intent of an internal audit activity to comply and, as a result, is considered the starting point of the five-year period before a Quality Assessment is required.
The IIA defines External Quality Assessment (EQA) as “…evaluates the conformance with the International Professional Practices Framework (IPPF), which includes the Code of Ethics, the Core Principles, the Definition of Internal Audit and the International Standards for Professional Practices of Internal Auditing (the IIA Standards).
What does the EQA process look like?
The process consists of a set of interviews, questionnaires, surveys, and reviews to determine whether the internal audit activity is in line with the IIA’s Standards for the profession. There are two types of approaches:
- A full-scope assessment – involves an independent assessment team, led by an experienced and professional team leader and assisted by qualified team members. This is a more expensive option, but there is less work required by the internal audit activity.
- A self-assessment with independent validation (SAIV) – the internal audit activity performs the “self-assessment” portion, and an external independent validator reviews the self-assessment and provides their “independent validation.” This is a more economical approach because the client or internal audit activity completes most of the work.
Both types include workpaper reviews, surveys, stakeholder interviews, and issuance of a formal report containing an opinion on the internal audit activity’s conformance with the Standards. The Chief Audit Executive (CAE) must then communicate the result to senior management and the audit committee and prepare a written action plan in response to any significant findings.
Who is qualified to perform an EQA?
The IPPF defines the required competency of the external assessors. Interpretation of Standard 1312-1 asserts that “performing and communicating the results of an external assessment require the exercise of professional judgment.” Accordingly, an individual serving as an external assessor should:
- Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
- Be well-versed in the best practices of the profession.
- Have at least three years of recent experience in the practice of internal auditing at a management level.
- Have competence and experience, such as that gained from working previously as a team member on an External Quality Assessment, or successfully completing the IIA’s quality assessment training course or similar training.
- Have CAE or comparable senior internal audit management experience.
What are the benefits of an EQA?
There are many benefits of an EQA, but the notable ones are:
- To demonstrate and certify conformance to The IIA’s IPPF and Code of Ethics.
- To enhance stakeholder confidence in the internal audit activity’s credibility and effectiveness in meeting their needs and expectations.
- To assess whether the internal audit activity has the right skills and strategies to meet future organizational needs.
- To evaluate the effectiveness of the Quality Assurance and Improvement Program (QAIP) in meeting the requirements of continuous improvement, and to appraise and measure the efficiency and the effectiveness of the internal audit activity.
- Provides recommendations and a road map for implementing best practices to enhance the internal audit activity’s conformance and performance in the future.
- Gains valuable insight on department perceptions and reputation through in-depth interviews and surveys of stakeholders and internal audit department staff.
- Provides an assessment of the internal audit department alignment with the organization’s strategies, objectives, risks, and plans.
How to have a successful EQA
A successful EQA for internal audit activity starts with a sound QAIP. The QAIP should include annual self-assessment to ensure consistent quality and commitment to improvement, a periodic peer review and performance of EQA.
Are you ready for an EQA?
For more information on EQA or QAIP, contact Victor Kong at vkong@macpas.com.
For more information regarding our internal audit experience, be sure to visit our Internal Audit Services page and don’t hesitate to reach out to a member of our internal audit team.
About the Author
Victor joined McKonly & Asbury in 2023 and is currently a Senior Manager with the firm. He is a member of the firm’s Audit & Assurance Segment. Victor is a Certified Internal Auditor (CIA) and Certified Fraud Examiner (CFE), and hol… Read more