Quality Services Frequently Asked Questions
Top Questions About the New Standards
-
Assessments conducted in 2025 will primarily evaluate conformance with the Global Internal Audit Standards. The quality assessor will exercise professional judgment in considering the internal audit function's efforts to comply with these standards, while also taking into account work performed under The IIA’s previous International Standards for the Professional Practice of Internal Auditing.
-
The Standards will be effective for quality assessments on January 9, 2025, 12 months after the date of the Standards’ publication.
Options for conducting your next external quality assessment:
- If your next assessment is due in 2024, you should proceed with your assessment when due under the existing IPPF.
- If your assessment is due in 2025, you can choose to accelerate your assessment under the existing IPPF in 2024. The IIA recommends adding a supplementary gap/readiness assessment to assess how well your function is prepared to implement the new Standards.
- Gap/readiness assessments may be scheduled at any point to help your internal audit function prepare to implement the new Standards effectively.
For more information about external quality assessments, please visit Quality Services.
-
The current quality assessment manual remains in effect and valid until updated. As the new Standards are established, a new quality assessment manual will be published later in 2024.
Top 10 Questions:
-
A Quality Assessment is an evaluation of an internal audit activity’s conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards), and also an evaluation of whether internal auditors apply the Code of Ethics. Execution of a Quality Assessment may be accomplished by a Full-scope External Quality Assessment or by a Self-assessment with Independent Validation.
-
All internal audit activities, regardless of size or whether they are outsourced or co-sourced, are encouraged to undergo a Quality Assessment. Ongoing and periodic internal assessments lay the foundation for external assessments and, together, internal and external assessments comprise an organization’s Quality Assurance and Improvement Program (QAIP).
-
Internal assessments must include ongoing evaluations of the performance of the internal audit activity and periodic reviews performed by self-assessments. External assessments require an outside team of independent reviewers to evaluate conformance with the Standards, the use of successful practices, and the efficiency and effectiveness of the internal audit activity.
-
Yes. The “Performing an Effective Quality Assessment” course will provide attendees with the appropriate knowledge and skills to plan, perform, and evaluate the results of an external quality assessment case study. You will also learn about processes and tools in The IIA’s Quality Assessment Manual (QA Manual) that can help you identify opportunities to improve your internal audit quality activities. The “Building a Sustainable Quality Program” course is designed to help attendees understand how to build and maintain an effective Quality Assurance and Improvement Program (QAIP), leading to a successful external quality assessment.
-
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1 asserts that “Performing and communicating the results of an external assessment require the exercise of professional judgment.” Accordingly, an individual serving as an external Assessor should:
- Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
- Be well-versed in the best practices of the profession.
- Have at least three years of recent experience in the practice of internal auditing at a management level.
- Have competence and experience, such as that gained from working previously as a team member on an External Quality Assessment, or successfully completing The IIA’s quality assessment training course or similar training.
- Have CAE or comparable senior internal audit management experience.
-
Yes. IIA Quality Services offers Full-scope External Quality Assessments and Self-assessments with Independent Validation to satisfy the Quality Assessment requirement. In addition, IIA Quality Services offers a Gap Assessment service. More information can be found on our website and within our brochure. If you are interested in having IIA Quality Services conduct your internal audit activity’s next Quality Assessment, please complete our Proposal Request Form for a specifically tailored proposal.
-
The premise of this question is erroneous, as The IIA does not “certify” individuals or organizations who perform Quality Assessment services.
-
The five-year cycle starts when an internal audit activity formally adopts the Standards. If the Standards were formally adopted at the same time as when the merger occurred, the five-year cycle began at the same time. If the Standards were previously formally adopted by the surviving internal audit activity, the five-year cycle starts when the Standards were first adopted or from the most recent Quality Assessment, whichever is later. Adoption of the Standards establishes the intent of the internal audit activity to comply and, as a result, is considered the starting point of the five-year period before a Quality Assessment is required. Examples of evidence to examine to support the date of the adoption of the Standards include audit committee minutes, updates to the Audit Charter, and the use of the phrase “conducted in conformance with the Standards” in audit reports, etc.
-
No. An internal audit activity must demonstrate conformance with The IIA’s Standards before it can state that it is in conformance. Simply having a contract to perform an External Quality Assessment after the end of the five-year cycle is not sufficient to demonstrate conformance with the Standards. Therefore, the internal audit activity cannot state that it is in conformance with the Standards.
-
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1 asserts that “Performing and communicating the results of an external assessment require the exercise of professional judgment.” Accordingly, an individual serving as an external assessor should:
- Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
- Be well-versed in the best practices of the profession.
- Have at least three years of recent experience in the practice of internal auditing at a management level.
- Have competence and experience, such as that gained from working previously as a team member on an External Quality Assessment, or successfully completing The IIA’s quality assessment training course or similar training.
- Be a CAE or have comparable senior internal audit management experience.
General Questions:
-
Regardless of an organization’s industry or the internal audit activity’s complexity or size, there are two recommended approaches to Quality Assessments.
A Full-scope External Quality Assessment (EQA) involves an independent Assessment Team, led by an experienced and professional Team Leader and assisted by qualified Team Members. This is a more expensive option, as there is less work required by the internal audit activity (in comparison to the SAIV described below).
A Self-assessment with Independent Validation (SAIV) is where the internal audit function performs the “self-assessment” portion and an external, independent validator reviews the self-assessment portion and provides the “independent validation.” This is a more economical approach because the client completes most of the work.
Both types include workpaper reviews, surveys, stakeholder interviews, and issuance of a report.
-
An internal audit activity must undergo a Quality Assessment at least once every five years to comply with Standard 1312. The five-year period begins when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing.
Adoption of the Standards establishes the intent of an internal audit activity to comply and, as a result, is considered the starting point of the five-year period before a Quality Assessment is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the Audit Charter, and use of the phrase “Conducted in conformance with the Standards” in audit reports, etc.
-
In all cases, the organization maintains the responsibility for having a Quality Assessment performed in accordance with The IIA’s Standards. If the organization co-sources its internal audit function and has a Chief Audit Executive, it is the Chief Audit Executive’s responsibility to initiate the process and discussion with the audit committee. If an organization fully outsources its internal audit function, the individual who negotiates the outsourcing of the internal audit services (such as the Chief Financial Officer or Corporate Controller) is responsible for initiating the Quality Assessment in a timely manner. A service provider’s specific work would be reviewed as part of the Quality Assessment, but not the entire service provider’s policies and procedures (except relevant sections of the policies/procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.
-
The use of the organization’s external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 “External Assessments” of The IIA’s International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires “The chief audit executive must discuss with the board ... the qualifications and independence of the external assessor or assessment team, including potential conflict of interest.” The interpretation section of Standard 1312 adds, “An independent reviewer or review team means not having either a real or an apparent conflict of interest...” Thus, professional guidance indicates that the CAE and the board must consider this question, given the facts and circumstances.
-
It is mandatory that every internal audit activity undergo a Quality Assessment performed by an external, independent team or independent validator once every five years to comply with Standard 1312. The five-year period begins when an internal audit activity formally adopts the International Standards for the Professional Practice of Internal Auditing (Standards).
Adoption of the Standards establishes the intent of the internal audit activity to comply and, as a result, is considered the starting point of the five-year period before a Quality Assessment is required. Evidence to examine to support the date of the adoption of the Standards may include audit committee minutes, updates to the Audit Charter, and use of the phrase “conducted in conformance with the Standards” in audit reports, etc.
-
Standard 1320 states that the Chief Audit Executive must communicate the results of a Quality Assessment upon completion to senior management and the board (through the audit committee). Upon the completion of a Quality Assessment, the Assessment Team must issue a formal report containing an opinion on the internal audit activity’s conformance with the International Standards for the Professional Practice of Internal Auditing (Standards). The report must be addressed to the person or organization requesting the Quality Assessment. The Chief Audit Executive must prepare a written action plan in response to the significant comments and recommendations contained in the report of the external assessment. This written action plan must also be addressed to the person or organization requesting the assessment. Appropriate follow-up is also the Chief Audit Executive’s responsibility.
-
There are alternatives that may assist in obtaining a Quality Assessment. For example, contact a local IIA chapter to determine if they can assist you with an independent validation conducted at minimal cost to the organization. Another option is to conduct a peer review with other local internal audit activities, rotating the assessment among members of the group; the group must include at least three members.
-
The IIA strongly encourages that results of a Quality Assessment be considered in order to arrive at a conclusion as to the reliability of the internal audit activity’s work.
-
Full-scope External Quality Assessments or Self-assessments with Independent Validations may be conducted through peer reviews instead of utilizing external service providers. Internal auditors from three or more different organizations come together to form a pool of professionals, all of whom must be qualified to conduct Quality Assessments. Reciprocal peer reviews between two organizations do not pass the independence test.
Peer review teams may consist of members from different organizations within an industry or other affinity group, regional association, or other group of organizations. However, administration of this process can be quite challenging because assuring appropriate composition and assignments of the teams is imperative. Perceived independence and objectivity may also be challenging.
-
It would be preferable to have the Quality Assessment performed by other public sector auditors who are not “related” to the department under review. The IIA recommends an independent validator be engaged to review and validate the “peer review” in a public sector setting.
-
Service providers themselves are not required to conform with The IIA’s Standards on quality. In accordance with the intent of Standard 1300 of the International Standards for the Professional Practice of Internal Auditing, Quality Assessments of internal audit activities are to be conducted on an organizational basis, not on a service provider basis.
-
This premise is erroneous, as Quality Assessments of internal audit activities are to be conducted on an organizational basis, not on a service provider basis. A Quality Assessment of an external service provider would not qualify as sufficient evidence to conclude on the specific work performed at multiple clients. The individual organization’s internal audit work must be the focus of a Quality Assessment, and any work performed by a service provider would be subject to review during the course of the organization’s Quality Assessment.
-
The use of the organization’s external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 1312 “External Assessments” of The IIA’s International Standards for the Professional Practice of Internal Auditing (effective January 1, 2009) addresses this matter in that it requires “The chief audit executive must discuss with the board ... the qualifications and independence of the external reviewer or assessment team, including potential conflict of interest.” The interpretation section of Standard 1312 adds, “An independent assessor or assessment team means not having either a real or an apparent conflict of interest...” Thus, professional guidance indicates that the CAE and the board must consider this question, given the facts and circumstances.
-
Yes, a Quality Assessment would be required, regardless of whether the internal audit activity was in-house or outsourced. The five-year requirement began when the internal audit activity was first enacted, regardless of whether it was outsourced, co-sourced, or in-house. Adoption of the Standards establishes the intent of the internal audit activity to comply, and as a result is considered the starting point of the five-year period before a Quality Assessment is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the Audit Charter, and the use of the phrase “conducted in conformance with the Standards” in audit reports, etc.
-
The internal audit activity has five years from the date of adoption of the Standards before a Quality Assessment would be required. Adoption of the Standards establishes the intent of the internal audit activity to comply and should be considered the starting point of the five-year period before a Quality Assessment is required. Generally, adoption of the Standards and “intent” coincide with the formation of the internal audit activity. However, in other cases, the election to adopt the Standards may not occur when the department is first established. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the Audit Charter, and the use of the phrase “conducted in conformance with the Standards” in audit reports, etc.
-
Standard 1312 states that Quality Assessments must be conducted at least once every five years by a qualified, independent Assessor or Assessment Team comprised of individuals from outside the organization. The potential need for more frequent Quality Assessments, as well as the qualifications and independence of the external Assessor or Assessment Team, including any potential conflict of interest, must be discussed by the Chief Audit Executive with the board. Such discussions must also consider the size, complexity, and industry of the organization in relation to the experience of the Assessor or Assessment Team. However, best practice suggests the audit committee be directly involved in the selection process, as well as the determination of the method (Full-scope External Quality Assessment or Self-assessment with Independent Validation) to be followed, the approach to be followed, and the overall cost. The Chief Audit Executive generally leads the selection process with the full involvement and support of the audit committee and executive management.
-
The International Professional Practices Framework (IPPF) defines the required competency of the external assessors. Interpretation of Standard 1312 from the International Standards for the Professional Practice of Internal Auditing contained in Practice Advisory 1312-1 asserts that “Performing and communicating the results of an external assessment require the exercise of professional judgment.” Accordingly, an individual serving as an external assessor should:
- Be a competent, certified audit professional (e.g., CIA, CPA, CA, or CISA) who possesses current, in-depth knowledge of the Standards.
- Be well-versed in the best practices of the profession.
- Have at least three years of recent experience in the practice of internal auditing at a management level.
- Have competence and experience, such as that gained from working previously as a team member on an External Quality Assessment, or successfully completing The IIA’s quality assessment training course or similar training.
- Be a CAE or have comparable senior internal audit management experience.
-
Yes. IIA Quality Services conducts Full-scope External Quality Assessments and Self-assessments with Independent Validation. In addition to conducting these two types of Quality Assessments, IIA Quality Services offers a Gap Assessment service. To receive a proposal from IIA Quality Services, please complete our Proposal Request Form.
-
Should an organization be in search of a subject matter expert to speak at an upcoming event about Quality Assessments and/or Quality Assurance and Improvement Programs (QAIPs), email your request to quality@theiia.org.
Quality Assurance and Improvement Program (QAIP)
-
A QAIP is required by the Standards. As an organization grows, its operations and quality processes must evolve and be refined in order to keep pace with the changes. To ensure consistent quality in this dynamic environment, an ongoing commitment to growth and improvement is essential. This commitment to continuous improvement is demonstrated through a documented QAIP, as described in Practice 1300-1.
-
The required elements of the program are periodic internal and external quality assessments, ongoing internal monitoring, and assurance that the internal audit activity conforms to the Standards and the Code of Ethics.
-
Internal assessments must include ongoing evaluations of the performance of the internal audit activity and periodic reviews performed by self-assessments. External Quality Assessments require an outside team of independent reviewers to evaluate conformance with the Standards, the use of successful practices, and the efficiency and effectiveness of the internal audit activity.
-
The premise of this question is erroneous, as The IIA does not “certify” individuals or organizations that perform Quality Assessment services.
-
We recommend referring to Practice 1300-1, which provides an inclusive list of all elements that should be included in the QAIP.
Potential Quality Assessment Issues
-
The criteria are described in detail in the Quality Assessment Manual. In summary, it is a matter of determining conformity to each of the Standards individually and then rolling those determinations into an overall conclusion. Since it is a conclusion, the lack of general conformity to one particular Standard would not necessarily result in an overall “partially conforms” opinion or the reverse.
-
A Chief Audit Executive should report the rationale for nonconformance with the Quality Assessment requirement to the board and management. If the internal audit activity does not undergo a Quality Assessment during the designated timeframe (once every five years), the internal audit activity may not use the phrase, “Conducted in accordance with the International Standards for the Professional Practice of Internal Auditing,” in its reports or in its internal audit activity charter. A Chief Audit Executive who uses this statement while not in conformance is subject to ethical disciplinary sanctions by The IIA.
-
If an internal audit activity receives a less than “generally conforms” opinion regarding conformance to the Standards, the Chief Audit Executive must initiate action to cure the deficiency and/or discuss with the audit committee the limiting factors that may need to be addressed to resolve the area(s) where a deficiency was noted. The lack of a “generally conforms” opinion would preclude the internal audit activity from indicating that it operates in conformance with the Standards in any written reports or documents until the deficiency is resolved.
-
If a Chief Audit Executive does not agree with the opinion issued by the Assessment Team or the independent validator, the Chief Audit Executive must report their view of the situation to the audit committee and discuss the issue with the audit committee to determine the appropriate action to be taken. If a “partially conforms” or “does not conform” opinion is received, the internal audit activity is not in conformance with the Standards and the Chief Audit Executive must discuss the appropriate action to be taken with the audit committee to resolve the issue(s).
-
Yes, until the issues identified as causing the nonconformance are resolved, the activity would not be operating in conformance with the Standards.
-
A Chief Audit Executive must review the corrective action taken to resolve the nonconformance issue(s) with the audit committee and report when the action plan is complete. If an audit committee desires an external validation, additional input may be needed. When the remediation work is completed to the satisfaction of the audit committee, the internal audit activity may then consider itself in conformance with the Standards.
Conformance Statement Usage
-
No. An internal audit activity must demonstrate conformance with The IIA’s Standards before it can state it is in conformance. Having a contract to perform a Quality Assessment after the end of the five-year cycle is not sufficient to demonstrate conformance with the Standards. As such, the internal audit activity cannot state it is in conformance with the Standards.
-
As per Practice Advisory 1321, internal auditors may use the statement only if assessments of the Quality Assurance and Improvement Program (QAIP) demonstrate that the internal audit activity is in conformance with the Standards. An internal audit activity must demonstrate conformance with the Standards before it can state that it is in conformance with the Standards. Standard 1300 requires a Chief Audit Executive to develop and maintain a QAIP that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The Chief Audit Executive of a new internal auditing activity can authorize the use of the statement, “Conducted in conformance with the Standards,” when supported by sufficient evidence from QAIP internal assessments. While an External Quality Assessment must be performed within five years of a new department’s existence, the conformance statement can be used after at least one year’s internal assessments indicate sufficient evidence exists that the audit function is indeed compliant with the Standards.
-
A reference should not be made in the internal audit activity’s charter or in the internal audit activity’s audit reports. The reference may be made when the internal audit activity’s Quality Assurance and Improvement Program (QAIP) demonstrates that the internal audit activity is in conformance with the Standards.