
Chapter 1

The Framework for Quality Assurance

Overview
A critical asset for an internal audit activity is its credibility with stakeholders. To provide
credible assistance and constructive challenge to management, internal auditors must be perceived
as professionals. Professionalism requires conforming to a set of professional standards. This
chapter provides an overview of The IIA’s International Standards for the Professional Practice of
Internal Auditing and the other elements that make up the International Professional Practices
Framework (IPPF). It explains how each has evolved as the profession has matured, and how
their application should be tailored to each organization without compromising conformance
with the Standards. In particular, it presents and discusses the 1300 series of the Standards
that deals specifically with quality assurance.

Standards Require Quality Assurance Focus
Chief audit executives (CAEs) need assurance that their internal audit activity and each member
of their staff conform to all mandatory elements of the IPPF, and they need to demonstrate
this conformance to their stakeholders. The only way to meet these expectations is with a
comprehensive quality assurance and improvement program (QAIP) that includes ongoing
monitoring of performance, periodic internal assessments, external assessments conducted
by a qualified, independent assessor or assessment team from outside the organization, and
communication of the results.

Standards and Other Professional Guidance Have Evolved With the Profession
The steadily expanding scope and global reach of internal auditing is reflected in and fostered
by changes in the Standards and professional guidance. Changes occurred in the Standards
effective January 1, 2017, and contribute to the update to this manual. A significant change
in professional guidance occurred in 1999 with a new Definition of Internal Auditing and
the development of the Professional Practices Framework, which became the IPPF in 2009.
The IPPF was further updated and expanded in July 2015, and again in 2017. Evaluating
risk management and governance processes is much more challenging and meaningful than
control alone. It requires internal audit to operate at a higher, more strategic level. To operate
at this level, internal auditors need a higher level of credibility with their stakeholders.

Quality Assurance Has Evolved With the Standards


The original Standards (1978) stated, “The director of internal auditing should establish and
maintain a quality assurance program” that includes an external quality assessment (EQA)
every three years. The three-year time frame was chosen to be in line with guidance from the
U.S. Government Accountability Office (U.S. GAO). In the 2002 revision of the Standards,
The IIA changed the time frame to every five years, as this was considered more appropriate
for an internal audit activity.

Quality Assessment Manual for the Internal Audit Activity


The IPPF

The requirements and characteristics of quality in an internal audit activity are defined by
the IPPF, which consists of mandatory and recommended guidance, all provided within the
context of the Mission of Internal Audit as defined in the IPPF.

Mandatory Guidance
Mandatory guidance is considered essential for the professional practice of internal auditing.
Mandatory guidance is submitted for review by the entire global profession through the exposure
draft process. It consists of four elements:

• Core Principles: The Core Principles for the Professional Practice of Internal
Auditing are the foundation for the IPPF and support internal audit effectiveness.

• Definition of Internal Auditing: “Internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of risk management, control, and governance processes.”

• Code of Ethics: The Principles and Rules of Conduct of the Code of Ethics
define ethical behavior for a professional internal auditor.

• Standards: The Standards are the central criteria that define the attributes
and characteristics of performance for an internal audit activity, including the
requirements for a QAIP.

Recommended Guidance
Recommended guidance is endorsed by The IIA through a formal approval process. It
describes practices for the effective implementation of the Core Principles, the Definition
of Internal Auditing, the Code of Ethics, and the Standards. Recommended guidance helps
internal auditors understand and apply the Standards and may provide insight into going
beyond conformance to a higher level of adding value, or addressing issues of concern not
related to a specific standard. Recommended guidance is described in terms of implementation
guidance and supplemental guidance and is available to IIA members on The IIA’s
websites: global.theiia.org and na.theiia.org.

• Implementation Guidance: Implementation Guides exist for each standard.
They are intended to provide guidance to internal audit practitioners with
regard to conformance with the Standards.

• Supplemental Guidance: Supplemental guidance provides detailed guidance
for conducting internal audit activities. Supplemental guidance includes
topical areas, sector-specific issues, as well as processes and procedures, tools
and techniques, programs, step-by-step approaches, and examples of deliverables.
Examples of supplemental guidance currently include Practice Guides,
Global Technology Audit Guides (GTAGs), and Guides to the Assessment of
IT Risk (GAIT).

Quality Assurance and Improvement Program


Standard 1300 – Quality Assurance and Improvement Program is included in full because it
defines the requirements for a QAIP. Consult The IIA’s website for the most current version
of the Standards and for recommended guidance. Chapter 2 of this manual describes the
requirements and considerations for establishing a QAIP. Chapters 3, 4, and 5 describe the
requirements and considerations for performing internal assessments, a full external assessment,
and a self-assessment with independent validation, respectively.

1300 – Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement program is designed to enable an evaluation of the internal
audit activity’s conformance with the Standards and an evaluation of whether internal auditors
apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal
audit activity and identifies opportunities for improvement. The chief audit executive should
encourage board oversight in the quality assurance and improvement program.

1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.

1311 – Internal Assessments
Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.

• Periodic self-assessments or assessments by other persons within the organization
with sufficient knowledge of internal audit practices.

Interpretation:

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of
the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices
used to manage the internal audit activity and uses processes, tools, and information considered
necessary to evaluate conformance with the Code of Ethics and the Standards.

Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the
Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements
of the International Professional Practices Framework.

1312 – External Assessments


External assessments must be conducted at least once every five years by a qualified, independent
assessor or assessment team from outside the organization. The chief audit executive
must discuss with the board:

• The form and frequency of external assessment.

• The qualifications and independence of the external assessor or assessment
team, including any potential conflict of interest.

Interpretation:

External assessments may be accomplished through a full external assessment, or a self-assessment
with independent external validation. The external assessor must conclude as to conformance with
the Code of Ethics and the Standards; the external assessment may also include operational or strategic
comments.

A qualified assessor or assessment team demonstrates competence in two areas: the professional practice
of internal auditing and the external assessment process. Competence can be demonstrated
through a mixture of experience and theoretical learning. Experience gained in organizations of
similar size, complexity, sector or industry, and technical issues is more valuable than less relevant
experience. In the case of an assessment team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executive uses professional
judgment when assessing whether an assessor or assessment team demonstrates sufficient competence
to be qualified.

An independent assessor or assessment team means not having an actual or perceived conflict of
interest and not being a part of, or under the control of, the organization to which the internal
audit activity belongs. The chief audit executive should encourage board oversight in the external
assessment to reduce perceived or potential conflicts of interest.

1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement
program to senior management and the board. Disclosure should include:

• The scope and frequency of both the internal and external assessments.

• The qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest.

• Conclusions of assessors.

• Corrective action plans.

Interpretation:

The form, content, and frequency of communicating the results of the quality assurance and improvement
program is established through discussions with senior management and the board and
considers the responsibilities of the internal audit activity and chief audit executive as contained in
the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards,
the results of external and periodic internal assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are communicated at least annually. The results
include the assessor’s or assessment team’s assessment with respect to the degree of conformance.

1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
Indicating that the internal audit activity conforms with the International Standards for the
Professional Practice of Internal Auditing is appropriate only if supported by the results of the
quality assurance and improvement program.

Interpretation:

The internal audit activity conforms with the Code of Ethics and the Standards when it achieves
the outcomes described therein. The results of the quality assurance and improvement program
include the results of both internal and external assessments. All internal audit activities will have
the results of internal assessments. Internal audit activities in existence for at least five years will
also have the results of external assessments.

1322 – Disclosure of Nonconformance


When nonconformance with the Code of Ethics or the Standards impacts the overall scope
or operation of the internal audit activity, the chief audit executive must disclose the nonconformance
and the impact to senior management and the board.

Application of the IPPF
The IPPF is the foundation of quality for an internal audit activity. While it is equally applicable
to all internal audit activities, the actual practice of internal auditing within an organization
must be adapted to such factors as an organization’s legal, regulatory, and cultural environment,
and industry, size, and stakeholder expectations. The CAE must adapt internal auditing
to the organization’s environment while still conforming with the Standards. Assessors should
consider this adaptation.

Internal auditing may be less mature in emerging countries, privately held (not listed) companies,
not-for-profit organizations, small companies, and organizations with a relatively new
internal audit activity. At the same time, many mature internal audit activities that are generally
in conformance with the Standards and the Code of Ethics look for ways to provide
context to the operation of their activity. Maturity models are used in some of these organizations
to provide this context. Examples of maturity models are available on the internet
and can be adapted by an organization to provide additional insight into maturity levels for
specific internal audit processes or elements of infrastructure.

Chapter 2

Establishing a Quality Assurance and Improvement Program

Overview
Standard 1300 – Quality Assurance and Improvement Program states, “The chief audit executive
must develop and maintain a quality assurance and improvement program that covers
all aspects of the internal audit activity.” The QAIP should encompass all aspects of operating
and managing the internal audit activity—including consulting engagements—as found in
the mandatory elements of the IPPF. It may also be beneficial for the QAIP to consider best
practices in the internal audit profession.

Implementation Guide 1300 states, “The QAIP is designed to enable an evaluation of the
internal audit activity’s conformance with the International Standards for the Professional
Practice of Internal Auditing (Standards) and whether internal auditors apply The IIA’s Code
of Ethics.” Through conformance with the Standards and the Code of Ethics, the internal
audit activity also achieves alignment with the Definition of Internal Auditing and the Core
Principles.

The QAIP must include ongoing and periodic internal assessments, and external assessments
by a qualified independent assessor or assessment team from outside the organization. Quality
should be built into, not onto, the way the activity conducts its business—through its internal
audit methodology, policies and procedures, and human resource practices. Building quality
into a process is essential to validate and continuously improve the internal audit activity,
demonstrating value as defined by stakeholders.

Delivering quality requires a systematic and disciplined approach as professionals. Quality
does not just happen; it is the combination of the right people, the right systems, and a
commitment to excellence. Building an effective QAIP is similar to establishing a total quality
management program where products and services are analyzed to verify that they meet stakeholder
expectations, operations are evaluated to determine their efficiency and effectiveness,
and practices are assessed to confirm their conformance to standards. Maintaining an effective
QAIP also requires leaders who are responsible for setting the proper tone in support of
quality and continuous improvement.

Using key concepts of quality as a foundation in establishing a QAIP, the internal audit activity
should consider all mandatory and recommended guidance elements of the IPPF that support:

• Conformance with the Standards and the Code of Ethics. It is further understood
that through conformance with the Standards and the Code of Ethics,
the internal audit activity also achieves alignment with other mandatory
elements of the IPPF.

• Stakeholder satisfaction defined by expected and preferred internal audit deliverables
that produce value for the organization.

• Operational effectiveness achieved by building quality “into” internal audit
processes. Preventing mistakes is generally less costly than correcting mistakes.

• Continuous improvement of internal audit activities accomplished through
quality initiatives identified during the quality assessment process.

• Management commitment to provide resources and tools necessary for a QAIP
to succeed. Participation is expected by all members of the internal audit activity.

For the internal audit profession, it is important to ensure that internal audit activities globally
maintain the highest possible standards of service delivery to the organizations they
support. The IIA established the IPPF to guide the internal audit profession, and the mandatory
elements of the IPPF—supported by recommended guidance—are the foundation for
developing an internal audit activity’s QAIP.

The QAIP Framework
Standard 1300 – Quality Assurance and Improvement Program states that the CAE must
develop and maintain a QAIP that covers all aspects of the internal audit activity.

Common elements of all QAIPs include:

• A scope that includes all aspects of the internal audit activity.

• An evaluation of conformance with the Standards and the Code of Ethics.

• An appraisal of the efficiency and effectiveness of the internal audit activity.

• The identification of opportunities for continuous improvement.

• Involvement by the board in oversight of the QAIP.

A framework is oftentimes used to describe the complete environment for developing and implementing
the QAIP. An example of such a framework, consisting of Governance, Professional
Practice, and Communication, is shown in figure 2-1. This framework is intended as guidance
only. CAEs may develop their own QAIP structure in conformance with the Standards.

Figure 2-1: Quality Assurance and Improvement Program Framework
[Diagram labels: Governance; Professional Practice; Communication; Quality Assurance Over Entire IA Activity; Internal Audit Activity; Quality Assessments; Ongoing Monitoring; Periodic Self-Assessment; External Assessment; Findings, Observations, & Recommendations; Reporting & Follow-Up; Continuous Improvement of IA Processes; Continuous Improvement of QAIP]

To construct a QAIP framework, the internal audit activity universe must be considered.
This universe must include the IPPF, and may include the legal requirements of the specific
country and/or industry where the activity is operating, stakeholder expectations, use of
third-party subject matter experts, co-source partners for internal audit services, and the size
and structure of the overall organization. Implementation Guides for the 1300 series of the
Standards provide more detail and insight.

Internal Assessments
Two key elements of the quality assessment process comprise the internal assessment portion
of the internal audit activity’s QAIP: ongoing monitoring and periodic self-assessments.

Ongoing Monitoring
What is important to remember is that a QAIP must be built into the processes of the internal
audit activity and not onto the way the activity conducts its business. The most obvious internal
method for continuously assessing quality is management oversight of internal audit work.
Adequate supervision from the beginning through the end of the engagements is a fundamental
element of a QAIP.

The Deming Cycle (or Plan-Do-Check-Act cycle) provides a possible structure in establishing the
QAIP. Applying the Deming Cycle to the ongoing monitoring portion of the QAIP might look
like figure 2-2 (Ongoing Monitoring). The steps in the Deming Cycle are as follows:

1. Plan means establishing expectations for operating a process to meet specific
objectives, goals, or deliverables.

2. Do means executing the process and collecting data for analysis and follow-up
in the Check and Act steps of the cycle.

3. Check is the step where actual results are compared to expected outcomes and
differences are analyzed.

4. Act is where feedback is provided to the operators of the process to reinforce
expectations established in the previous Plan step. It is in this step that improvements
to the process are identified and implemented.

Plan
• Establish department standards for engagements.
• Create checklists (planning, meeting agenda, and engagement closeout procedures).
• Design templates (risk control matrix, test plans, and process documentation).
• Develop tools (data mining and sampling techniques).
• Design formats (issues/findings and reports).

Do
• Plan, perform, and report engagements.
• Use checklists, templates, tools, and formats.
• Collect data on engagement process performance.

Check
• Verify department standards are met or exceeded.
• Confirm use of checklists, templates, tools, and formats.
• Document supervisory review.
• Record, report, and analyze metrics.

Act
• Provide coaching and take corrective action.
• Reinforce standards through communication and training.
• Revise checklists, templates, tools, and formats as needed.

Figure 2-2: Ongoing Monitoring

Note: Examples are for discussion purposes; they are not intended as a comprehensive or complete
list of activities.

The ongoing monitoring element of the QAIP would primarily address conformance with
the following Standards since they are intended to address quality on an audit-by-audit basis
and relate primarily to engagement activities:

2200: Engagement Planning
2300: Performing the Engagement
2400: Communicating Results
2500: Monitoring Progress

To this end, ongoing monitoring applies to all assurance and consulting assignments and
should achieve the objectives described in Standard 2340 – Engagement Supervision, which
states, “Engagements must be properly supervised to ensure objectives are achieved, quality
is assured, and staff is developed.” This standard also requires that appropriate evidence of
supervision is documented and retained. This documentation provides assurance that ongoing
monitoring is incorporated into the routine policies and practices used to manage the internal
audit activity. In other words, a quality review must be performed for each engagement. This
review provides an opportunity for ongoing evaluation, coaching, and feedback for each
auditor assigned to the engagement.

As noted in Implementation Guide 1311 – Internal Assessments, ongoing monitoring mechanisms
may include:

• Checklists or automation tools to provide assurance on internal auditors’
compliance with established practices and procedures and to ensure consistency
in the application of performance standards.

• Feedback from internal audit clients and other stakeholders regarding the efficiency
and effectiveness of the internal audit team. Feedback may be solicited
immediately following the engagement or on a periodic basis (e.g., semiannually
or annually) via survey tools or conversations between the CAE and
management.

• Staff and engagement key performance indicators (KPIs), such as the number
of certified internal auditors (CIAs) on staff, their years of experience in internal
auditing, the number of continuing professional development hours they
earned during the year, timeliness of engagements, and stakeholder satisfaction.

• Other measurements that may be valuable in determining the efficiency and
effectiveness of the internal audit activity. Measures of project budgets, timekeeping
systems, and audit plan completion may help to determine whether
the appropriate amount of time is spent on all aspects of the audit engagement.
Budget-to-actual variance can also be a valuable measurement to determine
the efficiency and effectiveness of the internal audit activity.

Results of ongoing monitoring must be reported to the board or the audit committee at least
annually. The adequacy and effectiveness of the ongoing monitoring portion of the QAIP
should also be evaluated as part of periodic self-assessments described in the next section.

Periodic Self-Assessments
Implementation Guide 1311 – Internal Assessments states, “Periodic self-assessments have
a different focus than ongoing monitoring in that they generally provide a more holistic,
comprehensive review of the Standards and the internal audit activity. In contrast, ongoing
monitoring is generally focused on reviews conducted at the engagement level. Additionally,
periodic self-assessments address conformance with every standard, whereas ongoing monitoring
frequently is more focused on the performance standards at the engagement level.”

The internal audit activity conducts periodic self-assessments to validate its continued conformance
with the Standards and Code of Ethics. Through conformance with the Standards and
Code of Ethics, the internal audit activity also achieves alignment with the Definition of
Internal Auditing and the Core Principles. In addition, periodic self-assessments may evaluate:

• The quality and supervision of work performed.

• The adequacy and appropriateness of internal audit policies and procedures.

• The ways in which the internal audit activity adds value.

• The achievement of KPIs.

• The degree to which stakeholder expectations are met.

The QAIP should document and define a systematic and disciplined approach to the periodic
self-assessment process, which may incorporate programs provided in the appendices
of this manual.

Successful internal audit practice is for periodic self-assessment to be performed at least annually.
This provides an annual basis for assurance that the internal audit activity continues to
operate in a manner consistent with requirements of the Standards and the Code of Ethics.
This is especially important during periods of change in the Standards or in the organization.

Many internal audit activities find it valuable to review and update their infrastructure, methodology,
and processes on an annual basis as a component of their periodic self-assessment to
ensure these elements are current with the requirements of the Standards. This annual periodic
self-assessment process provides the board with assurance that the internal audit activity
maintains the standard of performance that is required by The IIA. Recommendations for
improvement should be tracked by a follow-up report, with the results listed at each
board meeting.

The periodic self-assessment element of the QAIP would primarily address conformance with
the following series of Standards:

1000: Purpose, Authority, and Responsibility
1100: Independence and Objectivity
1200: Proficiency and Due Professional Care
1300: Quality Assurance and Improvement Program
2000: Managing the Internal Audit Activity
2100: Nature of Work
2200: Engagement Planning
2300: Performing the Engagement
2400: Communicating Results
2500: Monitoring Progress
2600: Communicating the Acceptance of Risks
Code of Ethics

The periodic self-assessment should also assess results of ongoing monitoring. Applying
the Deming Cycle to these additional elements of the QAIP might look like figure 2-3.

Plan
• Create internal audit activity charter.
• Adopt The IIA’s Code of Ethics.
• Establish internal audit activity structure, policies, and procedures.
• Agree on value-added activities with stakeholders.
• Establish appropriate measures to track value-added activities.
• Define relevant quality metrics.

Do
• Perform annual audit planning.
• Schedule engagements and assign staff.
• Hire, train, and develop staff.
• Perform ongoing monitoring of engagements.
• Communicate and meet with stakeholders.

Check
• Conduct surveys and interviews with stakeholders to confirm value is delivered.
• Review a sample of engagements to assure ongoing monitoring is effective.
• Record, report, and analyze metrics.
• Assess internal audit activity structure, policies, and procedures conformance with
IPPF mandatory guidance.

Act
• Assess and report on conformance with IPPF mandatory guidance.
• Identify gaps in conformance and develop road maps to close gaps.
• Revise internal audit activity structure, policies, and procedures as needed.

Figure 2-3: Periodic Self-Assessment

Note: Examples are for discussion purposes; they are not intended as a comprehensive or complete list
of activities.

Assessment, Evaluation, and Reporting
Establishing an internal assessment process, both ongoing monitoring and periodic self-assessments,
coupled with the reporting of KPIs, culminates in an evaluation of the internal
audit activity’s QAIP, with results reported to appropriate stakeholders.

Two questions the CAE should consider when performing a QAIP evaluation are:

• Is the evaluation to be a comprehensive or partial assessment of the QAIP and
the internal audit activity?

• What rating scale will be used to support a conclusion regarding the QAIP
and the internal audit activity’s conformance with the Standards and the Code
of Ethics?

Answering the first question will depend on the design of the internal audit activity’s QAIP
and the level of resources devoted to the internal assessment process. As noted previously, a
successful internal audit practice is to perform annual self-assessments; the Standards do not
specifically state a frequency. Some CAEs may view internal self-assessments as action taken
during years when an external assessment is not performed. Certain parts of the QAIP may
be evaluated every year, while other portions may be evaluated less frequently. The planning
guides described in appendix A and the programs described in appendix D can be used to plan
and perform an internal assessment and evaluation of the QAIP and the internal audit activity.

The second question is not specifically addressed in the Standards, as they do not prescribe
an assessment scale; however, the Standards do require the degree of conformance with the
Standards and the Code of Ethics be assessed. Appendix E has an evaluation summary framework
that contains conformance criteria linked with the Standards and the Code of Ethics,
which CAEs can use to assess the conformance with these mandatory elements of the IPPF.
Appendix E describes an assessment scale of Generally Conforms, Partially Conforms, and
Does Not Conform.

This discussion of rating scales leads back to the concept of a maturity model, which was
introduced in chapter 1. Internal audit activities in the early stages of establishing their QAIP
might use a maturity model to help them achieve general conformance with the Standards
and the Code of Ethics—confirmed by their internal self-assessment process and eventually
assessed by a qualified, independent assessor or assessment team from outside the organization.
Internal audit activities with mature QAIPs, where multiple internal and external assessments
have been completed, might use a maturity model as a way to demonstrate different levels
of quality to their stakeholders.

Standard 1320 – Reporting on the Quality Assurance and Improvement Program states, “The
chief audit executive must communicate the results of the quality assurance and improve-
ment program to senior management and the board.” Therefore, conclusions arising from the
internal assessments of the internal audit activity’s conformance with the Standards and the
Code of Ethics should be provided to key stakeholders as described by the standard. Results
of ongoing monitoring of performance must be reported annually. Successful internal audit
practice also suggests that the results of periodic self-assessment be reported at least annually.

Continuous Improvement
While the primary focus of the QAIP must be on evaluating conformance with the Standards
and the Code of Ethics, real value for the internal audit activity is derived from a focus on
continuous improvement. Internal audit activities that have embedded the concept of contin-
uous improvement into their operating culture and QAIP go beyond conformance with the
Standards and the Code of Ethics and realize many additional benefits, including:

• Positioning the internal audit activity for success within the organization.

• Becoming more forward-looking in approach and experiencing greater alignment
with the organization’s strategies and objectives.

• Greater adaptability in implementing incremental internal audit process changes,
resulting in greater responsiveness to emerging stakeholder expectations.

• Enhanced internal audit productivity following the elimination of
non-value-added activities.

• Improved internal audit staff morale resulting from a focus on process improvements
where all ideas are welcome.

The concept of continuous improvement highlights the dynamic nature of establishing and
maintaining an effective QAIP. Changing stakeholder priorities, shifting organizational strat-
egies, and fluctuating environmental factors all contribute to this dynamic. CAEs should not
expect “perfect” or “absolute” conformance with the Standards and the Code of Ethics, partic-
ularly for internal audit activities that are just beginning to establish their QAIP. Conscientious
periodic self-assessments will highlight areas where the internal audit activity can get stronger.

Internal audit activities with mature QAIPs may have moved beyond general conformance,
but they are still focused on continuous improvement of their processes. Organizations use a
gap analysis—comparing current performance with desired future performance—to develop
plans or road maps to achieve process improvements.

Reports documenting the internal assessment process of a QAIP—both ongoing monitoring
and periodic self-assessment—should contain summaries of continuous improvement efforts
within the internal audit activity. This focus on continuous improvement within the QAIP
assures key stakeholders of the internal audit activity’s commitment to quality.

Chapter 3 outlines steps to perform ongoing monitoring and periodic self-assessment in a
manner that meets the requirements of the Standards, the Code of Ethics, and successful
internal audit practice, and fulfills the requirements of internal assessment.

External Assessments
So far, this chapter has outlined steps to building an effective QAIP, focusing on the internal
assessment process—ongoing monitoring and periodic self-assessment. External assessments
are also an element of the QAIP as prescribed by the Standards; however, the Standards only
require an external assessment to occur at least once every five years. Internal assessment
components of the QAIP should be continuously active between external assessments, estab-
lishing the foundation of a successful internal audit activity.

The primary link between a QAIP and an external assessment is the reporting process orig-
inating from the QAIP. For a QAIP to be deemed effective, CAEs should expect external
assessors to affirm what the CAE is measuring in regard to conformance with the Standards
and the Code of Ethics through the periodic self-assessment process and reporting of results
to key stakeholders. The CAE’s report of the periodic self-assessment may be used as a basis
for assessment by an external assessor.

A secondary link between a QAIP and an external assessment is the documentation main-
tained by the CAE as evidence of an effective QAIP. This includes charters, policies, procedures,
metrics, audit reports, annual audit plans, engagement workpapers, audit committee minutes,
staff training records, etc. External assessors will want to examine relevant documentation
that describes key elements of the QAIP (see “A-0: Background Information and Document
Request Checklist” in appendix A).

The decision to schedule an external assessment often results from the CAE’s requirement to
perform an external assessment every five years. The CAE might consider other factors when
determining specific timing and scope for this review:

• Does the CAE believe that the internal audit activity generally conforms with
the Standards and the Code of Ethics?

• Is the documentation describing the QAIP comprehensive and complete?

• Has feedback from key stakeholders been incorporated into the QAIP?

• Have discussions with the board established additional expectations related to
operational or strategic goals?

As noted in Standard 1312 – External Assessments, CAEs can choose from two method-
ologies for external assessments. The first approach is a full external assessment, and the
second approach is an independent, external validation of the CAE’s self-assessment of the
internal audit activity. Both approaches—full external assessment and independent, external
validation—require that they be conducted by a qualified, independent assessor or assessment
team from outside the organization. The qualified, independent assessor or assessment team
must demonstrate competence in two areas: the professional practice of internal auditing and
the external assessment process.

Several factors may influence the CAE’s decision in selecting an appropriate external assess-
ment method to review the internal audit activity’s QAIP. This is an area where the board
might take an active role in oversight of the QAIP as suggested in the Standards.

This manual reviews tools, techniques, and methods used to perform internal assessments
(see chapter 3), a full external assessment (see chapter 4), or an independent validation of the
CAE’s self-assessment of the internal audit activity (see chapter 5).

Implementation Guides
An implementation guide exists for each standard. The implementation guides are supple-
mental guidance that offers insight into conformance and application of the individual
standard. Most relevant to establishing a QAIP are those implementation guides associated
with the 1300 series of the Standards. However, all implementation guides are relevant in
helping the CAE, the external assessor or assessment team, or others in evaluating confor-
mance with the Standards and the Code of Ethics.

The IIA is constantly producing new supplemental guidance and modifying implementation
guidance as warranted. Readers of this manual should check the Standards and Guidance
section of The IIA’s website for relevant guidance not listed here, and for updates to the guid-
ance noted above.

Chapter 3

Internal Assessments

Overview
Chapter 3 outlines the requirements for performing internal assessments. Processes and
procedures used to support external assessments might also be used for internal assess-
ment purposes. For example, appendix D-4, “Internal Audit Process,” might be used
to evaluate conformance with Standards 2200, 2300, 2400, and 2500 for periodic self-
assessment purposes. They also might be used to evaluate quality for individual engagements
as a component of ongoing monitoring.

Standard 1311 – Internal Assessments states, “Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.

• Periodic self-assessments or assessments by other persons within the organization
with sufficient knowledge of internal audit practices.”

Interpretation

“Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement
of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and
practices used to manage the internal audit activity and uses processes, tools, and information
considered necessary to evaluate conformance with the Code of Ethics and the Standards.

Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the
Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements
of the International Professional Practices Framework.”

Internal Assessments
Implementation Guide 1311 – Internal Assessments states, “Ongoing monitoring is achieved
primarily through continuous activities such as engagement planning and supervision, stan-
dardized working practices, workpaper procedures and signoffs, report reviews, as well as
identification of any weaknesses or areas in need of improvement and action plans to address
them.” These processes support quality on an audit-by-audit basis.

Self-assessments serve internal audit by evaluating conformance with the internal audit
charter and the mandatory elements of the IPPF, the quality and supervision of audit work
being done, internal audit’s policies and procedures, how internal audit adds value, and the
achievement of KPIs. These processes provide insight into the level of conformance with the
Standards and the Code of Ethics and the quality of the internal audit activity as a whole.

Implementation Guide 1300 – Quality Assurance and Improvement Program states, “Through
conformance with the Standards and Code of Ethics, the internal audit activity also achieves
alignment with the Definition of Internal Auditing and the Core Principles for the Professional
Practice of Internal Auditing.”

Ongoing Monitoring
Ongoing monitoring of performance is included in a QAIP to promote quality on an engagement-
by-engagement basis. The processes and procedures that support ongoing monitoring are the
basic foundation of the internal audit activity. Routine practices, such as supervisory review
and approval of work performed, the use of checklists and templates embedded in an elec-
tronic workpaper tool, the use of customer surveys, and reporting of performance metrics,
all support ongoing monitoring.

Adequate supervision is the most fundamental and important aspect of quality in an internal
audit activity. Supervision that takes place at the appropriate times during annual audit plan-
ning and for engagement planning, fieldwork, and reporting, and is properly documented,
demonstrates due professional care. It also promotes consistency, quality, and sustainability
of internal audit processes and infrastructure.

Using checklists and templates embedded within an electronic workpaper tool further
supports quality. These items provide the structure to ensure work is performed consistently
between engagements. The use of checklists and templates allows internal auditors to focus
on content as opposed to being concerned with form. This is viewed by many stakeholders
as adding value within the internal audit process. Conducting surveys of key stakeholders at
the conclusion of an engagement is another way to gain insight into the quality and value of
the internal audit process from the perspective of the audit customer. These can also help to
identify opportunities for continuous improvement in the internal audit process.

KPIs that are developed in collaboration with stakeholders and the board can provide valuable
insight into the internal audit activity and can be used to promote enhanced efficiency, effec-
tiveness, and quality. The use of a balanced scorecard is a particularly effective way to monitor
and report results. Standard 1320 – Reporting on the Quality Assurance and Improvement
Program requires that the results of ongoing monitoring be reported to senior management
and the board at least annually. Incorporating a balanced scorecard into the periodic reports
to the board is an excellent way to meet this communication requirement.

Periodic Self-Assessment
Periodic self-assessments are designed to assess conformance with the Standards, the Code
of Ethics, the internal audit charter, regulatory requirements, and the efficiency and effec-
tiveness of internal audit in meeting the needs of its various stakeholders. The QAIP should
document and define a systematic and disciplined approach to the periodic self-assessment
process, which could use guides and programs provided in the appendices of this manual.
For example, Planning Guides A-0 through A-4—found in appendix A—can be used as a
component of periodic self-assessment to ensure documents and insights of the CAE are kept
current with regard to conformance criteria. This is especially important when changes to the
IPPF occur or when the internal audit activity is undergoing significant change.

Survey guides—found in appendix B—might be used to monitor stakeholder input and
insight related to the internal audit activity in periods between external assessments. The
program guides found in appendix D provide a structured approach to evaluating confor-
mance with the Standards and the Code of Ethics. At the same time, these program guides
can be useful in documenting successful internal audit practices and opportunities for contin-
uous improvement.

Appendix E provides a mechanism to summarize work performed using this manual for peri-
odic self-assessment, and can provide a snapshot of conformance with the Standards and the
Code of Ethics. The results of a periodic self-assessment, together with the conclusions drawn,
must be communicated to senior management and the board upon completion of the assess-
ment. At a minimum, the report should include the objectives, scope, and frequency of the
periodic self-assessment; the qualifications and independence of the assessors or assessment
team; the conclusions of the assessors; and any corrective action plans that have been created
from the assessments to address areas that were not in conformance with the Standards or
the Code of Ethics.

Selecting the Periodic Self-Assessment Team


Periodic self-assessments are generally conducted by senior members of the internal audit
activity who are qualified in the professional practice of internal auditing and the IPPF.
Some larger organizations may use a separate professional practices group to perform these
self-assessments. In small organizations, self-assessments may be performed by the CAE or
an individual under the direction of the CAE.

In all situations, the assessor or assessment team should be independent from the areas they
review (they should not assess engagements for which they were primarily responsible) and
competent in the practice of internal auditing. Many organizations try to have self-assessment
team members who are CIAs. Team members might also include other qualified individuals
from within the organization or a co-source provider of internal audit services familiar with
the internal audit activity.

Using Periodic Self-Assessment to Enhance Quality and Value
Periodic self-assessments provide the opportunity to combine assurance-type activities with
consulting-type activities. Internal audit activities that do this effectively combine vertical
and horizontal reviews of completed projects to support conformance with the Standards, the
Code of Ethics, the internal audit activity methodology, as well as the efficiency and effectiveness
of the underlying processes.

Vertical and horizontal reviews are the two generally accepted methods of performing quality
reviews of completed audit projects. A vertical review provides an evaluation of conformance
with the Standards or the Code of Ethics, and examines a specific project from a top-down
approach (e.g., an assessment of individual audit steps performed for a specific project work
plan, such as planning steps, fieldwork steps, and reporting steps).

A horizontal review allows for an evaluation across all project engagements (e.g., use of the
risk assessment matrix, the supervisory review and approval process, or consistency in applying
report ratings) from an efficiency and effectiveness perspective. Horizontal reviews can also
be used to evaluate other infrastructure and processes such as annual risk assessment and
audit planning or continuing professional development processes. A combination of these
two methods is consistent with successful internal audit practice and contributes to contin-
uous improvement of internal audit processes.

Frequently Asked Questions
1. Question: How do you differentiate between ongoing monitoring of performance
and periodic self-assessment?

➜ Answer: The objectives are unique but interrelated. Ongoing monitoring
of performance promotes quality on an engagement-by-engagement basis
and supports consistency, quality, and sustainability of internal audit
activity processes and infrastructure. Periodic self-assessment is primarily
designed to evaluate conformance with the Standards and the Code of
Ethics during those periods when external assessment is not performed.
Periodic self-assessment can also evaluate efficiency and effectiveness
of the internal audit activity and identify opportunities for continuous
improvement.

2. Question: How frequently should periodic self-assessments be performed?

➜ Answer: Successful internal audit practice is for periodic self-assessments
to be performed at least annually. This is especially critical when changes
take place in the IPPF or in the organization that might impact the level
of conformance with the Standards and the Code of Ethics.

3. Question: Is periodic self-assessment helpful in achieving general conformance?

➜ Answer: Periodic self-assessments are the basis for a self-assessment with
independent validation. When periodic self-assessments are performed
annually, it ensures compliance with the IPPF and provides evidence that
quality is built into, and not onto, internal audit processes and activities.

Chapter 4

Full External Assessment

Overview
Standard 1312 – External Assessments requires that an external assessment of an internal
audit activity be conducted at least once every five years by a qualified, independent assessor
or assessment team from outside the organization. The objective of the external assessment is
to evaluate an internal audit activity’s conformance with the Standards and the Code of Ethics.

Implementation Guide 1300 states, “Through conformance with the Standards and Code
of Ethics, the internal audit activity also achieves alignment with the Definition of Internal
Auditing and the Core Principles for the Professional Practice of Internal Auditing.” External
assessments may also focus on identifying opportunities to enhance internal audit processes,
offer suggestions to improve the effectiveness of the internal audit activity, promote ideas
to enhance the activity’s image and credibility, and offer operational or strategic comments.
This approach embraces the successful practices of the profession and emphasizes governance,
risk management, and control processes as important areas for internal auditors’ attention.
External assessment recommendations focus on opportunities for continuous improvement
and add value to the organization.

As noted in Standard 1312 – External Assessments, “External assessments may be accom-
plished through a full external assessment, or a self-assessment with independent external
validation.” The full external assessment is conducted by a qualified, independent assessor
or assessment team from outside the organization. The team approach involves an outside
team of competent professionals under the leadership of an experienced, professional project
manager or team leader. The team, on a collective basis, must demonstrate competence in the
professional practice of internal auditing and the external assessment process. This chapter
outlines how to conduct a full external assessment. Chapter 5 outlines how to conduct a
self-assessment with independent validation.

Before the onset of the external assessment, several communications must take place between
the CAE and the board. The CAE must discuss with the board the form and frequency of the
external assessment. He or she must also discuss the qualifications and independence of the
external assessor or assessment team, including any potential conflicts of interest. Involvement
of the board is encouraged because it reduces perceived conflicts of interest between the CAE
and the external assessment provider. Further guidance on qualifications and independence
of the external assessment provider can be found in Implementation Guide 1312 – External
Assessments.

The remainder of chapter 4 describes performing the external assessment from the perspec-
tive of the external assessment provider. The external assessment process, including planning,
fieldwork, and reporting activities, is described to facilitate the execution of a full external
assessment. Where appropriate, references are made to guides and programs used to docu-
ment the assessment. These guides and programs are found in the appendices to this manual.

Figure 4-1 illustrates an approach to the full external assessment process.

[Figure 4-1: Full External Assessment Process. Elements shown: leading industry successful practices (e.g., GAIN, etc.), enterprise objectives for the IA activity, and the IPPF; key inputs (QAIP; surveys and interviews; review of process, reports, and risk assessment; review of workpapers, reports, and technology plan; report files); process stages (Planning, Off-site work, On-site work, Evaluate and report); and reporting/communications.]

Planning
The five points of the planning process, if followed by the external assessment team leader,
enhance the customer’s involvement in and satisfaction with a value-added experience:

• Set scope and objectives—agree on the scope, objectives, and timing of the
full external assessment.

• Select and prepare the team—select and train (as needed) the full external
assessment team.

• Request planning documents—request and review the planning guides (see
appendix A) completed by the internal audit activity and clarify any questions
or concerns.


• Arrange preliminary visit—conduct a preliminary visit or teleconference to
gather further information, finalize the work plan, select and schedule inter-
views (see appendix C) with the internal audit activity’s key stakeholders and
internal audit management and staff, and prepare for the on-site visit.

• Distribute surveys—distribute the Executive Leadership and Operating
Management and Internal Audit Staff surveys to participants (see appendix B).

Set Scope and Objectives


The scope includes key elements:

• The internal audit activity charter that documents the purpose, authority, and
responsibility of the internal audit activity and is approved by the board.

• The expectations of the internal audit activity expressed by the oversight group,
executive management, and any other stakeholders.

• The entity’s control environment and the CAE’s audit practice environment.

• The focus on evaluating governance processes, enterprise risk, and assessing
organizational controls in audit plans.

• The integration of internal audit into the organization’s governance process,
including the combined assurance relationships and communications between
the key governance groups and assurance providers involved in that process
and the aligning of audit objectives and plans with the objectives of the entity
as a whole.

• The IPPF and any other legal requirements laid down for the internal audit
activity within the specific organization and/or country.

The objectives achieved in a full external assessment:

• Provide an opinion on the internal audit activity’s conformance with the
Standards and the Code of Ethics.


• Assess the efficiency and effectiveness of the internal audit activity in light of
its charter; its processes and infrastructure, including the quality assurance and
improvement program (QAIP); the mix of knowledge, experience, and exper-
tise; and the expectations of the board (usually represented by a committee
of the board oversight body, such as an audit committee), executive manage-
ment, other stakeholders and assurance providers, and the CAE.

• Consider the internal audit activity’s current needs and objectives, as well as the
future direction and goals of the organization. Appraise the risk to the organiza-
tion if the results indicate that the internal audit activity is performing at a less
than effective level or is not in conformance with one or more of the Standards.

• If applicable, identify opportunities and offer ideas to the CAE and staff for
improving the effectiveness of the internal audit activity, thereby raising the
value added to management and the audit committee.

The objectives listed can be modified and others can be added to satisfy the needs of customer
organizations.

Select and Prepare the Team


As noted in the Interpretation to Standard 1312 – External Assessments, “A qualified assessor or
assessment team demonstrates competence in two areas: the professional practice of internal auditing
and the external assessment process. Competence can be demonstrated through a mixture of expe-
rience and theoretical learning. Experience gained in organizations of similar size, complexity,
sector or industry, and technical issues is more valuable than less relevant experience. In the case of
an assessment team, not all members of the team need to have all the competencies; it is the team
as a whole that is qualified. The chief audit executive uses professional judgment when assessing
whether an assessor or assessment team demonstrates sufficient competence to be qualified.”

• Standard 1312 – External Assessments specifies that the full external assess-
ment must be conducted by a qualified, independent assessor or assessment
team from outside the organization.

• Qualified individuals are persons with the technical proficiency, internal audit
experience, business experience, and educational background appropriate for
the audit activities to be assessed. This could include internal auditors from
outside the organization, independent consultants, or independent outside
auditors, but preferably not the external audit firm that audits the organiza-
tion’s financial statements, or consultants providing any co-sourcing for the
entity. “From outside the organization” means not a part of, or under the
control of, the corporate entity.

Following is a list of the possible qualifications and criteria by which the CAE can assess the
competence of a full external assessment team. Specific engagements may require additional
unique qualifications.

• Experience (reference Standard 1312 and Implementation Guide 1312 –
External Assessments)

  ◦ The full external assessment team should comprise personnel of at least
    managerial level.

  ◦ The team leader should have experience that is comparable to that of the
    CAE of the internal audit activity being assessed.

  ◦ The team leader should be a competent, certified internal audit professional.

  ◦ Each team member should have a thorough understanding of current
    internal audit practices and the IPPF and its application, sound judgment,
    and good communication and analytical skills.

  ◦ The full external assessment team should possess or have ready access to
    all of the necessary technical expertise (e.g., governance, IT, risk management,
    internal audit attributes, management consulting, and internal
    audit management).

  ◦ Knowledge of the organization’s industry, service, or internal audit activity
    by at least one team member is an important consideration to be evaluated
    by the customer.

• Objectivity

  ◦ The full external assessment team should objectively consider the expectations
    of the audit committee, executive management, and the CAE; the
    audit structure; and the policies and procedures of the organization and
    the internal audit activity.

  ◦ To ensure freedom from bias in the full external assessment, there should
    not be any relationship, either directly or indirectly, between the organization
    and the full external assessment team that is, or appears to be, a
    conflict of interest. Such relationships could significantly negate the benefits
    of the full external assessment.

Request the Planning Documents Completed by the Internal Audit Activity
• The full external assessment process becomes easier when planning documentation
is completed by the internal audit activity before the on-site visit by
the team. The team leader requests relevant documentation from the CAE to
enable work to begin on the full external assessment prior to the on-site visit
(see appendix A).

• A comprehensive list of planning documentation necessary for the full external
assessment is provided to the CAE for completion, as well as survey invitations
to be responded to by executive leadership, operating management, and
internal audit staff (see appendices A and B).

Arrange a Preliminary Visit (or Teleconference)


The full external assessment team leader should arrange a preliminary visit or teleconference
with the CAE to:

• Meet the CAE and other staff that may be assisting the team during the
on-site visit.

• Clarify any misunderstandings regarding the planning documentation (see
appendix A).

• Ensure that all documents requested per the checklist can be provided (see
appendix A).

• Ensure that there are no misunderstandings regarding the time, venue, scope,
and objectives of the full external assessment.

• Identify the executive leadership, operating management, internal audit activity
staff, and other key stakeholders with whom meetings will be arranged (see
appendix C).

• Agree on the list of participants for the surveys: executive leadership, operating
management, and internal audit activity staff (see appendix B).

The full external assessment team leader should keep minutes (or a summary) of the meeting
for later attention and impressions of the organization.

Distribute Surveys
Distribute the Executive Leadership and Operating Management and Internal Audit Staff
surveys to participants. (The purpose and use of the surveys are fully discussed in appendix B.)

Off-Site Work (to be completed prior to on-site visit)
• The full external assessment team leader should review the planning docu-
mentation and all planning guides and documents noted on the document
request list provided by the CAE before visiting the organization. This will
help to plan the work outlined in the programs that will be performed on site
(see appendices A and D).

• The CAE should complete the two surveys and provide his or her best assessment
of how executive leadership, operating management, and the internal
audit activity staff will respond to each statement. Comparing the CAE’s
responses with survey results from the executives, operating managers, and
internal audit staff will provide the full external assessment team with possible
opportunities for improvement and areas of strength for the internal audit
activity (see appendix B).

Summarize the survey results for feedback to the CAE. Areas of significant
divergence between CAE responses and those of survey participants should
be investigated by the full external assessment team during their interviews,
adjusting interview guides where necessary as discussed in appendix C. The
full external assessment team (perhaps with input from the CAE during the
on-site visit) will need to interpret whether survey information has identified
positive or negative ratings or trends. The CAE should be encouraged to use
this information during training sessions with internal audit activity staff to
emphasize positive results and highlight areas that need improvement.

On-Site Work

Review appendix D to become familiar with descriptions and instructions for completing the
four program segments that follow the same sections that were used in the planning guides,
survey guides, and interview guides: Internal Audit Governance (D-1), Internal Audit Staff
(D-2), Internal Audit Management (D-3), and Internal Audit Process (D-4).

On-site work is the most comprehensive element of a quality assessment and includes:

• Interview selected members of the board (audit committee), executive management,
operating managers, and internal audit management and staff, and focus
on organizational risks, objectives, and the internal audit activity’s effective-
ness for staying current and adding value, with respect thereto. This is one of
the most valuable on-site activities. Interviews allow for in-depth exploration
of issues raised by survey results, and the perceptions gathered from interviews
should be investigated further and corroborated whenever possible, complete
with hard evidence. It is best to conduct these interviews at the beginning of
the on-site visit, but they may continue throughout the visit to accommodate
the busy schedules of executive management (see appendix C).

• Consider the work of other monitoring and assurance functions. Determine if
any reliance is placed on the work of other assurance functions and the mech-
anisms in place to support this reliance.

◦ Determine if the CAE is responsible for other areas beyond internal
auditing; and if so, the mechanisms in place to actively manage the actual
or perceived impairments to independence or objectivity this might cause.

◦ Review the internal audit activity’s audits and consulting engagements,
reports, and supporting documentation and its administrative and operating
policies, practices, procedures, and records.

• Determine if the staffing knowledge and skills, especially in IT, risk assessment,
controls monitoring, interaction with governance participants, successful prac-
tices, and other areas, will pinpoint evidence of continuous improvement.

◦ Review reports and communicate with management and the board (audit
committee) to assess the extent that the internal audit activity meets objectives
and adds value.

◦ Review and assess the coordination of the internal audit activity with the
work of the independent auditors.

◦ Evaluate the internal audit activity’s conformance with the Standards and
Code of Ethics and other relevant policies and procedures.

◦ Review the quality/process improvement actions currently underway and
planned for the near term. Also consider successful practices appropriate
to the organization’s environment.

• The on-site process is a cumulative experience for the team. Therefore, frequent
discussions are held and information is assessed to offer practical suggestions
reflecting the current thinking of the profession.

The time spent for on-site work should be determined by such factors as the size of the internal
audit activity, workpaper reviews, and interview schedules. On-site work typically lasts for
one to two weeks, depending on the scope of work and the objectives of the full external
assessment, and the size, geographic dispersion, and structure of the internal audit activity.

Evaluate and Report
See appendix E for a discussion of the evaluation process, including rating scales.

Evaluate Against the IPPF


• The most important aspect of the full external assessment is the team’s evalua-
tion of the internal audit activity’s conformity with the Standards and the Code
of Ethics, its adherence to its charter, the extent of its adoption of successful
practices, and its program of continuous improvement. These evaluations
may also identify additional opportunities for continuous improvement. This
process is the culmination of the full external assessment team’s analysis of
surveys, interviews, and documentation.

• As appropriate, the full external assessment team will provide the CAE with
recommendations for the internal audit activity to enhance conformance with
the Standards and the Code of Ethics, add value for clients, and be a catalyst
for positive change in the organization. Finally, the full external assessment
team will exercise its professional judgment to render an opinion as to the level
of conformance with the Standards and the Code of Ethics by the internal
audit activity.

Summary of Issues, Recommendations, and Closing Conference
See appendix E for a discussion that summarizes the collective view of the assessor or assess-
ment team related to conformance with the Standards and the Code of Ethics. It provides
documentation of the results of all work performed and documented in the Planning Guides
(appendix A), Survey Guides (appendix B), Interview Guides (appendix C), and Program
Guides (appendix D). Appendix E documents the basis for the reporting of external assess-
ment results. Items that should be considered include:

• Issues should be brought to the attention of the CAE and discussed as appropriate
as they come up throughout the full external assessment. The closing
conference should be regarded as an opportunity to summarize and formalize
the views of the full external assessment team and the CAE.

• The full external assessment team’s evaluation process emphasizes successful
practices and the issues that require attention. It is desirable to prepare a written
summary of the successful practices, observations, and recommendations for
those attending the closing conference. This written summary provides the
team leader and team members with a framework for the closing conference.

• The CAE, with advice from the full external assessment team leader, will
decide who will attend the closing conference. Since the individual observa-
tions should have been discussed with internal audit management throughout
the full external assessment, the closing conference should hold no surprises.
It should be an orderly discussion of the significant issues, conclusions, and
recommendations. It also provides the CAE with an opportunity to comment
on the observations and recommendations.

Reporting
• A draft report is prepared either before or after the closing conference (see
appendix F). When the full external assessment team leader completes the
draft, copies are sent to the team for comment within a specific time frame.
Comments are considered and, as appropriate, incorporated into the draft
report before it is sent to the CAE. The CAE is asked to respond to the recom-
mendations and provide an action plan.

• The final report, in conjunction with the CAE’s response or action plan, will
typically be addressed to the CAE with the expectation that copies will be
distributed to representatives of the board (the chair of the audit committee or
other internal audit oversight body of the board) and the executives to whom
the CAE reports. Copies of the full external assessment report should also be
addressed to the individuals or groups initiating the full external assessment.

Frequently Asked Questions
1. Question: I’ve heard the term “point-in-time assessment.” What does that
mean and what are the implications for a full external assessment?

➜ Answer: “Point in time,” in the context of a full external assessment, means
that the conclusions drawn and reported are as of a specific date—typically
the last date of on-site fieldwork by the full external assessment team.
This allows the team to take into consideration the results and discussions
of the closing conference with the internal audit activity prior to finalizing
their conclusions. A point-in-time assessment places greater reliance
on data nearer that time. For example, workpapers reviewed for projects
completed nearer the point in time provide stronger evidence of performance
than workpapers for engagements from several years prior to the
full external assessment. It is critical to remember that while a full external
assessment report may be issued as of a point-in-time assessment, the
QAIP is a continuous process that incorporates ongoing monitoring of
performance and periodic assessment to ensure that levels of conformance
with the Standards and the Code of Ethics continue to be strengthened
during periods between external assessments.

Quality Assessment Process Map
The Quality Assessment Process Map for a full external assessment, indicating the division of
work between the internal audit activity and the independent external assessor or assessment
team, is shown on page 52. Note that conducting surveys and scheduling interviews require
close coordination between the internal audit activity and the independent external assessor.

QUALITY ASSESSMENT PROCESS MAP
Full External Assessment

[Figure: process map. Columns: IA Governance, IA Staff, IA Management, IA Process. Labels on the map, top to bottom: “Completed by the IA Activity”; “Completed by the Independent External Assessment Team.” Rows, top to bottom:]

• Background Information and Document Request Checklist: Background information on the internal audit (IA) activity. Document Request Checklist cross-referenced to planning/program process flow: IA Governance, IA Staff, IA Management, and IA Process.

• Planning Guides (A1, A2, A3, A4) designed for each segment.

• Survey Guides containing elements from each segment: B-1 Executive Leadership & Operating Management; B-2 IA Staff.

• Interview Guides containing elements from each segment: C-1 Chief Audit Executive; C-2 Board Members, Senior & Operating Management; C-3 IA Staff; C-4 External Auditors & Other Assurance Providers.

• Program Guides (D1, D2, D3, D4) designed for each segment. Assessors document their conclusions regarding conformance with mandatory guidance here.

• Evaluation Summary provides a record of ratings determined within the programs by assessors.

• Quality Assessment Report formatted to meet the needs of key stakeholders.

Chapter 5

Self-Assessment with Independent Validation

Overview
Standard 1312 – External Assessments requires that an external assessment of an internal
audit activity be conducted at least once every five years by a qualified, independent assessor
or assessment team from outside the organization. The objective of the external assessment
is to evaluate an internal audit activity’s conformance with the Standards and Code of Ethics.
Implementation Guide 1300 states, “Through conformance with the Standards and Code
of Ethics, the internal audit activity also achieves alignment with the Definition of Internal
Auditing and the Core Principles for the Professional Practice of Internal Auditing.”

External assessments may also focus on identifying opportunities to enhance internal audit
processes, offer suggestions to improve the effectiveness of the internal audit activity, promote
ideas to enhance the activity’s image and credibility, and offer operational or strategic comments.
This approach embraces the successful practices of the profession and emphasizes governance,
risk management, and control processes as important areas for auditors’ attention. External
assessment recommendations focus on opportunities for continuous improvement and are
offered to enhance conformance with the Standards and the Code of Ethics and the internal
audit activity’s ability to add value to the organization.

As noted in Standard 1312 – External Assessments, “External assessments may be accomplished
through a full external assessment, or a self-assessment with independent validation.”
A self-assessment with independent validation includes a comprehensive and fully docu-
mented self-assessment process that requires the CAE to complete the self-assessment work,
and normally provides limited attention to benchmarking, review, and consultation related
to successful internal audit practice. Essentially, the CAE oversees the efforts of an internal
assessment team that completes planning documentation, performs assessment work programs,
evaluates conformance with the Standards and Code of Ethics, and produces a report summa-
rizing assessment results.

The same basic body of work needs to be performed and documented for a self-assessment
with independent validation as for a full external assessment (see chapter 4). The self-
assessment should be performed with the same level of due professional care found in
performing other internal audit engagements and should be structured in a manner that fully
documents and supports planning, fieldwork, and reporting activities.

The independent external assessor or assessment team validates the work of the internal assessment
team through review of assessment planning documentation, re-performing a sample of
assessment work program steps, conducting interviews with key stakeholders (board members,
executive leadership, operating management, and internal audit management and staff), and
assessing the conformance conclusions reported by the internal assessment team.

The internal assessment team should expect to submit all of its documentation related to
assessment planning, assessment work programs, and its final assessment report to the inde-
pendent external assessor or assessment team well in advance of any on-site visit by the external
assessor to perform the validation activities.

Defining the Scope of the Assessment
Implementation Guide 1312: External Assessments provides recommended guidance regarding
the performance of a self-assessment with independent validation, and notes that the primary
objective is to assess conformance with the Standards and Code of Ethics. Through consultation
with the board and senior management, the CAE should define the scope of the self-
assessment with independent validation, which may include feedback on potential leading prac-
tices or identification of opportunities for enhancing existing internal audit activity processes.

Planning
A well-established QAIP provides a solid framework for achieving a successful self-assessment
with independent validation. The documentation, assessments, metrics, and reporting that
comprise an internal audit activity’s QAIP should be useful in preparing much of the mate-
rial required to perform the assessment.

Planning, scheduling, and staffing the self-assessment should follow the same process the
internal audit activity uses to execute and control any assurance or consulting engagement.
Assigning resources necessary to complete the self-assessment should be part of the annual
plan for the internal audit activity for the year in which the self-assessment with indepen-
dent validation is to be performed. Progress updates regarding the self-assessment should be
included with status reporting for all other engagements in the process as a component of
periodic reporting to senior management and the board.

Many internal audit activities that utilize electronic workpapers for internal audit engagements
find it helpful to document the self-assessment component as a separate audit in their work-
paper system. This allows for documentation of planning, fieldwork, and reporting activities
consistent with their prescribed framework, using guides, programs, tools, and templates as
found in this manual.

Key considerations for determining resource requirements and preparing a schedule of activ-
ities for the self-assessment with independent validation include:

• An evaluation of additional documentation and analysis required by the planning
tools (see appendix A) beyond what is readily available from the internal
audit activity’s existing QAIP documentation.

• An estimate of time required for distributing, collecting, and analyzing survey
tools (see appendix B). This activity should be coordinated with the external
independent assessor as discussed below.

• A proposal from the independent external assessor regarding the number of
interviews (see appendix C) they wish to conduct with the board, senior executives,
operating management, and internal audit activity management and
staff. This activity should be coordinated with the external independent assessor
as discussed below.

• An estimate of time required for the internal assessment team to complete the
assessment programs (see appendix D). A critical assumption for this estimate
is the number of engagement files to be reviewed as part of the internal audit
process program.

• A discussion with the independent external assessor regarding how much time
they need for their on-site work, and how far in advance of the on-site work
they want to receive documentation prepared by the internal audit activity’s
internal assessment team.

Upon completion of the on-site work by the independent external assessor, the self-assessment
with independent validation’s schedule should allow time for the external assessor to complete
the Independent Validation Statement (see appendix F-4).

Selecting the Independent External Assessor for a Self-Assessment with Independent Validation
As noted in the Interpretation to Standard 1312 – External Assessments, “A qualified assessor or
assessment team demonstrates competence in two areas: the professional practice of internal auditing
and the external assessment process. Competence can be demonstrated through a mixture of expe-
rience and theoretical learning. Experience gained in organizations of similar size, complexity,
sector or industry, and technical issues is more valuable than less relevant experience. In the case of
an assessment team, not all members of the team need to have all the competencies; it is the team
as a whole that is qualified. The chief audit executive uses professional judgment when assessing
whether an assessor or assessment team demonstrates sufficient competence to be qualified.”

“An independent assessor or assessment team means not having either an actual or a perceived
conflict of interest and not being a part of, or under the control of, the organization to which the
internal audit activity belongs.”

The CAE should consult with the board and senior leadership regarding selection of the
external assessor or assessment team based on a thorough review of their qualifications and
experience. The CAE should also obtain a signed statement from the external assessor or
assessment team confirming their independence as defined in the Standards. This is typically
done during the contracting process.

Communication and Coordination with the External Validation Assessor

As indicated on the Quality Assessment Process Map appearing at the end of this chapter,
most of the work in performing a self-assessment with independent validation is completed
by the internal audit activity’s internal assessment team. However, the external assessor will
perform some work during the on-site visit, and coordination with the internal assessment
team will facilitate completion of the external assessor’s work.

One area requiring coordination is the completion of surveys (see appendix B). The internal
assessment team (or CAE) and the external assessor should agree on who will be asked to
participate in the surveys and on the schedule for completing the surveys. The internal assess-
ment team would be responsible for sending out the surveys, and survey participants will
normally send their responses directly to the external assessor for collation and evaluation of
results. The external assessor will review results of the surveys with the CAE and the internal
assessment team during the on-site visit. The external assessor will also use information gained
from the surveys in completing interviews with key stakeholders.

Another area for coordination is scheduling and conducting interviews (see appendix C) with
key stakeholders. Again, the internal assessment team (or CAE) and the external assessor
should agree on who will be interviewed and on the schedule for completing the inter-
views. Interviews are normally conducted by the external assessor during the on-site visit.
At a minimum, the external assessor or assessment team will interview the board committee
chair responsible for internal audit activity oversight, the CEO, the person to whom the
internal audit activity reports administratively within the organization (if not the CEO),
and the external audit partner. Other interviews of key stakeholders are specifically coordi-
nated with the CAE.

During the on-site visit, the external assessor will review tests of audit engagement files
prepared by the internal assessment team. The external assessor may also want to review other
audit engagement files not reviewed by the internal assessment team. To enable the external
assessor to complete this review, the internal assessment team should provide the external
assessor with appropriate access to any relevant software.

Work to Be Completed Before
the On-Site Visit
The CAE should oversee completion of the self-assessment of the internal audit activity, which
uses the same tools completed during a full external assessment (see appendices A, B, and
D–F). Key elements of the self-assessment to be performed and documented by the internal
audit activity’s internal assessment team include:

• Completing the planning guides (see appendix A), which include an analysis of
the internal audit activity’s operations and answers to a series of questions that
provide insight into the CAE’s views regarding specific conformance criteria
related to the Standards or the Code of Ethics.

• Conducting surveys using the survey guides (see appendix B) that collect infor-
mation from senior leadership, operating management, and internal audit
management and staff regarding various aspects of the internal audit activity.
Use of the surveys should be coordinated with the external assessor or assess-
ment team as described above.

• Executing the assessment programs (see appendix D) that are intended to
collect, evaluate, and document evidence of conformance with the Standards
and the Code of Ethics.

• Summarizing results of the evaluation (see appendix E).

• Preparing a report (see appendix F) of the results of the self-assessment to be
validated by the external assessor and eventually distributed to the board and
other appropriate stakeholders.

All of the above materials should be made available to the external assessor for use in completing
the review and validation of the self-assessment. The internal audit activity should coordinate
with the external assessor or assessment team as to which documents will be supplied to the
external assessor before the on-site visit. The external assessor will also schedule interviews to
be conducted during the on-site visit.

Work Completed During the On-Site Visit

During the on-site visit, the external assessor will review documentation prepared by the
internal assessment team and perform sufficient tests of the self-assessment to validate results
and express an opinion regarding conformance with the Standards and the Code of Ethics
to include:

• Exercising professional judgment in determining the extent of testing of the
self-assessment based on the size and complexity of the internal audit activity.

• Conducting interviews with key stakeholders to follow up on any issues or
opportunities identified from the surveys—all within the agreed-upon scope
of the self-assessment with independent validation.

As nearly all of the work performed during a self-assessment with independent validation
is completed by the internal audit activity’s internal assessment team, the amount of time
required on site by the external assessor is normally much less than that required by an external
assessment team performing a full external assessment.

Reporting and Follow-Up
Upon completion of fieldwork, the independent external assessor will provide an opinion
confirming the results, or expressing disagreement with the self-assessment, as appropriate. If
the external assessor is not in agreement with the self-assessment report, the external assessor
can add dissenting wording to the report, specifying the points of disagreement.

The final report of the self-assessment with independent validation should be signed by the
internal audit activity’s internal assessment team and the independent external assessor, and
issued by the CAE to senior management and the board (see appendix F).

Frequently Asked Questions


1. Question: What are the costs and benefits associated with the decision to
perform a self-assessment with independent validation versus a full external
assessment?

➜ Answer: The obvious difference is the higher out-of-pocket costs associated
with a full external assessment. However, the internal audit activity’s
internal resource commitment may be much higher with a self-assessment
with independent validation. Many CAEs choose to perform a self-assessment
with independent validation following the initial establishment of
their QAIP to achieve the benefit of building quality into the operations.
The benefit of a full external assessment comes from a potentially broader
scope than a self-assessment with independent validation, and perhaps
a more robust assessment process being performed by an external team.

2. Question: I’ve heard the term “point-in-time assessment.” What does that
mean and what are the implications for a self-assessment with independent
validation?

➜ Answer: “Point in time,” in the context of a self-assessment with independent
validation, means that the conclusions drawn and reported are
as of a specific date—typically the last date of fieldwork by the internal
assessment team and the last day of on-site work by the external assessor
who performs the validation. This allows the external assessor performing
the validation to take into consideration the results and discussions of
the closing conference with the internal audit activity prior to finalizing
conclusions. A point in time places greater reliance on data nearer that
time. For example, workpapers reviewed for projects completed nearer
the point in time provide stronger evidence of performance than workpapers
for engagements from several years prior to the self-assessment.
It is critical to remember that while a self-assessment report and corresponding
validation may be issued as of a “point in time,” the QAIP is
a continuous process that incorporates ongoing monitoring of performance
and periodic assessment to ensure that levels of conformance with
the Standards and the Code of Ethics continue to be strengthened during
periods between external assessments.

Quality Assessment Process Map
The Quality Assessment Process Map for a self-assessment with independent validation indicating
the division of work between the internal audit activity and the independent external
assessor or assessment team is shown on page 62. Note that conducting surveys and sched-
uling interviews requires close coordination between the internal audit activity and the
external independent assessor.

QUALITY ASSESSMENT PROCESS MAP
Self-Assessment with Independent Validation

[Figure: process map. Columns: IA Governance, IA Staff, IA Management, IA Process. Labels on the map, top and bottom: “Completed by the IA Activity.” Rows, top to bottom:]

• Background Information and Document Request Checklist: Background information on the internal audit (IA) activity. Document Request Checklist cross-referenced to planning/program process flow: IA Governance, IA Staff, IA Management, and IA Process.

• Planning Guides (A1, A2, A3, A4) designed for each segment.

• Survey Guides containing elements from each segment: B-1 Executive Leadership & Operating Management; B-2 IA Staff.

• Interview Guides containing elements from each segment: C-1 Chief Audit Executive; C-2 Board Members, Senior & Operating Management; C-3 IA Staff; C-4 External Auditors & Other Assurance Providers.

• Program Guides (D1, D2, D3, D4) designed for each segment. Assessors document their conclusions regarding conformance with mandatory guidance here.

• Evaluation Summary provides a record of ratings determined within the programs by assessors.

• Quality Assessment Report formatted to meet the needs of key stakeholders.
