Quality Services Frequently Asked Questions

Assessments conducted in 2025 will primarily evaluate conformance with the Global Internal Audit Standards. The quality assessor will exercise professional judgment in considering the internal audit function's efforts to comply with these standards, while also taking into account work performed under The IIA’s previous International Standards for the Professional Practice of Internal Auditing.

The Standards will be effective for external quality assessments on January 9, 2025, 12 months after the date of the Standards publication.

Options for conducting your next external quality assessment.

• If your next assessment was due in 2024, you should proceed with your assessment when due under the existing IPPF.
• If your assessment is due in 2025, you can choose to accelerate your assessment under the existing IPPF in 2024. The IIA recommends adding a supplementary gap/readiness assessment to assess how well your function is prepared to implement the new Standards.
• Gap/readiness assessments may be scheduled at any point to help your internal audit function prepare to implement the new Standards effectively.

For more information about external quality assessments, please visit the Quality Services webpage.

The current quality assessment manual remains in effect and valid until updated and applies to quality assessments performed for the 2017 issued Standards. A new Quality Assessment Manual was released in September 2024 for the e-book and a hard copy version was available in late 2024. The new Quality Assessment Manual applies for quality assessments performed for the Global Internal Audit Standards. The new Quality Assessment Manual includes guidance for assessors and updated tools for conducting both an internal and external quality assessment.

An External  Quality Assessment is an evaluation of an internal audit  function conformance with the International Professional Practices Framework (IPPF)^® which includes the Global Internal Audit Standards.

Execution of a Quality Assessment may be accomplished by a Full-scope External Quality Assessment or by a Self-assessment with Independent Validation. Standard 8.4 External Quality Assessments identifies the requirement for a Quality Assessment. A successful Quality Assessment (i.e., a rating of Full Achievement or General Achievement) is required for an internal audit function to be in full conformance with the Global Internal Audit Standards.

All internal audit functions, regardless of size or whether they are outsourced or co-sourced, are required to undergo and External Quality Assessments under Standard 8.4, External Quality Assessment. Ongoing and periodic internal assessments (Standard 12.1 Internal Quality Assessment) lay the foundation for external assessments (and, together, internal and external assessments are a component of an organization’s Quality Assurance and Improvement Program (QAIP).  A QAIP also includes Standard 12.2, Performance Measurement and Standard 12.3, Oversee and Improve Engagement Performance.

Internal assessments must include ongoing evaluations of the performance of the internal audit function and periodic self-assessment reviews performed by the internal audit function. External assessments require an outside team of independent qualified reviewers to evaluate conformance and performance against the Global Internal Audit Standards with the results reported directly to the Board. Under Standard 12.1 Internal Quality Assessment, the chief audit executive must communicate the results of periodic self-assessments and action plans to the board and senior management. Under Standard 8.3 Quality, the communications to the board for both internal and external assessments must include not only the internal audit function’s conformance to the Standards, but also achievement of performance objectives, compliance with laws and/or regulations relevant to internal audit (if applicable), and if applicable, plans to address the internal audit function’s deficiencies and opportunities for improvement.

Yes. The “Performing an Effective Quality Assessment” course will provide attendees with the appropriate knowledge and skills to plan, perform, and evaluate the results of an external quality assessment case study. You will also learn about processes and tools in The IIA’s Quality Assessment Manual (QA Manual) that can help you identify opportunities to improve your internal audit quality activities. The “Building a Sustainable Quality Program” course is designed to help attendees understand how to build and maintain an effective Quality Assurance and Improvement Program (QAIP), leading to a successful external quality assessment.

The IIA also offers a Quality Assessor Certificate Program that provides participants with the basics for conducting Qualtiy Assessments and also provides a Certificate upon successful completion of an exam.

View more information on the courses that can be accessed.

Standard 8.4 External Quality Assessment defines the required competency of the external assessors. Accordingly, the assessment team must collectively include::

• One member who is a CIA.
• Experience with and knowledge of the Standards and leading internal audit practices.
• Experience as a chief audit executive or comparable senior level of internal audit management.
• Experience in the organization's industry or sector.
• Previous experience performing external quality assessments.
• Completion of external quality assessment training recognized by The Institute of Internal Auditors.
• Attestation by assessment team members that they have no conflicts of interest, in fact or appearance.

Yes. IIA Quality Services offers Full-scope External Quality Assessments and Self-assessments with Independent Validation to help internal audit function fulfill their External Quality Assessment requirement.  In addition, IIA Quality Services offers a Gap Assessment service that provides departments with a detailed roadmap to help ensure internal audit functions effectively and efficiently implement the Standards and includes  actions needed to ensure  full conformance.  If you are interested in more information or having IIA Quality Services conduct your internal audit function’s next Quality Assessment or help you implement the new Standards by conducting a Gap Assessment, please access the Quality Services website.

The IIA offers a Quality Assessor Certificate Program that provides participants with the basics for conducting Qualtiy Assessments and also provides the Certificate upon the successful completion of an exam.

View more information on the Certificate program as well as other quality courses offered that can be accessed.

The five-year cycle starts when an internal audit function formally adopts the Standards. If the Standards were formally adopted at the same time as when the merger occurred, the five-year cycle began at the same time. If the Standards were previously formally adopted by the surviving internal audit function, the five-year cycle starts when the Standards were first adopted or from the most recent External Quality Assessment, whichever is later. Adoption of the Standards establishes the intent of the internal audit function to comply and, as a result, is considered the starting point of the five-year period before an External Quality Assessment is required. Examples of evidence to examine to support the date of the adoption of the Standards include audit committee minutes, updates to the Internal Department Audit Charter, and the use of the phrase “conducted in conformance with the Standards” in audit reports, etc.

No. An internal audit function must demonstrate conformance with The IIA’s Standards by having successfully completed an External Quality Assessment with a rating of either Full Achievement or General Achievement before it can state that it is in conformance. Simply having a contract to perform an External Quality Assessment after the end of the five-year cycle is not sufficient to demonstrate the conformance with the Standards. Therefore, the internal audit function cannot state that it is in conformance with the Standards.​

Standard 8.4 External Quality Assessment identifies the required collective competencies of the external assessors.

Accordingly, the assessment team must collectively include:

• One member who is a CIA.
• Experience with and knowledge of the Standards and leading internal audit practices.
• Experience as a chief audit executive or comparable senior level of internal audit management.
• Experience in the organization's industry or sector.
• Previous experience performing external quality assessments.
• Completion of external quality assessment training recognized by The Institute of Internal Auditors.
• Attestation by assessment team members that they have no conflicts of interest, in fact or appearance.

Regardless of an organization’s industry or the internal audit function’s complexity or size, there are two approaches to External Quality Assessments.

A Full-scope External Quality Assessment (EQA) involves an independent Assessment Team, led by an qualified experienced and professional Team Leader and assisted by qualified Team Members. This is a more expensive option, as there is less work required by the internal audit function(in comparison to the SAIV described below).  The EQA is conducted in accordance with the Quality Assessment Manual with most of the work conducted by the Independent Assessment Team.

A Self-assessment with Independent Validation (SAIV) is where the internal audit function performs the “self-assessment” portion and an external, independent qualified validators reviews the self-assessment portion and provides their “independent validation.”  The SAIV is conducted in accordance with the requirements of the Quality Assessment Manual and the self-assessment team is responsible to execute all aspects of the requirements as defined in the Quality Assessment Manual. This is a more economical approach because the client completes most of the work.

Both types include workpaper reviews, surveys, stakeholder interviews, and issuance of a report that provides a rating as identified by the Quality Assessment Manual, i.e., Full Achievement, General Achievement, Partial Achievement and Non-Achievement.

The Quality Assessment Manual provide for four ratings, two of which are required for successful completion of the Quality Assessment – Full Achievement or General Achievement.  The table below provide additional information.

An internal audit function must undergo a Quality Assessment at least once every five years to comply with Standard 8.4 External Quality Assessment.  The five-year period begins when an internal audit function formally adopts the Global Internal Audit Standards.

Adoption of the Standards establishes the intent of an internal audit function to comply and, as a result, is considered the starting point of the five-year period before an External Quality Assessment is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the Internal Audit Charter, and use of the phrase “Conducted in conformance with the Standards” in audit reports, etc.

In all cases, the organization maintains the responsibility for having an External Quality Assessment performed in accordance with the IIA’s Standards as well as ensuring that all the requirements of the Standards are met by the organization. If the organization co-sources aspects of its internal audit function and has a Chief Audit Executive, it is the Chief Audit Executive’s responsibility to  ensure full conformance with the requirements of the Standards. If an organization fully outsources its internal audit function, there needs to be an individual within the organization that is designated to ensure full conformance with the requirements of the Standards. . A service provider’s specific work would be reviewed as part of the External Quality Assessment, but not the entire service provider’s policies and procedures (except relevant sections of the policies/procedures of the service provider that may apply to the internal audit department under review).

The use of the organization’s external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 8.4 External Quality Assessment,  indicate that the chief audit executive should consider potential impairments to the independence of assessors driven by past, present, or anticipated future relationships with the organization, its personnel, or its internal audit

It is mandatory that every internal audit function undergo an External Quality Assessment performed by an external, qualified and independent team or independent validator at least once every five years to ensure conformance with the Standards. The five-year period begins when an internal audit function formally adopts the IIA Global Internal Audit Standards.

Adoption of the Standards establishes the intent of the internal audit function to conform and, as a result, is considered the starting point of the five-year period before an External Quality Assessment is required. Evidence to examine to support the date of the adoption of the Standards may include audit committee minutes, updates to the Audit Charter, and use of the phrase “conducted in conformance with the Standards” in audit reports, etc.

An internal audit function cannot be in conformance with the Standards without conducting an External Quality Assessment.

Under Standard 8.4 External Quality Assessments the results of the external quality assessment or self-assessment with independent validation must be reported directly to the Board directly from the assessor. In general, the report also includes action plans in response to the recommendations for conformance gaps and enhancement opportunities contained in the report.

There are alternatives that may assist in obtaining an External Quality Assessment. For example, contact a local IIA chapter to determine if they can assist you with an independent validation conducted at minimal cost to the organization. Another option is to conduct a peer review with other local internal audit functions, rotating the assessment among members of the group; the group must include at least three member organizations. Note that the team members from the peer organizations must meet the qualification requirements covered in Standard 8.4.

Without an external quality assessment an internal audit function cannot be in conformance with the Standards

The IIA strongly encourages that results of an External Quality Assessment be strongly considered in order to arrive at a conclusion as to the reliability of the internal audit function’s work.

Full-scope External Quality Assessments or Self-assessments with Independent Validations may be conducted through peer reviews instead of utilizing external service providers. Internal auditors from three or more different organizations come together to form a pool of professionals, all of whom must be qualified to conduct External Quality Assessments. Reciprocal peer reviews between two organizations do not pass the independence test, given they are performing an assessment of each other.

Peer review teams may consist of members from different organizations within an industry or other affinity group, regional association, or other group of organizations. However, administration of this process can be quite challenging because assuring appropriate composition and assignments of the teams is imperative. Perceived independence and objectivity may also be challenging.

In any event, the assessment team must meet the qualification requirement of Standard 8.4 External Quality Assessments.

It would be preferable to have the External Quality Assessment performed by other public sector auditors who are not “related” to the department under review. The IIA recommends an independent validator be engaged to review and validate the “peer review” in a public sector setting.

Service providers themselves are not required to conform with The IIA’s Standards on quality. In accordance with the intent of Standards 8.4 External Quality, assessments are to be conducted on an organizational basis, not on a service provider basis. Therefore, when an external quality assessment is performed on an internal audit function the work of a service provider who performs co-sourced or out-sourced services will be considered in context of the function under review.

External Quality Assessments of internal audit functions are to be conducted on an organizational basis, not on a service provider basis. An External Quality Assessment of an external service provider would not qualify as sufficient evidence to conclude on the specific work performed at multiple clients. The individual organization’s internal audit work must be the focus of an External Quality Assessment, and any work performed by a service provider would be subject to review during the course of the organization’s External Quality Assessment.

The use of the organization’s external auditor to perform an external assessment could be a potential conflict of interest and may create questions regarding independence. Standard 8.4 External Quality Assessment indicate that the chief audit executive should consider potential impairments to the independence of assessors driven by past, present, or anticipated future relationships with the organization.

Yes, an External Quality Assessment would be required, regardless of whether the internal audit function was in-house or outsourced. The five-year requirement began when the internal audit function was first established, regardless of whether it was outsourced, co-sourced, or in-house. Adoption of the Standards establishes the intent of the internal audit function to comply, and as a result is considered the starting point of the five-year period before an External Quality Assessment is required. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the Audit Charter, and the use of the phrase “conducted in conformance with the Standards” in audit reports, etc.

The internal audit function has five years from the date of adoption of the Standards before an External Quality Assessment would be required. Adoption of the Standards establishes the intent of the internal audit function to comply and should be considered the starting point of the five-year period within which  an External Quality Assessment is required. Generally, adoption of the Standards and “intent” coincide with the formation of the internal audit function. However, in other cases, the election to adopt the Standards may not occur when the department is first established. Evidence to examine to support the date of the adoption of the Standards would include audit committee minutes, updates to the Audit Department Charter, and the use of the phrase “conducted in conformance with the Standards” in audit reports, etc.

Under Standard 8.4 External Quality Assessment, the CAE must develop a plan for an external quality assessment and discuss the plan with the Board.  The Board must review and approve the chief audit executive’s plan which should cover: the scope and frequency of assessments; the competencies, qualifications and independence of the external assessor or assessment team; and, if applicable, the rationale for choosing to conduct a self-assessment with independent validation instead of an external quality assessment.

Standard 8.4 External Quality Assessment identifies the required competency of the external assessors. Accordingly, the assessment team must collectively include:

• One member who is a CIA.
• Experience with and knowledge of the Standards and leading internal audit practices.
• Experience as a chief audit executive or comparable senior level of internal audit management.
• Experience in the organization's industry or sector.
• Previous experience performing external quality assessments.
• Completion of external quality assessment training recognized by The Institute of Internal Auditors.
• Attestation by assessment team members that they have no conflicts of interest, in fact or appearance.

Yes. IIA Quality Services conducts Full-scope External Quality Assessments and Self-assessments with Independent Validation. In addition to conducting these two types of External Quality Assessments, IIA Quality Services performs Gap Assessments that provides departments with a detailed roadmap to help ensure full conformance.

If you are interested in more information or having IIA Quality Services conduct your internal audit function’s next Quality Assessment or help you implement the new Standards by conducting a Gap Assessment, please access the Quality Services website.

Should an organization be in search of a subject matter expert to speak at an upcoming event about Quality Assessments and/or Quality Assurance and Improvement Programs (QAIPs), email your request to quality@theiia.org or make the request utilizing the following link: www.theiia.org/requestspeaker. Completing the form will ensure the request is in our system and will provide the information we need to secure a speaker, agree the topic, and confirm the arrangements.

With the emphasis on conformance and performance under the Global Internal Audit Standards, a QAIP is essential to demonstrate and maintain performance as well as focus on continuous improvement. As an organization grows, its operations and quality processes must evolve and be refined in order to keep pace with the changes. To ensure consistent quality in this dynamic environment, an ongoing commitment to quality  and continuous  improvement is essential through periodic internal quality assessments, ongoing monitoring, clear meaningful performance measures, and an external quality assessment. This commitment to continuous improvement is demonstrated through a documented and executed QAIP that is in conformance with the Standards.

The required elements of the program are periodic internal and external quality assessments, ongoing internal monitoring, performance measures and assurance that the internal audit function conforms to the Standards.

The IIA offers a course to assist internal audit functions in establishing and effective QAIP: Building a Sustainable Quality Program.

Internal assessments must include ongoing evaluations of the performance of the internal audit function and periodic reviews performed by self-assessments. Periodic internal assessments must be reported to the Board under Standard 12.1 Internal Quality Assessment.  External Quality Assessments require an outside team of independent reviewers to evaluate conformance with the Standards, the use of successful practices, and the efficiency and effectiveness of the internal audit function.

The IIA does not “certify” individuals or organizations that perform External Quality Assessment services. However, the IIA offers a Quality Assessor Certificate Program that provides participants with the basics for conducting External Qualtiy Assessments and also provides the Certificate upon successful completion of an exam.

The IIA offers a Quality Assessor Certificate Program that provides participants with the basics for conducting Qualtiy Assessments and also provides the Certificate upon the successful completion of an exam.

We recommend referring to Practice 1300-1, which provides an inclusive list of all elements that should be included in the QAIP.  We expect this guide to be updated for the Global Internal Audit Standards in the future but this is a good guide to use.

In addition, the IIA offers a course to assist internal audit functions in establishing and effective QAIP: Building a Sustainable Quality Program.

The criteria is described in detail in the new Quality Assessment Manual. In summary, it is a matter of determining conformity to each of the Standards individually, achievement of each Principle, and then rolling those determinations into an overall conclusion. Since it is a conclusion, the lack of general achieves to one particular Standard would not necessarily result in an overall “partial achievement” opinion or the reverse. The Standards and Principles are not equally weighted when determining the overall level of conformance or achievement, rather the professional judgement, supported by a reasonable amount of demonstrative and relevant evidence, of the assessor is used to conclude on the overall level of conformance/achievement.

A Chief Audit Executive should report and document the rationale for nonconformance of the External Quality Assessment requirement to the board and management. If the internal audit function does not undergo an External Quality Assessment during the designated timeframe (once every five years), the internal audit function may not use the phrase, “Conducted in accordance with the IIA Global Internal Audit Standards,” in its reports or in its internal audit function charter. A Chief Audit Executive that uses this statement while not in conformance is subject to ethical disciplinary sanctions by The IIA.

An internal audit function can never be in Full Conformance with the Standards if an external quality assessment is not performed as required.

If an internal audit function receives a less than “full achievement” or “general achievement” opinion regarding conformance to the Standards, the Chief Audit Executive must initiate action to cure the deficiencies and/or discuss with the audit committee the limiting factors that may need to be addressed to resolve the area(s) where one or more deficiencies were noted. The lack of a “full achievement” or “general achievement” opinion would preclude the internal audit function from indicating they operate in conformance with the Standards in any written reports or documents until the deficiency is resolved.  It is recommended that a follow-up assessment be performed.

If a Chief Audit Executive does not agree with the opinion issued by the independent assessment team or the independent validator, the Chief Audit Executive must report their view of the situation to the board/audit committee and discuss the issue with the board/audit committee to determine the appropriate action to be taken. If a “partial achievement ” or “nonachievement” opinion is received, the internal audit function is not in conformance with the Standards and the Chief Audit Executive must discuss the appropriate action to be taken with the board/audit committee to resolve the issue(s).

Yes, until the issues identified as causing the nonachievement (conformance) are resolved, the function would not be operating in conformance with the Standards. It is recommended that a follow-up assessment be performed.

A Chief Audit Executive must review the corrective action taken to resolve the nonachievement (nonconformance) issue(s) with the audit committee and report when the action plan(s) is/are complete. If an audit committee desires an external validation, additional input may be needed. When the remediation work is completed to the satisfaction of the audit committee, the internal audit function may then consider themselves in conformance with the Standards. It is recommended that a follow-up assessment be performed.

No. An internal audit function must demonstrate conformance with The IIA’s Standards before it can state it is in conformance. Having a contract to perform an External Quality Assessment after the end of the five-year cycle is not sufficient to demonstrate conformance with the Standards. As such, the internal audit function cannot state it is in conformance with the Standards.​

A reference should not be made in the internal audit function’s charter or in the internal audit function’s audit reports. The reference may be made when the internal audit function’s Quality Assurance and Improvement Program (QAIP) demonstrates that the internal audit function is in conformance with the Standards.