Preparing for your external quality assessment under the Global Internal Audit Standards
Jan 31, 2025 · Authored by Ashley Deihr, Tiffany Grossman
The Institute of Internal Auditors (IIA) Global Internal Audit Standards (Standards) are officially in effect as of Jan. 9, 2025—introducing new domains, principles and standards that internal audit functions must follow. This article provides an overview of these changes and offers guidance on preparing for an external quality assessment (EQA) to help ensure compliance and enhance the effectiveness of your internal audit function.
Overview of the new Standards
The updated Standards are organized into five domains, encompassing 15 principles and 52 standards. These domains provide a structured approach to internal auditing, ensuring comprehensive coverage of all critical aspects. Baker Tilly internal audit specialists have explored each of the five domains in full, diving deep into noteworthy changes and expected impacts:
- Purpose of internal auditing
- Ethics and professionalism
- Governing the internal audit function
- Managing the internal audit function
- Performing internal audit services
Each domain includes mandatory requirements, implementation considerations and examples of evidence to demonstrate conformance.
Key changes in the new Standards
The new Standards are organized by the following key areas:
- Purpose of internal auditing: Clarifies the fundamental role of internal auditing in creating, protecting and sustaining value within an organization.
- Ethics and professionalism: Sets minimum requirements for the behavior of internal auditors, including integrity, objectivity, competency, professional care and confidentiality.
- Governing the internal audit function: Outlines the relationship between the Chief Audit Executive (CAE) and the board, emphasizing the importance of independence and oversight.
- Managing the internal audit function: Details the requirements for effective management, including strategic planning, resource management, communication and quality enhancement.
- Performing internal audit services: Describes the essential steps for planning, conducting and reporting on internal audit engagements.
Preparing for an EQA
Given all the above, the question (often) becomes—how do we help ensure compliance with the Standards? Enter the EQA.
An EQA is a comprehensive review of the internal audit function's conformance with the Standards. It includes a holistic evaluation of the internal audit function, including its mandate, charter, strategy, methodologies, processes, risk assessment and audit work. The CAE must develop a plan for the EQA, which should be discussed and approved by the board. The assessment must be conducted at least once every five years by a qualified, independent assessor or assessment team. An EQA can either be a full, external assessment, in which the independent assessor comprehensively reviews the adequacy of the internal audit function against each of the Standards, or a self-assessment with independent validation, in which the CAE completes a comprehensive and fully documented internal assessment of its function's conformance with the Standards, and the independent assessor selects and validates a sample of items to determine the independent assessment was conducted completely and accurately.
How to prepare for an EQA
Review and update documentation and practices to align with new Global Internal Audit Standards: Ensure that all relevant documents—such as the internal audit charter, strategic plans, methodologies and performance measures—are up-to-date and reflect the new Standards. While it may take functions 6-to-12 months to review and update documentation and practices to align with the new Standards, it’s never too late to get into compliance. Some of the impactful changes with the new Standards include:
- Expanding the internal audit charter to include the internal audit mandate (i.e., the authority, role and responsibilities needed for internal audit to achieve its strategy and accomplish its objectives)
- Documenting internal audit’s strategy, which could include:
  - Internal audit mission and vision
  - Three-to-five strategic objectives, including actions to achieve its objectives
  - Corresponding key performance indicators (KPIs) to assess progress against the strategic objectives
- Ensuring critical items, such as the internal audit charter, plan and results, are communicated to and, where applicable, approved by the board and senior management
- Completing a competency assessment to develop a resourcing and skillset plan, aligned with the overall audit plan
- Ensuring the CAE reviews key components of each audit, such as the engagement memo, work program and final report
- Including risk ratings (or other prioritization) in audit reports, as well as an overall engagement conclusion
Conduct a self-assessment: Perform a self-assessment to identify areas of improvement and ensure that the internal audit function is aligned with the Standards. For any gaps identified, develop a plan to address them, including an estimated timeline. Results of self-assessments and the corresponding action plans should be shared with the board and senior management on a regular (e.g., annual) basis. While this step is required to initiate an EQA self-assessment with independent validation, it is also a strong expected practice for full external EQAs.
Engage with the board: Discuss the EQA plan with the board and obtain their approval. Discuss with the board the plan to undergo either a full external assessment, or a self-assessment with independent validation (SAIV). Similar to the results of any internal assessments, the CAE should also plan to provide regular updates on the progress of the EQA action plans.
Select a qualified assessor: Choose an independent assessor or assessment team with the necessary qualifications, including at least one member holding an active Certified Internal Auditor (CIA) designation. Ensure the independent assessor or assessment team is experienced and knowledgeable about the Standards and leading internal audit practices (such as a CAE or comparable senior level individual) and obtain an attestation that they have no conflicts of interest, in fact or appearance. Additional questions to consider when choosing your independent assessor may include:
- What are you trying to get out of the EQA, and are you trying to use the EQA to drive a major change?
- What experiences do you need from an independent assessor to ensure they can bring the appropriate perspective (e.g., a peer, or an assessor with a well-established enterprise risk management [ERM] program if you are trying to start ERM)?
Prepare evidence of conformance: Gather and organize evidence to demonstrate conformance with the Standards. Evidence of conformance may include:
- Audit committee and internal audit charters
- Audit committee materials, including most recent annual report to the audit committee
- Audit work files/work papers
- Internal assessment results and action plans
- Internal audit manual
- Internal audit quality assurance improvement plan and evidence of ongoing monitoring
- Internal audit strategic plan
- Organizational chart
- Prior external quality assessment report and action plan(s)
- Risk assessment and audit plan
- List of audits performed since the last EQA or SAIV
- Internal audit competency framework or models (staff assessments, development plans, other resource plans not included in the strategy)
- Internal audit status reports and evidence of monitoring management’s action plans
Conclusion
Adhering to the updated Standards is crucial for maintaining the effectiveness and credibility of the internal audit function. By preparing thoroughly for and completing an EQA, internal audit functions can help ensure compliance, enhance their performance and provide valuable assurance and advisory services to their organizations.
Whether you need help preparing for your EQA or are looking for an independent assessor - Baker Tilly knows the way forward.