External quality assessment (EQA) has evolved with the new Institute of Internal Auditors (IIA) standards, and chief audit executives must develop a strategic plan to bridge any gaps in conformance. The standards set a more stringent benchmark for audit departments undergoing an EQA. Tim Berichon explained to research and advisory firm Gartner how the EQA has evolved under the new IIA standards and detailed three focus areas that assessors will scrutinize, among others, during an assessment.
Q: How will the EQA differ under the new standards?
A: The IIA standards have introduced changes in with the EQA rating scale, now consisting of four tiers, rather than three (see Figure 1). This effectively creates two passing scores (full achievement and general achievement) and two failing scores (partial achievement and non-achievement), which will make earning the rank of full achievement more difficult to attain. Achieving full conformance will be challenging, requiring extensive documentation, collaboration, and automation.
The updated ratings, which includes 52 standards grouped into 15 principles, that are grouped into five domains, provides a more logical and intuitive structure. The overall quality conclusion will provide two separate ratings: conformance to the 52 standards and achievement of the 15 principles, which comprise overall ethics and professionalism, governance of the internal auditing (IA) function, management of the IA function, and performance of the IA services.
The selection of an external assessor is crucial, as the standards are principles-based. The assessor’s professional judgment will determine how well the audit department has achieved the standards’ intent and, in the end, the principles’ intent.
Q: What steps should audit take to achieve a desired conformance level?
A: Audit departments should follow a three-step process: assess readiness, align conformance goals with the AC, and conduct an internal quality assessment (IQA).
Step 1: Assess Readiness
The best place to start is by gaining an understanding of how the department stacks up against the standards. A gap assessment will inform the level of effort required to achieve the desired conformance level and help develop a timeline for implementation.
Step 2: Align with the Audit Committee and Senior Management
The standards require greater audit committee and senior management involvement in EQA planning. CAEs should collaborate with the AC and senior management to determine the conformance rating the department aims to achieve, considering the resources needed to reach a top rating.
Step 3: Conduct an IQA
Performing an IQA is essential, especially for departments aiming for a top score. This assessment will provide evidence of performance and demonstrate how well the department has implemented the standards in practice.
Q: What areas should auditors prioritize assessing before their EQA?
A: External assessors emphasize three priority areas for auditors to focus their efforts: communication with the audit committee and senior management, establishing an audit strategy, and performance measurement processes.
1) Communicating with audit committee and senior management is important as many audit committee members are unaware of their new roles under the standards. CAEs should ensure that audit committee members and senior management understand their responsibilities, as external assessors will verify these discussions.
2) Establishing or reviewing the audit strategy also merits attention because standard 9.2 (Internal Audit Strategy) requires a functional strategy that supports organizational objectives and aligns with stakeholder expectations. Developing or reviewing this strategy will be long term and time-consuming but is crucial for conformance.
3) Confirm a solid performance measurement. The EQA will assess the department’s achievement of its performance objectives. Metrics should balance activity-based and results-based measures and align with the strategic plan.
The standards have raised the bar for EQAs, requiring audit departments to enhance coordination with stakeholders, develop comprehensive strategies, and demonstrate performance. By following the outlined steps and focusing on key assessment areas, CAEs can effectively prepare for their EQA. 