Stamford, Conn., April 16, 2025
Tim Berichon
Vice President Analyst, Gartner Audit & Risk
External quality assessment (EQA) has evolved with the new Institute of Internal Auditors (IIA) standards, and chief audit executives (CAEs) must develop a strategic plan to bridge any gaps in conformance. The standards set a more stringent benchmark for audit departments undergoing an EQA.
We spoke with Tim Berichon, VP Analyst in the Gartner Audit & Risk practice, who explained how the EQA has evolved under the new IIA standards and detailed three focus areas that assessors will scrutinize, among others, during an assessment.
Journalists who would like to speak with Tim regarding this topic should contact Heather Sabharwal. Members of the media can reference this material in articles with proper attribution to Gartner.
A: The IIA standards have introduced changes in the EQA rating scale, which now consists of four tiers rather than three (see Figure 1). This effectively creates two passing scores (i.e., full achievement and general achievement) and two failing scores (i.e., partial achievement and nonachievement), which will make earning the rank of full achievement more difficult to attain. Achieving full conformance will be challenging, requiring extensive documentation, collaboration and automation.
The updated ratings, which include 52 standards grouped into 15 principles that are grouped into five domains, provide a more logical and intuitive structure. The overall quality conclusion will provide two separate ratings: conformance to the 52 standards, and achievement of the 15 principles, which comprise overall ethics and professionalism, governance of the internal auditing (IA) function, management of the IA function and performance of the IA services.
The selection of an external assessor is crucial, as the standards are principles-based. The assessor’s professional judgment will determine how well the audit department has achieved the standards’ and, in the end, the Principles’ intent.
Source: Gartner (April 2025)
A: Audit departments should follow a three-step process: assess readiness, align conformance goals with the AC, and conduct an internal quality assessment (IQA).
Step 1: Assess Readiness
The best place to start is by gaining an understanding of how the department stacks up against the standards. A gap assessment will inform the level of effort required to achieve the desired conformance level and help develop a timeline for implementation.
Step 2: Align with the AC + Senior Management
The standards require greater AC and senior management involvement in EQA planning. CAEs should collaborate with the AC and senior management to determine the conformance rating the department aims to achieve, considering the resources needed to reach a top rating.
Step 3: Conduct an IQA
Performing an IQA is essential, especially for departments aiming for a top score. This assessment will provide evidence of performance and demonstrate how well the department has implemented the standards in practice.
A: External assessors emphasize three priority areas for auditors to focus their efforts: communication with the AC and senior management, establishing an audit strategy, and performance measurement processes.
1) Communicating with AC and senior management is important as many AC members are unaware of their new roles under the standards. CAEs should ensure that AC members and senior management understand their responsibilities, as external assessors will verify these discussions.
2) Establishing or reviewing the audit strategy also merits attention because standard 9.2 (Internal Audit Strategy) requires a functional strategy that supports organizational objectives and aligns with stakeholder expectations. Developing or reviewing this strategy will be long term and time-consuming but is crucial for conformance.
3) Confirm a solid performance measurement. The EQA will assess the department’s achievement of its performance objectives. Metrics should balance activity-based and results-based measures and align with the strategic plan.
The standards have raised the bar for EQAs, requiring audit departments to enhance coordination with stakeholders, develop comprehensive strategies, and demonstrate performance. By following the outlined steps and focusing on key assessment areas, CAEs can effectively prepare for their EQA.
Additional information and example principles noted above are available to Gartner clients in the report Plan for Your Next EQA: Advice from External Assessors.
Taking place on September 8-9, 2025 in Grapevine, Texas, the Gartner Enterprise Risk, Audit & Compliance Conference will cover the challenges mission-critical to enterprise risk, audit and compliance executives across six topic areas: third-party risk management; business risk ownership; governance, risk and compliance tool; compliance program effectiveness; digital audit function; and emerging risk landscape. Follow news and updates from the conference on X using the hashtag #GartnerLegal.
Gartner for Audit & Risk helps risk and audit leaders navigate complex risk landscapes and rapid shifts in today’s business environment to deliver on critical business priorities. Additional information is available at https://www.gartner.com/en/audit-risk. Follow news and updates on LinkedIn and X. Visit the Gartner Audit & Risk Newsroom and the Gartner Legal and Compliance Newsroom for more information and insights.
Gartner (NYSE: IT) delivers actionable, objective business and technology insights that drive smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit gartner.com.