What the Standards Require
The IIA's Standards require internal audit functions to maintain a Quality Assurance and Improvement Programme (QAIP). This programme must include ongoing and periodic internal assessments, as well as periodic external assessments conducted at least once every five years by a qualified, independent assessor or assessment team.
The assessment evaluates conformance with the Standards, the Code of Ethics, and the internal audit charter. It results in a conformance rating (Generally Conforms, Partially Conforms, or Does Not Conform), which must be communicated to senior management and the board.
What a Quality Review Actually Measures
An external quality assessment examines a defined set of inputs: the charter, audit plan, risk assessment methodology, working paper files, reports, stakeholder feedback, and staff qualifications. Assessors interview CAE leadership, audit committee members, and key stakeholders. They review a sample of completed engagements against the Standards.
The assessment is therefore most reliable at measuring:
- Whether mandatory processes exist and are documented
- Whether working papers support the conclusions in audit reports
- Whether the function has the right technical skills on paper
- Whether independence is structurally maintained
- Whether the function communicates its results in a timely and complete way
These are genuinely important dimensions. A function that fails on these measures has serious structural problems that need to be addressed.
What a Quality Review Misses
The more instructive question is what an external quality assessment cannot reliably measure. The answer reveals why some functions that achieve "Generally Conforms" ratings continue to add limited value to their organisations.
Audit impact: The Standards do not require assessors to evaluate whether audit findings led to meaningful change. A function can produce technically conforming reports that sit unread in filing systems without any consequences for its rating. The quality of management responses, the rate of sustainable remediation, and the function's actual influence on the organisation's risk culture are outside the standard assessment scope.
Relevance of the audit plan: An assessor can confirm that a risk-based audit plan exists and is updated annually. What is far harder to assess is whether the risks selected for audit are actually the most important ones — whether the plan reflects genuine insight into the organisation's risk profile or simply perpetuates historical coverage patterns.
Relationship quality: The effectiveness of internal audit is heavily influenced by the quality of its relationships with auditees, senior management, and the board. A function with adversarial relationships will consistently struggle to gain the access, information, and cooperation it needs. External assessments include stakeholder interviews, but these rarely capture the depth of relationship dynamics.
Conformance is a floor, not a ceiling. Achieving "Generally Conforms" means the function is operating within acceptable standards — not that it is delivering exceptional value.
Using the QAIP for Genuine Improvement
The most effective CAEs treat the quality programme as a genuine improvement tool rather than a compliance obligation. This means going beyond what the Standards require to ask harder questions: Are our audits changing behaviour? Are we auditing the right things? Do our stakeholders view us as strategic partners or compliance police? Are our people developing the skills the organisation will need from us in three years?
Internal assessment mechanisms — including ongoing monitoring of key performance indicators, periodic self-assessments against the Standards, and regular stakeholder feedback surveys — provide the continuous improvement data that periodic external reviews cannot. CAEs who invest in these internal mechanisms get far more value from the external review process, because they arrive at it with a clear understanding of where their gaps actually lie.
Preparing for an External Assessment
The most common mistake functions make when preparing for an external quality assessment is treating it as an audit — gathering evidence, documenting processes, and presenting the best possible picture. The better approach is to treat it as a genuine diagnostic. Share the difficult feedback you have received. Be transparent about the areas where you know the function is underperforming. Use the assessment as an opportunity to get expert perspective on the structural changes that will make the most difference. The rating matters less than the insight you walk away with.