The Internal Auditor’s Basic Guide to an External Quality Assessment (EQA)
Every internal auditor knows that keeping your work sharp and aligned with professional standards isn’t just a nice-to-have. It’s a must. And with the updated Global Internal Audit Standards (IIA Standards) from The IIA now in effect (as of January 9, 2025), there’s a new path forward for doing just that.
A Quality Assurance and Improvement Program (QAIP) is essential for internal audit teams to meet professional standards and continuously improve. It ensures audits align with professional standards, evaluates performance and identifies areas for growth.
The QAIP requires both internal and external assessments, which means that an External Quality Assessment (EQA) isn’t just recommended. It’s required as a component of the QAIP.
Whether you’re gearing up for your first EQA or just want a refresher, this guide breaks down the basics.
What is EQA?
The EQA is a core part of the QAIP, which is required under Principle 12 – Enhance Quality within the IIA Standards.
An EQA is an independent review that evaluates:
- Whether your internal audit activity conforms to IIA Standards
- How well the audit function is achieving its goals
- Opportunities for improvement
Why do I need an EQA?
First and foremost, without an EQA, an internal audit function does not fully comply with the IIA Standards.
External assessments also help the internal audit team determine whether they are:
- Operating in line with the internal audit and audit committee charters
- Addressing the organization’s risk and control assessments
- Using resources effectively
- Applying best practices
Who needs to have an EQA?
Every internal audit function (no matter the company’s industry, sector, size or whether it’s in-house, outsourced or co-sourced) must have a QAIP that includes both internal and external assessments.
How often do I need an EQA?
An EQA must be performed at least once every five years. However, you may need EQAs more often if:
- There have been significant changes in the audit function
- You have seen low performance or are concerned about quality
- You operate in a highly regulated space
- You experience a merger or acquisition
Who performs an EQA?
An EQA must be performed by a qualified, independent assessor or assessment team.
You may also meet the external quality assessment requirement by performing a self-assessment, as long as it’s reviewed by an independent validator. The Chief Audit Executive must make sure that at least one person on the validation team has an active Certified Internal Auditor® (CIA) certification.
Who on the Internal Audit Team should be involved in the EQA?
While the Chief Audit Executive leads the EQA process, it’s important for the entire Internal Audit Team to be involved in some way.
Senior Auditors or Audit Managers may help gather documentation, answer questions and participate in interviews. Staff auditors should also be prepared to speak with the assessor about their work, tools and understanding of the IIA Standards.
How should I prepare for an EQA?
Preparing for an EQA often takes more time than expected, so it’s smart to start early and plan ahead.
One of the best ways to prepare is to ensure your team has a thorough understanding of the IIA’s Global Internal Audit Standards. Having this foundation at the beginning of the process will allow you to most effectively grasp the findings and make improvements based on the assessment’s end results.
If you’ve had assessments in the past, you may find it helpful to review past findings, and it can also be helpful to perform a readiness assessment or a gap analysis. It can also help to thoroughly organize your documentation before the assessment and to connect with your various stakeholders.
The Chief Audit Executive is ultimately responsible for creating a plan for an external quality assessment and discussing it with the Board.
Gather key documents, such as your internal audit charter, audit plans, risk assessments, policies and procedures, QAIP documentation and any recent audit reports.
You should also gather evidence of staff qualifications, training records, performance metrics and stakeholder communications. If you’ve had previous assessments, include those reports and any action plans that resulted from them.
What are the results of an EQA?
Your assessor will assign one of four ratings:
- Full Achievement
- General Achievement
- Partial Achievement
- Nonachievement
If you receive a “Full Achievement” or “General Achievement” rating, you completed the assessment successfully.
How should I select an assessor?
When choosing an external quality assessor, make sure they are independent, have no conflicts of interest and understand internal auditing. Look for someone with experience doing EQAs, especially in your industry, and who is familiar with the latest IIA Standards.
Remember, at least one person on the assessment team must also have an active Certified Internal Auditor® (CIA) certification.
Good communication is important too. Your assessor should be able to explain their findings clearly and work well with your team.
What happens after the EQA?
After the EQA, the Chief Audit Executive should review the report, share it with the Audit Committee or Board and create an action plan to address any issues.
This plan should include specific steps, deadlines and who is responsible. Once the plan is in place, the team should begin making improvements, track progress and provide regular updates to leadership.
Learn more about EQAs
To learn more about EQAs and what to expect in the process, contact your Warren Averett advisor directly, or ask a member of our team to reach out to you.
