
Quality Assessment Manual Chapter 1 PDF


Chapter 1

The Framework for Quality Assurance

Overview
A critical asset for an internal audit activity is its credibility with stakeholders. To provide
credible assistance and constructive challenge to management, internal auditors must be perceived
as professionals. Professionalism requires conforming to a set of professional standards. This
chapter provides an overview of The IIA’s International Standards for the Professional Practice of
Internal Auditing and the other elements that make up the International Professional Practices
Framework (IPPF). It explains how each has evolved as the profession has matured, and how
their application should be tailored to each organization without compromising conformance
with the Standards. In particular, it presents and discusses the 1300 series of the Standards
that deals specifically with quality assurance.

Standards Require Quality Assurance Focus
Chief audit executives (CAEs) need assurance that their internal audit activity and each member
of their staff conform to all mandatory elements of the IPPF, and they need to demonstrate
this conformance to their stakeholders. The only way to meet these expectations is with a
comprehensive quality assurance and improvement program (QAIP) that includes ongoing
monitoring of performance, periodic internal assessments, external assessments conducted
by a qualified, independent assessor or assessment team from outside the organization, and
communication of the results.

Standards and Other Professional Guidance Have Evolved With the Profession
The steadily expanding scope and global reach of internal auditing is reflected in and fostered
by changes in the Standards and professional guidance. Changes occurred in the Standards
effective January 1, 2017, and contribute to the update to this manual. A significant change
in professional guidance occurred in 1999 with a new Definition of Internal Auditing and
the development of the Professional Practices Framework, which became the IPPF in 2009.
The IPPF was further updated and expanded in July 2015, and again in 2017. Evaluating
risk management and governance processes is much more challenging and meaningful than
control alone. It requires internal audit to operate at a higher, more strategic level. To operate
at this level, internal auditors need a higher level of credibility with their stakeholders.

Quality Assurance Has Evolved With the Standards


The original Standards (1978) stated, “The director of internal auditing should establish and
maintain a quality assurance program” that includes an external quality assessment (EQA)
every three years. The three-year time frame was chosen to be in line with guidance from the
U.S. Government Accountability Office (U.S. GAO). In the 2002 revision of the Standards,
The IIA changed the time frame to every five years, as this was considered more appropriate
for an internal audit activity.

Quality Assessment Manual for the Internal Audit Activity


The IPPF

The requirements and characteristics of quality in an internal audit activity are defined by
the IPPF, which consists of mandatory and recommended guidance, all provided within the
context of the Mission of Internal Audit as defined in the IPPF.

Mandatory Guidance
Mandatory guidance is considered essential for the professional practice of internal auditing.
Mandatory guidance is submitted for review by the entire global profession through the
exposure draft process. It consists of four elements:

• Core Principles: The Core Principles for the Professional Practice of Internal
Auditing are the foundation for the IPPF and support internal audit effectiveness.

• Definition of Internal Auditing: “Internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.”

• Code of Ethics: The Principles and Rules of Conduct of the Code of Ethics
define ethical behavior for a professional internal auditor.

• Standards: The Standards are the central criteria that define the attributes
and characteristics of performance for an internal audit activity, including the
requirements for a QAIP.

Recommended Guidance
Recommended guidance is endorsed by The IIA through a formal approval process. It
describes practices for the effective implementation of the Core Principles, the Definition
of Internal Auditing, the Code of Ethics, and the Standards. Recommended guidance helps
internal auditors understand and apply the Standards and may provide insight into going
beyond conformance to a higher level of adding value, or addressing issues of concern not
related to a specific standard. Recommended guidance is described in terms of
implementation guidance and supplemental guidance and is available to IIA members on The IIA’s
websites: global.theiia.org and na.theiia.org.

• Implementation Guidance: Implementation Guides exist for each standard.
They are intended to provide guidance to internal audit practitioners with
regard to conformance with the Standards.

• Supplemental Guidance: Supplemental guidance provides detailed guidance
for conducting internal audit activities. Supplemental guidance includes
topical areas, sector-specific issues, as well as processes and procedures, tools
and techniques, programs, step-by-step approaches, and examples of deliverables.
Examples of supplemental guidance currently include Practice Guides,
Global Technology Audit Guides (GTAGs), and Guides to the Assessment of
IT Risk (GAIT).

Quality Assurance and Improvement Program


Standard 1300 – Quality Assurance and Improvement Program is included in full because it
defines the requirements for a QAIP. Consult The IIA’s website for the most current version
of the Standards and for recommended guidance. Chapter 2 of this manual describes the
requirements and considerations for establishing a QAIP. Chapters 3, 4, and 5 describe the
requirements and considerations for performing internal assessments, a full external
assessment, and a self-assessment with independent validation, respectively.

1300 – Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement program is designed to enable an evaluation of the internal
audit activity’s conformance with the Standards and an evaluation of whether internal auditors
apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal
audit activity and identifies opportunities for improvement. The chief audit executive should
encourage board oversight in the quality assurance and improvement program.

1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.

1311 – Internal Assessments
Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.

• Periodic self-assessments or assessments by other persons within the
organization with sufficient knowledge of internal audit practices.

Interpretation:

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of
the internal audit activity. Ongoing monitoring is incorporated into the routine policies and
practices used to manage the internal audit activity and uses processes, tools, and information considered
necessary to evaluate conformance with the Code of Ethics and the Standards.

Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the
Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements
of the International Professional Practices Framework.

1312 – External Assessments


External assessments must be conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the organization. The chief audit executive
must discuss with the board:

• The form and frequency of external assessment.

• The qualifications and independence of the external assessor or assessment
team, including any potential conflict of interest.

Interpretation:

External assessments may be accomplished through a full external assessment, or a self-assessment
with independent external validation. The external assessor must conclude as to conformance with
the Code of Ethics and the Standards; the external assessment may also include operational or
strategic comments.

A qualified assessor or assessment team demonstrates competence in two areas: the professional
practice of internal auditing and the external assessment process. Competence can be demonstrated
through a mixture of experience and theoretical learning. Experience gained in organizations of
similar size, complexity, sector or industry, and technical issues is more valuable than less relevant
experience. In the case of an assessment team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executive uses professional
judgment when assessing whether an assessor or assessment team demonstrates sufficient
competence to be qualified.

An independent assessor or assessment team means not having an actual or perceived conflict of
interest and not being a part of, or under the control of, the organization to which the internal
audit activity belongs. The chief audit executive should encourage board oversight in the external
assessment to reduce perceived or potential conflicts of interest.

1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and
improvement program to senior management and the board. Disclosure should include:

• The scope and frequency of both the internal and external assessments.

• The qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest.

• Conclusions of assessors.

• Corrective action plans.

Interpretation:

The form, content, and frequency of communicating the results of the quality assurance and
improvement program is established through discussions with senior management and the board and
considers the responsibilities of the internal audit activity and chief audit executive as contained in
the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards,
the results of external and periodic internal assessments are communicated upon completion of such
assessments and the results of ongoing monitoring are communicated at least annually. The results
include the assessor’s or assessment team’s assessment with respect to the degree of conformance.

1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
Indicating that the internal audit activity conforms with the International Standards for the
Professional Practice of Internal Auditing is appropriate only if supported by the results of the
quality assurance and improvement program.

Interpretation:

The internal audit activity conforms with the Code of Ethics and the Standards when it achieves
the outcomes described therein. The results of the quality assurance and improvement program
include the results of both internal and external assessments. All internal audit activities will have
the results of internal assessments. Internal audit activities in existence for at least five years will
also have the results of external assessments.

1322 – Disclosure of Nonconformance


When nonconformance with the Code of Ethics or the Standards impacts the overall scope
or operation of the internal audit activity, the chief audit executive must disclose the
nonconformance and the impact to senior management and the board.

Application of the IPPF
The IPPF is the foundation of quality for an internal audit activity. While it is equally applicable
to all internal audit activities, the actual practice of internal auditing within an organization
must be adapted to such factors as an organization’s legal, regulatory, and cultural environment,
and industry, size, and stakeholder expectations. The CAE must adapt internal auditing
to the organization’s environment while still conforming with the Standards. Assessors should
consider this adaptation.

Internal auditing may be less mature in emerging countries, privately held (not listed) companies,
not-for-profit organizations, small companies, and organizations with a relatively new
internal audit activity. At the same time, many mature internal audit activities that are generally
in conformance with the Standards and the Code of Ethics look for ways to provide
context to the operation of their activity. Maturity models are used in some of these organizations
to provide this context. Examples of maturity models are available on the internet
and can be adapted by an organization to provide additional insight into maturity levels for
specific internal audit processes or elements of infrastructure.
