Guarding the guards: How to prepare for an EQA
Sooner or later, most internal auditors will experience an external quality assessment (EQA). This is best practice for all teams and a requirement for many. It also means that internal auditors find out what it’s like to be on the other side of the auditing process and see their work and that of their team under the spotlight.
However, an EQA can be far more than simply a health check that ticks off whether your processes and controls meet the IIA Standards, satisfies the audit committee and enables you to say that you abide by the Chartered IIA’s codes of practice. An EQA at its most effective can provide you with space to consider the present and future performance of the team, an opportunity to discuss “grey areas” or barriers to progress with experienced peers, a chance to learn about solutions and innovations introduced by other teams across sectors and, perhaps most valuable of all, a safe space to explore concerns and opportunities and to gain new perspectives.
This is why choosing an EQA provider and good preparation are essential. EQAs cost time as well as money and you should plan to get the most from your investment – what you get out really does depend on what you put in. So what do the assessors recommend?
Choose challenge
First, you need to choose an assessment provider. The Chartered IIA offers a full EQA service as well as smaller scale validation checks and assessments. A good place to start is the institute’s free self-assessment checklist, which will enable you to ensure that you have all the basics in place before you begin. Then you need to identify what you (and your stakeholders) most want to get out of the process and create a shortlist of providers who might be able to achieve this. The choice is wide, but some will probably not be best suited to your sector, team size or specific requirements.
“The first question I would ask a potential provider is who will be doing the assessment work – who will be on the team, what experience do they have, have they actually worked in internal audit, have they encountered the challenges I face?” says Claire Ashby, Chartered IIA EQA assessor and director at Ashby Associates internal audit consultancy. “You need to know if the person you will see most has really been there and done it. Look for someone who has been a chief audit executive (CAE) in a similar internal audit model – such as a full in-house team or a co-sourced arrangement. Check whether that person will be doing the interviews personally, rather than just overseeing the assessment.”
It matters because the quality of the reviewer and the review could affect internal audit’s reputation in your organisation. The report is important, but if the person who interviews the chief executive or the chair of the audit committee lacks experience or understanding of the organisation this will undermine the conclusions of the report and, possibly, perceptions of the internal audit team itself.
Assuming you want to get more from the EQA than a simple “conforms to the Standards” tick in the box, then you should look for a provider who can challenge you. “You don’t want someone who comes in and just says everything looks fine – that’s not a useful outcome,” Ashby warns. “You want someone who can suggest ideas about how to get to the next level of maturity, so ask potential providers what they offer in terms of development and how they will deal with any areas of non-compliance. An EQA should take the whole team on a journey and provide long-term inspiration and opportunities.”
Ducks in a row
Once you have chosen a provider, preparation is vital, says Greg Coleman, governance consultant and Chartered IIA EQA assessor. He recommends undertaking a pre-review to ensure that you are ready for the assessment, you address the requirements of the IIA Standards and you can supply supporting documents as soon as they’re needed – the more time the assessor spends chasing documents, the less they have to explore more interesting and useful issues. It also helps the assessor if the CAE is already aware of areas that may be problematic.
“You need to identify interviewees and check their availability during the assessment period – it’s better to interview a limited number of people who have the information and perspective we need, than to include everyone you can think of. It’s not helpful if they all say the same thing and from the same viewpoint, so choose those who will add most value,” he advises.
The potential interviewees need to be prepared and to know what kind of questions they will be asked, so manage communications and expectations from the start of the process. Coleman suggests thinking laterally, because the person who can offer the best insights may not be one of the “usual suspects”. “This is an opportunity to step back and think about governance broadly,” he says. “Is the internal audit function doing what is needed now? It might have been great five years ago, but what do you need to do today and in future? That could be different.”
In addition to the Chartered IIA’s self-assessment checklist and the IIA’s Standards, it’s helpful to review how your team rates against additional indicators of good practice, such as the institute’s Internal Audit Code of Practice or financial services code.
“Make sure you’ve got the basics in place – are your policies and procedures written down, can you access the CPD records of your team and is your internal audit charter up to date?” says Ashby. “Check in advance, so that if things need audit committee approval, you can get it. This maximises useful time with the assessor; a conversation about how you build a combined assurance model is much, much more valuable than one on whether your charter is up to date.”
“The key to a smooth EQA is good planning,” agrees Clare Worley, independent internal audit adviser and Chartered IIA EQA assessor. “It helps to have your own improvement log and to demonstrate that you appreciate where you need to do more and what you are doing to get there. It’s a good starting point for a conversation with the assessor, who can look at where you are and help you to explore ways to progress.”
It’s vital to be honest about shortcomings or problems, she adds. “No one is ever perfect – times change and expectations constantly evolve. If I see a self-assessment that says everything is perfect, I immediately think ‘uh oh’.”
It pays to identify anything that may delay or block the EQA once it begins. Timing is important. Worley suggests working backwards from the date by which the audit committee wants the report and checking for conflicts in diaries and the workload of interviewees during that period.
“Think ahead – for example, do you want to do a survey of stakeholders and will you need the IT team’s support for this or to provide access to documents?” she asks. “Will the assessor need remote access to your in-house system?”
It can help to designate someone responsible for arranging EQA meetings and interviews, who can coordinate diaries and send invitations. Similarly, providing a contact who can answer simple queries and provide documents without constantly referring back to the CAE can prevent delays.
Once the EQA has begun, there’s no need to “lock down” everything in progress as long as you can explain things that are in flux, Worley says. However, it is useful to agree in advance how regularly you want meetings and feedback. “Personally, I would say at least once a week is desirable, but you can set your own timeframe – ask for what you want upfront,” she suggests. “Be clear if you need the report by a specific date or if you want interviews to take place in a particular week. It should be in your control and it should work as a partnership.”
Takeaway options
It’s best to go into an EQA with a clear perception of what you want to get out of it. “Aim for pragmatic advice based on experience, rather than headline statements about best practice that are ideals or based on what organisations with huge budgets are doing,” advises Coleman. “A good assessor can draw on their own background and on the other assessments they’ve completed.”
“The Standards are a minimum bar that you should achieve, but the real value is the practical suggestions and help on how to implement them best in your organisation and the things you can learn from others’ experience via your assessor,” agrees Worley. “Aim to come out with small practical steps to make day-to-day improvements. It should be a supportive experience and about continuous improvement, not a huge investment in lots of new technology or consultancy.”
An EQA is an opportunity to discuss with stakeholders the future requirements for, and needs of, internal audit, what these mean for the internal audit team and what the next level of internal audit maturity looks like. What does the audit committee chair want from internal audit?
You can also use the EQA process and report to educate your audit committee and board about what good internal audit can offer them. “We can support CAEs by explaining to managers the full benefits of a strong internal audit function – how it can protect the organisation’s value and support statements made about risk and internal control in the annual report and accounts,” Coleman adds. “If an audit committee chair doesn’t have the information they need to challenge the CAE they can’t protect the organisation’s value and will be potentially exposed.”
Embarking on an EQA may be daunting, but with the right preparation it should be a valuable and even enjoyable opportunity to move into a new gear. “In the end, an EQA is a brilliant opportunity to stand back and assess the big picture. Where is your function now, where should it be heading and how are you going to get there?” Ashby says.
Why do you need an external quality assessment (EQA)?
• To conform to the 1300 series of Standards.
• To provide independent assurance in conformance with Standard 1312 that requires an external assessment to be undertaken at least every five years. More frequent reviews may take place, for example, when there are changes in leadership, a new chief audit executive (CAE) or a new audit committee chair, or significant changes in internal audit policies and procedures, etc.
• To raise the bar of the internal audit activity within the organisation.
• To benchmark your activity against best practice.
• To enhance the performance of your internal audit function through the ideas and suggestions offered by experienced EQA reviewers.
This article was published in July 2021.