
Quality Assessment Manual Chapter 4

The document discusses conducting a full external assessment of an internal audit activity every five years as required. A full external assessment is conducted by an independent, qualified external assessor or assessment team. The objective is to evaluate the internal audit activity's conformance with standards and identify opportunities for improvement. The assessment process involves planning, off-site work including document review, onsite work such as interviews, and reporting findings and recommendations to enhance the internal audit activity.

Chapter 4

Full External Assessment

Overview
External assessments must be conducted every five years as required by The Institute of
Internal Auditors’ (IIA’s) International Standards for the Professional Practice of Internal
Auditing (Standards), which require assessment by an outside independent assessor or assessment
team. The objective of the external assessment is to evaluate an internal audit activity’s
conformance with The IIA’s Definition of Internal Auditing, Code of Ethics, and Standards.
External assessments may also focus on identifying opportunities to enhance internal audit
processes, offering suggestions to improve the effectiveness of the internal audit activity, and
promoting ideas to enhance the activity’s image and credibility. This approach embraces the
successful practices of the profession and emphasizes governance, risk management, and
control processes as important areas for auditors’ attention. External assessment recommendations
focus on opportunities for improvement and are offered to enhance the internal
audit activity’s ability to add value to the organization.

As noted in the Standards:

External assessments can be in the form of a full external assessment, or a self-assessment
with independent external validation.

The full external assessment is conducted by a qualified, independent external assessor or
assessment team. The team approach involves an outside team of competent professionals
under the leadership of an experienced, professional project manager. This chapter outlines
how to conduct a full external assessment.

The self-assessment with independent external validation involves the use of a qualified,
independent external assessor or assessment team to conduct an independent validation of
the internal audit activity’s internal self-assessment and report. Independent external assessors
should be well versed in successful internal audit practices. See chapter 3 for an outline
of how to conduct a self-assessment with independent validation.

The full external assessment process involves the chief audit executive (CAE) acquiring a
suitable independent, qualified provider of external assessment services, as guided by the
Standards (Practice Advisory 1312-1). The CAE should provide input into the requested
scope of the full external assessment and its specific objectives. This process should also ensure
full consideration regarding expectations of executive management and the audit committee.

Figure 4-1 illustrates an approach to the full external assessment process.

Quality Assessment Manual for the Internal Audit Activity


Enterprise objectives for the IA activity | Leading industry successful practices (for example GAIN) | The IPPF

Key Inputs:
• QAIP
• Interviews & Surveys
• Review of process, reports, and risk assessment
• Review of workpapers, reports, and technology plan
• Report files

Process:

Planning:
• Set scope and objectives
• Select and prepare team
• Request planning docs
• Preliminary visit
• Distribute surveys

Off-site work:
• Review planning docs
• Review all other docs received as per docs request list
• Summarize survey responses

Onsite work:
• Interviews with clients, IA staff, and stakeholders
• Workpaper reviews
• Review all other documents only available onsite
• Determine staffing knowledge
• Team discussions

Evaluate and report:
• Evaluate against IPPF resources for conformance and areas for improvement
• Summarize issues
• Recommendations
• Closing meeting
• Issue draft report for comment
• Issue final report to CAE

Reporting / Communications

Figure 4-1: Full External Assessment Process

Planning
The following five points of the planning process, if followed by the team leader, enhance the
customer’s involvement in, and satisfaction with, a value-added experience:

• Agree on the scope and objectives of the full external assessment.

• Select and prepare (as needed) the full external assessment team.

• Request and review the planning guides (see appendix A) completed by the
internal audit activity and clarify any questions or concerns.

• Make a preliminary visit (or teleconference) to the organization to gather
further information, finalize the work plan, select and schedule interviews
(see appendix C) with the internal audit activity’s key stakeholders and staff,
and otherwise prepare for the onsite visit.

• Distribute the two surveys, Executive Leadership & Operating Management
and Internal Audit Staff, to survey participants (see appendix B).

Scope and Objectives


The scope includes the following key elements of professional internal audit practice:

• The expectations of the internal audit activity expressed by the oversight
group, executive management, and any other stakeholders.

• The entity’s control environment and the CAE’s audit practice environment.

• The focus on evaluating governance processes, enterprise risk, and assessing
organizational controls in audit plans.

• The integration of internal audit into the organization’s governance process,
including the combined assurance relationships and communications between
the key governance groups and assurance providers involved in that process and
aligning audit objectives and plans with the objectives of the entity as a whole.

• The IIA’s International Professional Practices Framework (IPPF) and any
other legal requirements laid down for the internal audit activity within the
specific organization and/or country.

The following basic objectives should be achieved in a full external assessment:

• Assess the efficiency and effectiveness of the internal audit activity in light of
its charter, the expectations of the board (usually represented by a committee
of the board oversight body, such as an audit committee), executive management,
other stakeholders and assurance providers, and the CAE.

• Consider the internal audit activity’s current needs and objectives, as well as the
future direction and goals of the organization. Appraise the risk to the organization
if the results indicate the internal audit activity is performing at less than
an effective level or is not in conformance with one or more of the Standards.

• Provide an opinion on the internal audit activity’s conformance with The
IIA’s Definition of Internal Auditing, Code of Ethics, and Standards.

• If applicable, identify opportunities and offer ideas to the CAE and staff for
improving effectiveness of the internal audit activity, thereby raising the value
added to management and the audit committee.

The objectives listed above can be modified and others can be added to satisfy the needs of
customer organizations.

Select and Prepare the Full External Assessment Team


As noted in Standard 1312:

A qualified assessor or assessment team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical learning.
Experience gained in organizations of similar size, complexity, sector or industry, and
technical issues is more valuable than less relevant experience. In the case of an assessment
team, not all members of the team need to have all the competencies; it is the team as a
whole that is qualified. The chief audit executive uses professional judgment when
assessing whether an assessor or assessment team demonstrates sufficient competence
to be qualified.

Team Selection and Qualifications


• IIA Standard 1312: External Assessments specifies that the full external assessment
must be conducted “by a qualified, independent assessor or assessment
team from outside the organization.”

• Qualified individuals are persons with the technical proficiency, internal audit
experience, business experience, and educational background appropriate
for the audit activities to be assessed. This could include internal auditors
from outside the organization, independent consultants, or independent
outside auditors, but preferably not the external audit firm that audits the
organization’s financial statements or consultants providing any co-sourcing
for the entity. “From outside the organization” means not a part of, or under
the control of, the corporate entity.

Following is a list of the possible qualifications and criteria by which the CAE can assess the
competence of a full external assessment team. Specific engagements may require additional
unique qualifications.

• Experience (reference Standard 1312 and Practice Advisory 1312-1)

  ◦ The full external assessment team should comprise personnel of at least
    managerial level.

  ◦ The team leader should have experience that is comparable to that of the
    CAE of the internal audit activity being assessed.

  ◦ The team leader should be a competent, certified internal audit professional.

  ◦ Each team member should have a thorough understanding of current
    internal audit practices and the IPPF and its application; sound judgment;
    and good communication and analytical skills.

  ◦ The full external assessment team should possess, or have ready access to,
    all of the necessary technical expertise (e.g., governance, information technology,
    risk management, internal audit attributes, management consulting,
    and internal audit management).

  ◦ Knowledge of the organization’s industry, service, or internal audit activity
    by at least one team member is an important consideration to be evaluated
    by the customer.

• Objectivity

  ◦ The full external assessment team should objectively consider the expectations
    of the audit committee, executive management, and the CAE;
    the audit structure; and the policies and procedures of the organization
    and the internal audit activity.

  ◦ To ensure freedom from bias in the full external assessment, there should
    not be any relationship, either directly or indirectly, between the organization
    and the full external assessment team that is, or appears to be,
    a conflict of interest. Such relationships could significantly negate the
    benefits of the full external assessment.

Request the Planning Documents Completed by the Internal Audit Activity and Clarify Any Questions or Concerns
• The full external assessment process becomes easier when planning documentation
is completed by the internal audit activity before the onsite visit by
the team. The team leader requests relevant documentation from the CAE to
enable work to begin on the full external assessment prior to the onsite visit
(see appendix A).

• A comprehensive list of planning documentation necessary for the full
external assessment is provided to the CAE for completion as well as survey
invitations to be responded to by executive leadership, operating management,
and internal audit staff (see appendices A and B).

A Preliminary Visit (or Teleconference) to the Organization


The full external assessment team leader should arrange a preliminary visit or teleconference
with the CAE to:

• Meet the CAE and other staff that may be assisting the team during the onsite
visit.

• Clarify any misunderstandings regarding the planning documentation (see
appendix A).

• Ensure that all documents requested as per the checklist can be provided (see
appendix A).

• Ensure that there are no misunderstandings regarding the time, venue, scope,
and objectives of the full external assessment.

• Identify the executive leadership, operating management, internal audit
staff, and other key stakeholders with whom meetings will be arranged (see
appendix C).

• Agree on the list of participants for the surveys: executive leadership, operating
management, and internal audit staff (see appendix B).

The full external assessment team leader should keep minutes (or a summary) of the meeting
for later attention and impressions of the organization.

Distribute the two surveys, Executive Leadership & Operating Management and
Internal Audit Staff, to survey participants: the purpose and use of the surveys are fully
discussed in appendix B.

Work to Be Completed Off-site
(prior to onsite visit)
• The full external assessment team leader should review the planning documentation
(planning guides and documents noted on the document request
checklist) provided by the CAE before visiting the organization. This will help
to plan the work outlined in the programs that will be performed onsite. Refer
to appendices A and D for explanations of the planning guides and programs.

• The CAE should complete the two surveys—Executive Leadership &
Operating Management and Internal Audit Staff—providing his or her best
assessment of how executive leadership, operating management, and internal
audit staff will respond to each statement. Comparing the CAE’s responses
with survey results from the executives, operating managers, and internal
audit staff will provide the full external assessment team with possible opportunities
for improvement as well as possible areas of strength for the internal
audit activity (see appendix B).

• Summarize the survey results for feedback to the CAE. Areas of significant
divergence between CAE responses and those of survey participants should
be investigated by the full external assessment team during their interviews,
adjusting interview guides where necessary as discussed in appendix C. The
full external assessment team (perhaps with input from the CAE during the
onsite visit) will need to interpret whether survey information has uncovered
favorable or unfavorable ratings or trends. The CAE should be encouraged
to use this information during training sessions with internal audit staff to
emphasize positive results and highlight areas that need improvement.

Onsite Procedures
Review appendix D to become familiar with descriptions and instructions for completing the
four program segments that follow the same sections that were used in the planning guides,
surveys, and interview guides: Internal Audit Governance (D-1), Internal Audit Staff (D-2),
Internal Audit Management (D-3), and Internal Audit Process (D-4).

Onsite work is the most comprehensive element of a quality assessment. It includes:

• Interviews with selected members of the board (audit committee), executive
management, operating managers, and internal audit staff, focusing on organizational
risks and objectives and the internal audit activity’s effectiveness
at remaining current and adding value with respect thereto. This is one of
the most valuable onsite activities. Interviews allow for in-depth exploration
of issues raised by survey results, and the perceptions gathered from interviewees
should be investigated further and corroborated when possible with
hard evidence. It is best to conduct these interviews at the beginning of the
onsite visit, but they may continue throughout the visit to accommodate the
busy schedules of executive management (see appendix C for additional instructions
regarding the interview guides).

• Considering the work of other monitoring and assurance functions.

• The review of the internal audit activity’s audits and consulting engagements,
reports, and supporting documentation; and administrative and operating
policies, practices, procedures, and records.

• Determining the staffing knowledge and skills, especially in IT areas; risk
assessment; controls monitoring; interaction with governance participants;
successful practices; and other evidence of continuous improvement.

• The review of reports for, and communications with, management and the
board (audit committee) to assess the extent that the internal audit activity
meets objectives and adds value.

• The review and assessment of the coordination of the internal audit activity
with the work of the independent auditors.

• Evaluating the internal audit activity’s conformance with the Standards and
other relevant policies and procedures.

• The review of the quality/process improvement actions currently underway
and planned for the near term. Also consider successful practices appropriate
to the organization’s environment.

The onsite process is a cumulative experience for the team; thus, frequent discussions are
held and information is assessed by the team to offer practical suggestions reflecting the
current thinking of the profession. Onsite work should be determined by such factors as the
size of the internal audit activity, workpaper review, and interview schedule, but typically
lasts for one to two weeks, depending on the scope of work and objectives of the full external
assessment, and the size, geographic dispersion, and structure of the internal audit activity.

Evaluating the Internal Audit Activity and Reporting
See appendix E for a discussion of the evaluation process, including rating scales.

The most important aspect of the assessment is the full external assessment team’s evaluation
of the internal audit activity’s conformity with The IIA’s Definition of Internal Auditing,
Code of Ethics, and Standards; its adherence to its charter; the extent of its adoption of
leading practices; and its program of continuous improvement. These evaluations will also
disclose opportunities for improvement. This is the culmination of the full external assessment
team’s analysis of surveys, interviews, and documentation. As appropriate, the full
external assessment team will provide the CAE with recommendations for the internal audit
activity to enhance conformance with the Standards, add value for clients, and be a catalyst
for positive change in the organization. Finally, the full external assessment team will exercise
its professional judgment to render an opinion as to the level of conformance with the
Standards by the internal audit activity.

Summary of Issues, Recommendations, and Closing Conference
See appendix E for a discussion of reporting guidelines and options.

• Issues should be brought to the attention of the CAE as they come up
throughout the full external assessment and discussed as appropriate. The
closing conference should be regarded as an opportunity to summarize and
formalize the views of the full external assessment team and the CAE.

• The full external assessment team’s evaluation process emphasizes successful
practices and the issues that require attention. It is desirable to prepare a written
summary of the successful practices, observations, and recommendations for
those attending the closing conference. This written summary provides the
team leader and team members with a framework for the closing conference.

• The CAE, with advice from the full external assessment team leader, will
decide who will attend the closing conference. Since the individual observations
should have been discussed with audit management throughout the
full external assessment, the closing conference should hold no surprises. It
should be an orderly discussion of the significant issues, conclusions, and
recommendations. It also provides the CAE with an opportunity to comment
on the observations and recommendations.

Reporting
A draft report is prepared, either before or after the closing conference (see appendix F for
a discussion of reporting guidelines and options). When the full external assessment team
leader completes the draft, copies are sent to the team for comment within a specific timeline.
Comments are considered and, as appropriate, incorporated into the draft report before
it is sent to the CAE. The CAE is requested to respond to the recommendations and provide
an action plan.

The final report, in conjunction with the CAE’s response or action plan, will typically be
addressed to the CAE, with the expectation that copies will be distributed to representatives
of the board (the chair of the audit committee or other internal audit oversight body of the
board) and the executive to whom the CAE reports. Copies of the full external assessment
report should be addressed to the individuals or groups initiating the full external assessment.

The process map for a full external assessment, indicating the division of work between the
internal audit activity and the independent external assessment team, is shown below. Note
that conducting surveys and scheduling interviews require close coordination between the
internal audit activity and the external assessment team.

QUALITY ASSESSMENT PROCESS MAP
Full External Assessment

Completed by the IA Activity

Segments: IA Governance, IA Staff, IA Management, IA Process

• Background Information and Document Request Checklist: Background Information on the
internal audit (IA) activity. Document Request Checklist cross-referenced to
planning/program process flow: IA Governance, IA Staff, IA Management, and IA Process.

• Planning Guides (A1, A2, A3, A4) designed for each segment.

• Surveys containing elements from each segment.
  B-1 Executive Leadership & Operating Management
  B-2 IA Staff

• Interview Guides containing elements from each segment.
  C-1 Chief Audit Executive
  C-2 Board Members, Senior & Operating Management
  C-3 IA Staff
  C-4 External Auditors & Other Assurance Providers

• Programs (D1, D2, D3, D4) designed for each segment. Assessors document their
conclusions regarding conformance with mandatory guidance here.

• Evaluation Summary provides a record of ratings determined within the programs by assessors.

• Quality Assessment Report formatted to meet the needs of key stakeholders.

Completed by the Independent External Assessment Team
