Can You Help Us with External Quality Assessment?

It depends on where you are on the curve and what you aspire to.

Our context

Our mission is to help clients achieve risk and assurance excellence. 

This means doing what is right for you as opposed to adopting what is standard elsewhere without considering your context.

New standards, new curve

The 2025 Internal Audit Standards are a huge uplift from what was there previously.

They now put internal audit teams on a path to excellence (as defined in the eyes of their organisation). This is a new development and a big shift for many. Here’s our quick summary on the key changes.

But compliance with the International Internal Audit Standards won’t get you to excellence by themselves.

Standards are a playbook for the middle of the pack.

They have to be. Not everyone can aspire to excellence, and nor should they.

Put another way, internal audit teams are all on a bell curve, which we rate A-F based on innovation diffusion curves.

  • Exceptional teams are at the front (left) of the pack (A)
  • Excellent teams are not far behind (B)
  • Solid teams are in the middle of the curve (C)
  • Laggard teams are tying to get the basics in place (D)
  • Non-performing teams aren’t able, or have given up (F).

You always want to be a C or better.

What we hope for our clients is to get them to at least a B, and an A on the things that matter (what we call excellent and exceptional). From there the rest of the pack can learn and catch up.

image 1

If you’ve ever wondered what our theory of change is and where our logo comes from this is it.

Back to the Standards.

The latest IIA Standards moved the curve towards the left and literally set new standards.

Today’s pass (C) is tomorrow’s Does not Conform as we described in our seminal paper on World Class Internal Audit in 2013 (image below).

image

IIA’s goal remains, to get everyone on the wrong side of the curve (DNC does not confirm) to get closer the middle (GC Generally Conforms). Note the language in this one – the highest mark is to generally confirm with a middling standard.

Our take is they’re targeted towards the D-F players so that anywhere you go in the world, internal audit is at a minimum standard. It’s a very admirable goal, but it’s not what we do or where we play. We’re chasing excellence.

So back to the EQA. How does this fit into all of this?

What is the External Quality Assessment for?

The idea of an external quality review is to get an external reviewer to cast an eye over your work.

But different reviewers have different criteria.

A certification style review is not focused on whether you’re fit-for-purpose, but whether you comply with the standards. It’s an incredibly narrow view and for us this is where the friction starts.

We’ve only ever been on one EQA review with the IIA. They wanted to pass the team, we wanted to fail them.

Our ruler is whether the IA function is doing what’s needed of it. Everything else (including standards compliance) is secondary. We were using different criteria. It wasn’t natural fit.

I was never asked back because I was a tough marker for their offer.

Many years later I chaired the ARC for that org. It was a mess and the organisation suffered immensely as a result of weak marking. In my view that soft marking has a lot to answer for.

I digress.

In a nutshell there’s three types of EQAs:

  • Certification focused. This is the report that allows you to say you’re compliant with the standards and that’s it. IIA does this incredibly well and cost effectively, if this is all you need, hire them, or get a friendly peer to do it for you. It’s a softball approach, as they represent auditors, not those they report to. As we know a soft audit from a friendly marker is a bad idea. You wouldn’t do it to your clients. If you’re a sponsor, you might want a bit more Audit Committee perspective in the assessment.
  • The Big Bang approach. This is the (expensive) review from a big name firm who will give you lots of pretty powerpoint and make your Audit Committee feel good. There is probably some benchmarking involved, which doesn’t tell you what’s right for you, only what some others do.

    If you haven’t chose wisely there may never be a lot of noise actions to deal with that could take you off course for some time. Remember big name firms are there to impress and sell more work, and they probably haven’t run an in house team or had it report to them. Tread carefully.
  • Ace the exam approach. This is what we do, see below.

How we approach it

Countless times I’ve seen an EQA report suck all the oxygen out of what the internal audit team wants to discuss. Instead of discussing the strategy and the way forward, the EQA dominates the discussion and the report sets the talking points. In our view this is a really bad idea.

Our preferred approach

  1. Set your draft strategy
  2. Assess your baseline and your capabilities to achieve this
  3. Self assess against the standards so you know the answer before reviewers come in, and stress test it before they run their certification process
  4. Use the EQA to seed and test ideas with you and sponsors, get feedback you wouldn’t otherwise get, and get your reviewer to test your ideas with your sponsors without you in the room. Use it to help cement your strategy.
  5. Then certify through an independent validation, which is added to you strategy as a short Appendix (not the main talking points).

What this does is get your stakeholders aligned on baseline, direction, initiatives and funding so you can move into the next 12 months with focus and excitement both by sponsors and your team. And tick the compliance box on the way through, and not as the primary goal.

It’s a far more enjoyable experience than listening to a reviewer drone on without using your preferred talking points. Or worse, talking points that are wrong, really unhelpful or detail your preferred strategy.

That’s a really long answer. So is that a yes or a no?

So back to the question of whether we can help with EQAs.

Yes, but not the way other advisors do it.

1: If you want to leverage this investment to move towards excellence, then we’re the right people for the job.

We work with teams to ace the exam, and use the process to set a platform towards moving up the curve. This means getting the strategy done, getting the baseline assessment done, acing the exam and moving forward with excitement. If this feels right for you book a discovery call.

Book a discovery call.

2: If you need credibility with your sponsors: Yes, can absolutely do that. But we’ll only do it in the way we described above. If the Board wants a change or has doubts, it may be too late for us to assist. And while we can to a tough assessment, it’s not where we want to focus at the moment. A big name firm might be the right call for this one. If you’re an existing client (leader or sponsor) we can help you work out who to use, and get you prepared. Book a discovery call.

3: If you just want to tick the boxes and get back to what you were doing, we’re not your people for this. The IIA or a peer review will be your best option. For you the value from them will be excellent.

Home.