Quality Is Not Assumed — It Is Demonstrated

In every field of professional practice, there is a gap between claiming competence and demonstrating it. Lawyers pass bar examinations. Physicians are subject to peer review and licensing boards. Engineers have their designs independently certified. These external quality mechanisms exist because the stakes of professional failure are high, because self-assessment alone is insufficient, and because stakeholders who rely on professional outputs need an objective basis for their confidence.

Internal audit is no different. The board and audit committee that relies on internal audit’s assurance — making governance decisions, allocating oversight resources, and communicating with regulators on the basis of internal audit findings — needs to know that the function producing those findings is operating to a professional standard that justifies the confidence placed in it. The CAE who assures the board that the organisation’s risk management and control processes are effective must be able to demonstrate that the audit methodology, team competency, and quality management processes underlying that assurance are themselves sound.

This is the purpose of the Quality Assurance and Improvement Programme — the QAIP — that the IIA’s International Standards for the Professional Practice of Internal Auditing require every internal audit function to maintain. This article, the seventh in Dawgen Global’s The Internal Audit Imperative series, examines the QAIP in depth: what it requires, how it is structured, what the external quality assessment entails, how quality is measured through key performance indicators, and how Caribbean organisations can use quality assurance not merely as a compliance obligation but as a genuine driver of continuous improvement.

 

KEY INSIGHT A QAIP is not bureaucratic overhead imposed by an international standards body. It is the internal audit function’s commitment — to the board, to management, and to the organisation’s stakeholders — that the assurance it provides is produced to a standard that deserves to be relied upon.

 

The IIA Standards Requirement: What the QAIP Must Achieve

Standard 1300 of the IIA’s International Standards for the Professional Practice of Internal Auditing requires that the Chief Audit Executive develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity. The programme must be designed to enable an evaluation of the internal audit activity’s conformance with the IIA Standards and an assessment of whether internal auditors apply the IIA’s Code of Ethics.

The Standard also requires that the QAIP assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement. This dual mandate — conformance assessment and performance improvement — is important: the QAIP is not merely a compliance exercise designed to confirm that the function meets minimum requirements. It is an improvement mechanism designed to drive the function progressively toward greater quality, effectiveness, and value.

The IIA Standards further require that the CAE communicate the results of the QAIP to senior management and the board — including the results of external quality assessments, the conformance rating assigned to the IA function, and any significant quality improvement initiatives. This communication requirement ensures that the governing body has the information it needs to assess whether the internal audit function it relies upon for assurance is itself operating to the standard that its governance role demands.

The 2024 IIA Standards Update: Strengthened Quality Requirements

The IIA’s 2024 Global Internal Audit Standards — the most comprehensive update to the professional standards framework in over two decades — significantly strengthened the quality assurance requirements applicable to internal audit functions. The updated Standards introduced more prescriptive requirements around the content and frequency of the QAIP components, enhanced the requirements for board reporting on quality, and introduced new expectations around quality metrics and benchmarking. Caribbean internal audit functions operating under the pre-2024 Standards framework should review their QAIP design against the updated requirements to ensure continued conformance.

The QAIP Architecture: Five Interlocking Components

A comprehensive QAIP comprises both internal assessments — conducted by the IA function itself — and external assessments conducted by independent qualified reviewers. The IIA Standards require both, and they serve complementary purposes: internal assessments provide the continuous quality monitoring and improvement feedback that keeps the function on track day-to-day, while external assessments provide the independent credibility that internal self-assessment alone cannot deliver. The table below presents the five principal QAIP components.

 

QAIP Component	Type	Frequency	Key Activities
Ongoing Monitoring	Internal	Continuous	Engagement supervision; real-time working paper review; finding quality checks; report review before issuance; tracking of prior audit recommendations
Periodic Self-Assessments	Internal	At least annually	Structured review of IA function performance against IIA Standards; assessment of charter compliance, audit plan execution, team competency, and reporting quality
Internal Quality Reviews	Internal	Periodic	Peer review of completed engagements by CAE or senior auditor; assessment of methodology compliance, documentation adequacy, and finding reliability
External Quality Assessment (EQA)	External	At least every 5 years	Independent assessment by qualified external reviewer against full IIA Standards; produces conformance rating and improvement recommendations presented to audit committee
Self-Assessment with Independent Validation (SAIV)	Hybrid	Between EQAs	Internal self-assessment conducted against IIA Standards, independently validated by external reviewer; less resource-intensive than full EQA while maintaining external credibility

 

The Complementary Logic of Internal and External Assessment

The relationship between internal and external QAIP components is not redundant — it is deliberately complementary. Ongoing monitoring and periodic self-assessments allow the IA function to identify and address quality issues continuously, maintaining a consistent standard between external assessments. The external quality assessment then provides the independent validation — and the independent credibility — that confirms the function’s conformance to the IIA Standards from the perspective of a qualified external reviewer who has no stake in the outcome.

Organisations that rely exclusively on internal assessments without commissioning external quality assessments are in non-conformance with IIA Standards — and their boards are receiving quality assurance that has not been independently validated. This is a governance deficiency with practical consequences: regulators increasingly expect evidence of external quality assessment, and sophisticated governance audiences recognise the credibility gap between self-assessed and independently validated quality.

 

KEY INSIGHT An internal audit function that has never undergone an external quality assessment is, from a governance perspective, in a similar position to an external auditor who has never been subject to regulatory inspection. The absence of independent validation does not mean the work is poor — but it means there is no objective basis for confidence that it is not.

The External Quality Assessment: What to Expect and How to Prepare

The External Quality Assessment is the most rigorous and most governance-significant component of the QAIP. It involves a comprehensive independent evaluation of the internal audit function against the full IIA Standards framework — examining the IA charter and governance architecture, the risk-based audit planning process, the methodology and documentation standards applied in fieldwork, the quality of findings and reporting, the team’s professional competency and development, the independence safeguards in place, and the effectiveness of the QAIP itself.

The EQA process typically unfolds across three stages. The first is a document review — the external assessor reviews the audit charter, recent audit plans, completed audit working papers and reports, CAE communications to the audit committee, and the IA function’s self-assessment documentation. The second is a series of structured interviews — with the CAE, audit committee members, senior management stakeholders, and IA team members — designed to assess the function’s governance relationships, operational effectiveness, and quality culture. The third is the assessor’s synthesis and reporting — producing a written assessment of the IA function’s conformance rating, the specific Standards requirements where opportunities for improvement exist, and recommended improvement actions.

The Three Conformance Ratings

The IIA Standards prescribe three possible outcomes from an external quality assessment, each with distinct governance implications. The table below summarises the three conformance ratings and their significance.

 

Rating	Meaning	Governance Implication
Conforms	The IA function meets all mandatory requirements of the IIA Standards; minor opportunities for improvement may exist but do not affect overall conformance	Full disclosure to audit committee; public reporting permissible; strong governance credential
Generally Conforms	The IA function has a sound foundation in IIA Standards but has some deficiencies in selected areas; improvements are identified and recommended	Disclosure to audit committee with improvement plan; indicates a maturing but not yet fully conformant function
Does Not Conform	The IA function has significant, pervasive deficiencies relative to IIA Standards that impair its ability to fulfil its mandate	Immediate disclosure to audit committee and board; urgent remediation plan required; serious governance concern

 

Preparing for an External Quality Assessment

The value of an EQA is not realised on the day the external assessor arrives. It is realised in the months of preparation that precede the assessment — during which the CAE and IA team conduct a rigorous self-assessment, identify and address quality gaps, and ensure that the documentation, processes, and governance structures of the function are in the condition they should be year-round. Organisations that treat the EQA as an inspection to be managed — rather than an improvement opportunity to be embraced — typically receive lower ratings, more extensive recommendations, and less governance value from the process.

Effective EQA preparation involves four principal activities: conducting a comprehensive self-assessment against IIA Standards in the six to twelve months preceding the scheduled EQA; reviewing and updating the audit charter, methodology documentation, and QAIP policies to ensure they reflect current practice; ensuring that working paper documentation for recent engagements meets the Standards’ documentation requirements; and briefing the audit committee on the EQA process, the expected timeline, and the governance significance of the conformance rating.

DAWGEN GLOBAL: EXTERNAL QUALITY ASSESSMENT SERVICES Dawgen Global provides independent External Quality Assessments for internal audit functions across the Caribbean — evaluating conformance with IIA Standards, identifying improvement opportunities, and providing the audit committee with the independent quality assurance report it needs to discharge its oversight responsibilities. Our EQA process is thorough, constructive, and calibrated to the specific governance context of Caribbean organisations. We also provide QAIP design and implementation support for functions preparing for their first external assessment. Contact us at [email protected] to discuss your EQA requirements.

Measuring Quality: Eight Key Performance Indicators for Internal Audit

A well-designed QAIP does not rely exclusively on periodic assessments — internal or external — to monitor quality. It maintains a set of key performance indicators that provide real-time visibility into the function’s operational effectiveness and enable the CAE to identify quality trends, resource pressures, and improvement opportunities on a continuous basis. The CAE should report these indicators to the audit committee at least quarterly, enabling the committee to assess IA performance against defined benchmarks and to hold the function accountable for quality over time.

The table below presents eight quality indicators that represent the most important dimensions of internal audit performance for Caribbean organisations, along with definitions and target benchmarks.

 

Quality Indicator	Definition	Target / Benchmark
Audit Plan Completion Rate	Percentage of planned audit engagements completed within the annual cycle	> 90% indicates effective planning and execution discipline
Management Action Plan Closure Rate	Percentage of agreed management action plans closed within the agreed timeframe	> 75% at 12 months indicates effective follow-through by management
Report Issuance Timeliness	Average elapsed time from fieldwork completion to final report issuance	< 15 working days for standard engagements; longer for complex reviews
Stakeholder Satisfaction Score	Annual survey of audit committee, management, and operational stakeholders on IA quality and value	Trend improvement over time; specific dimension scores guide targeted quality investment
Finding Repeat Rate	Percentage of current-year findings that were also findings in prior-year audits	< 20% repeat rate indicates effective management remediation and first-line risk ownership
Staff Certification Rate	Percentage of IA team holding relevant professional certifications (CIA, CPA, CISA, CFE)	> 60% for mature functions; lower acceptable for developing teams with clear certification pathway
CPD Compliance Rate	Percentage of IA staff meeting annual CPD requirements for their professional designation	100% required — non-compliance represents a Standards conformance deficiency
Audit Coverage of High-Risk Areas	Percentage of high-risk audit universe items covered in the most recent audit cycle	> 80% for high-risk areas; lower-risk areas may be covered on a multi-year cycle

 

These indicators are not merely management metrics — they are governance tools. An audit committee that reviews IA performance against these indicators on a regular basis is exercising active oversight of the function’s quality, not merely receiving assurance that quality exists. The difference between passive receipt and active oversight is the difference between governance that is nominal and governance that is genuine.

Quality Assurance in Outsourced and Co-Sourced Arrangements

The QAIP requirements of the IIA Standards apply equally to outsourced and co-sourced internal audit arrangements — and in some respects, quality assurance is even more critical in these models, because the audit committee has less direct visibility into the operational practices of an external provider than it would have into an in-house team.

Provider Quality Frameworks

When engaging an outsourced or co-sourced IA provider, the audit committee should require evidence of the provider’s own quality framework — including the documented methodology standards, engagement supervision processes, working paper review protocols, and professional development requirements that govern how the provider’s team delivers audit work. A provider that cannot produce evidence of a structured, IIA-aligned quality framework is not in a position to credibly commit to the Standards conformance that the client’s governance obligations require.

Contractual Quality Obligations

The engagement contract for an outsourced or co-sourced IA arrangement should include explicit quality obligations — specifying the professional standards to which the provider will deliver, the quality indicators against which performance will be measured, the reporting obligations to the audit committee, and the provider’s obligations in respect of the external quality assessment. Where the EQA covers both in-house and provider components of a co-sourced function, the contract should specify how the provider will cooperate with and support the external assessor.

Annual Quality Reporting to the Audit Committee

Whether the IA function is in-house, outsourced, or co-sourced, the CAE — or the engagement lead of the outsourced provider acting in the CAE role — must present an annual quality assurance report to the audit committee. This report should summarise the QAIP activities conducted during the year, the results of self-assessments and any external quality assessments, the quality indicator performance against benchmarks, and the improvement initiatives planned for the forthcoming year. This annual report is the audit committee’s primary governance mechanism for discharging its oversight responsibility for IA quality.

 

KEY INSIGHT The quality of the assurance an organisation receives from its internal audit function is only as good as the quality management system that governs how that assurance is produced. Without a QAIP, an internal audit opinion is a professional judgement — worthy of respect, but not independently verified. With a QAIP, it becomes a quality-assured output that the board can rely upon with confidence.

Beyond Compliance: Building a Quality Culture in Internal Audit

The most effective QAIPs are not merely compliance mechanisms — they are expressions of a quality culture that permeates the internal audit function from the CAE to the most junior auditor. A quality culture is one in which every member of the team internalises the commitment to professional excellence, in which quality improvement is a continuous aspiration rather than a periodic compliance activity, and in which the board and management stakeholders of the function consistently experience audit work that meets or exceeds their expectations of rigour, relevance, and practical utility.

Building this culture requires deliberate leadership from the CAE — modelling professional standards, investing in team development, providing rigorous supervision and feedback, and communicating the quality standards expected in every aspect of the function’s work. It also requires the active support of the audit committee — which sets the tone for what quality means by the questions it asks, the standards it demands, and the accountability it enforces when quality falls short.

For Caribbean organisations where internal audit functions are still maturing — building teams, developing methodologies, and navigating the governance challenges explored throughout this series — the QAIP is both a quality management tool and a capability development mechanism. The discipline of continuous self-assessment, the feedback loop of the external quality assessment, and the accountability of quality indicator reporting create the structured improvement environment that accelerates the journey from a compliant internal audit function to a genuinely excellent one.

Conclusion: Quality Is the Foundation of Credibility

Internal audit’s value to the organisation it serves is ultimately a function of the credibility of the assurance it provides. That credibility rests on three pillars: independence, which ensures that findings are objective; competence, which ensures that findings are accurate; and quality assurance, which provides the independent evidence that both independence and competence are being maintained to the standard the IIA requires. Remove the quality assurance pillar, and the other two become assertions rather than demonstrated realities.

Caribbean boards and audit committees seeking to understand whether their internal audit function is genuinely delivering the governance value it is supposed to provide should ask a simple question: when did the function last undergo an external quality assessment, what was the conformance rating, and what improvement actions have been implemented since? If the answer reveals a function that has never been externally assessed, or one whose conformance deficiencies have not been addressed, the governance response is clear — invest in the quality framework that the function’s assurance mandate demands.

In Article 8 — Knowledge Transfer Through Outsourced Internal Audit — we examine one of the most strategically distinctive dimensions of a well-designed outsourced or co-sourced IA arrangement: its capacity to build lasting internal capability through structured knowledge transfer, embedding world-class audit methodology and professional competency within the client organisation.

 

IS YOUR INTERNAL AUDIT FUNCTION OPERATING AT THE HIGHEST STANDARD? Dawgen Global’s Internal Audit & Assurance Practice operates under a rigorous IIA-aligned quality assurance framework. Every engagement we deliver meets the Standards — and we help our clients build internal quality cultures that sustain excellence between external assessments. Whether you need an outsourced IA function, a co-sourced quality uplift, or an independent quality assessment of your existing function, we are ready to help. Request a Proposal Today: [email protected] Tel: 876-929-3670  |  876-665-5926  |

About Dawgen Global