Definition

An External Quality Assessment (EQA) is a mandatory peer review of the internal audit function conducted by a qualified independent assessor every five years (IIA Standard 1312), evaluating conformance with IIA Standards, the internal audit charter, and the CAE's effectiveness. It covers the charter, independence, risk-based planning, engagement execution, reporting quality, and follow-up processes. GCC regulators (SAMA, CBUAE) reference IIA Standards in supervisory expectations and treat EQA non-conformance as a governance weakness.

Why it matters

The pressure on Internal Audit programmes is shifting in specific, observable ways:

• IIA Standard 1312 mandates an external assessment at least once every five years; SAMA's periodic assessment questionnaire explicitly asks for EQA date, assessor credentials, and conformance rating.
• Audit committees in UAE-listed entities subject to SCA Corporate Governance regulations must disclose internal audit quality; an EQA provides the objective evidence for disclosure.
• Organisations rated 'Generally Conforms' (highest IIA rating) attract stronger reliance from external auditors, reducing external audit fees by AED 150,000–400,000 annually through expanded internal audit reliance.
• EQA preparation uncovers chronic documentation and methodology gaps before regulators do; proactive remediation avoids formal regulatory findings worth 6–18 months of remediation effort.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

• Internal audit charter — current version, Audit Committee approval date, and explicit reference to IIA Standards and IPPF 2024.
• Audit plan and universe documentation — 3-year plan, risk scoring methodology, and universe coverage map.
• Engagement files (10–15 sample engagements) — planning memos, risk and control matrices, working papers, draft and final reports, and management response records.
• QA and Improvement Program (QAIP) internal assessment results — annual self-assessment scores against IIA attribute and performance standards.
• Audit Committee meeting minutes — evidence that IA results and independence declarations were presented and discussed.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

• Day 0-30: CAE commissions an internal self-assessment using IIA's Quality Self-Assessment tool; score each IIA Standard (1000–2600 series) and identify gaps rated 'Partial Conformance' or 'Non-conformance'.
• Day 31-60: Remediate top-10 self-assessment gaps: update charter to reference IPPF 2024, implement 5-C finding template, and formalise QAIP documentation.
• Day 61-90: Select EQA assessor (IIA-certified firm or peer-institution team); agree scope, timeline, and sample selection methodology; brief Audit Committee.
• Day 90+: Conduct EQA fieldwork and interviews; target 'Generally Conforms' rating; accept EQA report with agreed remediation plan at next Audit Committee meeting.
• Ongoing: Conduct annual internal self-assessment (IIA Standard 1311); track QAIP actions to closure and report results to Audit Committee each year.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

• EQA conducted within the IIA-mandated 5-year cycle — 100% compliance.
• IIA conformance rating target: 'Generally Conforms' (highest level) on all attribute and performance standards.
• Self-assessment completion rate: 100% of IIA Standards scored annually.
• QAIP remediation actions closed within agreed timeline ≥90%.
• External auditor reliance rate increase post-EQA: target ≥15 percentage point improvement.

The working checklist

Use this list during your next Internal Audit review cycle. The phrasing is intentionally observable — every item is something a reviewer can sample for, not an aspiration.

• Verify: audit universe.
• Verify: three-year audit plan.
• Verify: engagement letter and scope.
• Verify: workpapers.
• Verify: audit committee report.
• Verify: a universe that lists processes but not the underlying risks.

Pitfalls we keep seeing

Across MAST Consulting Group's Internal Audit portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

• Pattern: plan utilisation skewed to easier engagements. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
• Pattern: quality-assurance and improvement programme that is paper-only. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
• Pattern: follow-up that loses momentum after 90 days. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
• Pattern: a universe that lists processes but not the underlying risks. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Internal Audit engagements because the integrations are cheap and the evidence is defensible:

• TeamMate+ / Workiva / Galvanize for audit lifecycle — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
• Power BI for audit analytics — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
• issue trackers that the auditees actually use — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Internal Audit programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this checklist is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Internal Audit programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.