Who Audits The Internal Auditors ?

When I ask this question, I usually get a variety of answers ranging from "no one" to " the audit committee"! While the Internal Audit Activity is not subject to audit in the same way other company business units  and processes are ,there are ways management can get reasonable assurance that the internal audit department is doing what it is supposed to do. One of these ways is the External Quality Assessment.

 IIA Standard 1300 covers the Quality Assurance and Improvement Program that need to be established by the CAE covering all aspects of the internal audit activity. Standard1312 requires that "External Assessment must be conducted at least once every five years by a qualified,independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

• The form and frequency of external assessment,and
• The qualification and independence of the external assessor or assessment team,including any potential conflict of interest."

The interpretation of the standard explains that external assessment can be in the form of a full external assessment,or a self -assessment with independent external validation.

In addition to the external assessment ,the standards call for internal assessment which must include:

• Ongoing monitoring of the performance of the internal audit activity,and
• Periodic self - assessment or assessments by other persons within the organization with sufficient knowledge of internal audit practises.

Do you think the above is adequate to provide management with reasonable assurance that the internal audit activity is performing its duties in conformity with the IIA standards? If not, what else would you suggest to do,for example:

• Have the external auditors audit the internal audit activity
• Have a peer review by other internal audit activity of an unrelated company.
• Have an external assessment every year or two.

 Please share your experience and thoughts.