3.5 Practice Drills and Readiness Markers
Key Takeaways
- The QAIP has two parts: internal assessments (Standard 12.1) and an external assessment (Standard 8.4).
- Internal assessment = ongoing monitoring (day-to-day supervision) PLUS periodic self-assessment of conformance with every standard.
- The external assessment is performed at least every five years by a qualified, independent assessor or team; at least one member must hold an active CIA designation.
- An external assessment may be met by a self-assessment WITH independent validation (SAIV).
- The CAE communicates internal assessment results at least annually and external results when completed, to the board and senior management.
The QAIP, end to end (Standards 8.3, 8.4, 12.1)
The quality assurance and improvement program (QAIP) is the CAE's program to evaluate whether the function conforms with the Standards, achieves its performance objectives, and pursues continuous improvement. Standard 8.3 Quality requires the CAE to develop, implement, and maintain a QAIP covering all aspects of the function, made up of two assessment types:
| Assessment | Standard | Frequency | Who performs it |
|---|---|---|---|
| Internal — ongoing monitoring | 12.1 | Continuous, day-to-day | Supervisors via workpaper review, checklists, metrics |
| Internal — periodic self-assessment | 12.1 | Periodically | Senior IA staff, a QA team, or CIAs / experienced staff |
| External assessment | 8.4 | At least every 5 years | A qualified, independent assessor or team |
Internal assessment has two layers. Ongoing monitoring is built into routine supervision — reviewing engagement planning, workpapers, and final communications, plus stakeholder feedback and metrics like budget-to-actual and plan completion. Periodic self-assessment is the broader, holistic review of conformance against every standard. Based on self-assessment results, the CAE develops action plans for any nonconformance and communicates them to the board and senior management.
External assessment specifics (Standard 8.4)
The external assessment is the high-yield QAIP fact set:
- It must be performed at least once every five years.
- The assessor or team must be qualified and independent of the organization.
- At least one member must hold an active Certified Internal Auditor® (CIA) designation — a 2024-Standards requirement worth memorizing.
- The requirement may be met by a self-assessment with independent validation (SAIV) — the function self-assesses, and an independent party validates the result.
- The CAE develops the plan and discusses it with the board; the board reviews/approves scope, frequency, and assessor competence, and receives the complete results directly from the assessor.
- The board and CAE may choose more frequent assessments after events like a new CAE, a merger of audit functions, major methodology changes, or heavy staff turnover.
Reporting cadence — who hears what, and when
- Organizational independence: the CAE confirms it to the board at least annually (Standard 7.1).
- Internal assessment results: communicated to the board and senior management at least annually (Standard 8.3).
- External assessment results: communicated when completed (Standard 8.3).
Communications in all cases cover conformance with the Standards, achievement of performance objectives, any legal/regulatory compliance issues, and action plans for deficiencies.
How the QAIP connects back to the rest of Section B
The QAIP is not a standalone topic — it is the feedback loop that keeps integrity, objectivity, competency, due professional care, and confidentiality honest. The periodic self-assessment measures the function's conformance against every standard, and the ongoing monitoring built into daily supervision catches problems engagement by engagement. The external assessment then independently validates all of it and is the formal mechanism by which the function can claim it conforms with the Global Internal Audit Standards.
This is why the exam frequently links QAIP facts to ethics behavior. A function that lets an auditor audit their own recent work, accepts vendor gifts, or skips ethics CPE is generating nonconformances that a periodic self-assessment should surface and an external assessor would flag. Conversely, a strong QAIP is evidence of conformance for nearly every ethics standard — note how often the Standards list "results of internal and external quality assessments" among their examples of conformance.
Numbers you must not miss
| Requirement | Number |
|---|---|
| Presumed objectivity impairment after prior responsibility | within 12 months |
| External quality assessment frequency | at least every 5 years |
| CIA-holders on the external assessment team | at least 1 |
| CAE confirms organizational independence to the board | at least annually |
| CAE communicates internal assessment results | at least annually |
| Temporary CAE non-audit role — independent assurance window | during the assignment |
Readiness drills for the whole chapter
Use a two-column recall sheet: cue on the left, controlling standard and required action on the right. Drill until you can produce the right column from memory.
| Cue in the stem | Standard | Required action |
|---|---|---|
| Auditor offered a gift by an auditee | 2.2 | Decline; appearance alone disqualifies |
| Auditor audited their own area within 12 months | 2.2 | Refrain (assurance presumed impaired) |
| Auditor discovers a conflict of interest | 2.3 | Disclose to CAE / supervisor |
| CAE's own objectivity impaired | 2.3 / 7.1 | Disclose to the board |
| Team lacks needed skills (assurance) | 3.1 | Obtain competent advice and assistance |
| "Did we catch every fraud?" | 4.2 | Due care ≠ infallibility; risk/cost-benefit |
| CAE reports administratively to CFO, audits treasury | 7.1 | Independent party performs/supervises |
| Trading on non-public acquisition news | 5.1 | Keep confidential; never for personal gain |
| External quality assessment timing | 8.4 | At least every 5 years; ≥1 assessor is a CIA |
| Internal assessment components | 12.1 | Ongoing monitoring + periodic self-assessment |
Readiness markers
- Recall: state the five ethics principles (Integrity, Objectivity, Competency, Due Professional Care, Confidentiality) without notes.
- Discrimination: instantly label a scenario as independence vs objectivity and as assurance vs advisory.
- Application: name who must act (auditor, CAE, senior management, board) and the disclosure path.
- Currency: avoid retired language ("generally conforms") and remember the 12-month, 5-year, and annual numbers.
- Retention: re-run a mixed set after a one-day break and keep your rationale quality stable.
If you can name a rule but not the action, or the action but not the standard, the material is not yet exam-ready.
A final drill: for each of the five ethics principles, write one sentence describing the behavior it demands and one describing the failure the exam will test (for example, Confidentiality demands protecting non-public information and is failed by trading on a planned acquisition). When you can produce both halves for all five principles without notes, and can place each scenario on the independence-versus-objectivity and assurance-versus-advisory axes, Section B is exam-ready.
Under the 2024 Global Internal Audit Standards, how often must an EXTERNAL quality assessment of the internal audit function be performed?
Which two activities make up the INTERNAL assessment component of the QAIP under Standard 12.1?
The CAE must communicate the results of the INTERNAL quality assessment to the board and senior management at least: