Stay connected: follow us on LinkedIn and explore more at
www.CherryHillAdvisory.com.
Lorem ipsum dolor sit amet consectetur interdum quam duis varius facilis.
Latest Blogs
No items found.
Follow Us
.svg){kind=small}
%20in%202026.png)
Subscribe now to join the Risk Register community:
External Quality Assessments tend to move quietly through the calendar. They are scheduled years in advance, required under professional standards, and rarely feel urgent until the year arrives. But in 2026, many organizations are approaching their assessment under a newly updated framework.
The Institute of Internal Auditors released the updated Global Internal Audit Standards in 2024, and they became mandatory for quality assessments beginning in January 2025. In addition to the revised framework, the Standards now include Topical Requirements that are going live across specific risk areas, including cybersecurity, third-party risk, and organizational behavior. These requirements raise the bar by establishing clearer expectations for how internal audit addresses high-impact, complex risk domains.
As a result, any EQA conducted in 2026 will evaluate not only structural alignment with the updated Standards, but also whether the internal audit function is appropriately positioned and prepared to assess these emerging and evolving risks.
Under the 2024 Global Internal Audit Standards, the assessor evaluates the entire internal audit ecosystem. That includes how the function is positioned within governance, how it is managed and resourced, how engagements are executed, and how quality is monitored over time.
The five domain structure provides the framework, but the assessment itself focuses on evidence of conformance and effectiveness.
At a minimum, the assessor will expect to see:
It is an evaluation of whether internal audit is structured and operating in a way that aligns with modern professional expectations.
In many assessments, governance positioning sets the tone. Assessors often begin by examining how internal audit is situated within the organization and whether independence is preserved in practice.
That means revisiting the audit charter and confirming that it reflects the language and intent of the updated Standards. It also means reviewing reporting lines. Functional reporting to the audit committee should be clearly documented, not only in organizational charts but in meeting minutes, approvals, and performance oversight.
It is worth reviewing recent audit committee materials to confirm that plan approvals, quality discussions, and significant issues are formally recorded. If independence safeguards rely on informal understandings rather than structural clarity, this is the time to address them.
Once governance is reviewed, a structured gap assessment provides clarity on where the function stands relative to the updated Standards.
A disciplined approach works best. Map relevant requirements to documented evidence and identify where support is incomplete or informal. Often, internal audit functions are performing activities that meet expectations, but the documentation does not clearly reflect it.
This process typically surfaces practical improvements rather than fundamental weaknesses. Perhaps risk assessment methodology needs clearer documentation. Perhaps supervisory review is occurring but not consistently evidenced. Perhaps Quality Assurance and Improvement Program activities are underway but not formally reported.
Addressing these gaps methodically, months before the EQA, reduces last minute pressure and improves overall consistency.
Under the updated Standards, the Quality Assurance and Improvement Program is central. It demonstrates that internal audit evaluates itself continuously, not just every five years.
Assessors will look for evidence of ongoing monitoring, periodic self assessments, formal communication of quality results, and documented corrective action tracking. If these elements exist but have not been summarized or consistently archived, preparation is the right time to consolidate them.
Consider preparing a concise overview of quality initiatives since the last EQA. Highlight improvements implemented, lessons learned, and enhancements made to methodology or reporting. This signals maturity and proactive oversight.
An EQA also evaluates whether internal audit is focused on the right risks.
Take time to revisit the most recent enterprise risk assessment and confirm that the audit universe reflects current organizational priorities. Review how the annual audit plan was developed and ensure that the linkage between risk inputs and selected engagements is clearly documented.
If the risk landscape shifted during the year, ensure that plan adjustments and rationale are recorded. Traceability matters. Assessors want to see that planning is intentional and responsive rather than static.
Even with strong governance and planning, engagement execution remains a core focus.
Select several recent audit files and review them internally before the assessor does. Evaluate whether planning documents clearly articulate objectives and risks. Confirm that testing supports conclusions reached and that supervisory review is consistently documented. Review reports for clarity of impact, root cause analysis, and practical recommendations.
Variation in documentation standards is common across teams, especially in growing organizations. Standardizing workpaper structure and review practices before the EQA can significantly strengthen outcomes.
An EQA is not only a documentation exercise. It involves interviews and discussions with internal audit staff and governance leaders.
Communicate the scope and timing of the assessment clearly. Ensure the team understands expectations around documentation and interview participation. Encourage thoughtful, consistent responses rather than rehearsed messaging.
It is equally important to brief executive leadership and the audit committee in advance. Clarify timelines, explain the rating structure, and set expectations around how results will be communicated.
The choice of assessor influences both process and perception.
Look for experience applying the 2024 Global Internal Audit Standards and familiarity with your industry environment. Independence from management is critical. Beyond conformance scoring, assess whether the assessor can provide benchmarking insight and practical improvement recommendations.
Ask how they evaluate conformance across the five domains and how they approach partial conformance scenarios. Having clarity at the outset avoids surprises later.
An External Quality Assessment in 2026 will measure alignment with the updated Global Internal Audit Standards. For internal audit leaders, the objective is not simply to achieve a rating. It is to demonstrate that the function is structured, governed, and executed in a way that meets evolving professional expectations.
Starting early allows the process to be intentional rather than reactive. With disciplined preparation and clear documentation, the EQA becomes a validation exercise rather than a stress point.
For organizations that would benefit from an independent readiness review, or guidance for strengthening their Quality Assurance and Improvement Program, Cherry Hill Advisory works alongside internal audit leaders to bring structure and clarity well before the formal assessment begins.
Preparation today can make the 2026 assessment a reflection of strength rather than a scramble to respond. Reach out to start a conversation early.
Subscribe now to join the Risk Register community:
