Exposure Draft of QSIA 2, Peer Review and Third-Party Assessment

The Exposure Draft Quality Standard on Internal Audit (QSIA) 2 establishes guidelines for Peer Review and Third-Party Assessment, which are independent mechanisms aimed at confirming the quality, objectivity, and effectiveness of internal audit functions. The standard applies to both internal audit functions undergoing assessment under a Quality Assurance and Improvement Program (QAIP) and to Chartered Accountant firms subject to the ICAI’s Peer Review Board requirements. The core objective is to ensure internal audit methodologies, processes, and reporting align with ICAI’s Standards on Internal Audit (SIAs) and ethical principles, providing assurance to stakeholders. Requirements include formal planning within a QAIP, ensuring the independence and competence of reviewers (who must have no professional relationship with the reviewed unit for two years), and defining a scope that covers governance, compliance, execution, and documentation. Reviewers must gather sufficient evidence, test selected engagements, and issue a report detailing strengths, weaknesses, and improvement recommendations, which must be followed up with a corrective Action Plan. Regulatory criteria often mandate peer review once every three years.

The Institute of Chartered Accountants of India

Quality Standard on
Internal Audit (QSIA) 2
Peer Review and Third-Party
Assessment

1. Introduction

1.1 Peer review and third-party assessments are independent mechanisms to ensure the quality, credibility, objectivity, and effectiveness of internal audit functions. These reviews provide independent evaluations of whether internal audit processes comply with ICAI’s Standards on Internal Audit (SIAs), best professional & ethical practices, and regulatory requirements.

“Peer Review” is a regulatory requirement conducted under the supervision of the Peer Review Board constituted by ICAI, as per the ‘Statement on Peer Review’. Third-party assessments, however, are voluntary initiatives by audit entities.”

1.2 This Standard provides guidelines on conducting peer reviews and third-party assessments to enhance the quality of internal audits, strengthen internal controls, and improve risk management processes.

1.3 Scope: This Standard shall apply to both internal audit functions conducting self-assessment or external assessments under quality assurance and improvement program (QAIP), and to Chartered Accountant firms subject to Peer Review as per ICAI’s Peer Review Guidelines or getting third party assessment done.

2. Effective Date

2.1 This Standard is applicable for internal audits beginning on or after a date notified by the Council of the Institute.

3. Objectives

3.1 The objectives of this QSIA are to ensure that:

• Internal audit functions undergo independent and objective quality assessments through peer review or third-party evaluations.
• Peer Review aims to confirm that the internal audit firm has complied with Technical Standards, maintained quality control systems, and properly documented audit work, in line with ICAI requirements.
• Internal audit methodologies, processes, and reporting align with ICAI SIAs, ethical standards, and industry best practices.
• Audit stakeholders receive assurance on the effectiveness and reliability of internal audit functions.
• Identified gaps or weaknesses in audit quality are addressed through corrective actions and continuous improvements.

3.2 Peer reviews and third-party assessments shall be conducted periodically, based on regulatory requirements, organizational policies, or best professional practices.

4. Requirements

4.1 Planning for Peer Review and Third-Party Assessment (Refer Para. A1)

Internal audit functions shall develop a formalized quality assurance and improvement program (QAIP), incorporating:

• Periodic peer reviews by internal audit professionals from similar organizations.
• Independent third-party assessments conducted by external reviewers or audit firms.
• Compliance checks with ICAI’s SIAs, corporate governance frameworks, and legal requirements.
• Before the peer review commences, the Practice Unit must submit Preliminary Information in the prescribed format approved by the peer review Board to the Reviewer.

The frequency of reviews shall be determined on the basis of:

• Regulatory or Peer Review Board requirements.
• Size, complexity, and risk profile of the organization.
• Material changes in internal audit processes, structure, or leadership.
• The Peer Review Board mandates peer review of firms falling under prescribed criteria once every three years or as notified.

4.2 Selection of Reviewers (Refer Para. A2)

The selection of peer reviewers and third-party assessors shall ensure independence, objectivity, and competence.

Reviewers shall have:

• Expertise in internal auditing, risk management, and governance practices.
• A strong understanding of ICAI’s Standards on Internal Audit (SIAs) and ethical principles.
• No conflicts of interest with the internal audit function under review.
• Reviewers must not have had any professional relationship with the Practice Unit for a minimum of two years, or preceding the external review.

4.3 Scope of Peer Review and Third-Party Assessment (Refer Para. A3)

The review shall cover the following key areas:

• Governance and independence of the internal audit function.
• Compliance with ICAI’s SIAs and other applicable professional standards.
• Audit planning, execution, documentation, and reporting processes.
• Use of audit tools, data analytics, and risk assessment techniques.
• Stakeholder engagement and communication effectiveness.
• Quality control mechanisms, including supervision and review processes.

4.4 Execution of Peer Review and Third-Party Assessment (Refer Para. A4)

Reviewers shall obtain sufficient, reliable, and relevant evidence to support their evaluation.

Review techniques may include:

• Interviews with key audit stakeholders (Audit Committee, management, internal auditors).
• Review of audit reports, working papers, and quality assurance procedures.
• Assessment of compliance with ethical and professional standards.
• Testing of selected audit engagements for conformance to SIAs.
• Execution shall include evaluation of audit engagements, review of policies and procedures, sample verification of audit documentation, using ICAI prescribed checklists by the peer review board.
• Reviewers must prepare and maintain a Review Summary Report and working papers.

4.5 Reporting the Results of Peer Review and Third-Party Assessments (Refer Para. A5)

The review report shall include:

• Executive summary of key findings, observations, and best practices.
• Evaluation of the internal audit function’s adherence to SIAs.
• Identification of strengths, improvement areas, and potential risks.
• Recommendations for enhancing audit quality and governance. The final report shall be shared with:
• Chief Internal Auditor (CIA)/ Head of Internal Audit or Head of the internal audit firm.
• Audit Committee and Board of Directors (if applicable).
• Senior management and other relevant stakeholders.

The Reviewer is required to maintain strict confidentiality of all information, records, documents, and discussions accessed during the course of the review. No part of the information obtained shall be disclosed to any third party, except as required by the Peer Review Board or under legal obligation.

4.6 Follow-Up and Continuous Improvement (Refer Para. A6) Internal audit functions / Auditor firm shall:

• Develop an action plan with timelines to address findings from the review.
• Track implementation of recommendations and corrective actions.
• Conduct follow-up assessments to ensure continuous improvement.
• Provide regular updates to the Board and senior management.
• In case of peer review- If deficiencies are observed, the Peer Review Board may require the Practice Unit to submit an Action Taken Report within the prescribed timeframe or may mandate a follow-up review.

*****

Application and Other Explanatory Material

A1. Planning for Peer Review and Third-Party Assessment (Refer Para. 4.1)

• A structured review program enhances audit credibility and governance.
• Frequency of reviews shall align with risk exposure and regulatory expectations.
• Every entity getting internal audit done or engaged in providing internal audit service should get such external review done at least once in three years.

A2. Selection of Reviewers (Refer Para. 4.2)

• Independent reviewers ensure unbiased evaluations.
• Competency in Standards on Internal Audit and industry practices is essential.
• Scope of Peer Review and Third-Party Assessment (Refer Para. 4.3): Comprehensive reviews improve internal audit effectiveness and stakeholder trust.
• Execution of Peer Review and Third-Party Assessment (Refer Para. 4.4)
• Evidence collection shall be systematic and well-documented.
• Interviews and case study reviews provide insights into audit effectiveness.

A5. Reporting the Results of Peer Review and Third-Party Assessments (Refer Para. 4.5)

• Findings shall be categorized into strengths, weaknesses, and improvement areas.
• Audit Committees/ Partners shall review reports to drive governance improvements.

A6. Follow-Up and Continuous Improvement (Refer Para. 4.6): Action plans shall be monitored, ensuring audit quality enhancement.

Sample Checklist for

Internal Audit Peer Review Checklist (aligned to ICAI Peer Review Guidelines)