(Source: Internal Auditing Professional Standards)

• at least once every five years by qualified, independent reviewer/team from outside organization.

• appraise and express an opinion as to compliance with Standards
• make recommendations

• Independence:

• free from any obligation to or interest in organization
• if from another department, not considered independent
• reciprocal peer review arrangements among three or more organizations can alleviate independence concerns
• peer reviews between two organizations generally should not be performed

• External reviewers:

• CAE involve senior management and board in selecting external reviewer
• independent of the organization and audit
• competent in the professional practice
• certified, e.g., CIA, CPA, CA, or CISA
• knowledgeable of the Standards
• competent in external assessment process
• qualified
• no real or apparent conflict of interest due to present or past relationships, etc.
• honest and candid within constraints of confidentiality
• objective - a state of mind; impartial, intellectually honest, free of conflicts of interest
• well versed in best practices
• at least three years of recent internal auditing management experience
• information technology expertise
• relevant industry experience

• Scope:

• compliance with Standards, Code, charter, plans, policies, procedures, practices, applicable legislative and regulatory requirements
• expectations of board, executive and operational management
• integration of internal audit into organization's governance process
• tools and techniques used
• knowledge, experience, disciplines of staff
• if audit adds value and improves organization's operations

• Self assessment with independent external validation:

• comprehensive, fully documented self-assessment process
• independent on-site validation by qualified reviewer including limited tests of self-assessment
• economical time and resource requirements

• Reporting results:

• preliminary results discussed with CAE
• final results to CAE or official who authorized review
• opinion based on sound business judgment, integrity, due professional care
• "compliance" opinion - practices, taken as a whole, satisfy requirements of the Standards
• "noncompliance" opinion - impact and severity of deficiency so significant it impairs audit's ability to discharge its responsibilities
• assessment and evaluation of the use of best practices
• recommendations for improvement
• response from CAE, including action plan and implementation dates
• CAE communicates review results and action plan to senior management and board