The IIA’s Internal Audit Capability
Model (IA-CM)
Strategic Planning Applications
Steve Goodson
October 25, 2016
Objectives
• Define and Discuss the elements of IA-CM
• Identify and Discuss the uses of IA-CM
– Self Assessment
– Strategic Planning
– Benchmarking
• IA-CM Re-fresh
Please ask questions throughout the presentation.
What is the IA-CM?
• Framework for Assessment
• Communication Vehicle
• A Roadmap for Orderly Improvement
Why an IA-CM?
• Reinforce the importance of internal auditing governance and accountability
• Implement and institutionalize effective internal auditing
IA-CM History
• October 2006 – May 2009
• IIA Research Foundation Project
• Validated in collaboration with the World Bank
– Global validation critical
– > 300 people, > 30 countries
• Original focus - public sector internal audit. But equally applicable to the private sector!
Underlying Principles
• Selecting optimum capacity
– Three variables
• Environment
• Organization
• IA activity
– Different capability required
– Internal auditing must be cost-effective
– No “One Size Fits All”
Underlying Structure
• Capability Maturity Model®
– Based on quality management principles
• Software Engineering Institute
– The original developers of capability maturity models®
• Software Capability Maturity Model®
• Technical Report, CMMI® for Development, Version 1.2
IA-CM Levels
LEVEL 5 Optimizing
LEVEL 4 Managed
LEVEL 3 Integrated
LEVEL 2 Infrastructure
LEVEL 1 Initial
IA-CM Level 1 Initial
No sustainable, repeatable capabilities; dependent upon individual efforts
IA-CM Level 2 Infrastructure
Sustainable and repeatable IA practices and procedures
IA-CM Level 3 Integrated
IA management and professional practices uniformly applied
IA-CM Level 4 Managed
IA integrates information from across the organization to improve governance and risk management
IA-CM Level 5 Optimized
IA learning from inside and outside the organization for continuous improvement
Elements of Internal Auditing
• IA activity consists of six elements:
– Services and Role of IA
– People Management
– Professional Practices
– Performance Management and Accountability
– Organizational Relationships and Culture
– Governance Structures
Elements of Internal Auditing
• The role — to provide independent and objective assessments to assist the organization in accomplishing its objectives and improve operations.
• Services provided are typically based on the needs of the organization and the IAA’s authority, scope, and capacity.
Elements of Internal Auditing
• People Management involves the process of creating a work environment where people perform to the best of their ability.
Elements of Internal Auditing
• Professional Practices reflects the full backdrop of policies, processes, and practices that enable the IAA to be performed effectively and with proficiency and due professional care.
Elements of Internal Auditing
• Performance Management and Accountability - information needed to manage, conduct, and control the operations of the IAA and account for its performance and results.
Elements of Internal Auditing
• Organizational Relationships and Culture refers to the organizational structure of the IAA along with its relationships with other units in the organization, with other review providers, and with the external auditor.
Elements of Internal Auditing
• Governance Structures: the reporting relationship (administrative and functional) of the CAE and how the IAA fits within the organizational and governance structure of the organization.
• It includes the means by which the independence and objectivity of the IAA is assured.
Internal Audit Capability Model Matrix
Columns (elements): Services & Roles, People Management, Professional Practices, Performance Management, Organizational Relationships, Governance Structures
Rows (levels): Level 5 - Optimizing, Level 4 - Managed, Level 3 - Integrated, Level 2 - Infrastructure, Level 1 - Initial
Cells: Key Process Area (KPA)
Services and Roles of IA: Key Process Areas
Level 5 - Optimizing
• Internal Audit Recognized as Key Agent of Change
Level 4 - Managed
• Overall Assurance on Governance, Risk Management, and Control
Level 3 - Integrated
• Advisory Services
• Performance/Value for Money Audits
Level 2 - Infrastructure
• Compliance Auditing
Level 1 - Initial
• Ad hoc and unstructured
Services and Roles of IA: Examples in Practice
Level 5 - Optimizing
• Internal audit plays key role in influencing change within the organization
Level 4 - Managed
• Senior management support and internal audit charter provide authority for entity-wide opinion
Level 3 - Integrated
• Senior management supports advisory services
• Training on performance/value for money audits
Level 2 - Infrastructure
• Internal audit charter describing assurance services
• Documented audit programs and policy manual
Level 1 - Initial
• Not applicable; ad hoc and unstructured
People Management: Key Process Areas
Level 5 - Optimizing
• Leadership Involvement with Professional Bodies
• Workforce Projection
Level 4 - Managed
• IA Contributes to Management Development
• Internal Audit Activity Supports Professional Bodies
• Workforce Planning
Level 3 - Integrated
• Team Building and Competency
• Professionally Qualified Staff
• Workforce Coordination
Level 2 - Infrastructure
• Individual Professional Development
• Skilled People Identified and Recruited
Level 1 - Initial
• Ad hoc and unstructured
People Management: Examples in Practice
Level 5 - Optimizing
• Management seek leaders in professional bodies
• Organizational policy on workforce planning
Level 4 - Managed
• Rotation policy for auditors and rest of organization
• Support for leadership roles in IIA or other groups
• Senior management support audit staffing needs
Level 3 - Integrated
• Appraisal system; audit competency framework
• Senior management support certifications
• Staff utilization plans; workforce coordination
Level 2 - Infrastructure
• Training budget; professional development plan
• Job descriptions; staffing and recruitment policy
Level 1 - Initial
• Not applicable; ad hoc and unstructured
Professional Practices: Key Process Areas
Level 5 - Optimizing
• Continuous Improvement in Professional Practices
• Strategic Internal Audit Planning
Level 4 - Managed
• Audit Strategy Leverages Organization’s Management of Risk
Level 3 - Integrated
• Quality Management Framework
• Risk-based Audit Plans
Level 2 - Infrastructure
• Professional Practices and Processes Framework
• Audit Plan Based on Stakeholder Priorities
Level 1 - Initial
• Ad hoc and unstructured
Professional Practices: Examples in Practice
Level 5 - Optimizing
• Quality improvement program; global benchmarking
• Internal audit participates in senior strategic planning
Level 4 - Managed
• Senior management support alignment of internal audit with organization’s current ERM strategy
Level 3 - Integrated
• Internal quality reviews; peer review
• Documented risk assessment process
Level 2 - Infrastructure
• Audit charter/policy manual comply with Standards
• Formal internal audit plan with audit universe
Level 1 - Initial
• Not applicable; ad hoc and unstructured
Performance Management: Key Process Areas
Level 5 - Optimizing
• Reporting of Internal Audit Effectiveness
Level 4 - Managed
• Integration of Qualitative and Quantitative Performance Measures
Level 3 - Integrated
• Performance Measures
• Cost Information
• Internal Audit Management Reports
Level 2 - Infrastructure
• Internal Audit Operating Budget
• Internal Audit Business Plan
Level 1 - Initial
• Ad hoc and unstructured
Performance Management: Examples in Practice
Level 5 - Optimizing
• Reporting of internal audit effectiveness
Level 4 - Managed
• Senior management support using qualitative and quantitative data to achieve strategic objectives
Level 3 - Integrated
• Organizational policy to monitor results
• Time recording and reporting system
• Senior management commitment to manage and account for audit results
Level 2 - Infrastructure
• Internal audit operating budget
• Internal audit business plan or annual report
Level 1 - Initial
• Not applicable; ad hoc and unstructured
Organizational Relationships: Key Process Areas
Level 5 - Optimizing
• Effective and Ongoing Relationships
Level 4 - Managed
• CAE Advises and Influences Top-level Management
Level 3 - Integrated
• Coordination with Other Review Groups
• Integral Component of Management Team
Level 2 - Infrastructure
• Managing within the Internal Audit Activity
Level 1 - Initial
• Ad hoc and unstructured
Organizational Relationships: Examples in Practice
Level 5 - Optimizing
• Visible commitment and support from senior management
Level 4 - Managed
• Formal reporting relationship with regular and direct communication with top-level management
Level 3 - Integrated
• Formal coordination between the internal audit activity and the external auditor
• Senior management supports CAE as valued member of the management team
Level 2 - Infrastructure
• Formally approved organizational structure
Level 1 - Initial
• Not applicable; ad hoc and unstructured
Governance Structures: Key Process Areas
Level 5 - Optimizing
• Independence, Power, and Authority of the Internal Audit Activity
Level 4 - Managed
• Independent Oversight of the IA Activity
• CAE Reports to Top-level Authority
Level 3 - Integrated
• Management Oversight of the Internal Audit Activity
• Funding Mechanisms
Level 2 - Infrastructure
• Full Access to Organization’s Information, Assets, and People
• Reporting Relationships Established
Level 1 - Initial
• Ad hoc and unstructured
Governance Structures: Examples in Practice
Level 5 - Optimizing
• Strategic information and communication strategy advocating independence & authority of internal audit
Level 4 - Managed
• Legislation/policy requires independent oversight committee
• CAE reports directly to oversight committee
Level 3 - Integrated
• Legislation/policy requiring an oversight committee
• Management supports internal audit funding
Level 2 - Infrastructure
• Organizational policy to allow internal auditors full access to information, assets, and people
• Approved internal audit charter
Level 1 - Initial
• Not applicable; ad hoc and unstructured
The IA-CM – Its Uses
• Self-Assessment and Continuous Improvement
• Strategic Planning & Vision Communication
• Benchmarking / Capacity Development
The IA-CM – Its Users
• IA Professionals
• IA’s Principal Stakeholders
– Senior Management
– Audit Committee Members
– Governing Body
– External Auditors
Using the IA-CM
• Not prescriptive – what should be done rather than how to do it
• A universal model with comparability around principles, practices and processes to improve IA and be applied globally
• Apply professional judgment
Completed Matrix
Services and Role Slice
Level | Key Process Area | Implementation Status
5 | Internal Auditing Recognized as a Key Agent of Change | Not In Progress
4 | Overall Assurance on Governance, Risk Management, and Control | In Progress
3 | Advisory Services | Fully Implemented
3 | Performance/Value-for-money Auditing | Fully Implemented
2 | Compliance Auditing | Fully Implemented
1 | No KPAs | N/A
Strategic Goal Example
• Goal: Level 4 – Managed: From “In Progress” to “Fully Implemented” by 2016
• Gap Identified: The Department does not have an annual statement of internal control or an annual risk assessment.
• Action Planned: Work with the Enterprise Risk Management function to facilitate an organization-wide annual statement of internal control.
• Accomplishment Indicator: Organization-wide annual statement of internal control
Organizational Relationships Slice
Level | Key Process Area | Implementation Status
5 | Effective and Ongoing Relationships | In Progress
4 | CAE Advises and Influences Top-Level Management | In Progress
3 | Coordination with Other Review Groups | In Progress
3 | Integral Component of Management Team | Fully Implemented
2 | Managing within the IA Activity | Fully Implemented
1 | No KPAs | N/A
Strategic Goal Example
• Goal: Level 4 – Managed: from “In Progress” to “Fully Implemented” by 2018.
• Gap Identified: The audit role has an inherently negative perception.
• Action Planned: To improve the Department’s perception of auditing by continuing to work with management to improve business processes, assess fraud risk, and achieve higher efficiency.
• Accomplishment Indicator: Increase in the number of special requests for advisory services added to the annual audit plan. Also, recognition of CAO as a strategic partner in high-level meetings.
Self-Assessment Steps
• Understand purpose and structure of IA-CM
• Identify KPAs that appear institutionalized by the IA activity
• Review documentation re: IA activity, organization, and environment
• Interview managers/stakeholders
• Conduct sessions with IA activity staff, management and stakeholders to confirm the “as-is” level.
• Identify actual KPAs institutionalized
• Determine capability level
• Identify strengths and areas for improvement
• Communicate results
Process Flow
Strategic Planning Tool
• IA-CM used by IA activity, management and stakeholders to determine the capability level appropriate for the organization’s oversight needs
• Similar process to a self-assessment
– Preliminary assessment using the IA-CM
– Identify level of IA capability desired based on the organization’s needs and resources available
– Develop an IA activity vision statement
– Develop strategic objectives for a 2-5 year timeframe and shorter-term project goals
– Prepare a workforce plan
– Present to the audit committee
Visioning and Communication Tool – An Example
Maturity Model consists of the following 6 Elements:
• Services and Role of IA
• People Management
• Professional Practices
• Performance Management and Accountability
• Organizational Relationships and Culture
• Governance Structure
Levels shown: Level 1 Initial, Level 2 Infrastructure, Level 3 Integrated, Level 4 Managed, Level 5 Optimizing
Years shown: 2011, 2012, 2013, 2014, 2015, 2016, Planned 2017
Benchmarking
• IA-CM can be used as a source of benchmarks by management, stakeholders, and policy centres
• Through identification of selected KPAs and the practices institutionalized in that KPA
• To assess the level of capability/maturity in each IA element by comparing practices of various organizations and jurisdictions
Considerations
• Mandatory guidance in the IPPF is embedded at level 3 - Integrated
• Is Level 3 sufficient?
• When and why aspire to Level 4 or 5?
• An IA activity may choose to stay at a particular level
• Consider environmental and organizational factors
The IA-CM and the QAIP
• IA-CM
– Self-assessment and development tool for continuous improvement
– Determines optimum capability
– Underpinned by IIA mandatory guidance
• QAIP
– Evaluates conformance with IIA mandatory guidance
– Assesses efficiency and effectiveness of IA activity
– Identifies opportunities for improvement
IA-CM 2016 Re-fresh
• IA-CM overall conceptual base sound
– Six elements and 41 KPAs remain
• External environmental factors, professional practices, including IPPF, have evolved
• Alignment with current practices
• Development of assessment tools
The IA-CM For the Public Sector
• Thank you!
• Comments
• Questions
Steve Goodson, CIA, CGAP, CCSA, CISA, CRMA