The IIA’s Internal Audit Capability Model (IA-CM) Strategic Planning · PDF...

Post on 07-Mar-2018


The IIA’s Internal Audit Capability

Model (IA-CM)

Strategic Planning Applications

Steve Goodson

October 25, 2016

Objectives

• Define and Discuss the elements of IA-CM

• Identify and Discuss the uses of IA-CM

– Self Assessment

– Strategic Planning

– Benchmarking

• IA-CM Re-fresh

Please ask questions throughout the presentation.

What is the IA-CM?

• Framework for Assessment

• Communication Vehicle

• A Roadmap for Orderly Improvement

Why an IA-CM?

• Reinforce the importance of internal auditing governance and accountability

• Implement and institutionalize effective internal auditing

IA-CM History

• October 2006 – May 2009

• IIA Research Foundation Project

• Validated in collaboration with the World Bank

– Global validation critical

– > 300 people > 30 countries

• Original focus - public sector internal audit. But equally applicable to the private sector!

Underlying Principles

• Selecting optimum capacity

– Three variables

• Environment

• Organization

• IA activity

– Different capability required

– Internal auditing must be cost-effective

– No “One Size Fits All”

Underlying Structure

• Capability Maturity Model®

– Based on quality management principles

• Software Engineering Institute

– The original developers of capability maturity models®

• Software Capability Maturity Model®

• Technical Report, CMMI® for Development, Version 1.2

IA-CM Levels

Level 5 - Optimizing

Level 4 - Managed

Level 3 - Integrated

Level 2 - Infrastructure

Level 1 - Initial

IA-CM

Level 1 Initial

No sustainable, repeatable capabilities; dependent upon individual efforts

IA-CM

Level 2 Infrastructure

Sustainable and repeatable IA practices and procedures

IA-CM

Level 3 Integrated

IA management and professional practices uniformly applied

IA-CM

Level 4 Managed

IA integrates information from across the organization to improve governance and risk management

IA-CM

Level 5 Optimized

IA learning from inside and outside the organization for continuous improvement

Elements of Internal Auditing

• IA activity consists of six elements:

– Services and Role of IA

– People Management

– Professional Practices

– Performance Management and Accountability

– Organizational Relationships and Culture

– Governance Structures

Elements of Internal Auditing

• The role — to provide independent and objective assessments to assist the organization in accomplishing its objectives and improve operations.

• Services provided are typically based on the needs of the organization and the IAA’s authority, scope, and capacity.

Elements of Internal Auditing

• People Management involves the process of creating a work environment where people perform to the best of their ability.

Elements of Internal Auditing

• Professional Practices reflects the full backdrop of policies, processes, and practices that enable the IAA to be performed effectively and with proficiency and due professional care.

Elements of Internal Auditing

• Performance Management and Accountability - information needed to manage, conduct, and control the operations of the IAA and account for its performance and results.

Elements of Internal Auditing

• Organizational Relationships and Culture refers to the organizational structure of the IAA along with its relationships with other units in the organization, other review providers, and the external auditor.

Elements of Internal Auditing

• Governance Structures refers to the reporting relationship (administrative and functional) of the CAE and how the IAA fits within the organizational and governance structure of the organization.

• It includes the means by which the independence and objectivity of the IAA is assured.

Internal Audit Capability Model Matrix

Columns (elements): Services & Roles; People Management; Professional Practices; Performance Management; Organizational Relationships; Governance Structures

Rows (levels): Level 5 - Optimizing; Level 4 - Managed; Level 3 - Integrated; Level 2 - Infrastructure; Level 1 - Initial

Cells: Key Process Area (KPA)

Services and Roles of IA

Key Process Areas

Level 5 - Optimizing

• Internal Audit Recognized as Key Agent of Change

Level 4 - Managed

• Overall Assurance on Governance, Risk Management, and Control

Level 3 - Integrated

• Advisory Services

• Performance/Value for Money Audits

Level 2 - Infrastructure

• Compliance Auditing

Level 1 - Initial

• Ad hoc and unstructured

Services and Roles of IA

Examples in Practice

Level 5 - Optimizing

• Internal audit plays key role in influencing change within the organization

Level 4 - Managed

• Senior management support and internal audit charter provide authority for entity-wide opinion

Level 3 - Integrated

• Senior management supports advisory services

• Training on performance/value for money audits

Level 2 - Infrastructure

• Internal audit charter describing assurance services

• Documented audit programs and policy manual

Level 1 - Initial

• Not applicable; ad hoc and unstructured

People Management

Key Process Areas

Level 5 - Optimizing

• Leadership Involvement with Professional Bodies

• Workforce Projection

Level 4 - Managed

• IA Contributes to Management Development

• Internal Audit Activity Supports Professional Bodies

• Workforce Planning

Level 3 - Integrated

• Team Building and Competency

• Professionally Qualified Staff

• Workforce Coordination

Level 2 - Infrastructure

• Individual Professional Development

• Skilled People Identified and Recruited

Level 1 - Initial

• Ad hoc and unstructured

People Management

Examples in Practice

Level 5 - Optimizing

• Management seek leaders in professional bodies

• Organizational policy on workforce planning

Level 4 - Managed

• Rotation policy for auditors and rest of organization

• Support for leadership roles in IIA or other groups

• Senior management support audit staffing needs

Level 3 - Integrated

• Appraisal system; audit competency framework

• Senior management support certifications

• Staff utilization plans; workforce coordination

Level 2 - Infrastructure

• Training budget; professional development plan

• Job descriptions; staffing and recruitment policy

Level 1 - Initial

• Not applicable; ad hoc and unstructured

Professional Practices

Key Process Areas

Level 5 - Optimizing

• Continuous Improvement in Professional Practices

• Strategic Internal Audit Planning

Level 4 - Managed

• Audit Strategy Leverages Organization’s Management of Risk

Level 3 - Integrated

• Quality Management Framework

• Risk-based Audit Plans

Level 2 - Infrastructure

• Professional Practices and Processes Framework

• Audit Plan Based on Stakeholder Priorities

Level 1 - Initial

• Ad hoc and unstructured

Professional Practices

Examples in Practice

Level 5 - Optimizing

• Quality improvement program; global benchmarking

• Internal audit participates in senior strategic planning

Level 4 - Managed

• Senior management support alignment of internal audit with organization’s current ERM strategy

Level 3 - Integrated

• Internal quality reviews; peer review

• Documented risk assessment process

Level 2 - Infrastructure

• Audit charter/policy manual comply with Standards

• Formal internal audit plan with audit universe

Level 1 - Initial

• Not applicable; ad hoc and unstructured

Performance Management

Key Process Areas

Level 5 - Optimizing

• Reporting of Internal Audit Effectiveness

Level 4 - Managed

• Integration of Qualitative and Quantitative Performance Measures

Level 3 - Integrated

• Performance Measures

• Cost Information

• Internal Audit Management Reports

Level 2 - Infrastructure

• Internal Audit Operating Budget

• Internal Audit Business Plan

Level 1 - Initial

• Ad hoc and unstructured

Performance Management

Examples in Practice

Level 5 - Optimizing

• Reporting of internal audit effectiveness

Level 4 - Managed

• Senior management support using qualitative and quantitative data to achieve strategic objectives

Level 3 - Integrated

• Organizational policy to monitor results

• Time recording and reporting system

• Senior management commitment to manage and account for audit results

Level 2 - Infrastructure

• Internal audit operating budget

• Internal audit business plan or annual report

Level 1 - Initial

• Not applicable; ad hoc and unstructured

Organizational Relationships

Key Process Areas

Level 5 - Optimizing

• Effective and Ongoing Relationships

Level 4 - Managed

• CAE Advises and Influences Top-level Management

Level 3 - Integrated

• Coordination with Other Review Groups

• Integral Component of Management Team

Level 2 - Infrastructure

• Managing within the Internal Audit Activity

Level 1 - Initial

• Ad hoc and unstructured

Organizational Relationships

Examples in Practice

Level 5 - Optimizing

• Visible commitment and support from senior management

Level 4 - Managed

• Formal reporting relationship with regular and direct communication with top-level management

Level 3 - Integrated

• Formal coordination between the internal audit activity and the external auditor

• Senior management supports CAE as valued member of the management team

Level 2 - Infrastructure

• Formally approved organizational structure

Level 1 - Initial

• Not applicable; ad hoc and unstructured

Governance Structures

Key Process Areas

Level 5 - Optimizing

• Independence, Power, and Authority of the Internal Audit Activity

Level 4 - Managed

• Independent Oversight of the IA Activity

• CAE Reports to Top-level Authority

Level 3 - Integrated

• Management Oversight of the Internal Audit Activity

• Funding Mechanisms

Level 2 - Infrastructure

• Full Access to Organization’s Information, Assets, and People

• Reporting Relationships Established

Level 1 - Initial

• Ad hoc and unstructured

Governance Structures

Examples in Practice

Level 5 - Optimizing

• Strategic information and communication strategy advocating independence & authority of internal audit

Level 4 - Managed

• Legislation/policy requires independent oversight committee

• CAE reports directly to oversight committee

Level 3 - Integrated

• Legislation/policy requiring an oversight committee

• Management supports internal audit funding

Level 2 - Infrastructure

• Organizational policy to allow internal auditors full access to information, assets, and people

• Approved internal audit charter

Level 1 - Initial

• Not applicable; ad hoc and unstructured

The IA-CM – Its Uses

• Self-Assessment and Continuous Improvement

• Strategic Planning & Vision Communication

• Benchmarking / Capacity Development

The IA-CM – Its Users

• IA Professionals

• IA’s Principal Stakeholders

– Senior Management

– Audit Committee Members

– Governing Body

– External Auditors

Using the IA-CM

• Not prescriptive – what should be done rather than how to do it

• A universal model with comparability around principles, practices and processes that can be applied globally to improve IA

• Apply professional judgment

Completed Matrix

Services and Role Slice

Level | Key Process Area | Implementation Status
5 | Internal Auditing Recognized as a Key Agent of Change | Not In Progress
4 | Overall Assurance on Governance, Risk Management, and Control | In Progress
3 | Advisory Services | Fully Implemented
3 | Performance/Value-for-money Auditing | Fully Implemented
2 | Compliance Auditing | Fully Implemented
1 | No KPAs | N/A

Strategic Goal Example

Goal: Level 4 – Managed: from “In Progress” to “Fully Implemented” by 2016

Gap Identified: The Department does not have an annual statement of internal control or an annual risk assessment.

Action Planned: Work with the Enterprise Risk Management function to facilitate an organization-wide annual statement of internal control.

Accomplishment Indicator: Organization-wide annual statement of internal control

Organizational Relationships Slice

Level | Key Process Area | Implementation Status
5 | Effective and Ongoing Relationships | In Progress
4 | CAE Advises and Influences Top-Level Management | In Progress
3 | Coordination with Other Review Groups | In Progress
3 | Integral Component of Management Team | Fully Implemented
2 | Managing within the IA Activity | Fully Implemented
1 | No KPAs | N/A

Strategic Goal Example

Goal: Level 4 – Managed: from “In Progress” to “Fully Implemented” by 2018.

Gap Identified: The audit role has an inherently negative perception.

Action Planned: To improve the Department’s perception of auditing by continuing to work with management to improve business processes, assess fraud risk, and achieve higher efficiency.

Accomplishment Indicator: Increase in the number of special requests for advisory services added to the annual audit plan. Also, recognition of CAO as a strategic partner in high-level meetings.

Self-Assessment Steps

• Understand purpose and structure of IA-CM

• Identify KPAs that appear institutionalized by the IA activity

• Review documentation re: IA activity, organization, and environment

• Interview managers/stakeholders

• Conduct sessions with IA activity staff, management and stakeholders to confirm the “as-is” level.

• Identify actual KPAs institutionalized

• Determine capability level

• Identify strengths and areas for improvement

• Communicate results

Process Flow

Strategic Planning Tool

• IA-CM used by IA activity, management and stakeholders to determine the capability level appropriate for the organization’s oversight needs

• Similar process to a self-assessment

– Preliminary assessment using the IA-CM

– Identify level of IA capability desired based on the organization’s needs and resources available

– Develop an IA activity vision statement

– Develop strategic objectives for a 2-5 year timeframe and shorter-term project goals

– Prepare a workforce plan

– Present to the audit committee

Visioning and Communication Tool – An Example

Maturity Model consists of the following 6 Elements:

• Services and Role of IA

• People Management

• Professional Practices

• Performance Management and Accountability

• Organizational Relationships and Culture

• Governance Structure

[Figure: year labels 2011, 2012, 2013, 2014, 2015, 2016 and “Planned 2017” plotted against Level 1 Initial, Level 2 Infrastructure, Level 3 Integrated, Level 4 Managed, and Level 5 Optimizing]

Benchmarking

• IA-CM can be used as a source of benchmarks by management, stakeholders, and policy centres

• Through identification of selected KPAs and the practices institutionalized in that KPA

• To assess the level of capability/maturity in each IA element by comparing practices of various organizations and jurisdictions

Considerations

• Mandatory guidance in the IPPF is embedded at level 3 - Integrated

• Is Level 3 sufficient?

• When and why aspire to Level 4 or 5?

• An IA activity may choose to stay at a particular level

• Consider environmental and organizational factors

The IA-CM and the QAIP

• IA-CM

– Self-assessment and development tool for continuous improvement

– Determines optimum capability

– Underpinned by IIA mandatory guidance

• QAIP

– Evaluates conformance with IIA mandatory guidance

– Assesses efficiency and effectiveness of IA activity

– Identifies opportunities for improvement

IA-CM 2016 Re-fresh

• IA-CM overall conceptual base sound

– Six elements and 41 KPAs remain

• External environmental factors, professional practices, including IPPF, have evolved

• Alignment with current practices

• Development of assessment tools

The IA-CM For the Public Sector

• Thank you!

• Comments

• Questions

Steve Goodson CIA, CGAP, CCSA, CISA, CRMA, CLEAspee@stevegoodson.com
