Add to collection(s) Add to saved
  1. Business
  2. Management

Internal audit capability model (ia

advertisement 
INTERNAL AUDIT CAPABILITY MODEL (IA-CM)
A TOOL FOR GOING BEYOND COMPLIANCE
OCTOBER 3, 2011
ELIZABETH (LIBBY) MACRAE, CGAP
QUOTE – THE IIARF WEBSITE
The IA-CM “…does not mandate compliance. Rather,
realizing that there are many factors that influence an
IA function, it provides a path for achieving a higher
level of compliance… Although geared to the public
sector, it has universal application. CAEs can use the
model to establish and build their IA functions using
key benchmarks to evaluate their progress,
demonstrate to audit committees and management
what should be expected from their functions, and
outline what steps are needed to grow and improve
their capabilities.” Dan B. Gould, CIA
2
PRESENTATION AGENDA
The IA-CM
• Development
• Structure
• Underlying Principles
Its Uses and Users
• Self-Assessment and Continuous Improvement
• Strategic Planning
• Visioning and Communication
• Capacity Development
• Benchmarking
3
WHAT IS THE IA-CM?
• Framework for Assessment
• Communication Vehicle
• A Roadmap for Orderly Improvement
4
WHY AN IA-CM?
• Reinforce the importance of internal
auditing in public sector governance and
accountability
• Implement and institutionalize effective
internal auditing
5
ITS DEVELOPMENT
• October 2006 – May 2009
• IIARF Project
• Validated in collaboration with the World
Bank
– Global validation critical
– > 300 people > 30 countries
6
UNDERLYING PRINCIPLES
• Selecting optimum capacity
– Three variables
• Environment
• Organization
• IA activity
– Different capability required
– Internal auditing must be cost-effective
– No “One Size Fits All”
7
UNDERLYING STRUCTURE
• Capability Maturity Model®
– Based on quality management principles
• Software Engineering Institute
– The original developers of capability maturity
models®
• Software Capability Maturity Model®
• Technical Report, CMMI® for Development,
Version 1.2
8
IA-CM LEVELS
IA learning from inside and outside the
organization for continuous improvement
IA integrates information from across the organization
to improve governance and risk management
IA management and professional
practices uniformly applied
Sustainable and repeatable IA
practices and procedures
No sustainable,
repeatable
capabilities –
dependent upon
individual
efforts
9
LEVEL 1
Initial
LEVEL 2
Infrastructure
LEVEL 3
Integrated
LEVEL 4
Managed
LEVEL 5
Optimizing
ELEMENTS OF INTERNAL AUDITING
IA activity consists of six elements:
• Services and Role of IA
• People Management
• Professional Practices
• Performance Management and
Accountability
• Organizational Relationships and Culture
• Governance Structures
10
KEY PROCESS AREA (KPA)
11
IA-CM 1-PAGE MATRIX
12
USING THE IA-CM
• Not prescriptive – what should be done
rather than how to do it
• A universal model with comparability
around principles, practices and processes
to improve public sector IA and be applied
globally
• Can be used as a self-assessment
exercise for continuous improvement
13
THE IA-CM – ITS USERS
• IA Professionals
• IA’s Principal Stakeholders
– Senior Management
– Audit Committee Members
– Governing Bodies
– Legislative Auditors
14
SELF-ASSESSMENT STEPS
• Understand the purpose and structure of IA-CM
• Identify KPAs that appear to be institutionalized
by the IA activity
• Review documentation re: IA activity,
organization, and environment
• Interview managers/stakeholders
• Confirm actual KPAs institutionalized
• Determine capability level
• Communicate results
15
CONSIDERATIONS
• A KPA is achieved when it is
institutionalized into the culture of the IA
activity
• All KPAs, up to and including the KPAs at
a given level, must be institutionalized to
achieve that level
• Can KPAs be ignored?
• Can levels be skipped?
• Must all elements be at the same level?
16
SELF-ASSESSMENT – AN EXAMPLE
• Large IA activity in the central government of the
United Kingdom
• Lessons Learned
– Need to ensure that the purpose, structure and
underlying principles of the IA-CM are understood
– Need a clear commitment from the top - to the
exercise, its results and an action plan for
improvement
– Need to encourage openness and honesty
– Important to be inclusive
17
SELF-ASSESSMENT
• Conclusions
– The IA-CM
• “adds value, but needs to be used intelligently,
holistically and with commitment”
• “provides the CAE with a view of where the IA
activity stands in comparison to where it may
aspire to be”
• “has the potential to enhance professionalism and
have a positive impact on morale”
18
STRATEGIC PLANNING TOOL
• The IA-CM can be used by management and
stakeholders to determine the IA activity
appropriate for their oversight needs
• Similar process to a self-assessment
– Preliminary assessment using the IA-CM
– Sessions with IA activity staff and
stakeholders to confirm the “as-is” level
19
STRATEGIC PLANNING TOOL - EXAMPLES
• Three IA activities in the United States
• As a strategic planning tool
– Identify the level of IA capability desired based on the
organization’s needs and resources available
– Develop an IA activity vision statement
– Develop strategic objectives for a 2-4 year timeframe
and shorter-term project goals
– Prepare a workforce plan
– Present to audit committee
20
VISIONING AND COMMUNICATION TOOL
21
CAPACITY BUILDING – AN EXAMPLE
• IFAD – Office of Audit and Oversight
– Program to develop capacities of IA activities for
governments with which IFAD works
– IFAD internal audit team performs an assessment of
Ministry IA activity using IA-CM
– Report issued to Ministry noting areas for IA activity
improvement
– Selected Ministry auditors work as part of IFAD’s
Audit and Oversight Office for six months
– Their experiences potentially contribute to improved
practices in their Ministries’ IA activities
22
BENCHMARKING
• IA-CM can be used as a source of
benchmarks by management, stakeholders,
and policy centres
• Through identification of selected KPAs and
the practices institutionalized in that KPA
• To assess level of capability/maturity in each
IA element by comparing practices of various
organizations and jurisdictions
23
BENCHMARKING – AN EXAMPLE
• Internal Audit Sector of The Office of the Comptroller
General in Canada (policy centre)
– Used the IA-CM as its analytical framework
– Identified relevant KPAs within each of the six
elements
– Documented federal Government of Canada internal
audit practices
– Highlighted other jurisdictions’ successful practices
that might be applied to federal government
– Did not assess the level of capability/maturity of
internal auditing
24
BEYOND COMPLIANCE
• Mandatory guidance in the IPPF is embedded at
level 3 - Integrated
• Is Level 3 sufficient?
• When and why aspire to Level 4 or 5?
• An IA activity may choose to stay at a particular
level
• Apply professional judgment
• Consider environmental and organizational
factors
25
THE IA-CM FOR THE PUBLIC SECTOR
For more information, visit:
www.theiia.org/research/ia-cm
26
Related documents
COVER LETTER SAMPLE
COVER LETTER SAMPLE
Internal Auditor Job Description
Internal Auditor Job Description
CIS 349 – Information Technology Audit and Control
CIS 349 – Information Technology Audit and Control
Job Title: IT Audit Senior
Job Title: IT Audit Senior
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
Recent Changes to IIA Standards
Recent Changes to IIA Standards
Download
advertisement