INTERNAL AUDIT CAPABILITY MODEL (IA-CM)

A TOOL FOR GOING BEYOND COMPLIANCE

OCTOBER 3, 2011
ELIZABETH (LIBBY) MACRAE, CGAP

QUOTE THE IIARF WEBSITE

The IA-CM does not mandate compliance. Rather,
realizing that there are many factors that influence an IA
function, it provides a path for achieving a higher level of
compliance Although geared to the public sector, it has
universal application. CAEs can use the model to establish
and build their IA functions using key benchmarks to
evaluate their progress, demonstrate to audit committees
and management what should be expected from their
functions, and outline what steps are needed to grow and
improve their capabilities. Dan B. Gould, CIA

PRESENTATION AGENDA
The IA-CM
Development
Structure
Underlying Principles
Its Uses and Users
Self-Assessment and Continuous Improvement
Strategic Planning
Visioning and Communication
Capacity Development
Benchmarking
3

WHAT IS THE IA-CM?

Framework for Assessment

Communication Vehicle
A Roadmap for Orderly Improvement

WHY AN IA-CM?

Reinforce the importance of internal

auditing in public sector governance and
accountability
Implement and institutionalize effective
internal auditing

ITS DEVELOPMENT

October 2006 May 2009

IIARF Project
Validated in collaboration with the World
Bank
Global validation critical
> 300 people > 30 countries

UNDERLYING PRINCIPLES

Selecting optimum capacity

Three variables
Environment
Organization
IA activity

Different capability required

Internal auditing must be cost-effective
No One Size Fits All

UNDERLYING STRUCTURE

Capability Maturity Model

Based on quality management principles

Software Engineering Institute

The original developers of capability maturity
models
Software Capability Maturity Model
Technical Report, CMMI for Development, Version
1.2

IA-CM LEVELS
IA learning from inside and outside the
organization for continuous improvement

IA integrates information from across the organization

to improve governance and risk management

IA management and professional

practices uniformly applied

Sustainable and repeatable IA

practices and procedures
No sustainable,
repeatable
capabilities
dependent upon
individual
efforts

LEVEL 1
Initial

LEVEL 2
Infrastructure

LEVEL 3
Integrated

LEVEL 4
Managed

LEVEL 5
Optimizing

ELEMENTS OF INTERNAL AUDITING

IA activity consists of six elements:

Services and Role of IA
People Management
Professional Practices
Performance Management and
Accountability
Organizational Relationships and Culture
Governance Structures
10

KEY PROCESS AREA (KPA)

11

IA-CM 1-PAGE MATRIX

12

USING THE IA-CM

Not prescriptive what should be done

rather than how to do it
A universal model with comparability
around principles, practices and
processes to improve public sector IA and
be applied globally
Can be used as a self-assessment
exercise for continuous improvement
13

THE IA-CM ITS USERS

IA Professionals
IAs Principal Stakeholders
Senior Management
Audit Committee Members
Governing Bodies
Legislative Auditors

14

SELF-ASSESSMENT STEPS
Understand the purpose and structure of IA-CM
Identify KPAs that appear to be institutionalized
by the IA activity
Review documentation re: IA activity,
organization, and environment
Interview managers/stakeholders
Confirm actual KPAs institutionalized
Determine capability level
Communicate results
15

CONSIDERATIONS

A KPA is achieved when it is

institutionalized into the culture of the IA
activity
All KPAs, up to and including the KPAs at
a given level, must be institutionalized to
achieve that level
Can KPAs be ignored?
Can levels be skipped?
Must all elements be at the same level?
16

SELF-ASSESSMENT AN EXAMPLE
Large IA activity in the central government of the
United Kingdom
Lessons Learned
Need to ensure that the purpose, structure and
underlying principles of the IA-CM are understood
Need a clear commitment from the top - to the
exercise, its results and an action plan for
improvement
Need to encourage openness and honesty
Important to be inclusive
17

SELF-ASSESSMENT

Conclusions
The IA-CM
adds value, but needs to be used intelligently,
holistically and with commitment
provides the CAE with a view of where the IA
activity stands in comparison to where it may
aspire to be
has the potential to enhance professionalism and
have a positive impact on morale

18

STRATEGIC PLANNING TOOL

The IA-CM can be used by management and
stakeholders to determine the IA activity
appropriate for their oversight needs
Similar process to a self-assessment
Preliminary assessment using the IA-CM
Sessions with IA activity staff and
stakeholders to confirm the as-is level

19

STRATEGIC PLANNING TOOL - EXAMPLES

Three IA activities in the United States
As a strategic planning tool
Identify the level of IA capability desired based on the
organizations needs and resources available
Develop an IA activity vision statement
Develop strategic objectives for a 2-4 year timeframe
and shorter-term project goals
Prepare a workforce plan
Present to audit committee

20

VISIONING AND COMMUNICATION TOOL

21

CAPACITY BUILDING AN EXAMPLE

IFAD Office of Audit and Oversight
Program to develop capacities of IA activities for
governments with which IFAD works
IFAD internal audit team performs an assessment of
Ministry IA activity using IA-CM
Report issued to Ministry noting areas for IA activity
improvement
Selected Ministry auditors work as part of IFADs
Audit and Oversight Office for six months
Their experiences potentially contribute to improved
practices in their Ministries IA activities
22

BENCHMARKING
IA-CM can be used as a source of
benchmarks by management, stakeholders,
and policy centres
Through identification of selected KPAs and
the practices institutionalized in that KPA
To assess level of capability/maturity in each
IA element by comparing practices of various
organizations and jurisdictions

23

BENCHMARKING AN EXAMPLE
Internal Audit Sector of The Office of the Comptroller
General in Canada (policy centre)
Used the IA-CM as its analytical framework
Identified relevant KPAs within each of the six
elements
Documented federal Government of Canada internal
audit practices
Highlighted other jurisdictions successful practices
that might be applied to federal government
Did not assess the level of capability/maturity of
internal auditing
24

BEYOND COMPLIANCE
Mandatory guidance in the IPPF is embedded at
level 3 - Integrated
Is Level 3 sufficient?
When and why aspire to Level 4 or 5?
An IA activity may choose to stay at a particular
level
Apply professional judgment
Consider environmental and organizational
factors
25

THE IA-CM FOR THE PUBLIC SECTOR

For more information, visit:

www.theiia.org/research/ia-cm
26