Measuring Up: Internal Audit Capability Maturity Model

Compliance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing is a requirement for Internal Audit Departments around the world. As most already know, compliance is validated through an External Quality Assessment completed by an independent third party (such as Vonya Global). The evaluation and final grade are generally pass/fail (yes, there are shades of gray).

So, for argument's sake, let’s say an Internal Audit Department has failed an External Quality Assessment. Does this mean the Internal Audit Department is not meeting the expectations of Executive Management and the Audit Committee? Maybe, maybe not. What if the Internal Audit Department simply is not ready for the External Quality Assessment? Maybe a new Chief Audit Executive just took over. Maybe the company made a significant acquisition. In fact, there are many reasons why an Internal Audit Department may not fully comply with the IIA Standards.

If that is the case, then shouldn't there be an alternative?

There is an alternative for evaluating the effectiveness of the Internal Audit Department, one in which the fear of non-compliance is eliminated. It is called the Internal Audit Capability Maturity Model.

The Internal Audit Capability Maturity Model (IA-CM) was developed by the Institute of Internal Auditors Research Foundation in 2009. This model is a framework that identifies the fundamentals needed for an effective Internal Audit Department. Rather than aligning strictly with the Institute of Internal Auditors Standards, this framework provides flexibility for organizations that use their Internal Audit Department in varying manners, and it ties to leading practices within Internal Audit.

The IA-CM framework identifies the fundamentals needed for effective internal auditing and classifies them into six Essential Elements.

  • Services and Role of Internal Audit
  • People Management
  • Professional Practices
  • Performance Management and Accountability
  • Organizational Relationships and Culture
  • Governance Structures

Within the Essential Elements are Key Process Areas that increase in sophistication through five levels of maturity.

  • Level 1 Informal: The IA activity is ad hoc or unstructured. No professional practices have been established, and there is an absence of infrastructure.
  • Level 2 Infrastructure: The IA activity has established and is maintaining the repeatability of processes. There is partial conformance to the IIA Standards, and appropriate reporting relationships are established.
  • Level 3 Integrated: Policies and procedures are defined, documented, and integrated into the culture of the IA activity.
  • Level 4 Managed: IA activity is recognized as a significant contributor to the organization. Performance metrics are in place to measure and monitor IA performance. IA is a well-managed business unit.
  • Level 5 Optimizing: World-class. The IA activity has acquired top-level professional and specialized skills, and is a critical part of the organization’s governance structure.

The final conclusion on the external assessment will be determined based on several factors, including the following:

  • Established purpose of Internal Audit department
  • Results of Interviews/questionnaires
  • Results of testing
  • Assessment of maturity in each element vs. purpose of department

The Internal Audit Capability Maturity Model was created for the public sector to help those organizations implement the fundamentals of effective internal auditing. While designed for the public sector, the model can be applied to any organization, regardless of industry or sector. Vonya Global is one of the few firms that have developed a methodology for evaluating Internal Audit Departments against the IA-CM and has used this methodology to help organizations outside of the public sector.

This article was first published on the Vonya Global blog in 2012.

Sunil Panjwani

Chief Risk Officer, Chief Audit Executive, US Big 4, US Fortune 500

8 years ago

Informative article.
