Presentation on theme: "Internal Audit Capability Model (IA-CM) for the Public Sector"— Presentation transcript:
1 Internal Audit Capability Model (IA-CM) for the Public Sector Using the IA-CM as aSelf-assessment ToolDisclosureCopyright 2009 The Institute of Internal Auditors Research FoundationThe Institute of Internal Auditors Research Foundation based the structure and certain other elements of this model, in part, on “CMMI® for Development, Version 1.2,” CMU/SEI-2006-TR-008, copyright 2006 Carnegie Mellon University, with special permission from the Software Engineering Institute. This model has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. CMMI is a registered trademark of Carnegie Mellon University.IA-CM
2 Agenda What is the IA-CM? Structure of the IA-CM. Underlying principles.Structure of the IA-CM.Self-assessment steps.Considerations.Communicate results.More information.The presentation will begin by talking about what the Internal Audit Capability Model for the Public Sector is — particularly with respect to its underlying principles and structure.I will then review how it can be used to conduct a self-assessment of an IA activity, considerations to be addressed during the self-assessment, and the importance of fully communicating the results.
3 What is the IA-CM? Communication vehicle. Framework for assessment. A road map for orderly improvement.The Internal Audit Capability Model is intended to be used globally as a basis for implementing and institutionalizing effective internal auditing in the public sector and as a road map for orderly improvement to strengthen capabilities within internal auditing.As such, the IA-CM is a framework that describes the fundamentals needed for effective internal auditing. It describes an evolutionary path for a public sector organization to follow in developing effective internal auditing to meet the governance needs of the organization and professional expectations.The IA-CM provides:A communication vehicle — a basis for communicating what is meant by effective internal auditing and how it serves an organization and its stakeholders, and for advocating its importance to decision makers.A framework for assessment — a framework for assessing the capabilities of an IA activity against professional internal audit standards and practices, either as self-assessment or an external assessment.A road map for orderly improvement — a road map for building capacity that sets out the steps an organization can follow to establish and strengthen its IA activity.
4 IA-CMWhy Public Sector?Internal auditing (IA) varies widely from country to country.Differences in culture, management practices, and processes.Need for a governance model, including IA.Opportunities to:Modernize/evolve IA.Improve its effectiveness.Deliver added value.Critical need for a developmental model, especially in developing countries.The model focuses on internal auditing in the public sector.In 2004, The IIA’s Public Sector Committee (PSC) recommended that an IA-CM be developed to reinforce the importance of internal auditing in public sector governance and accountability. It recognized that internal auditing could vary significantly from country to country because of differences in management practices, processes, and culture of a particular government. The PSC identified the need for a universal model that public sector IA activities could use as a self-assessment and development tool to assess their progress and determine training and capacity-building needs.At that same time, governments at all levels — national, regional (provincial or state), and local (county or city) — were acknowledging the critical importance of internal auditing in enhancing the economy, efficiency, and effectiveness of all levels of public sector administration. There was clearly a need for a universal public sector governance model that included internal auditing.Through the development and use of such a model, opportunities will be identified to modernize or evolve internal auditing, improve its effectiveness, and deliver added value. The model was also seen as critical for improving internal auditing in developing countries.
5 Underlying Principles IA-CMUnderlying PrinciplesIA Activity’s ObligationsBe an integral component of effective governance in the public sector.Help organizations achieve their objectives and account for their results.Organization’s ObligationsDetermine optimum level of IA capability to support required governance structures.Achieve and maintain the desired capability.There are a number of principles that underlie the IA-CM.For example, the IA activity has an obligation to be an integral component of effective governance in the public sector and help organizations achieve their objectives and account for their results.The organization is also obligated to determine the optimum level of IA capability to support its governance structures and achieve and maintain the desired IA capability.In this respect, it is critical that senior management establish a supportive environment for internal auditing.
6 Underlying Principles IA-CMUnderlying PrinciplesSelecting Optimum CapabilityThree variables:Environment.Organization.IA activity.Different capability required.Auditing must be cost-effective.No “one size fits all.”It is important to select the optimum capability needed for the IA activity.To do so, three variables must be considered — the overall external environment in which the organization operates, the organization, and the IA activity itself.In determining the most appropriate IA activity for an organization in the public sector, it is important to consider the influence that corporate governance structures, control frameworks, and risk management have on the ability to implement internal auditing and develop the necessary internal audit capabilities.The reality that management capacity, infrastructure, and governance arrangements are different in developed and developing countries must also be considered.As such, not every organization requires the same internal audit capability or sophistication. A different capability may be required. The appropriate capability level will be commensurate with the nature and complexity of the organization and the risks to which the organization may be exposed.In addition, internal auditing must be delivered in a cost-effective manner.In summary, “no one size fits all."
7 Structure of the IA-CM Capability Level Key Process Area PurposeActivitiesThe IA-CM is made up of levels. It is a layered framework that provides the progression needed to achieve continuous improvement.Each capability level consists of one or more Key Process Areas (KPAs).KPAs are the main building blocks that determine the capability level achieved — a KPA identifies a cluster of related activities that, when performed collectively, achieve a purpose and produce immediate outputs and longer-term outcomes. The KPA is mastered when it is implemented in an effective and lasting way.Achieving a given capability level involves mastering all of the KPAs associated with it and ensuring that these key processes are institutionalized within the IA activity.The next slide describes the five capability levels identified for the IA activity.Outputs &OutcomesMastery7
8 IA Capability Model Levels IA-CMIA Capability Model LevelsLEVEL 5OptimizingLEVEL 4ManagedLEVEL 3IntegratedLEVEL 2InfrastructureLEVEL 1InitialNo sustainable, repeatable capabilities – dependent upon individual effortsSustainable and repeatable IA practices and proceduresIA management and professional practices uniformly appliedIA learning from inside and outside the organization for continuous improvementIA integrates information from across the organization to improve governance and risk managementAs noted previously, the IA-CM is a framework that describes the fundamentals needed for effective internal auditing.Each capability level describes the characteristics and capabilities of an IA activity at that level. As either the size or complexity of an organization or the risks associated with its operations increases, so does the need for more sophisticated IA capabilities. The capability levels in the model provide a road map for continuous improvement within the IA activity. However, an IA activity may choose to remain at any level and still represent a best practice at that level for that IA activity in that organization in that particular environment.At Level 1 — Initial, the internal audit infrastructure and its institutional capability are not developed. There may be isolated single audits, but the outputs are dependent on the skills of individuals. Internal auditing is ad hoc and unstructured.At Level 2 — Infrastructure, the focus is on establishing repeatability of processes and capability. The IA activity’s reporting relationships, management and administrative infrastructures, and professional practices and processes are being established. But there is still a reliance on the skills and competencies of specific individuals. The IA activity will likely partially conform to the Standards.At Level 3 — Integrated, the IA activity’s policies, processes, and procedures are defined, documented, and integrated into each other and the organization’s infrastructure. IA management and professional practices are well established. IA is starting to be aligned with the organization’s business. The focus is on team building and capacity. The IA activity will likely generally conform to the Standards.At Level 4 — Managed, the IA activity is a well-managed business unit. IA functions as integral part of the organization’s governance and risk management. Performance metrics are in place. The requisite skills and competencies are in place with a capacity for renewal and knowledge sharing. IA is recognized as delivering significant contributions.At Level 5 — Optimizing, the IA activity is a learning organization with continuous process improvements and innovation. IA uses information from inside and outside the organization to effect change within. It has “world-class” best-practice performance. The IA activity is a critical part of the organization’s governance structure. It has top-level professional and specialized skills. Its performance measures are fully integrated to drive performance improvements.
9 IA-CMWhy Levels?Different performance expectations and measures in current practice.Capability gets built in steps/stages.Need a common map/conceptual framework.Help select the capability level appropriate for an organization.Why levels? Because there are different performance expectations and measures in current practice. This model attempts to match the nature and complexity of an organization with the IA capabilities needed to support it. In other words, if the organization requires a greater degree of sophistication in internal audit practices, the IA activity will typically be at a higher capability level. The IA capability level is often tied to the governance structure of the organization that it serves.Furthermore, capability is built in steps or stages. Specifically, the IA-CM is a framework for strengthening or enhancing internal auditing through many small evolutionary steps. The model illustrates the stages through which an organization can evolve as it defines, implements, measures, controls, and improves its IA processes and practices.As noted previously, these steps have been organized into five progressive capability levels. The levels provide a conceptual framework or a common map where the improvements or practices at one level provide the foundation on which to progress to the next level. Hence, it is a “building block” approach to establishing effective internal auditing in an organization.In summary, the levels help determine the internal audit requirements according to the nature, complexity, and associated risks of the organization’s operations and identify the appropriate level of IA capability needed by an organization.
10 IA-CMIA Activity ElementsThe IA activity consists of the following six elements:Services and role of IA.People management.Professional practices.Performance management and accountability.Organizational relationships and culture.Governance structures.In the model, six essential elements were identified for an IA activity. The first four relate primarily to the management and practices of the IA activity itself while the last two, “Organizational Relationships and Culture” and “Governance Structures,” also include the IA activity’s relationship with the organization it supports and the internal and external environments.The role — to provide independent and objective assessments to assist the organization in accomplishing its objectives and improve operations — is found to some degree in most IA activities in the public sector. The means or services provided vary among different jurisdictions and environments. Services provided are typically based on the needs of the organization and the IA activity’s authority, scope, and capacity. Services can be performed by the IA activity itself, co-sourced with external service providers, or outsourced.People Management involves the process of creating a work environment that enables people to perform to the best of their abilities. It begins when a job is defined as needed.Professional Practices reflects the full backdrop of policies, processes, and practices that enable the IA activity to be performed effectively and with proficiency and due professional care.Performance Management and Accountability refers to information needed to manage, conduct, and control the operations of the IA activity and account for its performance and results. It refers to reporting on the effectiveness of the IA activity to relevant stakeholders and the public.Organizational Relationships and Culture refers to the organizational structure of the IA activity and its positioning within the management regime. It also refers to the IA activity’s relationships with other units in the organization, both within the administrative infrastructure and as part of the management regime. It refers to the internal relationships and the internal culture and environment of the organization. It refers to relationships with other review providers and the external auditor, including the legislative auditor, if applicable.Governance Structures includes the reporting relationship (administrative and functional) of the CAE and how the IA activity fits within the organizational and governance structure of the organization. It includes the means by which the independence and objectivity of the IA activity is assured (e.g., through its mandate, legislated authority, and/or oversight body — the audit committee). It also refers to the policies and processes established to support and resource the IA activity and contribute to its effectiveness and independence.
11 Internal Audit Capability Model Matrix IA-CMInternal Audit Capability Model MatrixServices and Role of IAPeople ManagementProfessional PracticesPerformance Management and AccountabilityOrganizational Relationships and CultureGovernance StructuresLevel 5 –OptimizingIA Recognized as Key Agent of ChangeLeadership Involvement with Professional BodiesWorkforce ProjectionContinuous Improvement in Professional PracticesStrategic IA PlanningPublic Reporting of IA EffectivenessEffective and Ongoing RelationshipsIndependence, Power, and Authority of the IA ActivityLevel 4 –ManagedOverall Assurance on Governance, Risk Management, and ControlIA Contributes toManagement DevelopmentIA Activity Supports Professional BodiesWorkforce PlanningAudit Strategy Leverages Organization’s Management of RiskIntegration of Qualitative and Quantitative Performance MeasuresCAE Advises and Influences Top-level ManagementIndependent Oversight of the IA ActivityCAE Reports to Top-level AuthorityLevel 3 – IntegratedAdvisory ServicesPerformance/Value-for-Money AuditsTeam Building and CompetencyProfessionally Qualified StaffWorkforce CoordinationQuality Management FrameworkRisk-based Audit PlansPerformance MeasuresCost InformationIA Management ReportsCoordination with Other Review GroupsIntegral Component of Management TeamManagement Oversight of the IA ActivityFunding MechanismsLevel 2 – InfrastructureCompliance AuditingIndividual Professional DevelopmentSkilled People Identified and RecruitedProfessional Practices and Processes FrameworkAudit Plan Based on Management/Stakeholder PrioritiesIA Operating BudgetIA Business PlanManaging within the IA ActivityFull Access to the Organization’s Information, Assets, and PeopleReporting Relationship EstablishedLevel 1 –InitialAd hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs dependent upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areasThis slide depicts the Internal Audit Capability Model for the Public Sector graphically as a one-page matrix. The vertical axis represents the capability levels — with the capability of the IA activity increasing from bottom to top. The elements of internal auditing are presented on the horizontal axis.Each capability level consists of one or more “key process areas” (KPAs). These are associated with the six elements of internal auditing. The key process area/s for each level for each element is identified in the relevant boxes for the appropriate level.The colors on the IA-CM one-page matrix depict the extent or influence that the IA activity has over the elements. Specifically, moving from left to right, the ability of the IA activity itself to independently create and institutionalize the KPAs decreases. For example, the IA activity will likely have greater control over its role and services than over its governance structure. Similarly, an IA activity has potentially less ability to independently institutionalize the KPAs as the capability levels move upward on the matrix from levels 2 to 5. This shift occurs because the organization and the environment will tend to increase their influence over whether the IA activity is able to institutionalize the KPAs at the higher capability levels.Furthermore, to move from Level 1 to 2, certain prerequisites need to exist in the environment such as maturing governance structures, financial management, control, and accountability frameworks, government stability, a receptive organizational culture, and central drivers for internal auditing.In summary, the IA activity will likely have more control in creating and institutionalizing the KPAs found in the elements and levels that are illustrated in dark green.
12 IA-CMUsing the IA-CMNot prescriptive — what should be done rather than how to do it.A universal model with comparability around principles, practices, and processes to improve IA and be applied globally.The IA-CM is not intended to be prescriptive in terms of how a process should be carried out, but rather what should be done. It is intended as a universal model with comparability around principles, practices, and processes that can be applied globally to improve the effectiveness of internal auditing.As noted previously, it is very important to consider the public sector organization, its needs, capacities, complexities, and governance and financial management environment in determining if and at what stage the IA activity can exist.
13 Self-assessment Steps IA-CMSelf-assessment StepsUnderstand the IA-CM.Identify KPAs that appear to be institutionalized by the IA activity.Review documentation re: IA activity, organization, and environment.Interview managers/stakeholders.Confirm actual KPAs institutionalized.Determine capability level.Communicate results.When using the IA-CM as a self-assessment tool, it is important to begin by understanding the purpose and structure of the IA-CM.Next, identify a team to conduct the self-assessment — the team should include, at a minimum, a person skilled in conducting internal or external assessments of an IA activity and another person who is involved in making improvements to the IA activity.In actually conducting the self-assessment, the following steps have been described in detail in Appendix B of the IA-CM Research Report.Familiarize the CAE and other internal audit professionals with the IA-CM.Identify the KPAs that appear to be institutionalized by the IA activity.Obtain and review relevant documentation relating to the IA activity.Obtain and review relevant documentation relating to the organization and the external environment of the IA activity.Interview senior managers and other key stakeholders.Confirm which KPAs have been institutionalized within the IA activity and determine the capability level.Present the results of the self-assessment.
14 Considerations Apply professional judgment. IA-CMConsiderationsApply professional judgment.Consider environmental and organizational factors.Is Level 3 sufficient?Can capability levels be skipped?Can KPAs be ignored?Must all elements be at the same capability level?This slide includes some considerations that should be addressed when applying and interpreting the IA-CM.First, professional judgment is needed to apply and interpret the IA-CM.The model also recognizes how the external regulatory environment and the public sector organization itself may impact on the capability of the IA activity. For example, organizational factors such as size, nature, complexity, and risks of operations must be considered when assessing whether and how a particular KPA is implemented and institutionalized.Is Level 3 sufficient? An IA activity at capability Level 3 – Integrated will generally conform to the Standards and focuses its efforts on capacity, independence, and objectivity. While capability levels in the IA-CM provide a road map for continuous improvement, an IA activity may choose to remain at Level 3. However, it is important that it not become complacent at Level 3. The external environment, the organization’s culture and business processes, or the makeup of the IA activity may change. It needs to ensure that the KPAs, up to and including those in Level 3, remain institutionalized and continuously improve on the quality of those processes through refining the institutionalizing practices, if necessary.Can capability levels be skipped? With the exception of Level 1– Initial, it is not possible to skip levels.Implementation of the KPAs at one level establishes the basis for the practices and capabilities at the next level and provides the foundation upon which to progress to the next level. Without building an appropriate foundation at one level for implementing a KPA at the next level, that KPA may not be sustainable or achieve the outputs and outcomes desired.Can KPAs be ignored? No, all KPAs should be considered as relevant. There are relationships among the KPAs at a particular level and within the elements.Must all elements be at the same capability level? No, it is not unusual for an IA activity to have strengths in one or more of the internal audit elements. However, for an IA activity to achieve a given capability level, the KPAs in all elements up to and including that level must be institutionalized in the culture of the IA activity.
15 IA-CMCommunicate ResultsIdentify strengths and areas for improvement of the IA activity.Identify “leading practices” of the IA activity.The results of the assessment are presented as a profile of the IA activity’s strengths and areas for improvement against the KPAs of the IA-CM. Leading practice examples of the IA activity also may be highlighted. The capability level of the IA activity is the lowest level for which all the KPAs have been institutionalized. The results of the assessment identify the KPAs or elements where the IA activity may want to focus to improve its effectiveness. However, it may be determined that the level achieved by the IA activity is the most appropriate for that activity in that organization in that particular environment.
16 Internal Audit Capability Model (IA-CM) for the Public Sector For more information, visit:IA-CM