www.theiia.org draft version – do not distribute or copy © 2007, iia research foundation – all...
TRANSCRIPT
www.theiia.orgDRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
The IIAResearch Foundation
Internal Auditing Capability Maturity Model
(IA-CMM)Preliminary Draft
Validation Session
Republic of CroatiaMinistry of Finance
Internal Audit Division
www.theiia.org 2DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Outline
• Validation Objectives• Why an IA-CMM?
– Underlying Principles– Matrix
• Validation Results
www.theiia.org 3DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Validation Objectives
• Review purpose, theory and uses of the IA-CMM
• Refine, confirm and elaborate on– Capability Maturity Levels– Elements of Internal Auditing (IA)– Key Process Areas (KPAs)– Practices/Means to Institutionalize KPAs
• Identify issues to be addressed
www.theiia.org 4DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Why the IA-CMM?
• Framework for Assessment– Basis for implementing and
institutionalizing effective internal auditing in the public sector
– Roadmap for orderly improvement to strengthen capabilities
• Communication Vehicle
www.theiia.org 5DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Underlying Principles
Selecting Optimum Capability• Three variables
– Environment– Organization– IA Activity
• Different capability required• Auditing must be cost-effective • No “one size fits all”
www.theiia.org 6DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Key Process Area Key Process Area
Typical Structure of a Capability Maturity Model
Key Process Area
Goals
Activities
Capability Level
Outputs & Outcomes
Mastery
www.theiia.org 7DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
IA-CMM Capability Maturity Levels (Draft)
LEVEL 2 Infrastructure
LEVEL 3 Integrated
LEVEL 4Managed
LEVEL 5Optimizing
LEVEL 1 Initial
www.theiia.org 8DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Preliminary Draft Internal Auditing Capability Maturity Model Matrix Services & Role of IA
People Management Professional Practices Performance Management & Accountability
Organizational Relationships &
Culture
Governance Structures
Level 5 –Optimizing
IA as a Change Agent
Leadership Involvement with Professional
Associations
Workforce Projection
Continuous Improvement in Professional Practices
Anticipatory IA Planning
Public Reporting of IA Effectiveness
Effective and Ongoing
Relationships
Independence, Power and
Authority of the IA Activity
Level 4 –Managed
Assurances on Governance,
Risk Management,
Control
IA as a Management Development and Career Tool
IA Activity Supports Professional Bodies
Workforce Planning
Strategic Alignment of Audits with
Organization’s Management of Risk
Integration of Qualitative and
Quantitative Performance
Measures
CAE Advises and Influences Top-
Level Management
Independent Oversight of the IA
Activity
CAE Reports to Top-Level Authority
Level 3 – Integrated
Performance / Value-for-Money
Audits
Advisory Services
Team Building and Competency
Professionally Qualified Staff
Workforce Coordination
Quality Management Framework
Risk-Based Audit Plans
Cost Information
Performance Measures
IA Management Reports
Integral Component of Management
Team
Management Oversight Committee
Funding Mechanisms
Full Access to the Organization’s
Information, Assets and People
Level 2 – Infrastructure
Compliance Auditing
Individual Professional Development
Identify and Recruit Skilled People
Professional Practices and Processes Framework
Audit Plan Based on Management / Stakeholder
Priorities
IA Business Plan
IA Operating Budget
Managing the Work of the IA
Activity
Reporting Relationship Established
Level 1 - Initial
Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs dependent upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas
www.theiia.org 9DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Validation Process
• Review Documentation re: IA-CMM Elements; Environmental Factors
• Walkthrough IA-CMM– Chief Audit Executive– Internal Audit Practitioners – Key Stakeholders
• CHU• State Auditor• Auditee Client
www.theiia.org 10
DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Validation Results
• Importance of External Environment, Organizational Factors
• Need more clarity in some elements and KPAs
www.theiia.org 11DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Issues For Consideration
• Advisory Services– Independence and Objectivity of IA
• Team Building and Competency– Communication
• Quality Management Framework– External Quality Assessment
www.theiia.org 12
DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Issues For Consideration
• Governance Structures– Funding Mechanisms– Management Oversight Committee– Independent Oversight of IA
• Role of CHU• IA’s Relationship with External
(State) Auditor
www.theiia.org 13
DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Leading Practices
• Training and Professional Development– Modules– CPIA– IA Classification System
• Relationship Building– CAE Network
• Professional Practices Framework – Law, Charter, Code of Ethics, Rulebook,
Manual
14
Croatia - Internal Audit Legal Framework
Code of ethics Internal audit standards
Rulebook for budget users IAInternal audit manual
PIFC Law
Decree on organisation of MoF/Rulebook for job descriptionCharter of internal auditorsWorking procedures of IAD
Strategic/annual planInternal audit programmes/guidelines
Internal audit reports/Follow up
Sta
teC
HU
MoF
www.theiia.org 15
DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
Next Steps
• Refine and validate the draft model based on each global validation session
• Completed IA-CMM–2008– Summary– Implementation Workbook/s – Illustrative recommended and leading
practices
www.theiia.org 16
DRAFT VERSION – DO NOT DISTRIBUTE OR COPY© 2007, IIA Research Foundation – All Rights Reserved
…
• “When you aim for perfection, you discover it's a moving target” – Geoffrey F. Fisher (1887–1972) archbishop of Cantebury