The mission of the IIARF is to advance the knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession worldwide. Much of the content presented in their final reports is the result of IIARF-funded research and prepared as a service to the Foundation and the internal audit professional. This report reflects the results of the research conducted to develop and validate the Internal Audit Capability Model (IA-CM) for the public sector.
The overview provides background to the research project itself, some environmental and contextual information about internal auditing and a description of the model, including its underlying principles and structure. Some examples of developments and best practices of IA activities identified during the global validation of IA-CM are highlighted along with guidance to help use IA-CM as a self-assessment tool. The World Bank Internal Audit Department for its financial support and technical expertise working with the research team to validate the IA-CM globally.
The IA and other activities, identified in Exhibits A.1 and A.2, that participated during the IA-CM global assessments and specifically the two IA activities that piloted the on-site assessments outside and within North America - Internal Audit Service of the Ministry of Finance in the Republic of Croatia and the Office of the Chief Auditor of the Texas Commission on Environmental Quality in Austin, Texas, USA. The brief provides a high-level overview of the Internal Audit Competency Model (IA-CM) for the Public Sector. It includes the background of the research project itself, some background and contextual information about internal auditing, and a description of the model, including its underlying principles and structure.
The model is based on an adaptation of the Software Engineering Institute's Software Capability Maturity Model®, which was developed as a tool for assessing an organization's ability to build software applications, and on the more recent technical report, “CMMI® for Development, version 1.2. ”1.
They could report to legislators on the extent to which each public sector IA activity has reached maturity in terms of governance, policy and practice framework, organization and structure, resources and services. The research team felt that global validation was critical to the applicability and acceptability of the model. The World Bank's Internal Audit Department worked with IIARF to ensure sufficient global validation.
A detailed validation plan was developed to identify public sector IA activities at each of the capacity levels in different locations around the world. The model was validated and refined to ensure that it was workable, useful, practical and relevant to public sector IA activities. A detailed report of the results of each on-site validation (which included development/best-practice examples, suggestions for improving the IA activity and adjustments to the IA-CM) was provided to validation participants.
Sixteen IA activities in public sector settings worldwide participated in the on-site validation of IA-CM. Annex A in the Application Guide provides more details on the Phase 2 validation methodology, its participants and the evolving cases/best practice examples identified during the on-site validations.
Internal auditing and the environment
Extensive consultation and interaction took place with internal audit professionals, key stakeholders and communities of interest, including senior management, members of the audit committee and supreme audit institutions, as well as relevant service providers. In addition, input was sought from various local internal audit institutes and the IIA's international committees, particularly the PSC. Internal auditing is performed by professionals with an in-depth understanding of the organization's business culture, systems and processes.
Internal auditors are expected to follow the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) and adhere to its Code of Ethics. To be seen as adding value, the IAA must strategically align the needs and priorities of all its key stakeholders, including the AC [audit committee], executive management and external auditors.”3 The IA activity works with management and the oversight body to ensure provides that management processes are effective and efficient, internal controls are adequate to mitigate the organization's risks, and organizational goals and objectives are achieved.
There may be real capacity constraints that affect the implementation of internal audit in a given environment or limit the activity of the CA to a less developed skill level. In some developing and transition countries, it may not be possible to generally comply with the Standards due to environmental and political factors. For example, if the environment has not fully embraced organizational and individual accountability for results, it may be difficult for internal auditing to progress beyond levels 1 or 2.
Internal auditing is an integral part of effective management in the public sector and helps organizations achieve their goals and be accountable for their results. When assessing the performance level of an IA activity, three variables must be considered – the activity itself, the organization and the overall environment in which the organization operates. It is the responsibility of the organization to determine the optimal level of internal audit capability to support its management needs and to achieve and maintain the desired capability.
The appropriate level will be commensurate with the nature and complexity of the organization and the risks to which the organization may be exposed. The capability of the CA activity is directly related to the actions taken by the Chief Audit Executive (CAE) to establish the processes and practices necessary to achieve and maintain internal audit capabilities and the measures taken by the organization's management to create an environment internal audit support. IA-CM is intended as a universal model with comparability around principles, practices and processes that can be applied globally to improve internal audit effectiveness.
Initial
Objective To have developed the professional and leadership capabilities of the IA activity sufficiently to provide foresight and serve as a catalyst to bring about positive change in the organization. Objective To facilitate and support top leaders of the IA activity to become key leaders within relevant professional organizations. Purpose To coordinate long-term workforce development activities to meet the future business needs of the IA activity.
Purpose To integrate the development of the organization's managers with the training and experiences of the IA activity and vice versa. Purpose To coordinate the development of the periodic audit and services plan to the human resource levels authorized for the IA activity. Purpose To identify and attract people with the necessary competencies and relevant skills to carry out the work of the IA activity.
Purpose To understand the strategic directions of the organization and the evolving issues and risks, and to change the skill sets and audit services of the IA activity to meet the possible future needs. Purpose To link the periodic audit plan and activities of the IA with the organization's enterprise risk management strategies and practices. Purpose To create and maintain processes for monitoring, evaluating and continuously improving the effectiveness of the AB activity.
Objective To systematically assess risks and focus the priorities of the IA activity's periodic audit and service plan on risk exposure across the organization. Objective To enable the IA activity to use performance information to measure and monitor fluctuations that affect results. Purpose To receive and use information to manage the day-to-day activities of the IA activity, support decision-making and provide accountability.
Purpose To allocate and use its operating budget to plan AB activity services. Interactions with the organization's managers are focused on conducting the business of the AB activity. Purpose To create a robust and transparent financing process that provides sufficient resources to allow the activity of the AB to fulfill its obligations.
Selected bibliography and resource links 4
Lead, Sridhar Ramamoorti and Mark Salamasick, Internal Auditing: Assurance and Consulting Services (Altamonte Springs, FL: Internal Auditor Research Foundation, 2007). A Vision for the Future: Leading the Internal Auditing Profession to Excellence (Altamonte Springs, FL: . Institute of Internal Auditors, 2008). A Vision for the Future – The Professional Practices Framework for Internal Auditing (Altamonte Springs, FL: Institute of Internal Auditors, 1999).
Research Opportunities in Internal Auditing (Altamonte Springs, FL: Institute of Internal Auditors Research Foundation, 2003). Thomas White, A Framework for the Internal Audit Unit's Opinion on Internal Control (Altamonte Springs, FL: Institute of Internal Auditors Research, 2004). The role of internal audit in government financial management: an international perspective. International Monetary Fund.
Fraser, John and Hugh Lindsay, 20 Questions Directors Should Ask About Internal Auditing (Toronto, Canada: The Canadian Institute of Chartered Accountants, 2004). The Institute of Internal Auditors, "Practical Considerations Regarding Internal Auditing in Expressing an Opinion on Internal Control." June 2005. The Institute of Internal Auditors, "The Role of Internal Auditing in Enterprise-Wide Risk Management." 2004.
Institute of Internal Auditors, Survey of Internal Audit Organizations in Provinces and Territories in Canada.
