A fundamental challenge of today’s chief audit executive (CAE) is matching internal audit to the needs of the organization and the expectations of internal audit’s key stakeholders. While there is one International Professional Practices Framework (IPPF) and one International Standards for the Professional Practice of Internal Auditing, internal audit functions vary in their practices and level of development across organizations. A primary role of the CAE is to tailor the application of the IPPF to the organization, taking into account its unique needs and environment and knowing how to leverage a maturity model view of the IPPF and Standards in striving for internal audit excellence.
A Living Framework
One of the strengths of the IPPF is the principles-based nature of the Standards. Being principles based allows organizations of different industries, sizes, and locations — with varying governance models and stakeholder expectations — to apply the same set of standards. The principles-based nature of the Standards also helps add clarity and consistency, while still being relevant and adaptable to evolutions in society and in the organizations internal audit serves.
In 2015, the IPPF received significant enhancements that improved its ability to serve as a tool for internal audit functions to take their practice to higher levels of effectiveness and provide even greater value to their organizations. Two noteworthy changes are:
- Creation of the 10 Core Principles for the Professional Practice of Internal Auditing, which, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all principles should be present and operating effectively. However, with the release of these Core Principles, The IIA also recognized that how an internal audit function demonstrates achievement of the Core Principles may differ from organization to organization.
- Implementation Guides and Supplemental Guides moved from “strongly recommended” status to “recommended” status, adding further flexibility to the IPPF for practitioners.
The ever-evolving nature of the IPPF gives practitioners the flexibility they need to align to the unique needs of the organizations they serve. The IPPF’s various layers also provide practitioners with a framework they can use to continually integrate new methodologies, tools, resources, and practices to further mature their performance.
A Maturity Model View
Examples of Successful Uses of Maturity Models
- The IIA’s Internal Audit Capability Model for the Public Sector
- The Internal Audit Maturity Assessment – previously maintained by The IIA Quality Services Department
- IIA Path to Quality Model
- IIA Practice Guide, Process Capability Maturity Model
- IIA Practice Guide, Compliance and Ethics Program Maturity Model
- The ISACA COBIT 4.1 Model
- The RIMS Risk Maturity Model
- Software Engineering Institute Capability Maturity Models
- International Organization for Standardization and the International Electrotechnical Commission’s ISO/IEC 15504
When looking at internal audit’s conformance with the Standards, many practitioners and stakeholders at first may think of it as a binary exercise — either being in conformance or not. Perhaps this is natural, given that the external quality assurance and improvement assessment’s common ratings scale of “generally conforms,” “partially conforms,” and “does not conform” is widely recognized.
Practitioners should look at using the IPPF and the Standards as part of a journey toward greater maturity and continuous improvement. Such a continuous improvement view is consistent with the IPPF, which includes in the Standards the assertion that quality is not only about assessing quality at one point, but also about improvement, as outlined in Standard 1300: Quality Assurance and Improvement Program. A maturity framework approach allows practitioners to assess the audit function’s implementation of the IPPF to continually improve audit practice.
Maturity Model Structure
Many organizations have used maturity models to assess and help bring continuous improvement. The IPPF, itself, includes guidance on the use of maturity models, including The IIA’s Practice Guide, Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements. Based on review of other maturity models, the following categories are proposed for use in the model for applying the IPPF: Level 5 – Optimized, Level 4 – Managed, Level 3 – Defined, Level 2 – Repeatable, and Level 1 – Initial/Ad hoc.
It is natural to ask how these levels align with the category of general conformance to the Standards. For consistency, and to allow the maturity model to capture performance that falls below general conformance — as well as above the base general conformance level — Level 3 on the maturity framework will be defined with attributes that achieve general conformance with the Standards (see “Maturity Model Alignment Points” below).
Applying the Maturity Model to the Standards
By exploring several areas of the Standards, one can see how the maturity model may be applied. Some aspects of the Standards may seem binary, such as Standard 1000: Purpose, Authority, and Responsibility, which requires that an internal audit activity have a charter. Either an organization does or does not have an internal audit charter.
However, even given this binary nature, the maturity model can be used to highlight how to differentiate between conformance in Level 3 – Defined and below conformance (Level 2 – Repeatable and Level 1 – Initial/Ad Hoc). Perhaps even more importantly, note how Level 4 – Managed and Level 5 – Optimized can be used to differentiate higher levels of maturity and excellence, using the charter as an opportunity for stakeholder engagement, alignment, and elevation of internal audit stature and opportunity to perform (see “Internal Audit Maturity Model Related to the Standards” at the end of this article).
A fundamental area such as communication of results applies to every internal audit function. At the base levels, the column “Standard 2400: Communicating Results” in the “Internal Audit Maturity Model Related to the Standards” chart covers aligning the report with core points in the Standards. The higher levels of 4 – Managed and 5 – Optimized include exploring stakeholder value and insights received, as well as stakeholder, top executive, and board perceptions on the quality of internal audit reporting.
Lastly, talent is an area of importance and challenge for many internal audit functions, so using a maturity model approach to look at Standard 1000: Proficiency and Due Care, or any other standard to apply the IPPF, can identify an array of practices and performance levels that can result in distinct improvements.
Currently, internal audit functions often look for leading practices, opportunities to provide more value, and continuous improvement. Taking a fresh view of the IPPF and the Standards through a maturity model approach can help internal audit assess its current state, identify opportunities for improvement aligned with stakeholder priorities, and drive continuous improvement. Having a maturity model can equip the CAE with a framework and tools to help articulate options to stakeholders and the internal audit team. CAEs need to be adept at defining those aspects of applying the maturity model approach that will make a difference in their organization, given the stakeholder expectations and risks.
Does Size Impact Maturity?
Beyond maturity levels, internal audit itself varies in size, as does the organization it serves. A smaller internal audit function may not need as much documentation in planning and process as functions serving large, complex organizations. Some elements, such as an internal audit charter, will apply no matter what the size of the organization; however, other aspects of the IPPF, such as how to build talent models, may not require the same complexity of infrastructure.
The IIA’s Practice Guide, Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing, notes the level of challenge for a small internal audit function in conforming with various categories of the Standards:
- Low degree of challenge: Standard 1000: Purpose, Authority, and Responsibility.
- Medium degree of conformance challenge: Standard 1100: Independence and Objectivity, Standard 1300: Quality Assurance and Improvement Program, Standard 2000: Managing the Internal Audit Activity, Standard 2200: Engagement Planning, and Standard 2300: Performing the Engagement.
- High degree of conformance challenge: Standard 1200: Proficiency and Due Professional Care, Standard 2100: Nature of Work, Standard 2400: Communicating Results, Standard 2500: Monitoring Progress, and Standard 2600: Communicating the Acceptance of Risks.
For an audit department covering a smaller, less complicated organization, some of the higher levels of internal audit maturity may not be needed. However, some aspects of internal audit excellence that save money and time may be as important in a smaller, closely aligned, agile organization as in a large, international conglomerate.
In a small internal audit department, the challenges can be addressed through flexible planning, process disciplines that keep everyone on track, and tools available to CAEs of small groups. For example, flexibility can be applied during internal audit risk assessments, in duration and style of internal audit projects, and in documentation and communications. In process discipline, internal auditors should focus on what is important to accomplish and eliminate the unnecessary, strive to automate repetitive tasks, and leverage checklists and lessons learned to continually improve.
Many tools and resources are available to internal audit groups of all sizes and maturity levels, thanks to The IIA, the internet, and peer networks. There also are many technology solutions that can help ease the administrative needs of small departments by facilitating standard workflows, approval/review processes, and action plan follow-up. Having a robust system can be a key source for demonstrating compliance with several of the standards.
Anderson and Dahle are co-authors of Applying the International Professional Practices Framework, 4th Ed., published by the Internal Audit Foundation.