My thanks go to Frans Kersten, who suggested I review and comment on a June, 2016 publication by IIA–Netherlands and the Royal Netherlands Institute of Chartered Accountants (NBA), the Dutch association of CPAs.
Internal Audit Ambition Model is what I would ordinarily call a maturity model.
It's worth downloading and taking the time to consider.
This is how it is introduced:
A group of internal auditors expressed the wish to develop an ambition model that provides insight into how an IAF can grow into complying with the International Professional Practices Framework (IPPF) of The Institute of Internal Auditors (IIA) and/or the professional standards of the Royal Netherlands Institute of Chartered Accountants (NBA) and the Dutch professional association for IT auditors (NOREA).
In a joint effort, a number of enthusiastic members of IIA–Netherlands and the NBA Members Group of Internal and Government Auditors (LIO) created the Internal Audit Ambition Model (IA AM) that deals with the broad spectrum of the proactive design, setup and further development of the IAF. The model contains relevant best practices and recommendations from recent publications.
With this, the IA AM can become an excellent communication and benchmarking instrument for further spreading and increased recognition of the internal audit profession.
I congratulate the enthusiastic members and the associations that participated.
They set the bar very high:
The IA AM is a self assessment tool that provides levels of ambition and concrete best practices that can serve as guidelines for the CAE wanting more than just meeting professional standards. The IA AM helps CAEs formulate strategic objectives, evaluate the current IAF and define a road map to achieve the stated objectives. The IA AM can help the Audit Committee and/or Supervisory Board determine which aspects to take into account when assessing the internal audit mandate and ambition level. As such the IA AM shows the steps in progressing from a level of internal auditing typical of a less established organization to the strong, effective, internal audit capabilities generally associated with a more mature and complex organization.
Have they achieved their goal?
I will let you decide.
- I like the fact that they mention continuous risk assessment (and presumably continuous updating of the audit plan).
- However, I dislike the reference to annual and, especially, multi-year plans.
- I also have reservations about their focus on the bureaucratic aspect of internal auditing: not so much the charter as the formalization of audit procedures. We need to empower people to take innovative approaches in this dynamic environment.
- I am nervous about the idea of providing an opinion on "the overall adequacy of governance, risk management, and control". I prefer to provide an opinion whether there is reasonable assurance that the more significant risks will be managed as desired. The sources of those risks may lie in failures in internal control or in governance processes. But providing an opinion on the overall adequacy of governance is one step too far. It is not our job to assess the performance of the board. We have to be careful in our language as we assess governance processes where the risk to corporate objectives may be high.
What do you think of the model?
Have you seen a better one?