Maturity Model PDF
www.theiia.org
Internal Audit Process Maturity
Quality Assurance and Improvement Program – Key Characteristics
IIA Standards require that the Chief Audit Executive communicate the results of the quality assurance and improvement program to senior management and the board.

The process to execute the Quality Assurance and Improvement Program is documented in the internal audit Policy and Procedure Manual.

Responsibility for implementation of the Quality Assurance and Improvement Program is assigned to personnel who are independent and objective.

Significant company systems are used to derive relevant Key Performance Indicators (KPIs) that are monitored and used during the internal quality assessment process.

The results of periodic internal assessments are reported to and reviewed with senior management and the Audit Committee.

The internal audit Policy and Procedure Manual describes the Quality Assurance and Improvement Program requirements.

The process is reviewed periodically to ensure it is current with IIA Standard requirements as well as consistent with leading internal audit practice.

External assessments are conducted by qualified personnel who are independent from the organization.

External assessment providers deliver qualitative and quantitative benchmarks that are reported to both management and the Audit Committee to facilitate continuous improvement.

The internal audit activity charter establishes the requirement for the Quality Assurance and Improvement Program.

Fully dedicated internal audit staff are assigned to perform the periodic internal quality assessments, with strong experience in internal audit and performing quality assessments.

Client Feedback forms are solicited and received back from each client and documented within the work papers to assist in continuous improvement of the internal audit processes.
Quality Assurance and Improvement Program
The matrix has five dimensions as columns (Policy; Methodology and Process; People; Systems and Information; Communication and Reporting) and five overall maturity levels as rows. Reading from the top, the levels are Optimized, Managed, Defined, Repeatable, and Initial; the margin arrow runs from Realization of Value Proposition at the top (Optimized) down to Risk of Failure at the bottom (Initial).

Overall Maturity Level: Optimized
Policy: Continuous monitoring and updating for necessary changes and emerging leading practices.
Methodology and Process: Continuous monitoring and updating for necessary changes and emerging leading practices.
People: SMEs identified and used; training and development monitored; robust succession planning in place.
Systems and Information: Extensive use of data mining and analytics; continuous audit and monitoring processes in place driving value.
Communication and Reporting: Communication and reporting highly effective; high level of quality demonstrated in timely reports.

Overall Maturity Level: Managed
Policy: Policies are communicated to personnel and training occurs as necessary.
Methodology and Process: Methodology and processes are communicated to personnel and training occurs as necessary.
People: All resources have appropriate skills and credentials; targeted training and development in place.
Systems and Information: Data integrity is high; automated reports are reliable; key data is monitored continuously.
Communication and Reporting: Communication and reporting highly effective; quality and timeliness metrics defined and monitored.

Overall Maturity Level: Defined
Policy: Policies are defined, in place, and documented.
Methodology and Process: Uniform methodology and processes are defined, in place, and documented.
People: Appropriate skills and credentials in place; training requirements documented and executed.
Systems and Information: Stable systems in place; information generated is reliable and relied upon.
Communication and Reporting: Communication and reporting processes are defined, in place, and documented; effective use of reporting templates.

Overall Maturity Level: Repeatable
Policy: Policies are defined and in place but may not be documented.
Methodology and Process: Uniform methodology and processes are defined and in place but may not be documented.
People: Some specialized technical skills and credentials; training and development defined but may not be documented.
Systems and Information: Fairly effective systems are in place; low reliance on data and information generated from systems.
Communication and Reporting: Communication and reporting processes are defined and in place but may not be documented.

Overall Maturity Level: Initial
Policy: Policies are not defined or in place.
Methodology and Process: Methodology and processes are not defined or in place.
People: Resource skills and credentials do not match process requirements; training programs not defined.
Systems and Information: High reliance on manual systems and spreadsheets; critical information not readily available.
Communication and Reporting: Communication and reporting done on an ad hoc basis; no validation of results or focus on quality.
Recruiting, On-Boarding, and Staff Development – Key Characteristics
Recruiting, On-Boarding, and Staff Development

The maturity-level matrix for this process area (Policy; Methodology and Process; People; Systems and Information; Communication and Reporting, at the Initial through Optimized levels) is identical to the one given above for the Quality Assurance and Improvement Program.
Risk Assessment and Annual Audit Planning – Key Characteristics
The risk assessment process is undertaken from an enterprise-wide perspective and is re-evaluated on a continuous basis. The process looks at and plans for emerging risks on an ongoing basis, and the focus is on strategic and business risks.

Internal audit resources are appropriately aligned to functional areas of the organization to foster business/functional expertise and to maintain awareness of ongoing changes and challenges facing the business units. Resources can be rotated to develop additional skills and relationships.

Internal Audit coordinates audit coverage with other review functions such as risk management, compliance, and external auditors to ensure total risk coverage, prevent duplication of effort, and acquire knowledge about the process.
Risk Assessment and Annual Audit Planning

The maturity-level matrix for this process area (Policy; Methodology and Process; People; Systems and Information; Communication and Reporting, at the Initial through Optimized levels) is identical to the one given above for the Quality Assurance and Improvement Program.
Execution of Internal Audit Methodology – Key Characteristics
Internal Audit has developed and implemented specific practices and procedures to support the delivery of non-assurance services, such as consulting services and corporate investigations. These practices are agreed with Management and the Audit Committee and are documented in the Audit Charter.

The process to execute the internal audit methodology is documented in the internal audit Policy and Procedure Manual. The methodology includes clear guidance on work paper standards, work paper retention policies, audit evidence, and audit testing approaches, including specific guidance on SOX testing and use of CAATs.

Internal Audit utilizes external resources, such as the IIA and ISACA (for IT), to obtain updated work programs and audit guidance.

The information technology audit team participates in planning and implementation procedures for significant changes to the IT systems, processes, and/or controls.

During the on-boarding process, the internal audit Policy and Procedure Manual is communicated to new internal audit staff members and is available within a central knowledge repository.

IIA Standards require that the Chief Audit Executive effectively manage the internal audit activity to ensure it adds value to the organization.

Internal Audit utilizes an "integrated" audit approach where possible (e.g., application audits, business process reviews, end-to-end transaction processing).

The methodology includes procedures for the oversight of third-party service providers who support the delivery of internal audit work.
Execution of Internal Audit Methodology

The maturity-level matrix for this process area (Policy; Methodology and Process; People; Systems and Information; Communication and Reporting, at the Initial through Optimized levels) is identical to the one given above for the Quality Assurance and Improvement Program.
Use of Information Technology – Key Characteristics
Internal Audit has developed a knowledge management strategy and, where applicable, is aligned with the organization's knowledge management strategy.

Technology used within Internal Audit is compatible with the rest of the organization to facilitate effective interchange.

Internal Audit has identified knowledge management champions who are responsible for executing the knowledge management strategy.

Internal Audit utilizes software to document and track the status of identified issues within its department.

A knowledge awareness program has been created and a pocket guide is available that includes definitions of knowledge management, knowledge sharing principles, and the company's approach to knowledge management.

The risk management challenges associated with knowledge management are identified and addressed (e.g., copyright, obtaining employees' consent, using knowledge properly).

Internal Audit employs data analysis and extraction tools for application within individual audits.

Complex and specialized information technology audits are regularly executed using subject matter experts beyond the core Internal Audit team.

The electronic work paper system allows for on-line, real-time reviews of internal audit work papers and maintains an electronic sign-off of all reviews performed.

Members of the internal audit team share and receive knowledge in an open environment.
Use of Information Technology

The maturity-level matrix for this process area (Policy; Methodology and Process; People; Systems and Information; Communication and Reporting, at the Initial through Optimized levels) is identical to the one given above for the Quality Assurance and Improvement Program.
Reporting and Monitoring – Key Characteristics
IIA Standards require that the Chief Audit Executive communicate engagement results to appropriate parties. If a final communication contains a significant error or omission, the Chief Audit Executive must communicate corrected information to all parties who received the original communication.

An arbitration/escalation process exists to resolve disagreements between Internal Audit and management, to ensure that management's acceptance of risks is appropriately considered and resolved at a predetermined level within the organization.

The CAE is appropriately involved in reviewing/approving the results of internal audit engagements prior to their release to management.

Internal Audit leverages technology in communicating audit results. The reports are interactive and include links to sources or additional, more detailed information that may be of interest to different levels of readers.

Internal Audit periodically obtains stakeholder feedback on all aspects of reporting and communications and the value derived from internal audit activities. Summaries are communicated to management and the Audit Committee.

Internal Audit's policies for communicating audit results are clearly documented in the internal audit Policy and Procedure Manual (definition of ratings, distribution protocols, and timing of issuance of reports).

Management of the information technology audit team is involved in determining the severity of the information technology audit findings and their implication on the audit as a whole.

An intranet or web-based mechanism is available to help management update the status of corrective actions implemented in response to internal audit's findings/recommendations. This database is leveraged by internal audit in assessing and reporting on all audit issues (open and closed).

An issue tracking report is prepared and distributed to senior management and the Audit Committee. The report indicates significant issues, who is accountable for the issues, the proposed resolution, and the date of resolution. The significant open issues are "aged".
Reporting and Monitoring

The maturity-level matrix for this process area (Policy; Methodology and Process; People; Systems and Information; Communication and Reporting, at the Initial through Optimized levels) is identical to the one given above for the Quality Assurance and Improvement Program.