Professional Documents
Culture Documents
July 2013
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Table of Contents
Executive Summary.................................................................................. 1
Introduction................................................................................................ 2
Additional Resources............................................................................. 26
www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Executive Summary Auditors may want to use maturity models as criteria to as-
sess business processes as part of assurance engagements,
Maturity models establish a systematic basis of measure- thus providing an easy-to-communicate understanding of
ment for describing the “as is” state of a process. A pro- the governance, risk, or control environment under review.
cess’s maturity can then be compared to management’s In the absence of defined criteria for a process, the audi-
expectations or contrasted with the maturity of other sim- tor can work with management to define adequate criteria
ilar processes for benchmarking purposes. Insights also using a maturity model.
can be derived from the model for determining improve-
ment options that help a process to satisfy its intended This practice guide provides guidance on the uses of ma-
objectives over time. turity models, identifies considerations for their selection,
and provides instructions on how to build them. Care
A maturity model describes process components that are must be taken to appropriately apply maturity models in
believed to lead to better outputs and better outcomes. A assurance or consulting engagements, including validat-
low level of maturity implies a lower probability of success ing their applicability to the process under review. Com-
in consistently meeting an objective while a higher level of ponents of existing maturity models are provided for use
maturity implies a higher probability of success. The or- “as is” or as the foundation for a model tailored specifically
ganization’s risk tolerance should be considered when de- to an organization’s process.
termining the level of maturity that management expects
to have in place.
1 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
www.globaliia.org/standards-guidance / 2
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
• An auditor planning to use a maturity model in an as- sary to achieve a desired business outcome. How-
surance engagement should first consider whether the ever, an auditor — after understanding the model
model is fit for purpose.1 Assuming the model is used and its design — may not agree with a management
correctly, is its predictive ability relevant to the busi- position that a level 1 process is acceptable for the
ness objective being measured? For instance, a matu- objective of meeting customer needs.
rity model that assesses compliance elements would
not be appropriate to provide a perspective on how
well an operational business objective is managed.
Example of Maturity Model
• An auditor planning to use a maturity model in an Use by Internal Auditors
assurance engagement should independently deter-
Assume that an organization has just established a com-
mine what “maturity level” of the model is adequate
munity investment group to make donations to charities
to meet an objective. For instance, level 5 of a cus-
and other worthwhile causes. The organization expects it
tomer satisfaction maturity model may not be neces-
1 Pöppelbuß, Jens and Röglinger, Maximilian, “What Makes a Useful Maturity Model? A Framework of General Design Principles for Maturity Models and Its Demonstration in Business Process
Management” (2011).
3 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
will take two years to develop all the policies and proce-
dures necessary to perform as intended. The long-range
Selecting Maturity Models
vision is for the community investment program to be rec- Management may have defined a maturity model for its
ognized as one of the top 100 in the country. After per- use within the organization. If so, the internal auditor
forming an audit planning risk assessment, the chief audit could adopt that model as a tool after carefully evaluating
executive (CAE) has included this subject in the annual the relevance and adequacy of the model to the assess-
plan six months after the group has been formed. ment or opinion being provided. Alternatively, there are
numerous maturity models available for use from industry
Potential internal audit objectives could be to evaluate: groups and associations. These models also must be as-
• Whether the community investment controls are sessed as fit for purpose before use.
compliant with relevant laws and regulations.
Maturity models involve a certain level of subjectivity;
• Whether an adequate strategic plan is in place to therefore, caution is warranted when providing assurance
identify and evaluate the impact of charities that are to management that a process is adequately controlled
provided donations. based on an assessment driven by a maturity model. The
Through the use of a maturity model, the audit function auditor should ensure the model is fit for purpose and
could validate that current charity evaluation efforts are properly implemented. Models may be used to describe
adequate (hypothetically, adequate is level 3 maturity, the “as is” state of the process, provide prescriptive guide-
where an understanding and survey of charity outcomes lines on improvement, or compare one process imple-
is in place) but recommend that a sustained level 4 be in mentation to another.1
place (hypothetically, level 4 calls for proactive monitoring
The use of a maturity model versus other audit tech-
of charity reporting and periodic management validation
niques and methodologies should not alter the level of
of charity results).
proficiency and due professional care auditors employ.
This continuum of maturity would be in contrast to a pass/ A maturity model should not be deployed as a checklist,
fail or satisfactory/unsatisfactory rating process. The ma- supplanting the auditor’s responsibility for independently
turity model lends itself to providing the criteria, the plot- and objectively identifying unmitigated risk and the po-
ting of the current condition, and the recommendation to tential inadequacy of control. The model should provide
move to the next level if such a recommendation is war- a framework and guide for discussion of governance, risk,
ranted. In the example, the model provides a great method and control maturity.
for assessing a process that is under development (in this
In selecting a maturity model, auditors should understand
case, the community investment group).
the management objective and the appropriateness of the
The use of maturity models will not be the best evalua- model in supporting that management objective. Consid-
tion method for auditors to deploy in all cases. When de- er the following:
termining whether to use a maturity model, evaluate the
• What is the desired management outcome? For
situations described below and consider the potential im-
example, does management want to assess systems
plications of different evaluation and reporting methods.
development lifecycle success, sales process excel-
lence, or environmental safety? What quantitative
metrics or qualitative statements describe the desired
management outcome?
www.globaliia.org/standards-guidance / 4
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
5 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
• What does management want to assess (e.g., systems paring processes with high and low maturity to the
development lifecycle success, sales process excel- outcomes across those processes? Alternatively, do
lence, or environmental safety)? subject matter experts and experienced profession-
• What business processes are involved? als — who could include management and auditors
— believe the component contributes to increas-
• Will the model be applied across many different ing the probability of achieving the outcome? What
types of management processes to improve general research, evidence, or subject matter expertise can
compliance, controls, or organizational governance? internal audit rely on in making this determination?
• Is internal audit assessing an industry or company In the reference model — Example 3 — one component
specific set of tasks that require some degree of is Professional Practices. One can assume the authors of
specialized process knowledge, tools, techniques, that model felt that a higher state of maturity in following
or skills? professional practices contributes to the desired outcome
• How can internal audit state the expected outcome of public sector internal audit functions. This component
from the process in terms of metrics or a qualitative apparently was part of the critical few areas that, if left out
statement? or not consistently managed, would be detrimental to the
With the objective in mind, the components that drive management objective. Finally, one can assume that re-
that objective are then identified. This is the most impor- search shows a distinction between the level of outcomes
tant part of the model’s development in that the auditor achieved by public sector internal audit functions with-
is identifying the critical elements that — based on the out high maturity in professional practices and those with
model builders’ judgment — will improve the probability high maturity. That research might be quantitatively driv-
of achievement of the objective and outcome. en through statistical correlation or qualitatively driven
through interviews with subject matter experts and CAEs
Auditors will want to document their plan for developing in the field.
the model — outlining the research and data gathering
techniques (such as facilitation of subject matter experts) The components will vary based on the management
that help determine which components should be part of objective. When compliance is the objective, specific
the model. Auditors should consider the following when compliance controls, governance expectations, relevant
selecting components: regulatory skill sets, and other elements may be important
components of the model. If assessment of the general
• Will the component — if managed consistently — control environment is the objective, then basic segrega-
improve the probability of achieving the outcome? tion of duties, control mapping, and risk assessment con-
cepts may be important components. In an assessment of
• If a component is not included, will that negatively
an organization’s field sales offices, certain practices on
decrease the probability of achieving the outcome?
sales prospect tracking or market analysis may be consid-
Use caution here to focus on including the critical few
ered key components.
components that deserve attention, improvement, and
consistent execution versus everything that manage-
Components are those categories of process attributes rel-
ment could be doing to oversee the process.
evant and necessary to meet — or to at least improve the
• Can the model builder evaluate the correlation be- likelihood of meeting — the objective being assessed. Turn-
tween the component and the desired outcome? ing back to Example 3, the research study on public sector
Is that correlation based on a study or research com- internal audit capability found these components relevant:
www.globaliia.org/standards-guidance / 6
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
7 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
In this example, the model builders created a progres- Considerations during this step include:
sively higher set of expectations culminating in level 5 • How well does each level build on the previous level?
Optimized — a process whose stakeholders confirm the
process meets their expectations and management has • How well do the expectations in each level align to
proactive efforts to reduce mistakes. In this case, the the expectation to have a process meet a certain level
model builders built the model with the intention that all of maturity — say level 3 versus level 5?
processes should achieve level 3 while only critical pro- • For the expectations in each box, will a process or
cesses are expected to expend the effort to reach level 5. organization that achieves that requirement have a
reasonable chance of achieving the outcome envi-
To build out this component, the team that created the sioned for that level — say being “Defined and Man-
model would have considered the range of options for aged” for level 3 or “Sustained” for level 4?
managing customer and stakeholder expectations and • Are the expectations for a given level consistent
then created the expectations within each level. Just as across components? For instance, are the require-
with the determination of which components to use, the ments for level 3 for this component — Customer/
actual requirements within a component may be deter- Stakeholder Expectations — appropriately equivalent
mined through in-depth research or through facilitated to the level 3 requirements for Human Capital?
conversation with subject matter experts. A maturity
model focused on general processes, such as the one used Caution: The same level of diligence that was applied in
in this example, will generally be applicable to any pro- determining what key components should exist in the model
cess. A maturity model focused on a specific industry or should be applied when setting the expectations within each
function may require specific diligence and demonstrated level of the model. Determine the key requirements versus
achievements regarding specialized people, process, and everything that could be done.
technology.
www.globaliia.org/standards-guidance / 8
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
The auditor’s model should now resemble the model below with specific components and expectations by level inserted.
The auditor may have selected more components or a different number of levels for the model.
Using a Maturity Model across the components being assessed. However, any
component assessed at level 1 or 2 is considered a
Step 4 – Set a target for each component.
red flag, requiring an immediate intervention plan by
regional leadership.
Once the scale and components are defined, the next step
is to determine the organization’s target maturity level for • The organization has adopted a general process gov-
each component. Generally speaking, cost/benefit anal- ernance maturity model. All processes are expected
ysis shows that not all components of a process should to evaluate their adherence to the model; however,
operate at the highest level of maturity. In conjunction only level 3 achievement is expected for all processes.
with the assessment of an organization’s risk appetite, the Each management function determines which specif-
target maturity for some components may be for instance ic processes are critical to the organization, and thus
to a Level 3 or Level 4. The organization may not want to require a 4 or 5 level of maturity. Non-critical pro-
expend the resources to move those components to a high cesses may be specifically excluded from the require-
level of maturity and accepts the risk that the process’s ment to “deploy the resources to reach the highest
objectives have a higher probability of failure as a result. state of maturity” as that would not be an optimized
Auditors should refer to The IIA’s Standards regarding risk allocation of resources across the organization.
and communicating risk acceptance for further guidance.
Caution: Auditors should not assume that managers should
Consider the following contrasting examples: seek to obtain the highest level of maturity for all maturity
model components across all processes being assessed. These
• Management has built a sales office maturity model may be too costly or risk adverse for the organization. The
for assessing the process maturity of its 100 sales goal of a model is to present the range of possibilities, assess
offices. Management expects all sales offices to the current maturity of the process, and then set goals for
achieve level 5 (optimized) over time, but allows improvements where such improvements make sense and are
each office to prioritize what will be addressed first in alignment with organizational objectives.
9 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
One method of assessment an audit function could use Auditors — and management — must be cautious how-
would be to have management of the process or function ever not to overstate the probability that a given level of
under review conduct a self-assessment, including a col- process maturity will achieve a specified outcome over
lection of any evidence of performance. The audit func- time. Any language that purports to guarantee or ensure
tion would then validate that assessment. achievement of a specific outcome given that the process
has met a given state of maturity should be avoided.
Step 6 – Consider what the model may have
missed. Auditors should determine how the actual output met-
rics of the process under review should be provided in
All maturity models are built on the research, understand- the report and validated as appropriate. For instance, a
ing, and perspectives gained from the evaluation of previ- manufacturing process may be assessed at a high level of
ous business process implementations — not an evalua- maturity but customers continue to reject manufactured
tion of the current execution of the process under review. parts. These facts may not invalidate the appropriateness
Moreover, no model can consider all the circumstances of the maturity model; however, reporting on simply the
that may mitigate the risk that an outcome will not be model assessment — a high level of maturity — may be
achieved. Care should be taken not to apply the model as misleading to a reader without the context of the actual
a simple checklist. outcome metrics.
www.globaliia.org/standards-guidance / 10
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
“Our evaluation was limited to the application of the ma- ment of the model itself. Was the miss an indication that
turity model to x process. This maturity model was based changes in expectations in a given component at a given
on research conducted by x and enhanced using subject level should be considered to increase the probability of
matter experts identified by management. achieving the objective going forward?
After applying the model, internal audit will want to revisit ISACA’s development of the model in COBIT 4.1 involved
how each of the model elements (levels, components, and research of a variety of maturity models. Accordingly, in-
expectations) when implemented appears to be achiev- ternal auditors may use the model as a basis for their as-
ing the desired process outcomes. Is the expectation to sessment of the maturity of internal control structures or
achieve a certain level too high? Alternatively, does the development of their own maturity models. The model
assessment seem too easy and not driving improvements uses just one component (Internal Control Environment)
that raise the bar on expected process resiliency? Over and 6 levels ranging from nonexistent to optimized.
time, the auditor will want to understand any process
outcome misses and tie that learning into the improve-
11 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
CobIt 4.1
0 – Nonexistent There is no recognition of the need for internal control. Control is not part of the organization’s culture
or mission. There is a high risk of control deficiencies and incidents.
1 – Initial/ad hoc There is some recognition of the need for internal control. The approach to risk and control
requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not
identified. Employees are not aware of their responsibilities.
2 – Repeatable but intuitive Controls are in place but are not documented. Their operation is dependent on knowledge and
motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist
and are not adequately addressed; the impact can be severe. Management actions to resolve control
issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
3 – Defined process Controls are in place and are adequately documented. Operating effectiveness is evaluated
periodically and there are an average number of issues. However, the evaluation process is not
documented. Although management is able to deal predictably with most control issues, some control
weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities
for control.
4 – Managed and measurable There is an effective internal control and risk management environment. A formal, documented
evaluation of controls occurs frequently. Many controls are automated and regularly reviewed.
Management is likely to detect most control issues, but not all issues are routinely identified. There is
consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is
applied to automate controls.
5 – Optimized An enterprisewide risk and control program provides continuous and effective control and risk issues
resolution. Internal control and risk management are integrated with enterprise practices, supported
with automated real-time monitoring with full accountability for control monitoring, risk management,
and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap
and root cause analyses. Employees are proactively involved in control improvements.
www.globaliia.org/standards-guidance / 12
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
An auditor planning to use a maturity model in an assurance engagement should first consider whether the model is fit for purpose.
An auditor planning to use a maturity model in an assurance engagement should independently determine what “maturity level” of the model is
adequate to meet an objective.
Maturity models involve a certain level of subjectivity; therefore, caution is warranted when providing assurance to management that a process is
adequately controlled based on an assessment driven by a maturity model. Ask yourself these questions when considering using a model.
• Would following a model improve the probability that the outcome would be achieved?
• Would management have a false sense of confidence that the outcome would be achieved if an assessment — using the model — shows a high
state of process maturity?
Auditors should disclose in their report the source of the model, how the model was constructed, who participated in the construction of the model,
and why the auditor — and management, as appropriate — believes the selected model is valid for the process and objective under review.
Auditors should clearly assess the level of predictability they want their model to have.
Auditors should not assume that managers should seek to obtain the highest level of maturity for all maturity model components across all processes
being assessed. These may be too costly or risk adverse for the organization.
Care should be taken not to apply the model as a simple checklist. Auditors should always conduct their work in a way that will allow for the
identification of significant risks to the organization’s objectives. Accordingly, use of a maturity model does not preclude an auditor from the
responsibility to consider for the specific process under review what the model may be missing in terms of risk mitigation and control guidance.
Auditors — and management — must be cautious not to overstate the probability that a given level of process maturity will achieve a specified
outcome over time. Any language that purports to guarantee or ensure achievement of a specific outcome given that the process has met a given
state of maturity should be avoided.
Auditors should determine how the actual output metrics of the process under review should be provided in the report and validated as appropriate.
After applying the model, internal audit will want to periodically revisit how each of the model elements (levels, components, and expectations)
appears to be achieving the desired process outcomes.
13 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
General • Process is not • Process is more • Process is fully • Management decision- • Perfect service levels
Description formalized. formalized defined and executed making and continuous are achieved.
• Inconsistent (documented). consistently. improvement projects • Independently verified
execution. • Repeatable execution. • Adequate metrics are are based on data, as best in class.
defined to allow for metrics, and formal
• Management quality assurance/self- • Innovative ideas and
understands overall quality assurance/ techniques are piloted
self-assessment assessment feedback.
process. on an ongoing basis.
capabilities.
www.globaliia.org/standards-guidance / 14
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Strategic • Initiatives are • Initiatives are re- • Business unit/ • Strategic planning • 1-3 year strategic
Planning/ identified and evaluated annually. department/ process supports corporate planning initiatives
Financial tasks assigned. • Project milestones are strategic planning strategic plan in terms consistently meet
Management monitored. includes 1-3 year of customer growth, their milestone goals.
initiatives based segment profit margin, • Financial and
• Resources are on stakeholder competitive advantage
allocated and tracked. stakeholder
expectations. and strategic intent expectations are met.
• Financial, process, fulfillment.
• The strategic
human resource, and • Prioritization of plan incorporates
risk management resources and alternatives and
elements are included initiatives is based on options for long-term
in the planning. ROI or governance/ (3-6 year) industry
compliance and regulatory
requirements. changes.
Customer/ • Stakeholder • Process decision- • Key stakeholders are • Stakeholder feedback • Stakeholder feedback
Stakeholder expectations making is based identified. is collected via validates that the
Expectations are identified or on stakeholder • Expectations critical surveys, focus groups, process meets or
tracked informally. expectations and to quality satisfaction and innovative voice exceeds stakeholder
feedback. are documented. of the customer expectations.
methodologies. • Proactive initiatives
• Process success in
meeting expectations • Rework/mistakes are in place to
and feedback is impacting stakeholder minimize or eliminate
monitored. expectations have rework/mistakes.
improvement projects
underway.
Risk • Limited or no • At least annually, a • A comprehensive risk • Management formally • Resource allocation
risk assessment review of process assessment process is articulates risk ROI incorporates risk
occurring. risks is performed. developed that covers tolerance. assessment into the
• Risk is considered strategic, financial, • Specific mitigation prioritization process.
in project plans and compliance, and plans are implemented • Risks are mitigated
initiatives. operational risks. based on the below the risk
• Potential risk hazards assessment and cost/ tolerance goals set by
or opportunities are benefit analysis. management.
formally evaluated for • The risk assessment
likelihood and impact. is reviewed and
updated as appropriate
throughout the year.
15 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Metrics • Few or no metrics • Key metrics are • Key metrics with • Key metrics, targets, • Key metric targets are
are identified, identified and target performance and measurement reached consistently
tracked, or measurement indicators are systems are re- for all areas.
reported. elements are identified for financial, evaluated and validated • Proactive activities
accurate. compliance, strategic, continuously for process are implemented so
• Methods are in place operational, human changes, resource gaps are not incurred
to track and report resources, and changes, and corporate between actual and
to management on a stakeholder attributes strategy initiatives. target.
continuous basis. (balanced scorecard). • Specific improvement
• Measurement of initiatives are developed
actual performance and prioritized for
to target metrics metrics not meeting
is accurate and performance goals.
communicated to
management and
associates.
Human Capital • A resource • The development • A formalized resource • Target metrics on • Key metric targets are
development process is formalized development workforce efficiency reached consistently
process does and documented process is executed and effectiveness for all areas.
not exist or is for all levels of consistently. are identified and • Proactive activities
informal. associates. • A formalized training measurement methods are implemented so
• A resource • Role descriptions program for all levels are in place for actual gaps are not incurred
training process and expectations is established and its results. between actual and
does not exist or are documented and completion is tracked. • Continuous target.
is informal. communicated. • A formalized improvement projects
• Training programs are succession plan and are initiated for
implemented. recruiting plan are in gaps between actual
place. performance and
targeted metric.
• Compensation
correlates to
documented
performance
management
expectations and
contributions.
www.globaliia.org/standards-guidance / 16
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Process • Processes and • Policies, high-level • Documentation • Key controls and control • Process
Management procedures are procedure documents, is maintained, execution standards documentation
and Self- not documented and basic templates communicated, and are tracked for current and controls
assessment or known exist that drive accurate. and new processes/ are proactively
informally. repeatable processes. • Standard evidence is products. developed and
• Controls are identified available, including • Formal quality validated before new
and noted in the a process control assurance through systems, products, or
documentation. management system, self-assessment is initiatives.
process narratives, executed regularly for • Proactive initiatives
and process flows. key processes. are taken based
• Documentation is • Record retention upon gaps identified
readily available for policies are in place through self-
outside audit without and monitored. assessments.
advance notice.
17 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
1. Code of Ethics • There is no formally • A code of ethics has • A comprehensive • The code of ethics • Specific compliance
documented code of been developed, code of ethics is reviewed as and ethics policies
How effectively ethics. but it may not be exists, was approved appropriate by are in place to
does the comprehensive or by the board, and outside legal support and provide
code outline • In general, there
are no other means current. is reviewed every counsel to ensure additional guidance
management’s two to three years it remains current on key components of
expectations of communicating • Experienced
management’s employees generally to determine what and appropriate. the code.
regarding ethical updates are needed. • The code of
conduct? expectations understand • Periodic focus groups
regarding ethical management’s • All employees must ethics is reviewed and/or surveys are
conduct. expectations sign off annually annually and conducted with
regarding ethical that they are in updated as a representative
conduct, but new compliance with the necessary. sample of employees
employees may not code of ethics. • All employees must to assess their
have any way of • New employees complete annual understanding
determining those must sign a questionnaires of the code of
expectations. document asserting that ask more ethics and their
that they have read probing questions perceptions on the
and understand the regarding level of compliance
code. compliance with throughout the
the code of ethics. organization.
4 Adapted from the IIA Research Foundation. Internal Auditing: Assurance & Consulting Services. Altamonte Springs, Fla.: IIARF, 2009.
www.globaliia.org/standards-guidance / 18
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
2. Culture and • The organization • There are perceptions • The perception • Compliance and • Periodic surveys or
Consistency seems indifferent that compliance and is that senior ethics are topics focus groups are
to compliance and ethics are important. management takes at organization conducted to assess
How does the ethics. compliance and and department- the perception of
organization • The program was
• The program was developed to address ethics seriously and level meetings, the compliance and
perceive “walks the talk.” ensuring a ethics culture and
management’s developed by very few legal ramifications of
individuals with no noncompliance. • The program was consistent cultural make adjustments
commitment to message. when needed.
compliance? outside input. • Discipline is generally developed with
• There are perceptions left to the discretion input from legal, • The program was • Periodic input
of disciplinary of business and human resources, developed with is solicited from
inconsistencies and department and internal audit. input from various employees to help
“playing favorites.” managers and, as • Human resources is employee groups. improve the program.
• People are promoted such, is not always consulted to make • Disciplinary • Disciplinary actions
without formal consistent. sure disciplinary decisions involve are reviewed by an
consideration of • Although ethical actions are an appropriate independent group
ethical conduct. conduct seems to appropriate and mix of human (e.g., internal audit)
be considered, it’s compliant with resources, legal, to support the
• Events of regulations. and compliance consistency of such
noncompliance are not a part of job
descriptions. • Job descriptions personnel actions.
typically learned from to ensure
complaints versus • Events of non- include expectations • People are recognized
for ethical conduct. appropriateness for demonstrating
monitoring or audit compliance are and consistency.
activities. generally reported • Many employees ethical conduct.
timely, but there raise compliance • Job descriptions • Some
are few efforts questions before and interviews employees make
to report events they become a formally cover recommendations
before they become problem. ethical conduct. for improving the
noncompliant. • Employees feel compliance program.
empowered to
raise questions
about compliance
matters.
4 Adapted from the IIA Research Foundation. Internal Auditing: Assurance & Consulting Services. Altamonte Springs, Fla.: IIARF, 2009.
19 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
3. Awareness • Employees are • Employees are • There is widespread • Annual training • Communications
generally aware that aware the program employee awareness reinforces the occur regularly
How aware the program exists exists, went through of the program. program, with to remind/
are employees but are not sure how training once, and individual modules update employees
and outside • All employees went
to get information. intuitively know some through training in delivered in more on program
stakeholders of of the requirements depth. expectations.
the compliance • Employees aren’t the last three years.
familiar with specific contained in the • Employees know • The program is
and ethics program. • Employees know
program and its requirements. who the chief which individuals part of external
requirements? • Employees don’t know • Employees know who compliance officer are responsible sustainability
who manages the the chief compliance and the compliance for key compliance reporting conducted
compliance and ethics officer is, but not managers are. areas. annually.
program. others involved • Compliance with
in managing the • Stakeholders are
• Stakeholders know aware a program the program
compliance and and ethical
nothing about the ethics program. exists and can find
program. references on the expectations are
• Stakeholders assume company’s website. covered in the
a program exists but contracts with
don’t know anything vendors.
about it.
www.globaliia.org/standards-guidance / 20
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
4 Adapted from the IIA Research Foundation. Internal Auditing: Assurance & Consulting Services. Altamonte Springs, Fla.: IIARF, 2009.
21 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
5. Process • There are no formal • There are some • Compliance and • Compliance and • The company has
Automation compliance and compliance and ethics controls and ethics controls established an
and ethics controls and ethics controls procedures are well and procedures integrated GRC
Integration procedures, although and procedures, documented and are an integral program that ensures
many employees know but they are not standardized across part of business compliance risks
How effectively intuitively how to act. consistent across the organization. processes. are managed to be
are compliance the organization nor consistent with the
and ethics controls • There is no formal • Compliance and • Many compliance
protocol for employees formally documented. ethics controls and and ethics organization’s risk
and processes appetite.
standardized, or outsiders to report • There is limited procedures are controls address
integrated, and suspected events of testing of the controls tested periodically key compliance • Event management
automated? non-compliance. and procedures in to identify gaps or risks as part of a software is used to
• Information/data place. weaknesses. governance, risk, ensure all key data
related to compliance • Employees generally • An external hotline and compliance is gathered and
and ethics is not understand that they is in place through (GRC) view of the the resolution of
available. can contact legal or which employees or program. events is completely
human resources if outsiders can report • There are multiple and consistently
they suspect an event suspected events of avenues through documented.
of noncompliance. non-compliance. which employees • GRC software is used
• Information/data • Some compliance or outsiders can to provide integrated
related to compliance and ethics controls report suspected information on the
and ethics events is are integrated with events of program.
difficult to compile. other business noncompliance, • Integrated technology
processes and and all follow a routines are run
automated to the consistent protocol regularly to prevent
extent supported by for gathering or detect timely
existing systems. information on potential compliance
the event and and ethics events.
• Some standard escalating it.
reports are
prepared related • A consistent test
to compliance and plan is used to
ethics events. ensure compliance
and ethics controls
and procedures
operate effectively.
• Technology is
used to aid in the
identification and
investigation of
compliance and
ethics events.
www.globaliia.org/standards-guidance / 22
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
6. Goals and • No formal goals or • Although goals and • Broad compliance • Specific • All employees have
Metrics metrics exist or are metrics are not and ethics goals compliance and individual compliance
contemplated. formalized, employees are established and ethics goals are and ethics goals.
How is success generally understand communicated. integrated into
of the compliance • Metrics are
that the absence • Broad metrics the annual goal integrated into the
and ethics of compliance setting process for
program exist to measure overall performance
and ethics events the nature and each compliance measurement
measured? is indicative of a area.
frequency of process.
successful program. compliance and • Metrics are
ethics events. established for
each compliance
area.
4 Adapted from the IIA Research Foundation. Internal Auditing: Assurance & Consulting Services. Altamonte Springs, Fla.: IIARF, 2009.
23 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Performance Organizational
Services & People Professional Governance
Management & Relationships &
Role of IA Management Practices Structures
Accountability Culture
5 Adapted from the IIA Research Foundation. Internal Audit Capability Model (IA-CM) For the Public Sector. Altamonte Springs, Fla.: IIARF, 2009.
www.globaliia.org/standards-guidance / 24
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Performance Organizational
Services & People Professional Governance
Management & Relationships &
Role of IA Management Practices Structures
Accountability Culture
Level 2 – • Compliance • Individual • Professional • Internal audit • Managing within • Full access to the
Infrastructure auditing. professional practices operating budget. the internal audit organization’s
development. and process • Internal audit activity. information,
• Skilled people are framework. business plan. assets, and
identified and • Audit plan people.
recruited. is based on • Reporting
management relationships
and established.
stakeholder
priorities.
Level 1 – Initial • Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs
dependent upon the skills of specific individuals holding the position; no specific professional practices established other than
those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors
likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas.
5 Adapted from the IIA Research Foundation. Internal Audit Capability Model (IA-CM) For the Public Sector. Altamonte Springs, Fla.: IIARF, 2009.
25 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
www.globaliia.org/standards-guidance / 26
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Reviewers:
Maria E. Mendes, CIA, CCSA
Steven Jameson, CIA, CCSA, CFSA, CRMA
27 / www.globaliia.org/standards-guidance
About the Institute Disclaimer
Established in 1941, The Institute of Internal The IIA publishes this document for informa-
Auditors (IIA) is an international professional tional and educational purposes. This guidance
association with global headquarters in Altamonte material is not intended to provide definitive an-
Springs, Fla., USA. The IIA is the internal audit swers to specific individual circumstances and as
profession’s global voice, recognized authority, such is only intended to be used as a guide. The
acknowledged leader, chief advocate, and princi- IIA recommends that you always seek indepen-
pal educator. dent expert advice relating directly to any specific
situation. The IIA accepts no responsibility for
About Practice Guides anyone placing sole reliance on this guidance.
Practice Guides provide detailed guidance for
conducting internal audit activities. They include Copyright
detailed processes and procedures, such as tools Copyright © 2013 The Institute of Internal
and techniques, programs, and step-by-step ap- Auditors. For permission to reproduce, please
proaches, as well as examples of deliverables. contact The IIA at guidance@theiia.org.
Practice Guides are part of The IIA’s IPPF. As
part of the Strongly Recommended category
of guidance, compliance is not mandatory, but
it is strongly recommended, and the guidance
is endorsed by The IIA through formal review
and approval processes. For other authoritative
guidance materials provided by The IIA, please
visit our website at https://globaliia.org/standards-
guidance.
130513