Home » , » Internal Audit Capability Model (IACM)

Internal Audit Capability Model (IACM)

Written By YCS on Wednesday, May 27, 2015 | 12:31 PM

I.1 Introduction Internal Audit Capability Model (IA-CM) For Public Sector

Background for IACM

  • The importance of IAA in public sector governance and accountability, in enhancing the economy, efficiency, and effectiveness of all levels of public sector administration.
  • Internal Audit could vary from country to country.
  • The need for a universal model that public sector IA activities could use as a self-assessment and development tool.

The Research

Purpose: to develop an IA-CM to use globally as a basis for implementing and institutionalizing effective internal auditing in the public sector.
  • The primary lines of inquiry were intended to explore and identify.
  • The characteristics at each capability level for the IA activity and the org.
  • The elements of IA activity and the KPA at capability level and within element.
  • The activities and practices of each KPA that need to function effectively.

I.2 Internal Auditing and The Environment Internal Audit

“IA is independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by  bringing  a  systematic,  disciplined  approach to  evaluate  and improve the effectiveness of risk management, control, and governance processes.”


IA is performed in various environments and within organizations that differ in purpose, size, and structure.
  • Laws and customs vary around the world.
  • The receptiveness of a particular country to financial management reforms.

I.3 IACM in Summary.

What is the IA-CM for the Public Sector

The IA-CM is a framework that:
  • identifies the fundamentals needed for effective internal auditing in the public sector.
  • describes an evolutionary path for a public sector organization to follow in developing effective internal auditing to meet the organization's governance needs and professional expectations.
  • shows the steps in progressing from a level of internal auditing typical of a less established organization to the strong, effective, internal auditing capabilities, generally associated with a more mature and complex organization.
The IA-CM is:
  • a communication vehicle
    for communicating what is meant by effective internal auditing and how it serves an organization and its stakeholders, and for advocating the importance of  IA to decision makers.
  • a framework for assessment
    a framework for assessing the capabilities of an IA activity against professional IA standards and practices, either as a self-assessment or an external assessment.
  • a road map for orderly improvement
    for building capability that sets out the steps an organization can follow to establish and strengthen its IA activity.
The IA-CM provides a tool that a public sector organization can use to:
  • Determine its internal audit requirements according to the nature, complexity, and associated risks.
  • Assess its existing internal audit capabilities against the requirements it has determined.
  • Identify any significant gaps between those requirements and its existing IA capabilities and work toward developing the appropriate level of internal audit capability.

A number of principles underlie the IA-CM:

Internal auditing is an integral component of effective governance in the public sector and helps organizations achieve their objectives and account for their results.
Three variables must be considered when assessing the level of capability of an IA activity — the activity itself, the organization, and the environment in which the organization operates.
  • An organization has an obligation to determine the optimum level of IA capability to support its governance needs and to achieve and maintain the desired capability.
  • Not every organization requires the same IA capability or sophistication. The appropriate level will be commensurate the nature and complexity of the organization and the risks to which the organization may be exposed. “No one size fits all.”
  • The capability of the IA activity is directly related to the actions taken by the CAE to establish the processes and practices needed to achieve and maintain the internal audit capabilities and the measures taken by the organization’s management to establish a supportive environment for IA.
  • Internal auditing must be delivered in a cost-effective manner.

The Structure of the IA-CM

Steps for strengthening IA have been organized into 5 progressive capability levels.The model illustrates the stages through which an IA activity can evolve as it defines, implements, measures, controls, and improves its processes and practices.
Improvements in processes and practices at each stage provide the foundation on which to progress to the next capability level. It is “building block”.
A fundamental premise underlying the IA-CM is that a process or practice cannot be improved if it cannot be repeated
The five levels of the IA-CM are:
1. Initial.
2. Infrastructure.
3. Integrated.
4. Managed.
5. Optimizing.
IACM Level
IACM Level

Organization v.s. IA Capabilities

Each capability level describes the characteristics and capabilities of an IA activity at that level. As either the size or complexity of an organization or the risks associated with its operations increases, so does the need for more sophisticated internal audit capabilities. The IA-CM attempts to match the nature and complexity of the organization with the IA capabilities needed to support it. In other words, if the organization requires a greater degree of sophistication in internal audit practices, the IA activity will typically be at a higher capability level. The internal audit capability level is often tied to the governance structure of the organization within which it is situated.

Consideration to remain at certain level:

IA activity may choose to remain at any level and still represent a best practice at that level for that IA activity in that particular organization and environment.
For example, an IA activity may wish to remain at a particular level and improve the efficiency and quality of implementation at that level by establishing “better practices”, rather than necessarily striving for and evolving to a higher capability level.
Another factor to consider is the “cost to improve” — to move from one level to above level (2 to 3) or (3 to 4). An IA activity may choose to remain at Level 2 or Level 3, and not aspire to a higher capability level because the current level is the most cost effective at that particular time.

Six essential elements were identified for an IA activity:

1. Services and Role of Internal Auditing.
2. People Management.
3. Professional Practices.
4. Performance Management and Accountability.
5. Organizational Relationships and Culture.
6. Governance Structures.
The element than assessed in each levels (5) of the IA-CM

1. Services and Role of IA

The role: to provide independent and objective assessments to assist the org. in accomplishing its objectives and improve operations — is found to some degree in IA activities in the public sector.
  • The means or services provided vary among different jurisdictions and environments.
  • Services provided based on the organization’s needs and the IA activity’s authority, scope, and capacity.
  • Services include the provision of assurance and advice.
  • Services can be performed by the IA activity itself, co-sourced, or outsourced.

2. People Management

The process of creating a work environment that enables people to perform to the best of their abilities. The process begins when a job is defined as needed.
People management includes:
  • Identifying specific attributes and developing clear job descriptions.
  • Recruiting appropriate people through an appropriate selection process.
  • Identifying job requirements and work obj. based on perf. standards, outcomes, and measures.
  • Providing effective orientation, continuing education, professional development, and training.
  • Providing ongoing coaching and continuous feedback.
  • Designing effective compensation and recognition systems.
  • Providing appropriate promotional and career development opportunities.

3. Professional Practices

  • Reflects the full backdrop of policies, processes, and practices that enables the IA activity to be performed effectively and with proficiency and due professional care.
  • Refers to the capacity of the IA activity to align itself with the organization’s priorities and RM strategies and contribute to continuous improvement of the IA activity and the organization.
  • Includes the development and maintenance of a QAIP.

Performance Management  and Accountability

  • Refers to the information needed to manage, conduct, and control the operations of the IA activity and account for its performance and results.
  • Refers to the identification and communication of sufficient and relevant information to enable people to perform their assigned responsibilities.
  • Includes the management of relevant information systems and financial and non-financial (operational and program) performance information.
  • Includes the procedures to manage and protect the integrity of data and to produce and present the appropriate information and results when needed.
  • Refers to reporting on the effectiveness of the IA activity to relevant stakeholders and the public.

Organization Relationship and Culture

  • Refers to the organization structure and the internal management and relationships within the IAA itself.
  • Includes the CAE’s relationships with Senior Manager , and as part of the management team.
  • Refers to the IAA relationships with other units in the organization, both within the administrative infrastructure and as part of the management regime.
  • Includes how the organization's policies, processes, and practices are interpreted and may impact on the IAA capacity to access the information and people needed in the conduct of its work.
  • Refers to the internal relationships and the organization’s internal culture and environment, and how these relationships and the org culture may impact on key stakeholders and others outside the org.
  • Refers to relationships with other review groups, including the external auditor or the legislative auditor, if applicable.

Governance Structure

  • Includes the reporting relationship (administrative and functional) of the CAE, and how the IA activity fits within the organizational and governance structure of the entity.
  • Includes the means by which the independence and objectivity of the IAA is assured; for example:, through its mandate, legislated authority, and/or oversight body such as an Audit Committee.
  • Refers to the policies and processes established to support and resource the IA activity and thus contribute to its effectiveness and independence.

IACM Matrix

  • The shading the matrix depict the extent/influence the IA activity has over the elements.
  • Moving from left to right, the ability of the IA activity itself to independently create and institutionalize the KPAs decreases. For example, the IA activity will likely have greater control over its role and services than over its governance structure.
  • The IA activity has potentially less ability to independently institutionalize the KPAs as the capability levels move upward. This shift occurs because the organization and the environment will tend to increase their influence over whether the IA activity is able to institutionalize the KPAs at the higher capability levels.
  • To move from Level 1 to Level 2 requires certain prerequisites in the environment, such as maturing governance structures and financial management, control, and accountability frameworks, along with goverance stability, a receptive organization culture, and central drivers for IA
In summary, the IA activity will likely have more control in creating and institutionalizing the KPAs found in the elements and levels that are darker green.
IACM Matrix
IACM Matrix

What is a Key Process Area (KPA)?

KPAs identify what must be in place and sustained. Each capability level consists of one or more KPAs. These are associated with the six elements of internal auditing.
KPAs are the main building blocks that determine the capability of an IA activity. They identify what must be in place and sustained before the IA activity can advance to the next level. All of the KPAs in each element up to and including that level must be mastered and institutionalized into the culture of the IA activity for IA to achieve a particular level.
By definition, KPAs are expressed within an element at a single capability level. There are relationships among KPAs that stretch across the elements and through the capability levels.
Purpose, essential activities, outputs, outcomes, and institutionalizing practices
Purpose: summarizes the intended outcome or state that must exist for that KPA.
The state must be implemented in an effective and lasting way. The extent to which the purpose has been accomplished is an indicator of how much capability the IA activity has established at that capability level. The purpose signifies the scope and intent of each KPA.
Essential activities: Each KPA identifies a group of related activities that, when performed collectively, achieve the purpose. In turn, these activities produce outputs and outcomes.
Outputs and outcomes: Certain immediate outputs and longer-term outcomes are associated with every KPA.
Institutionalizing practices: Certain practices must be mastered and institutionalized into the IA activity to achieve a particular KPA. The model is not intended to be prescriptive in terms of how a process should be carried out, but rather what should be done.
Institutionalizing practices for a particular IAA will vary depending on the external environment, the organization’s nature and complexity, and the attributes of the IA activity.
IACM Mastering KPA
IACM Mastering KPA

Achieving a Capability Level

Achieving a given capability level involves mastering all of the KPAs found in the elements included in that level and ensuring that these KPAs are institutionalized within the IA activity.
Institutionalizing KPAs at one level establishes the basis for practices and capabilities at the next level.
Mastering KPAs: once an IAA has done the necessary work to realize the outputs and outcomes associated with a KPA, it has mastered that KPA.
Institutionalizing KPAs: the IAA must institutionalize the KPA by incorporating the essential activities associated with it into the culture of the IAA. In this way, the KPA will be sustainable and repeatable and become a basic building block to reac a particular capability level.

Common Features

Common features: The five types of common features include: commitment to perform, ability to perform, activities performed, measurement, and verification.
IACM Common Features
IACM Common Features
Five features describe means to institutionalize and ensure the sustainability of the KPA.
  • Commitment to perform: commitment to master the KPAs, include developing policies — for supporting the essential activities of a particular KPA. Clearly, Senior Manager support is an important in developing strong internal audit capabilities.
  • Ability to perform: ability to carry out the essential activities competently. It could reflect the need for appropriate resouces (for example: human resouces, dollars, time, and access to specialized skills and appropriate toos, including technology based tools). It may also address haveing a plan in place to carry out activity, assigning reponsibility to carry out the plan, and appropriate training and development.
  • The activities performed: describes implementation activities. the IA-CM identifies them separately for each KPA as “essential activities.”
  • Measurement: refers to ongoing measurement and analysis of activities and progress.
  • Verification includes continuous verification to ensure that activities have been carried out in accordance with established policies and procedures.

Key process areas by Internal Audit element

Once the IAA has institutionalized Compliance Auditing, that KPA will continue to be performed even as other KPAs at higher capability levels (Performance/Value-for-Money Audits and Advisory Services) are also performed. 

Purposes of KPAs by Element

Services and Role of Internal Auditing

5 –Optimizing
Internal Auditing Recognized as Key Agent of Change
Purpose: To have sufficiently developed the professional and leadership capacity of the IA activity to provide foresight and serve as a catalyst to achieve positive change in the organization.
4 -Managed
Overall Assurance on Governance, Risk Management, and Control
Purpose: To conduct sufficient work to provide an opinion on the overall adequacy and effectiveness of the org’s gov, RM, and control processes (see BPKP). The IAA has coordinated its audit services to be sufficiently comprehensive that it can provide reasonable assurance at a corporate level that these processes are adequate and functioning as intended to meet the org.’s objectives.
3 –Integrated
Advisory Services
Purpose : To analyze a situation/ provide guidance and advice to mgt.  Advisory services add value w/o the IA assuming mgt responsibility. Advisory services are those that are directed toward facilitation, not assurance
Performance/Value-for-Money Audits
Purpose : To assess and report on the 3 E of operations, activities, or programs; or conduct engagements on governance, RM, and control.
2 -Infrastructure
Compliance Auditing
Purpose     To carry out an audit of conformity and adherence of a particular area,  process, or system to policies, plans, procedures, laws, regulations,  contracts, or other requirements.
1 -Initial
No KPAs, Isolated single audits or reviews of documents and transactions for accuracy and compliance.

People Management

5 –Optimizing
Leadership Involvement with Professional Bodies
Purpose: To facilitate and support top leaders of the IAA becoming key leaders within relevant prof. bodies. In addition to making contributions to the prof through their volunteer work, the CAE and other IA will become thought leaders and influence the growth and evolution of the profession.
Workforce Projection
Purpose: To coordinate long-term workforce devp actv to meet future business needs of the IAA. WF projection involves developing a strategic WF plan that sets out the IAA’s obj. for competency devp and WF actv in conjunction with the org’s projected strategic needs, and developing plans to guide WF devp actv for the IAA
4 -Managed
Internal Auditing Contributes to Management Development
Purpose : To integrate the devp of the org’s mgt with the training and experiences of the IAA and vice versa. The org and the IAA pursue a strategy to encourage people with a good understanding of governance, RM, and controls to work and contribute throughout the org..
IA Activity Supports Professional Bodies
Purpose : To provide leadership and prof. development opportunities for the internal audit staff by supporting their involvement and participation in professional bodies.
Workforce Planning
Purpose: To coordinate WF activities to achieve current business needs of the IAA. WF planning involves developing a WF plan that sets out the resources, skills, training, and tools required to conduct the audits that have been identified (or are proposed) in the periodic audit and services plan.
3 –Integrated
Team Building and Competency
Purpose: To develop staff members’ capacity to function effectively in a team environment, beginning with focus on the individual project team. Because many audits cover scopes that require the concerted effort of a team of auditors to conduct, and because the skills needed to conduct an audit are not necessarily the same skills to work effectively in a group environment, additional team competencies are required.
Professionally Qualified Staff
Purpose: To staff the IA activity with professionally qualified staff and retain the individuals who have demonstrated a minimum level of competence.
Workforce Coordination
Purpose: To coordinate the devp of the periodic audit and services plan to the HR levels authorized to the IAA. Because resources are often constrained, the IAA needs to use appropriate methods to set priorities on planned projects and services to limit its commitments to a  “doable” quantity and type of projects/ services.
2 -Infrastructure
Individual Professional Development
Purpose: To ensure that internal auditors continuously maintain and enhance their prof. capabilities.
Skilled People Identified and Recruited
Purpose : To identify and attract people with the necessary competencies and relevant skills to carry out the work of IAA. Appropriately qualified and recruited IA are more likely to provide credibility to the IA results
1 -Initial
No KPAs, Outputs are dependent upon the skills of specific individuals holding the position.

Professional Practices

5 –Optimizing
Continuous Improvement in Professional Practices, Purpose: To integrate the performance data, global leading practices, and feedback received from ongoing QA & IP processes to continuously strengthen and develop the IAA’s capacity to deliver world-class IA.
Strategic Internal Audit Planning, Purpose: To understand the organization’s strategic directions and emerging issues and risks, and change the IAA’s skill sets and audit services to meet potential future needs.
4 -Managed
Audit Strategy Leverages Organization’s Management of Risk, Purpose: To link the IAA’s periodic audit and services plan w/ the org’s enterprise RM strategies/practices
3 –Integrated
Quality Management Framework, Purpose: To establish and maintain processes to continuously monitor, assess, and improve the effectiveness of the IAA. Processes include ongoing internal monitoring, periodic internal and external quality assessments.
Risk-based Audit Plans, Purpose: To systematically assess risks and focus the priorities of the IAA’s periodic audit and services plan on risk exposures throughout the organization
2 -Infrastructure
Professional Practices and Processes Framework , Purpose: To help facilitate the perf. of audit engagements w/ the independence and obj., and proficiency and due prof care envisaged in the IA charter and The IIA’s Definition, the Code of Ethics, and the Standards. The PPFA includes the policies, processes, and procedures that guide in managing; developing its IA WP; and planning, performing, and reporting.
Audit Plan Based on Management/Stakeholder Priorities, Purpose: To develop periodic plans for which audits/other services will be provided, based on consultations with mgt / stakeholders.
1 -Initial
No KPAs, No specific prof practices established other than those provided by prof associations

Performance Management and Accountability

5 –Optimizing
Public Reporting of Internal Audit Effectiveness , Purpose: To report publicly on the effectiveness of the IAA to demonstrate transparency and accountability to the stakeholders and the public, and identify the contribution and impact made with the resources provided.
4 -Managed
Integration of Qualitative and Quantitative Performance Measures, Purpose: To enable the IAA to use inf. on performance to measure and monitor fluctuations that affect its results. The activity has balanced its use of quantitative and qualitative data to help it achieve its strategic objectives.
3 –Integrated
Performance Measures, Purpose: to develop indicators and measures that enable the IAA to measure and report on its perf. and monitor its progress against targets to ensure results achieved econ. and efficiently. These will be primarily process and input measures, and some output or qualitative outcome measures.
Cost Information , Purpose: To provide sufficient inf. so that the IA activity understands the cost inf sufficiently to use it to manage its services econ and efficiently. Goes slightly beyond budget variances and integrates the relationship of outputs to inputs.
Internal Audit Management Reports , Purpose: To receive and use information to manage the IA activity’s day-to-day operations, support decision-making, and demonstrate accountability.
2 -Infrastructure
Internal Audit Operating Budget , Purpose: To be allocated and use its own operating budget to plan the services of the IA activity.
Internal Audit Business Plan, Purpose: To establish a periodic plan for delivering the services of the IA activity, including administrative and support services, and the expected results.
1 -Initial
No KPAs, Ad hoc and unstructured; funding approved by management, as needed.

Organizational Relationships and Culture

5 –Optimizing
Effective and Ongoing Relationships,
Purpose: To use strong relationship mgt skills of the CAE for maintaining appropriate visibility and alignment with key stakeholders, mgt,  and AC needs and expectations.
4 -Managed
CAE Advises and Influences Top-level Management,
Purpose : To facilitate the org.’s understanding and appreciation of the vision, leadership, and foresight of the CAE, and to develop a relationship with top-level mgt that fosters frank exchanges. SM values the CAE for advice on strategic issues.
3 –Integrated
Coordination with Other Review Groups,
Purpose: To share inf. and coordinate activities with other internal and external providers of assurance and advisory services to ensure appropriate org. coverage and minimize duplication of effort.
Integral Component of Management Team ,
Purpose: To participate in the org. mgt activities in some form as a valued member of the mgt team. Although the CAE does not carry out mgt’s responsibilities, CAE is included in communications and forums of the mgt team, and as an observer, is able to maintain a channel of communication with SM.
2 -Infrastructure
Managing within the IA Activity ,
Purpose: To focus the mgt effort of the IAA on its own operations and relationships within the activity itself, such as org. structure, people mgt, budget preparation, annual planning, providing audit tools, and performing audits. Interactions with org. managers are focused on carrying out the business of the IA activity.
1 –Initial
No KPAs, Absence of IA activity infrastructure

Governance Structures

5 –Optimizing
Independence, Power, and Authority of the IA Activity, Purpose: To fully actualize the IA activity’s independence, power, and authority.
4 -Managed
Independent Oversight of the IA Activity, Purpose: To establish an oversight body, including members independent of the org’s mgt, to assure the indp of the IAA, broaden the IIA scope of input and influence, and help strengthen the org’s accountability.
CAE Reports to Top-level Authority , Purpose : To strengthen the CAE’s independence by establishing a direct functional reporting relationship to the governing body and a direct adm. reporting relationship to either the CEO or governing body.
3 –Integrated
Management Oversight of the IA Activity, Purpose: To establish a mechanism/process within the org. to provide oversight and advice, and review the results of the IAA to strengthen its independence and ensure appropriate action is taken. Involvement of a variety of mgt in the decisions related to IAA helps to extend the activity’s support and scope beyond a single individual.
Funding Mechanisms , Purpose: To establish a robust and transparent funding process that ensures adequate resources to allow the IA activity to discharge its obligations.
2 -Infrastructure
Full Access to the Organization’s Information, Assets, and People , Purpose: To provide the authority for the IA activity to obtain access to all the information, assets, and people that it requires to carry out its duties.
Reporting Relationships Established, Purpose: To establish formal reporting relationships (administrative and functional) for the IA activity.
1 -Initial
No KPAs, Auditors are likely part of a larger organizational unit.
Share this article :


  1. Apakah model IACM ini sudah atau dapat diterapkan di sektor privat (korporasi)


Total Pageviews

  • Posts
  • Comments
  • Pageviews

Support : IIA Website | CPA Room | Your Link
Copyright © 2015. Internal Auditor's Corner - All Rights Reserved
Template Created by Creating Website Modified by CaraGampang.Com
Proudly powered by Blogger