w.theiia.org INTERNAL AUDIT CAPABILITY MODEL (IA-CM) Ciawi, 10 Oktober 2018 Nur Abdillah – Direktur Eksekutif IIA Indonesia

Agenda Background Fungsi IACM Public Sector Only? Corporate Sector? Capability Level Element IACM Assessment through KPA Mastering KPA Institutionalization KPA IACM and QAIP

Background Tahun 2004 Public Sector Committee recommended development of reinforcement of Internal Auditing in public sector governance and accountability  why ? Secara kualitas baik dalam praktek, proses, atau culture internal audit public sector sangat vary secara signifikan antar negara Dibutuhkan model universal  yang digunakan untuk self-assessment and development tools Saat yang sama IA dalam berbagai tingkatan pemerintahan memiliki peran penting dalam meningkatkan efisiensi dan efektifitas serta (economical?) di level pemerintahan masing-masing Kebutuhan ini direspon oleh IIA Research Foundation September 2016 dengan menjalankan Project to develop IACM dan selesai di IACM dikembangkan dari CMMI dari Carnegie Mellon University

IA – CM adalah suatu framework yang mengidentifikasi dasar yang dibutuhkan untuk menjalankan internal auditing efektif dalam public sector yang terdiri dari lima tingkatan.

No sustainable repeatable capabilities Dependent upon individual effort Initial Sustain and Repeatable dalam practice and procedures Infrastrusture IA Management and Professional practice uniformly applied Integrated IA Integrates information to improve Governance and Risk Management across the organization Managed IA as continuous improvement Optimizing

Fungsi IACM Communication vehicle. Basis communicating to organization and stakeholders through advocating Framework for assessment. Framework for assessing the capabilities of IA either as self assessment or an external assessment A road map for orderly improvement. Road map for building capacitythat sets out the steps an organizationb

IA CM merupakan alat bagi organisasi untuk: Menentukan kebutuhan organisasi IA sesuai dengan nature, complexity, dan juga tingkatan risiko organisasi Melakukan asesmen untuk kapabilitas IA saat ini sesuai dengan kebutuhan yang ditentukan Mengidentifikasi kesenjangan yang signifikan antara kebutuhan dengan kapabilitas existing sehingga dapat mencapai level yang diinginkan

Public or Private Sector

Memerlukan Redefinisi dan rekonfigurasi untuk setiap elemen dan Key Process Area agar fit dengan Korporasi IACM memang didesain dari awal untuk Public sector namun sebagaimana produk IIA yang lain dapat diterapkan pada multi sector

Capability Levels

Why Levels? Different performance expectations and measures in current practice. Capability gets built in steps/stages. Need a common map/conceptual framework. Help select the capability level appropriate for an organization.

IA Activity Elements The IA activity consists of the following six elements: –Services and role of IA. –People management. –Professional practices. –Performance management and accountability. –Organizational relationships and culture. –Governance structures.

Service and Role of Internal Auditing  provide independent and objective assessment to assist the organization in accomplishing its objectives and improve operations People and Management  process creating work environment that enables people to perform to the best of their abilities. Professional practices  Reflects of policies, procedures, process, and practices that enable IA activity to be performed effectively and with proficiency and professional care. Performance management and accountability  refers to information needed to manage, conduct, and control the operation of IA activity for its performance and results Organizational Relationship and Culture  Refers to the organizational structure and the internal management and relationships within the IA activity itself Governance Structure  Included the reporting relationship of the CAE (administrative and functional)

Assessment Through KPA

Key Process Areas (KPA) adalah the main building blocks that determine the capability of IA activity. They identify what must be in place and sustained at level.  Building blocks  In Place  Sustain Untuk dapat mencapai Level tertentu KPA ini harus  Mastering KPA  Institutionalizing KPA

Internal Audit Capability Model Matrix Services and Role of IA People ManagementProfessional Practices Performance Management and Accountability Organizational Relationships and Culture Governance Structures Level 5 – Optimizing IA Recognized as Key Agent of Change Leadership Involvement with Professional Bodies Workforce Projection Continuous Improvement in Professional Practices Strategic IA Planning Public Reporting of IA Effectiveness Effective and Ongoing Relationships Independence, Power, and Authority of the IA Activity Level 4 – Managed Overall Assurance on Governance, Risk Management, and Control IA Contributes to Management Development IA Activity Supports Professional Bodies Workforce Planning Audit Strategy Leverages Organization’s Management of Risk Integration of Qualitative and Quantitative Performance Measures CAE Advises and Influences Top-level Management Independent Oversight of the IA Activity CAE Reports to Top- level Authority Level 3 – Integrated Advisory Services Performance/Value- for-Money Audits Team Building and Competency Professionally Qualified Staff Workforce Coordination Quality Management Framework Risk-based Audit Plans Performance Measures Cost Information IA Management Reports Coordination with Other Review Groups Integral Component of Management Team Management Oversight of the IA Activity Funding Mechanisms Level 2 – Infrastructure Compliance Auditing Individual Professional Development Skilled People Identified and Recruited Professional Practices and Processes Framework Audit Plan Based on Management/ Stakeholder Priorities IA Operating Budget IA Business Plan Managing within the IA Activity Full Access to the Organization’s Information, Assets, and People Reporting Relationship Established Level 1 – Initial Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs dependent upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas

Mastering KPAs

Institutionalizing of KPAs

Commitment to Perform  adanya Policies, kebijakan, keputusan Ability to perform  adanya sumber daya untuk melakukan KPA Activities Performed  Terimplementasinya suatu kebijakan atau KPA Measurement  Pengukuran implementasi yang continue Verification  aktivitas KPA dapat direview dan verifikasi

Self-assessment Steps Understand the IA-CM. Identify KPAs that appear to be institutionalized by the IA activity. Review documentation re: IA activity, organization, and environment. Interview managers/stakeholders. Confirm actual KPAs institutionalized. Determine capability level. Communicate results.

Considerations Apply professional judgment. Consider environmental and organizational factors. Is Level 3 sufficient? Can capability levels be skipped? Can KPAs be ignored? Must all elements be at the same capability level?

Communicate Results Identify strengths and areas for improvement of the IA activity. Identify “leading practices” of the IA activity.

Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement

Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments. Internal AssessmentsExternal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices. External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board: The need for more frequent external assessments; and The qualifications and independence of the external reviewer or review team, including potential conflict of interest.

Internal Quality Assessment According to the Standards, the quality assessment (QA) process should include both internal and external assessments. Internal assessments comprise ongoing internal evaluations of the IA activity, coupled with periodic self- assessments and/or reviews. These internal assessments are conducted by persons within the organization’s IA activity under the direction of the chief audit executive (CAE). Involvement, however, precludes total objectivity.

External Quality Assessment External assessments require an outside team of independent reviewers to evaluate compliance with the Standards, the use of successful practices, and the efficiency and effectiveness of the IA activity. The purposes of the external quality assessment are to: 1.Assess the effectiveness of an IA activity in providing assurance and consulting services to the board, senior executives, and other interested parties. 2.Assess conformance to the Standards and provide an opinion as to whether the IA activity generally conforms to all of the standards. 3.Identify opportunities, offer recommendations for improvement, and provide counsel to the CAE and staff for improving their performance and services and promoting the image and credibility of the internal audit function.

Scope of the External QA The scope of the external QA has been expanded beyond deter-mining whether the IA activity conforms to the Standards and its own charter, plans, policies, and procedures. The expanded approach encompasses the role and relationships of the IA activity in the entity’s governance process and the processes adopted for managing the internal audit practice and resources.

Scope of the External QA 1.The expectations of the IA activity expressed by the oversight group, executive management, and its other “customers” (i.e., management of operational and support units). 2.The entity’s control environment and the CAE’s audit practice environment. 3.The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise. 4.The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the stra-tegic objectives of the entity as a whole. 5.The Standards. 6.The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities. 7.The tools and techniques employed by the department, with emphasis on the use of technology.

Quality Assurance IA Governance Std 1000, 1100, 1300 dan Code Ethics IA StaffingStd 1200IA Management Std 2000, 2100, 2600 IA Process Std 2200, 2300, 2400, 2500

IACM vs QAIP IACMQAIP SectorSpecific to Public Sector (Government) Applicable to all sector FocusCapabilityQuality Main purpose The IA-CM assessment is part of an overall process used by an IA activity to develop and maintain the capabilities it needs to effectively respond to the needs of the organization it serves and to adhere to professional expectations. QAIP is designed to provide reasonable assurance to the various stakeholders of the IA activity that IA: 1.Performs its work in accordance with its Charter, which is consistent with The IIA International Standards, Definition of Internal Auditing and Code of Ethics 2.Operates in an effective and efficient manner 3.Is perceived by stakeholders as adding value and improving Internal Audit’s operations Who evaluate? Can be internal or externalMust include both internal & external evaluation. ScaleInitial / Infrastructure / Integrated / Managed / Optimizing Does Not Conform / Partially Conforms / Generally Conforms

The IIA is a dynamic global organization with more than 185,000 members worldwide. Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Lake Mary, Florida, USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security. Mission The mission of The Institute of Internal Auditors is to provide dynamic leadership for the global profession of internal auditing. Activities in support of this mission will include, but will not be limited to: Advocating and promoting the value internal audit professionals add to their organizations. Providing comprehensive professional educational and development opportunities, standards and other professional practice guidance, and certification programs. Researching, disseminating, and promoting knowledge concerning internal auditing and its appropriate role in control, risk management, and governance to practitioners and stakeholders. Educating practitioners and other relevant audiences on best practices in internal auditing. Bringing together internal auditors from all countries to share information and experiences. ABOUT THE IIA