Internal Audit Maturity Model: A Better Way To Evaluate Internal Audit Departments?

Compliance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing is a requirement for Internal Audit Departments around the world. As most already know, compliance is validated through an External Quality Assessment completed by an independent third party (such as Vonya Global). The evaluation and final grade is generally pass/fail (yes, there are shades of gray).

So, for argument’s sake, let’s say an Internal Audit Department has failed an External Quality Assessment. Does this mean the Internal Audit Department is not meeting the expectations of Executive Management and the Audit Committee? Maybe, maybe not. What if the Internal Audit Department simply is not ready for the External Quality Assessment? There is an alternative for evaluating the effectiveness of the Internal Audit Department, one in which the fear of non-compliance is eliminated. It is called the Internal Audit Capability Model (IA-CM).

The Internal Audit Capability Model was developed by the Institute of Internal Auditors Research Foundation in 2009. This model is a framework that identifies the fundamentals needed for an effective Internal Audit department. Rather than aligning strictly with the Institute of Internal Auditors’ Standards, this framework provides flexibility for organizations that use their Internal Audit Department in varying manners, and it ties to leading practices within Internal Audit.

The IA-CM framework identifies the fundamentals needed for effective internal auditing and classifies them into six Essential Elements.

  • Services and Role of Internal Audit
  • People Management
  • Professional Practices
  • Performance Management and Accountability
  • Organizational Relationships and Culture
  • Governance Structures

Within the Essential Elements are Key Process Areas that increase in sophistication through five levels of maturity.

  • Level 1 Informal: The IA activity is ad hoc or unstructured. No professional practices have been established, and there is an absence of infrastructure.
  • Level 2 Infrastructure: The IA activity has established and is maintaining the repeatability of its processes. There is partial conformance to the IIA Standards, and appropriate reporting relationships have been established.
  • Level 3 Integrated: Policies and procedures are defined, documented, and integrated into the culture of the IA activity.
  • Level 4 Managed: The IA activity is recognized as a significant contributor to the organization. Performance metrics are in place to measure and monitor IA performance. IA is a well-managed business unit.
  • Level 5 Optimizing: World-class. The IA activity has acquired top-level professional and specialized skills, and is a critical part of the organization’s governance structure.

The final conclusion of an IA-CM assessment is based on several factors, including the following:

  • Established purpose of Internal Audit department
  • Results of Interviews/questionnaires
  • Results of testing
  • Assessment of maturity in each element vs. purpose of department

The Internal Audit Capability Model was created for the public sector to help those organizations implement the fundamentals of effective internal auditing. While designed for the public sector, the model can be applied to any organization, regardless of industry or sector. Vonya Global is one of the few firms that has developed a methodology for evaluating Internal Audit Departments against the IA-CM, and it has used this methodology to help organizations outside of the public sector.


This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, and a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

From the Archives: Boardroom Digital Literacy: R U Talking to Me?

[This article was contributed by Fay Feeney, CEO of Risk for Good]

Boardroom protocol is being exposed every day on the internet. Does Rupert Murdoch really think we can’t see beyond his prepared remarks to determine for ourselves the “tone at the top” coming from his boardroom?

No need for board activists to add to the conversation from the outside about boardroom happenings. Now we hear directly from the CEO. When Yahoo fired its CEO Carol Bartz, she shared the inside scoop using her iPad. We learned of her accusing Chairman Roy Bostock of board mistreatment. In the same Fortune interview, she called her fellow directors “doofuses” and said they “f—-d me over.”

It may be surprising to see the boardroom portrayed like this in mainstream media, but imagine what happens when 100 million people on Twitter can now get involved in the conversation.

I know that many people in the boardroom are still on the sidelines about social media. What will it take to get your board ready to tackle their willingness to learn what is happening on the internet? Will it take seeing your company’s name in the news before you add digital literacy to your directors’ education? I can see the incredulous look on the directors’ faces when the board is called on for their oversight of digital issues.

I can only imagine a board being characterized as:

    “illiterate”: showing or marked by a lack of personal knowledge with the fundamentals of a particular field of knowledge.

Or maybe a board will be portrayed as:

    “ignorant”: Lacking knowledge, information, or awareness about something in particular: “ignorant of social media”.

Worse yet is as a board leader to know that it is true. So I ask, when are you planning to get digital and social media on your agenda? Who is going to be responsible for taking action to get it on your fall board agenda? Whatever title you have in the boardroom (board chair or lead directors), you are setting the boardroom agenda. Are you waiting for your CEO, Corporate Secretary, Corporate Counsel, Audit Committee Chair to bring resources and spend budget to get this to happen for you and your board?


This article is the first in a series contributed by Fay Feeney, CEO of Risk for Good. Risk for Good helps board chairs and lead directors navigate the disruption to their business from a social, mobile and global world.

Today’s minefields can cost your company time, money and goodwill. Risk for Good works with your board to evaluate your exposure and leverage the opportunity from social media, corporate social responsibility, sustainability, board composition, succession and the multitude of other areas where your board needs to manage emerging risk.

Modern boardrooms address these questions before others demand a “comply or explain” response. We use the quiet in our client’s boardroom to prepare thoughtful answers to today’s tough business questions.

If you are interested in contacting Ms. Feeney, you may do so through this blog or the Risk for Good website.

Policies and Procedures: a 2012 Project for Internal Audit

Are Policies and Procedures important? We certainly think so; unfortunately, many companies have old, outdated Policy and Procedure manuals, while some have none at all. As companies and internal audit departments plan their projects for 2012, consideration should be given to reviewing and updating the Corporate Policies and Procedures.

Policies and Procedures are a company’s way of documenting management’s vision and translating it into instructions for employees: how to handle issues as they arise, and how to execute their job responsibilities in a consistent manner.

Written Policies communicate:

  • Company Rules in simple language
  • Delegation of Authority
  • Enforcement and consequences if not followed
  • Impartial administration of company-wide Policy
  • Evidence for Governance, if legally approved and followed

Procedures communicate:

  • Clear guidelines on how to implement a policy
  • Boundaries for employees

While Policies are general in nature, Procedures provide the details as to what to do, often with examples and forms. Sometimes procedures include emergency steps.

By creating a Policy and Procedure Manual, the company provides a single source to which all employees can turn for guidance on routine matters, leaving management free to focus on exception handling rather than day-to-day operations.

Successful Policy and Procedure Manuals require reviews and updates as laws and the company environment change. Their dynamic nature requires work, but overall it eliminates the need for repeated instructions delivered through time-consuming meetings, memos or other correspondence.

Each Policy and Procedure Manual should be assigned to a position within the company. For example, the Finance Manual should be “owned” by the highest Finance position within the company, such as the CFO, and the Employee Handbook by the highest HR position, such as the HR Director. Policies should cover the organization’s key activities, which will differ from one organization to the next.

The objective is to create easy to understand policies and procedures that provide clear guidelines for everyone to follow.

Need a hand? We would be glad to help, just give us a call.

From the Archive: Board Director and Audit Committee Member Independence

Audit Committee Member independence, as it relates to the SOX Section 301 definitions and SEC Rule 10A-3 (specifically the definitions of “affiliate” and “affiliated person”), proves to be an area clouded by many shades of gray. In short, a clear and explicit definition of an “affiliated person” or “affiliate” is not provided. Rather, what is provided is a safe harbor suggesting that an individual is not an “affiliated person” if that person:

  • is not an executive officer, and
  • does not own more than 10% of the company’s stock.

Although this specific definition applies to ownership of securities, determining if a Director is an “affiliated person” appears to require more than that initial look.

What the rules are as of now.
Under SEC Rule 10A-3, all issuers must be in compliance with SOX Section 301 in order to be listed on any securities exchange. Specifically, the rules require that each member of the issuer’s Audit Committee be independent. The requirements establish two criteria and allow each exchange to adopt stricter rules of its own:

  • Audit committee members are barred from accepting any consulting, advisory or compensatory fee from the issuer or any subsidiary thereof, other than in the member’s capacity as a member of the board and any board committee.
  • An Audit Committee Member of an issuer that is not an investment company must not be an affiliated person (see definition of “affiliate” below) of the issuer or any subsidiary apart from the member’s capacity as a member of the board or any board committee.

To answer the question about an “affiliated person”: the SEC defines an affiliated person as “a person that directly, or indirectly through one or more intermediaries, controls or is controlled by, or is under common control with, [the issuer]”. The SEC defines control as “the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through ownership of voting securities, by contract or otherwise”. Finally, as part of its definitions, the SEC has provided a baseline for what may or may not be an affiliate in the form of a safe harbor, under which a person who is not an executive officer and is not a greater-than-10% stockholder is not deemed to control the issuer and is therefore not an “affiliated person”.

Based on many discussions and the available information, clear or explicit requirements for who is defined as an “affiliate” are not provided beyond the safe harbor. Rather, the determination of whether a person falls within the category of an “affiliate” requires a factual determination by the Board, made case by case on a consideration of all relevant facts and circumstances. These facts and circumstances look deeper into the relationship to determine whether control or influence exists, or whether interference with judgment may occur.

Given the impossibility of defining all the relationships with a company that may arise for Directors and Director candidates, we believe it is advisable that Boards retain discretion to decide independence on a case by case basis rather than use rigid standards.

However, if a company is looking to define or add more explicit language for the definition of an affiliated person, it can look beyond the SEC rules and Sarbanes-Oxley to the rules established by the national exchanges and other professional associations (e.g. NYSE, NASDAQ and NACD), which impose stricter independence requirements. Although these requirements do not explicitly define “affiliate”, they look deeper into the relationships of Board Directors and Audit Committee Members, including:

  • NYSE – “No material relationship.” Under the NYSE listing standards, no director qualifies as independent unless the board of directors affirmatively determines that the director has “no material relationship” with the listed company, either directly or as a partner, shareholder or officer of an organization that has a relationship with the company.
  • NASDAQ – “No interference with independent judgment.” The rules provide that an independent director is a person other than an officer or employee of the company or its subsidiaries, or any other individual having a relationship that, in the opinion of the company’s board of directors, would interfere with the exercise of independent judgment in carrying out the responsibilities of a director.
  • NACD – “The strictest definition of the term is a director whose only connection to the company is the receipt of director fees.”

If an organization is looking to define independence in the strictest sense, then the NACD definition would fit best; however, based on our experience and knowledge, most Boards follow the listing standards of the national exchange on which they are listed. In addition to the exchange definitions, these standards also allow Boards the discretion to judge member independence on a case by case basis.


This post was contributed by Sargon Youmara, a Partner with Vonya Global. If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.