staff analyzing data
iStock_Courtney Keating_staff analyzing data

8 Key Indicators of Internal Audit Maturity

Aug 31st 2016
Share this content

Assessing the maturity of an internal audit department helps stakeholders determine strategies to improve its performance and reliability, according to the Institute of Internal Auditors Research Foundation’s new report, Benchmarking Internal Audit Maturity: A High-Level Look at Audit Planning and Processes Worldwide.

The report examines key indicators of maturity, based on data and survey responses from more than 14,000 respondents in 166 countries, about a quarter of whom were chief audit executives (CAEs) and almost half were department staffers.

Here’s a snapshot of survey findings by maturity indicator.

1.Internal audit is almost fully aligned with the organization’s strategic plan and is flexible to change. More than half (55 percent) of CAEs said their department is almost or fully aligned. Alignment helps ensure synergy with the entire organization. The older the department, the greater the likelihood that is it almost completely aligned.

2. Internal audit relies on holistic risk assessment to understand the organization at micro and macro levels. The term “holistic assessment” means it is done comprehensively, compared to a “focused” assessment of risks one at a time. The former is what indicates maturity.

Globally, 71 percent of CAEs said they use comprehensive risk assessment, which is needed because of the complexity of the current business environment. A comprehensive approach allows a broader view of risks and lessens the chance of missing risks if a focused assessment is used.

3.Internal audit staff has a mixed background of traditional auditing skills and industry knowledge complemented by overall business competence, critical thinking, and leadership skills. About half (53 percent) of CAEs said their staffers have that mix. About a third (34 percent) indicated their staff has a more traditional accounting and audit background.

This mix is more common in older departments. Those in the financial industry have a far greater staff (62 percent) that possesses the mix, compared to 45 percent in not-for-profits.

4.Internal audit training programs are structured, documented, and diversified. Slightly less than half (47 percent) of CAEs indicated their programs met that maturity indicator. In 53 percent, the programs are either undeveloped or developed only on an ad hoc basis.

Far more than half (66 percent) of older departments have structured and documented training programs, while 33 percent of younger departments do.

More than half (56 percent) of departments that fully conform to standards have more structured and documented training programs than those that don’t (27 percent) or conform only partially (39 percent).

Most training focuses on internal audit skills, but 53 percent of CAEs said their training also includes business knowledge development.

5. Internal audit frequently updates risk assessments to stay in touch with organizational developments. More than half of CAEs (59 percent) indicate they perform annual risk assessments with periodic formal updates (36 percent) or continuous risk assessments (23 percent).

Older and larger internal audit departments update their risk assessments more continuously than younger and smaller departments. Departments in listed companies also update risk assessments more than those in the public sector do.

6. Internal audit documents and monitors audit procedures to adapt them to changes. About half (54 percent) of CAEs said their department procedures are documented in a manual and monitored. On the other hand, 17 percent said their procedures are ad hoc and not clearly documented, while 29 percent said procedures are documented in a manual but not monitored.

The majority (71 percent) of departments that rotate staffers as part of their management training have more documented and monitored procedures than those that don’t (50 percent).

7. Internal audit uses leading technology (data mining, data analytics, and continuous or real-time auditing). Less than half (39 percent) of CAEs say their departments use appropriate or extensive technology, including data mining and analytics. About a quarter (23 percent) say they only use manual systems.

The older the departments, the greater the use of technology. Those in international or multinational organizations also use more technology.

Data mining is used in about half (47 percent) of departments. About the same (45 percent) moderately or extensively use data analytics. About a third (31 percent) say they use real-time auditing.

8.Internal audit has a quality assurance and improvement program. About a third (34 percent) of CAEs say they have a well-defined program in place, including an external review. The majority (78 percent) of financial and public-sector organizations combined have a defined quality assurance and improvement program.

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.