Good morning everybody Last Year We – i.e. Cheryl , Curtis , Joan and myself were involved in preparing Audit scorecard for the MOST Project and presenting it to Project Management during the monthly meetings. I realized what cool thing the scorecards were and how they make the task of governance more structured and meaningful. And I wondered at that point in time could we apply these useful concepts og governance to the work that we do in Internal Audit. Immediately after that I had an opportunity to go a 2 day Seminar conducted by ISACA called COBIT and VAL IT which talked about best practices of these governance and I was fascinated by that framework I therefore wanted to take this opportunity of sharing some of these governance concepts in this presentation. Not to challenge anybody
Sanjay Kankaria FRAST Branch Meeting June 23 , 2008 Maturity Models and Balanced Scorecard Frameworks For Internal Auditing
WHY - Maturity Models and Balanced Scorecard Frameworks ? The STRATEGIC Question The VALUE Question Are we delivering the right benefits ? Are we doing the right things ? Are we doing things the right way ? Are we doing things of right quality? The PROCESS Question The QUALITY Question 2
Business Goals Internal Audit Goals Internal Audit Processes Translate in to Check Alignment with Key Activities Control Objectives Maturity Models Balanced Score Card Internal Audit Strategy Maps Control Practices Responsibility and Accountability Chart(s) Activity Goals and Metrics Broken into Assessed by Analyzed by Assessed by For Performance Cause and effect illustrated by Controlled By Implemented by For Maturity Assessed for maturity by Control Framework 3
Business Goals Internal Audit Goals Internal Audit Processes Translate in to Check Alignment with Control Framework 4
Internal Audit Goals Internal Audit Processes Control Objectives Control Practices Controlled By Implemented by Control Framework 5
Internal Audit Goals Internal Audit Processes Key Activities Responsibility and Accountability Chart(s) Activity Goals and Metrics Broken into Assessed by Analyzed by Control Framework 6
Internal Audit Goals Internal Audit Processes Maturity Models Balanced Score Card Internal Audit Strategy Maps Assessed by For Performance Cause and effect illustrated by For Maturity Control Framework 7
Maturity Models -History First released by Software Engineering Institute affiliated with Carnegie Mellon University in 1993 as Capability Maturity Models -CMM Information System Audit and Control Association ISACA Adopted it for Internal Auditing as COBIT in 1996 Information System Audit and Control Association ISACA refined it further in 2007 Maturity levels rated from a scale of non–existent level 0 to optimized – level 5 8
Graphic Representation of Maturity Models 0 2 3 4 5 Non Existent Initial / Ad hoc Repeatable but intuitive Defined Process Managed and Measurable Optimized 1 Maturity Levels 9 0 Lack of any recognizable processes / practices 1 Processes are ad hoc and disorganized 2 Processes follow a regular pattern 3 Processes are documented and communicated 4 Processes are monitored and measured 5 Good Practices are followed and automated
Maturity Models 10 Maturity Level Characteristics 0 Non Existent Complete lack of any recognizable processes The enterprise has not even recognized that there is an issue to be addressed. 1 Initial /Ad Hoc There is evidence that the enterprise has recognized that the issues exist and need to be addressed There are however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis The overall approach to management is disorganized.
Maturity Models-cont’d 11 Maturity Level Characteristics 2 Repeat-able but Intuitive Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely 3 Defined Process Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
Maturity Models-cont’d 12 Maturity Level Characteristics 4 Managed And Measurable Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively Processes are under constant improvement and provide good practice Automation and tools are used in a limited or fragmented way 5 Optimized Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises IT tools are used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Generic Maturity Model ISACA has proposed tracking Maturity levels of following Six Generic Aspects / Dimensions / Planes Generic Maturity Model 13 <ul><li>AWARENESS AND COMMUNICATION </li></ul><ul><li>POLICIES AND PROCEDURES </li></ul><ul><li>SKILLS AND EXPERTISE </li></ul><ul><li>RESPONSIBILITY AND ACCOUNTABILITY </li></ul><ul><li>GOAL SETTING AND MEASUREMENT </li></ul><ul><li>TOOLS, TEMPLATES AND AUTOMATION </li></ul>
Balanced Scorecards - History First proposed by Kaplan and Norton in an article in the Harvard Business Review in 1972. Institute of Internal Auditors Research Foundation brought out a research publication “A Balanced Scorecard Framework for Internal Auditing departments” In 2002 American Accounting Association awarded a prize for “ Most significant Contribution” in 2001 Further developed and refined the concept as Strategy Maps in 2001. 14
Mechanisms to enhance VALUE Book - The Discipline of Market Leaders- Michel Tracey Operational Excellence Customer Intimacy Innovation 15
Board & Audit Committees - Some Possible Metrics 19 GOALS MEASURES RATING The internal audit functions maintains independence with in the organization Independent third party’s objective evaluation of Internal Audit Independence There will not be any control related surprises/ unexpected events for the Audit Committee Peer Director’s objective evaluation of control surprises for the Audit committee Regular and timely communication occurs between Internal audit and audit committee Peer Director’s objective evaluation of regular communication with the Audit committee The audit committee will be continuously educated about the business controls , internal audit’s role etc. Number of educational subjects as part of Agenda in Audit Committee meetings Internal Audit meeting the expectations of Audit committee members Audit Committee Members Satisfaction Survey results R Y G R Y G R Y G R Y G R Y G
Management & Other Auditees- Some Possible Metrics 20 GOALS MEASURES RATING Internal Audit identifies Key issues Number of major audit findings and recommendations Internal Audit provides value added services Amount of savings identified by the Auditing Department Internal Audit provides value added services Number of process improvements suggested by the Audit department Internal Audit has client acceptability Percent of Audit recommendations fully implemented by the auditee Internal Audit has positive brand image New clients added to client base Internal Audit is responsive to clients needs Average Response time to management requests R Y G R Y G R Y G R Y G R Y G R Y G
Internal Audit Processes/Operational Excellence – Some Possible Metrics 21 Goals Measures Rating Internal Audit will have high productivity Completed Audits per Auditor Internal Audit will have high Staff Utilization Percentage of Time spent on Projects as opposed to administrative time or vacation Internal Audit will have low turnaround time Days from end of field work to report issuance Internal Audit will have high coverage of organization’s activities Completed versus Planned Audits Internal Audit will resolve pending issues promptly Number of Days the issue remained open after the expected closure date R Y G R Y G R Y G R Y G R Y G
Innovation, Future Orientation & Capabilities -Some Possible Metrics 22 GOALS MEASURES RATING Internal Audit will seek to develop the Human Capital of its staff Training hours per Auditor Internal Audit will encourage innovative practices Number of new Audit templates developed by the Internal Audit Internal Audit will identify and execute technological innovations Number of new Software purchased / deployed by Internal Audit Internal Audit staff would have proper professional competencies Number of new Certifications acquired by Internal Audit Internal Audit will maintain involvement interaction and thought leadership Number of Best Practices identified and presented with in the organization R Y G R Y G R Y G R Y G R Y G
Leading/ Lagging Performance Measures Continuum Leading Performance Measures Lagging Performance Measures Training Hours per Internal Auditor Number of Major Audit Findings Percentage of Audit Recommendations Implemented Number of Management Requests Number of Process Improvements Auditee Satisfaction Survey 23
Alternative Performance Dimensions Contribution of Internal Audit to help Organization / Clients achieve: Achievement of following objectives within internal Department : 28 A. Client Service Performance Measures B. Internal performance Measures 1 Adequate Risk Coverage 2 Better Strategic Alignment 3 Better Customer Intimacy 4 Better Performance Management Systems 5 Operational Excellence/ Better Quality / Resource Management 6 Learning & Innovation R Y G 2 Better Strategic Alignment 3 Better Customer Intimacy 4 Better Performance Management Systems 5 Operational Excellence/ Better Quality / Resource Management 6 Learning & Innovation R Y G R Y G R Y G R Y G R Y G R Y G R Y G R Y G R Y G R Y G
WHY - Maturity Models and Balanced Scorecard Frameworks ? BEST PRACTICES Answer STRUCTUREDNESS Answer COMPLETENESS Answer OBJECTIVITY Answer 29