Internal Audit

Ambition Model
 This publication is made on behalf of:

The Institute of Internal Auditors the Netherlands (IIA)

Members Group of Internal and Government Auditors (LIO)

of the Royal Netherlands Institute of Chartered Accountants. (NBA)

Taskforce Internal Audit Ambition Model:

Els Heesakkers, CZ
Joko Tenthof van Noorden, Exact
Maureen Vermeij - de Vries, CZ
Marieta Vermulm, LM Wind Power

June 2016

2
Table of Contents
Foreword 4
Introduction 5
1. Overview 6
1. Introduction 6
1.1 Background 6
1.2 Activities 6
2. The IA AM 7
2.1 What is the IA AM 7
2.2 The structure of the IA AM 7
2.2.1 Themes 7
2.2.2 Ambition levels 9
2.2.3 IA AM overview ambition level 12
2.2.4 Subthemes and topics 16
3. The IA AM questionnaire 17
3.1 Dashboard 17
3.2 Questionnaire 17
3.2.1 Showstoppers 17
3.2.2 Advisory services 18
3.3. Applying and interpreting the IA AM 18
3.3.1 Principles in applying the IA AM 18
3.3.2 Environmental and organizational factors 18
3.3.3 The IA AM and a Quality Assurance and Improvement Program 16
Abbreviations 19
Acknowledgments 19

3
Foreword
There is an ever-increasing broader recognition of the added You are more than welcome to use this model to your advan-
value of the Internal Audit Function (IAF), also in the appli- tage. Our aim is to substantively enhance the internal audit
cation of good governance. In the proposed revision of the profession and to challenge that group to continue on its
Dutch Corporate Governance Code, the IAF is given a more way of professionalization. The IA AM offers the opportunity
prominent position with its own principle. to lift the veil and perform a baseline measurement: where
are we currently with our IAFs and what are our goals as a
This broader recognition is not only reflected in the revision professional group?
proposals of the Corporate Governance Monitoring Commit-
tee (Commissie Van Manen), but also in the explicit rules in We call on all CAEs in the Netherlands to download the
the financial sector, e.g. Solvency II for insurers, Basel III for model and complete it as a self-assessment exercise. To
banks and the extension of the number of public-interest receive the model, please send an email to ambition@iia.nl.
organizations (OOBs). Consequently, there is a growing need We will send you the download link.
for the demonstrable establishing of a professional IAF.
The IIA and NBA-LIO are going to organize roundtable dis-
A group of internal auditors expressed the wish to develop cussions in the future and perform benchmarks to evalu-
an ambition model that provides insight into how an IAF ate your experiences with the model. We therefore ask all
can grow into complying with the International Professional IAFs using this model as a self-assessment tool to provide
Practices Framework (IPPF) of the Institute of Internal feedback and share their experiences with us. Only your
Auditors (IIA) and/or the professional standards of the Royal feedback will enable us to regularly update the model and,
Netherlands Institute of Chartered Accountants (NBA) and where necessary, further develop and improve it.
the Dutch professional association for IT auditors (NOREA).

In a joint effort, a number of enthusiastic members of IIA John Bendermacher RA CIA

Netherlands and the NBA Members Group of Internal and Chair IIA Netherlands
Government Auditors (LIO) created the Internal Audit Am-
bition Model (IA AM) that deals with the broad spectrum of Jos Motzheim RA CIA CRMA
the proactive design, setup and further development of the Chair NBA-LIO
IAF. The model contains relevant best practices and recom-
mendations from recent publications.

With this, the IA AM can become an excellent communica-

tion and benchmarking instrument for further spreading
and increased recognition of the internal audit profession.
The application of the model can be approached from two
angles:

1. The IA AM supports Chief Audit Executives (CAEs) in for-

mulating in consultation with the Management Board
the tasks and desired level of ambition for the IAF. The
tasks and responsibilities within the different lines of
defense will be taken into account. The model also offers
guidance for regularly evaluating the IAF and, on the
other hand, for achieving the agreed development goals.

2. The IA AM and this guide serve as an information source

for the Audit Committee of the Supervisory Board. It is
a useful aid for promoting the independence and the
performance of IAFs and for reinforcing the desired
ambition level of the IAF.

4
Introduction
This report reflects the efforts of the Institute of Internal together with the professions stakeholders. In line with the
Auditors (IIA) Netherlands and the Members Group of principle-based nature of internal auditing, this model is not
Internal and Government Auditors (LIO) at the Royal Nether- intended to be prescriptive in terms of how a process should
lands Institute of Chartered Accountants (NBA) to make an be carried out. More important is that the user assesses
internal audit ambition model (IA AM) with a Dutch view on whether his internal audit activity is organized to realize
ambition levels for IAFs. their ambition level.

In the Netherlands there is a growing need for the devel- As an ambition model the IA AM is not a static document
opment of an ambition model that helps CAEs and the and needs to be reviewed on a regular basis. Just as the
Committee of Quality Assessors (CQA) in identifying spe- world around us changes at exponential speed, we as an
cific improvement and ambition opportunities in addition internal audit profession need to adapt to these changes.
to complying with the International Professional Practices The ambitions of today are not the same as we will have to-
Framework (IPPF). morrow if we want to provide continuous insight, assurance
and advice.
As the Internal Audit Capabilities Model for the Public Sector
(IA-CM) was already a proven methodology which illustrates Therefore, this is the start of a broad professional dialogue
the levels and stages through which an internal audit (IA) amongst auditors with the ambition to improve this model
activity can evolve as it defines, implements, measures, con- over the next few years. We would like internal auditors to
trols, and improves its processes and practices, we used this use this tool and share their experiences and assessments
model as a starting point. for national benchmark research in order to gain insight in
the current level of quality and in the ambition level of IAFs.
However, the IIA and LIO felt a Dutch application of the IA-
CM was needed to align it with the current state of internal The model is written in English, an international language,
auditing in the Netherlands. First, the IA-CM was published to stimulate the use by IAFs that work internationally or
in 2009 and the internal audit profession and the world it work with non-Dutch board members.
operates in has developed significantly. Second, the IA-CM
had been developed for the public sector specifically and a A model developed by members for members.
broader scope was desired for the Netherlands also given
the fact that most Dutch companies have two-tier boards.
Furthermore, both the CQA and the Dutch CAEs felt the need Els Heesakkers
to link the existing IA-CM with the IPPF and the standard of Joko Tenthof van Noorden
the Dutch Chartered Accountants NV COS 6101. Maureen Vermeij - de Vries
Marieta Vermulm
Our work consisted of validating the guidelines from the
IA-CM with a broad group of CAEs, matching the guidelines
with the IPPF, NBA standards and updating the IA-CM based
on the recent publications of IIA Global, the IIA Research
Foundation (IIARF) and IIA Netherlands and the IFAC Code
of Ethics (which is the basis for the codes of ethics of the IIA
and NBA). Additional input was gathered from best practices
developed by a variety of internal audit professionals.

To align the name of this new model with the intended use
of the model, we renamed this new model the IA AM. This
IA AM is intended for self-assessment, formulating the role,
scope and ambition level of the IAF in consultation with the
Supervisory Board. It is also a tool for capacity building and
increasing awareness of the IAF and the internal audit pro-
fession in general among our stakeholders. Its primary users
are expected to be internal audit professionals


Original title: International Standard on Auditing (ISA) 610, Using the Work of

Internal Auditors

5
1. Overview
1. Introduction
The overview provides a high-level summary of the ambition After intensive discussion of the Dutch application of the
model. The background of the project and methodology as IA-CM with the CQA, a first version of the Dutch IA AM was
conducted by the task force is included below. introduced at the CAE Forum on June 30, 2015.

1.1 Background This presentation resulted in a pilot of 15 different IAFs who

In September 2014 the Committee Professional Practices tested the final draft, which was executed in the second
(CPP) of IIA Netherlands recommended developing an ambi- half of 2015. During this period further input was gathered
tion model that could be used as an add on to the regular from the CQA as well as the universities of Amsterdam and
accreditation activities of the CQA for Internal Audit Func- Rotterdam.
tions (IAFs).
Based on the feedback the task force decided that an update
After giving a generally complies opinion, the quality asses- of the existing IA-CM was necessary. For example, the use of
sors were frequently asked by the CAEs how the IAF com- data analysis and the concept of soft controls auditing were
pared to other IAFs and what best practices they identified in not part of the IA AM. Furthermore, the IA-CM had been de-
the market which the CAE could use to further improve the veloped for the public sector specifically and a broader scope
IAF processes. These questions could be answered in general was desired for the Netherlands given the fact most Dutch
terms, but a specific reference framework was lacking. companies have two-tier boards. Overall we concluded that
some higher levels were not ambitious enough, given the
1.2. Activities current requirements for IAFs in the Dutch context.
A task force was created at the end of 2014 under the CPP to
develop an ambition model. Its first task was to investigate The task force used the input from the pilots and research
whether maturity models for the internal audit profession conducted between 2009 and 2016 to prepare a second
already existed and if so, to what extent they could be used draft of the IA AM. This second draft has been discussed and
in a Dutch context. validated with sounding boards from three reference groups,
CAEs, the CQA and contributors from two Dutch universi-
The task force decided to use the Internal Audit Capabilities ties. This second round of feedback resulted in the current
Model for the Public Sector (IA-CM) as a starting point. The version of the IA AM. This final version was approved by the
background (purpose, scope and approach) of the IA-CM CPP on May 18, 2016.
can be found in their overview of the IA-CM and Application
Guide2. Our main considerations on using this model were:
First, the IA-CM has been internationally validated and is a
proven model. Second, its guidelines are sufficiently general
to be applied to both the private and public sector. And third,
the maturity levels are in line with generally accepted mod-
els as the Capability Maturity Model Integration (CMMI).

Next the taskforce developed a model-based questionnaire.

This questionnaire was based on the IA-CM, which could be
used by the CAE as a self-assessment tool, which could be
validated by the CQA as part of their regular external
assessments. Also a link was added between the IA-CM and
the following standards:

International Standards for the Professional Practice of

Internal Auditing (Standards)
Dutch Auditing Standards NV COS 610 (Original title: Inter-
national Standard on Auditing (ISA) 610, Using the Work of
Internal Auditors)

2
Internal Audit Capability Model IA-CM for the Public Sector Overview

6
2. The IA AM
2.1 What is the IA AM 2.2.1 Themes
The IA AM is a self assessment tool that provides levels The following six themes are identified for an IA activity:
of ambition and concrete best practices that can serve as Services and Role of Internal Auditing.
guidelines for the CAE wanting more than just meeting Professional Practices.
professional standards. The IA AM helps CAEs formulate stra- Performance Management and Accountability.
tegic objectives, evaluate the current IAF and define a road People Management.
map to achieve the stated objectives. The IA AM can help the Organizational Relationships and Culture.
Audit Committee and/or Supervisory Board determine which Governance Structures.
aspects to take into account when assessing the internal
audit mandate and ambition level. As such the IA AM shows The first four themes - Services and Role of Internal Audi-
the steps in progressing from a level of internal auditing typ- ting, People Management, Professional Practices, and Perfor-
ical of a less established organization to the strong, effective, mance Management and Accountability - relate primarily to
internal audit capabilities generally associated with a more the management and practices of the IA activity itself. The
mature and complex organization. last two themes - Organizational Relationships and Culture
and Governance Structures - also include the IA activitys
In other words, the IA AM is: relationship with the organization that it supports and the
A communication vehicle - a basis for communicating what internal and external environments.
is meant by effective internal auditing and how
it serves an organization and its stakeholders, and for A high-level description of the six themes is presented on
advocating the importance of internal auditing to decision the next page.
makers.
A framework for assessment - a framework for asses- sing To receive the model, please send an email to:
the capabilities of an IA activity against professional inter- ambition@iia.nl.
nal audit standards and best practices, as a self- assess-
ment.
A roadmap for orderly improvement - a roadmap for fur-
ther improvement and professionalization of the IAF.

The IA AM provides a tool that an organization can use to:

Determine its internal audit requirements according to the
nature, complexity, and associated risks of its operations.
Assess its existing internal audit capabilities against the
requirements.
Identify any significant gaps between those requirements
and its existing internal audit capabilities and work toward
developing the appropriate level of internal audit capability.

2.2 The structure of the IA AM

The IA AM consists of the following four building blocks,
which will be explained below:
1. Themes: Six themes are identified for an IA activity.
2. Ambition levels: The IA AM illustrates the stages through
which an IAF can evolve as it defines, implements, mea-
sures, controls and improves its processes and practices.
3. Subthemes and topics: To further detail and clarify the
specific steps which can be taken by the IAF to progress to
a next ambition level, the six themes have been divided
into eleven subthemes and thirty-nine topics. For an over-
view see 2.2.3.
4. Essential activities: The activities that must be performed
are defined for each of the thirty-nine topics. These are
called essential activities in the IA AM.

7
Services and Role of Internal Auditing to perform their assigned responsibilities. This element
Based on the IPPF of the IIA, the mission of internal audit is includes the development and management of relevant
to enhance and protect organizational value by providing information systems and financial and non-financial
risk-based and objective assurance, advice, and insight3. To (operational and program) performance information.
achieve this mission, internal auditing is an independent,
objective assurance and consulting activity designed to add People Management
value and improve an organizations operations. It helps an People management is the process of creating a working
organization accomplish its objectives by bringing a sys- environment that enables people to perform to the best of
tematic, disciplined approach to evaluate and improve the their abilities. People management is the system that begins
effectiveness of risk management, control, and governance when a job is defined as needed. The professional develop-
processes4. ment and workforce planning in level 1 is based on an ad hoc
basis. The output is dependent on the skills of the specific
However, the means by which this role is accomplished or individual auditors. Further professionalization teaches us
the services provided varies among different environments. that people management also relates to building effective
The services provided are typically based on the organiza teams to guide improvement and progress with a training
tions needs and the IAFs authority, scope, and capacity. and development plan. And coordinate long-term workforce
Services include the provision of assurance and consulting/ development activities to meet future business needs of the
advisory activities and can consist of audits of transactions, IA activity.
compliance, systems, processes, operations, performance/ Additionally, specific attention has been paid to team dyna
value-for-money, information and related technology, and mics regarding a professional skepticism. It refers to discuss-
financial statements and systems. ing ethical dilemmas and organizing professional feedback.

The broadest audit focus considers the organizations gov- Organizational Relationships and Culture
ernance activities, which can help the organization achieve Organizational relationships and culture refers to the
its objectives and priority goals and improve its governance organizational structure and internal management and
framework, including its ethical code. The narrowest audit relationships within the IA activity itself. It also refers to its
focus involves testing individual transactions for errors or relationships with other units in the organization. It includes
for compliance with contract terms, policies, regulations, or the CAEs relationships with senior management and as part
laws. The auditors scope of work can vary between these of the management team, as well as the ability to advise
extremes and includes activities such as reviewing internal and influence top-level management and develop effective
controls, processes, and systems to identify systemic weak- and ongoing relationships. This element refers to the
nesses and propose operational improvements. The services organizations internal relationships and internal culture
can be performed by the IA activity itself, co-sourced with and environment, and how these relationships and organi-
external service providers, or outsourced. zational culture may impact on key stakeholders and others
outside the organization, including the public. It also refers
Professional Practices to the IA activitys relationships with other review groups,
Professional practices reflect the full set of policies, pro- including the external or legislative auditor.
cesses, and practices that enables the IAF to be performed
effectively and with proficiency and due professional care. Governance Structures
It refers to the capacity of the IAF to align itself with the Governance structures generally refers to the combination
organizations priorities and risk management strategies and of processes and structures implemented by the board of
contribute to continuous improvement of the IA activity and directors and/or a supervising body (for example an audit
the organization. It includes the development and mainte- committee) to inform, direct, manage, and monitor the orga-
nance of a quality assurance and improvement program that nizations activities toward the achievement of its objectives.
covers all aspects of the internal audit activity. Governance structures include the administrative and func-
tional reporting relationships of the IA activity. It includes
Performance Management and Accountability the CAEs reporting relationship to the governing body and
Performance management and accountability refers to the how the IA activity fits within the organizations structure
information needed to manage, conduct, and control the and governance regime. It includes the means by which the
operations of the IA activity and account for its performance independence and objectivity of the IA activity is assured; for
and results. It refers to the identification and communication example, through its formal mandate, legislated authority,
of sufficient and relevant information to enable people and/or oversight mechanism such as an audit committee.

3
https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx
4
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx

8
It also refers to the policies and processes established to ic transactions, or some basic compliance auditing. The infra-
provide the necessary authority, support, and resources for structure for the IA activity has not been established and the
the IA activity to carry out its duties and contribute to its auditors are likely part of a larger organizational unit. At this
effectiveness and independence. level, internal auditing must rely on the individual efforts
or personal skills of the auditors conducting the audits and
2.2.2 Ambition levels their personal objectivity. There are no professional practic-
The IA AM is a framework for strengthening or enhancing es established other than those provided by professional
the IAF through evolutionary steps. Each of these steps have associations.
been organized into five progressive ambition levels. Im-
provements in processes and practices at each stage provide Level 2 - Infrastructure
the foundation on which to progress to the next ambition At the Infrastructure level, the primary objective is to instill a
level. Hence, it is a building-block approach to establishing process discipline into the IAF that ensures that basic internal
effective internal auditing in an organization. A fundamental audit practices and processes are performed on a regular and
premise underlying the IA AM is that a process or practice repeatable basis. To do so, the IA activity is initiating the de-
cannot be improved, before it is a stable process. velopment of its management and administrative infrastruc-
tures. An audit charter establishing the purpose, authority,
Each ambition level describes the characteristics and ca- and responsibility of the IA activity and its reporting relation-
pabilities of an IA activity at that level. As either the size or ship (administrative and functional) within the organization
complexity of an organization or the risks associated with its is developed. Organizational policies are being established
operations increases, so does the need for more sophisticat- that provide for the IA activitys full access to the organiza-
ed internal audit capabilities. The model attempts to match tions information, assets, and people to conduct its work.
the nature and complexity of an organization with the inter-
nal audit capabilities needed to support it. In other words, if At the Infrastructure Level, the IAF primarily conducts
the organization requires a greater degree of sophistication traditional compliance auditing or, in other words, audits of
in internal audit practices, the IA activity will typically be at conformity and adherence of a particular area, process, or
a higher ambition level. The internal audit ambition level is system to policies, plans, procedures, laws, regulations, con-
often tied to the governance structure of the organization tracts, or other requirements. These could include financial
within which it is situated. audits as well as system or process-approach audits that
assess whether an appropriate internal control framework is
The ambition levels in the model provide a road map for con- in place and operating.
tinuous improvement within the IA activity. However, an IA
activity may choose to remain at any level and still represent The IA activity has started to identify and recruit people with
a best practice at that level for that IA activity in that particu- the necessary competencies and relevant skills to carry out
lar organization and environment. the work. However, to some extent, there continues to be
reliance on individual people and their personal skills and
The five ambition levels of the IA AM are. competencies. Emphasis is placed on individuals taking
1. Initial responsibility for their own professional development to
2. Infrastructure ensure that they continuously maintain and enhance their
3. Integrated professional capabilities.
4. Managed
5. Optimizing. A professional practices and processes framework is being
developed which includes documented policies, processes,
Below a high-level description of the ambition levels is intro- and procedures to encourage consistent application of inter-
duced. nal audit guidance and practices across the IA activity. How-
ever, all the relevant internal audit policies, processes, and
Level 1 - Initial practices may not have been institutionalized, and the IA
At the Initial level, internal auditing is ad hoc or unstruc- activity may fall short of meeting some major objectives.
tured, few processes are defined, and practices are per- For example, the IA activity may not have sufficient organi-
formed inconsistently. Isolated single audits and/or reviews zational independence, and may not have fully implement-
of documents and transactions could be performed. Audit- ed a quality assurance and improvement program (which
ing is likely limited to transaction auditing; that is to say, includes ongoing internal monitoring as well as periodic
examining the regularity and accuracy of individual econom- internal and external quality assessments).

9
 The management effort of the IA activity is primarily internal audit services to integrating as a team player. Inter-
focused on its own operations and relationships, such as or- nal auditing is evolving to a value-added activity that helps
ganizational structure, budget preparation and monitoring, an organization manage its risks and take advantage of op-
annual planning, providing the necessary audit tools and portunities to improve. The IAF also pays attention to other
technology, and performing audits. Interactions with organi- topics, including strategy and soft controls. Internal audit
zational managers are focused on carrying out the business services have become more varied to support the needs of
of the IA activity. the organizations management. When applicable, advisory
services are also undertaken by the IA activity to provide
In this respect, the IA activity develops its periodic (annual guidance and advice to management.
or multiyear) plans for which audits and/or other services
will be provided, based on managements priorities through Also the governance structure of the IA activity has evolved
consultations with management and/or other stakeholders. significantly. There is a direct reporting line to the ARC or
The IA activity has been allocated its own operating budget. a similar committee to assure the independence of the IA
It prepares a periodic business plan for delivering the ser- activity, broaden the activitys scope of input and influence,
vices of the IA activity, including administrative and support and help to strengthen the organizations accountability.
services.
Other key process areas at this level focus on the IA activi-
At Level 2, there will be some significant opportunities for tys capacity to monitor and assess the effectiveness of its
improving the effectiveness of the IA activity, and as such, it operations. It will have planning and reporting mechanisms
will only partially conform to the Standards. to ensure that resources are allocated appropriately to meet
objectives and operations are performed efficiently and eco-
The management effort of the IA activity is primarily focused nomically. The necessary information, including both finan-
on its own operations and relationships, such as organiza- cial and non-financial information, will be received and used
tional structure, budget preparation and monitoring, annual to manage the IA activitys day-to-day operations, support
planning, providing the necessary audit tools and technolo- decision-making, and demonstrate accountability.
gy, and performing audits. Interactions with organizational
managers are focused on carrying out the business of the IA There is a training and development plan for each individual
activity. to guide improvement and progress through the compe-
tency framework. Auditors are encouraged to be involved in
In this respect, the IA activity develops its periodic (annual or professional associations and criteria for effective teamwork
multiyear) plans for which audits and/or other services will be behaviors and practices are incorporated into the staff com-
provided, based on managements priorities through consul- petency framework.
tations with management and/or other stakeholders.
The IA activity has been allocated its own operating budget. It When the IAF functions at this level, the standards as for-
prepares a periodic business plan for delivering the services of mulated in the IPPF are adhered to and the external auditor
the IA activity, including administrative and support services. should be able to rely on its work, according to the require-
ments formulated in NVCOS 610.
At Level 2, there will be some significant opportunities for
improving the effectiveness of the IA activity, and as such, it Level 4 - Managed
will only partially conform to the Standards. At this level, the IA activity functions as an integral part of
the organizations governance and risk management. The
Level 3 - Integrated CAE is positioned to both formally and informally advise
At this level all the relevant internal audit policies, processes, on strategic issues and influences the Board of Directors
and procedures are defined, documented, and integrated and governing bodies (ARC and/or Supervisory Board). This
into each other and the organizations infrastructure. Inter- relationship facilitates the organizations understanding
nal audit management and professional practices are well and appreciation of the vision, leadership, and foresight of
established and uniformly applied across the IAF. The IAF the CAE and the contribution of the IA activity. The IAF is a
focuses on its capacity, its organizational independence, and critical part of the organizations governance structure. The
the personal objectivity of its auditors. CAE continues to maintain and develop effective relation-
ships with management and key stakeholders, including the
A key aspect of Level 3 is the changing role of internal audit- independent oversight body, to ensure that their needs and
ing. The role evolves from performing only traditional expectations are aligned with the services of the IAF, and

10
that the visibility and contribution of the IAF are evident. The IAFs governance structure is fully developed. Its in-
The words and actions of senior management, the oversight dependence, power, and authority are fully actualized (for
body, and all key stakeholders demonstrate full acceptance example, through legislation, formal mandate, statutory
and support of the IAF. policy, and/or independent oversight body). The IAF is not a
discretionary policy of management. It has uncompromising
The IA activity has balanced and integrated its use of quanti- independence, power, and authority to determine the scope
tative and qualitative data and information to help it achieve of internal auditing, perform its work, and communicate
its strategic objectives and continuously improve its perfor- its results. It has the stability and independence to focus on
mance. The IA activity functions as a well-managed business future directions and continuous improvement for both the
unit. IAF and the organization.

In developing its periodic audit and services plan, the IA The IAF is a critical part of the organizations governance
activity aligns, as appropriate, its engagements with the or- structure. The CAE continues to maintain and develop effec-
ganizations management of risks. It takes into consideration tive relationships with management and key stakeholders,
the organizations enterprise risk-management strategies including the independent oversight body, to ensure that
and practices. their needs and expectations are aligned with the services
of the IAF, and that the visibility and contribution of the IAF
The organization and the IAF pursue a strategy together that are evident. The words and actions of senior management,
integrates the development of the organizations managers the oversight body, and all key stakeholders demonstrate full
with the training and experiences of the IAF and vice versa. acceptance and support of the IAF.
For example, a training and development program could be
put in place in the IAF that provides high-potential employ- The IAF has top-level professional and specialized skills and
ees with broad exposure to business activities, corporate has sufficiently developed its leadership capacity to provide
culture, the control environment and risk management foresight and serve as a catalyst to achieve positive change
practices, leading to managerial positions throughout the in the organization. It also supports and facilitates its leaders
organization. to become key leaders in relevant professional bodies as
thought leaders to influence the growth and evolution of the
The internal audit services and role are also expanding profession and apply forward-thinking innovative practices
significantly at this level. Besides giving opinions on the in the organization.
effectiveness of the operations the IAF is now conducting
sufficient work to assess also the efficiency of processes sup- The IAF understands the organizations strategic directions
ported by, for example, data analysis and process mining. At and emerging issues and risks. It evolves its business require-
this level specific strategic risk audits are performed as well ments, workforce development needs (including resources
as audits on the effectiveness of soft controls. The IA activity and skill sets), risk assessment strategies, and processes to
has coordinated its audit services to be sufficiently com- meet the organizations potential future needs.
prehensive so that it can provide reasonable assurance at a
corporate level that these processes are adequate and func- At this level, the IAF is conducting sufficient work to be able
tioning as intended to meet the organizations objectives. to give an opinion on the overall adequacy and effectiveness
of the organizations governance, risk management and
Level 5 - Optimizing control processes.
At Level 5 - Optimizing, the focus is on learning for continu-
ous improvement to enhance capability. An IA activity at Lev-
el 5 is characterized as a learning organization with contin-
uous process improvements and innovation. It monitors the
changing external environment and uses information from
inside and outside the organization to refine its approaches
to assessing governance, risk management, and control. By
providing advice on emerging trends and organization-wide
issues, the IAF contributes to organizational learning and im-
provement and encourages the development of innovative
business practices and processes to help the organization
achieve its strategic business objectives.

11
2.2.3 IA AM overview ambition level

Theme Subtheme 1 - Initial 2 - Infrastructure 3 - Integrated

Services and Assurance services Ad hoc services Compliance auditing Performance auditing
Role of Internal Isolated single Carry out an audit of conformity and Assess and report on the effectiveness of
Auditing. audits or reviews adherence of a particular area, process, activities or programs; or conduct engagements
of documents or system to policies, plans, procedures, on governance, risk management, and control.
and transactions laws, regulations, contracts, or other Performance auditing covers the full spectrum
for accuracy and requirements that govern the conduct of operating and business processes, the as-
compliance. of the area, process, or system subject to sociated management controls, and the results
audit. achieved.

Advisory services No advisory Advice as part of assurance services Advisory services

services Internal audit function provides advice as Analyze a situation and/or provide guidance and
Internal audit part of their assurance services. advice to management. Advisory services add
function does not value without the internal auditor assuming
provide advisory management responsibility. Advisory services
services. are those that are directed toward facilitation
rather than assurance and include training,
systems development reviews, performance and
control self-assessment, counseling, and advice.
Professional Audit plan Ad hoc planning Audit plan based on management/stake- Risk-based audit plans
Practices. Internal audit holder priorities Systematically assess risks and focus the
activities are per- Develop periodic (annual or multiyear) priorities of the IA activitys periodic audit and
formed on an ad plans for which audits and/or other ser- services plan on risk exposures throughout the
hoc basis. vices will be provided, based on consul- organization.
tations with management and/or other
stakeholders.

Quality Assurance Limited audit Professional practices and processes Quality Management framework
processes framework Establish and maintain processes to continuous-
No specific profes- Facilitate the performance of audit enga- ly monitor, assess, and improve the effectiveness
sional practices gements in accordance with the values of the IA activity. Processes include ongoing in-
established other (for example independence, objectivity, ternal monitoring of the performance of the IA
than those provi- proficiency and due professional care) activity as well as periodic internal and external
ded by professional envisaged in the internal audit charter quality assessments.
associations. and the Definition of Internal Auditing,
the Code of Ethics, and the Standards.

The professional practices and processes

framework includes the policies, proces-
ses, and procedures that will guide the IA
activity in managing its operations;
developing its internal audit work pro-
gram; and in planning, performing, and
reporting on the results of internal audits.
Performance Internal Audit Ad hoc IAF busi- Internal audit activitys department plan Internal audit activitys department plan is alig-
Management Business Plan ness planning aligned with the audit plan and IPPF ned with companys risk profile (going concern)
and Accounta- Ad hoc and unst- Establish annual department plan for Take the companys risk profile into account
bility. ructured business delivering the services of the IA activity, when setting the objectives and results to be
plan for IA activity. including administrative and support achieved by the IA activity itself.
services, and the expected results.

Use its own operating budget to plan the

services of the IA activity.
Reporting Unstructured Internal audit management reports Performance measures
reporting Use information to manage the IA Develop meaningful indicators and measures
No structured activitys day-to-day operations, support (in addition to time and cost data) that enable
performance decision-making, and demonstrate ac- the IA activity to measure and report on its
measures in place. countability. performance and routinely monitor its progress
against targets.

This is to ensure that results are achieved as

economically and efficiently as possible. These
will be primarily input and process measures,
with some output or qualitative outcome
measures.

12
4 - Managed 5 - Optimizing
Performance auditing on a continuous basis Overall assurance on governance, risk management, and control
Perform audit-related activities, such as control and risk assessments, on a Conduct sufficient work to provide an opinion on the overall adequacy
continuous basis. Continuous auditing and reporting refers to the real-time and effectiveness of the organizations governance, risk management, and
or near real-time capability for (financial) information to be checked and control processes.
shared. Technology plays a key role in continuous audit activities, such as
the use of process mining. The IA activity has coordinated its audit services to be sufficiently compre-
hensive that it can provide reasonable assurance at corporate level that
Performance auditing on efficiency these processes are adequate and functioning as intended to meet the
Assess and report on the efficiency and economy of operations of activities organizations objectives.
or programs; or conduct engagements on governance, risk management,
and control.
Overall advisory services on governance, risk management, and control Internal auditing recognized as key agent of change
Conduct sufficient work to advise on the overall adequacy and effectiveness Sufficiently develop the professional and leadership capacity of the IA acti-
of the organizations governance, risk management, and control processes. vity to provide foresight and serve as a catalyst to achieve positive change in
the organization on governance, risk management, and control.

Audit plan leverages organizations management of risk Strategic Internal audit planning
Link the IA activitys periodic audit and services plan with the organizations Understand the organizations strategic directions and emerging issues and
enterprise risk management strategies and practices. risks. Anticipate future needs by changing the IA activitys skill sets and audit
services.
Enterprise risk management strategies and practices refer to formal and
documented processes put in place by the organization to identify risks,
and manage those risks within its risk appetite, thus providing reasonable
assurance that the organizations objectives will be achieved.
Continuous Improvement in professional practices Continuous Improvement in professional practices for audit innovation
Integrate the performance data, global leading practices, and feedback Initiate research capabilities on audit innovation or data analysis and audit
received from ongoing quality assurance and improvement program proces- automation/audit management systems.
ses to continuously strengthen and develop the IA activitys capacity to deli-
ver world-class internal auditing. This includes efforts for audit innovation,
data analysis and audit automation/audit management systems.

Internal audit activitys department plan is aligned with companys chan- Internal audit activitys department plan is aligned with companys strategy
ging objectives and risk appetite Take the companys strategic direction into account when setting the objec-
Take the companys objectives and risk appetite into account when setting tives and results to be achieved by the IA activity itself.
the objectives and results to be achieved by the IA activity itself.

Integration of qualitative and quantitative performance measures Overall reporting of Internal audit effectiveness
Enable the IA activity to use information on performance to measure and Report on the effectiveness of the IA activity for selected parties to demon-
monitor fluctuations that affect its results. The activity has balanced its use strate transparency and accountability to the organizations stakeholders
of quantitative and qualitative data to help it measure the achievement of and auditee management, and identify the contribution and impact made
its strategic objectives. by the IA activity with the resources provided.

13
 Theme Subtheme 1 - Initial 2 - Infrastructure 3 - Integrated
People Professional Ad hoc professio- Individual professional development Professionally qualified staff and team building
Management. Development nal development Ensure that internal auditors Staff the IA activity with professionally quali-
No development continuously maintain and enhance their fied staff and retain the individuals who have
objectives set. professional capabilities. demonstrated at least a minimum level of
competence.
Develop staff members capacity to function
effectively in a team environment, beginning
with a focus on the individual project team.
Because many audits cover scopes that require
the concerted effort of a team of auditors to
conduct, and because the skills needed to
conduct an audit are not necessarily the same
skills to work effectively in a group environ-
ment, additional team competencies are
required.
HR Planning Ad hoc Skilled people identified and recruited Workforce coordination
HR planning Identify and attract people with the ne- Coordinate the development of the periodic
Outputs are de- cessary competencies and relevant skills audit and services plan to the human resource
pendent upon the to carry out the work of the IA activity. levels authorized to the IA activity. Because
skills of specific Appropriately qualified and recruited in- resources are often limited the IA activity needs
individuals holding ternal auditors are more likely to provide to use appropriate methods to set priorities of
the position. credibility to internal audit results. planned projects and services to limit its com-
mitments to a doable quantity and type of
projects and services.
Organizational Organizational No structured Managing within the IA activity Focus Integral component of management team
Relationships Relationships (internal) the management effort of the IA activity Participate in the organizations management
and Culture. and Culture communication on its own operations and relationships activities in some form as a member of the
Absence of IA within the activity itself, management team. Although the CAE does not
activity such as organizational structure, people carry out managements responsibilities, the
infrastructure. management, budget preparation and CAE is included in communications and forums
monitoring, annual planning, providing of the management team and, as an observer,
the necessary audit tools and technology is able to maintain a channel of communication
and performing audits. Interactions with with senior management.
organizational managers are focused
on carrying out the business of the IA Coordination with other review groups Share
activity. Share information and coordinate activities
with other internal and external providers
ofassurance and advisory services to ensure ap-
propriate organizational coverage and minimize
duplication of effort.
Governance Management and No separate IAF Reporting relationships established CAE reports to top-level authority (ARC)
Structures. oversight of the IA Auditors are likely Establish formal reporting relationships Strengthen the CAEs independence by establi-
activity part of a larger or- (administrative and functional) for the IA shing a direct functional reporting relationship
ganizational unit. activity. The functional reporting line to to the governing body and a direct administra-
No specific repor- the Board of Directors for the IA activity is tive reporting relationship to either the CEO or
ting relationships the ultimate source of its independence governing body.
are established. and authority. Establish a mechanism/process within the or-
ganization to provide oversight and advice, and
review the results of the IA activity to streng-
then its independence and ensure appropriate
action is taken. Involvement of a variety of
managers in the decisions related to the IA
activity helps to extend the activitys support
and scope beyond a single individual.
Establish a robust and transparent funding
process that ensures adequate resources to
allow the IA activity to discharge its obligati-
ons. Budgetary controls and considerations
imposed by administrative reporting lines
should not impede the ability of the internal
audit activity to accomplish its mission.
Access and Limited access Full access to the organizations informa- The Audit Committee supports the internal
awareness No specific arran- tion, assets, and people specified in the audit mandate
gements are made charter The authority of the IA activity is visibly and
for data access. Provide the authority for the IA activity to proactively supported by the ARC.
obtain access to all the information,
assets, and people that it requires to carry
out its duties.

14
4 - Managed 5 - Optimizing
IA activity supports professional bodies and contributes to management Leadership involvement with professional bodies
development Facilitate and support top leaders of the IA activity becoming key leaders
Provide leadership and professional development opportunities for the within relevant professional bodies. In addition to making contributions to
internal audit staff by supporting their involvement and participation in the profession through their volunteer work, the CAE and other internal
professional bodies. auditors will become thought leaders and influence the growth and evolu-
Integrate the development of the organizations managers with the trai- tion of the profession.
ning and experiences of the IA activity and vice versa. Participating in the administration and/or leadership of professional bo-
The organization and the IA activity encourage people to contribute to dies helps auditors learn and practice higher-level people skills, since their
a good understanding of governance, risk management, and controls roles vis--vis their colleagues require different ways of interacting than
throughout the organization. their auditor or manager role within their own organization.

Workforce planning Workforce projection

Coordinate workforce activities to achieve current business needs of the IA Coordinate long-term workforce development activities to meet future busi-
activity. Workforce planning involves developing a workforce plan that sets ness needs of the IA activity. Workforce projection involves developing a stra-
out the resources, skills, training, and tools required to conduct the audits tegic workforce plan that sets out the IA activitys objectives for competency
that have been identified (or are proposed) in the periodic audit and services development and workforce activities, in conjunction with the organizations
plan. projected strategic needs, and developing plans to guide workforce develop-
ment activities for the IA activity.

CAE advises and influences top-level management Effective and ongoing (external) relationships
Facilitate the organizations understanding and appreciation of the vision, Use strong relationship management skills of the CAE for maintaining ap-
leadership, and foresight of the CAE, and develop a professional relationship propriate visibility and alignment with key stakeholders, management, and
with top-level management while maintaining independent and objective. audit committee needs and expectations.

Internal auditing recognized as key agent of change

Sufficiently develop the professional and leadership capacity of the IA acti-
vity to provide foresight and serve as a catalyst to achieve positive change in
the organization.

CAE has access to the supervisory board (or full board in case of a one-tier Not defined
board) No additional essential activities defined yet.
The CAE reports to the audit committee and has access to the chairman of
the supervisory board if necessary.
The CAE is involved in determining the ARC agenda
Align the charter of the oversight body with that of the IA activity to
reinforce the critical relationship between the oversight body and the IA
activity.
The ARC is actively involved in evaluating the IAF.

Key meetings CAE participation

The CAE can attend key business meetings (board, supervisory board) on The CAE has a standing invitation and takes part in top-level authority
request. business meetings.

15
2.2.4 Subthemes and topics

An overview of the six themes, 11 subthemes and 39 topics is included in the below.

Theme Sub theme Topic

Services and Role Assurance services Role and authority
of Internal Auditing
Governance and Risk Management
Strategy
Soft Controls
Advisory services Scope
Professional Practices Audit plan Audit universe and scope
Periodicity of evaluating the plan
Prioritization and approval of the plan
Resource planning
Follow up monitoring
Quality Assurance Compliance with IPPF
Audit procedures
Performing the audit Planning
Performing the audit Fieldwork
Communicating audit results
Performing the audit: Data analysis
Quality Management reviews
Advisory Services
Performance Management and Internal Audit Business Plan Scope
Accountability
Resourcing
Budget
Approval

Reporting Measures
Audience
Process
People Management Professional Development Staff training (target budget)
Team development
Professional associations
Performance cycle and remuneration policy
HR Planning Resource allocation
(including co-sourcing or outsourcing)
Recruitment

Organizational Relationships and Organizational Relationships and Communication on IAFs activities

Culture Culture
IAFs collaborations
Governance Structures Management and oversight of the IA Reporting Line
activity
Funding of the audit department
Oversight of the audit activity
3 Lines of defense
Access and awareness Access to information, assets and people
Awareness of the IA activity

16
3. The IA AM questionnaire
The IA AM questionnaire developed by the taskforce consists which is set by the CAE based on input of for example its
of a dashboard and six separate questionnaires for each of audit committee. When the IAF functions at ambition level
the six themes. 3, the IPPF standards should be generally complied with
and external auditors should be able to rely on its work (as
3.1 Dashboard defined in NV COS 610). Of course, final assessment if an
The dashboard gives a visual overview of the results of the IA IAF complies with the IPPF or with NV COS 610 is the CQA or
AM questionnaire compared to the desired ambition level, external auditors responsibility.

IPPF/COS 610 Services and Role

Ambition level of internal Auditing
5
Level achieved
4

3
Governance Professional
Structures Practices
2

Organizational Performance
Relationships Management and
and Culture Accountability

People Management

3.2 Questionnaire The showstoppers identified in the model are the following:
For each of the six themes, essential activities per level have A
 udit charter (Services and Role of IA - Assurance services,
been defined. For each of the essential activities, the CAE ambition level 3) Based on the IPPF the IAF needs to
is requested to rate to what extent the IAF performs these reflect in the internal audit charter the direct functional re-
activities. Based on the individual scores, the IA AM deter- porting relationship of the CAE to the governing body and
mines the ambition level achieved by the IAF. The output of the direct reporting relationship to either the CEO or the
the model is an equally weighted average of the scores and governing body. The CAE needs to review and update the
ambition levels given charter on a regular basis and obtain senior management
and/or board approval. The audit charter needs to include
3.2.1 Showstoppers the nature of the assurance services provided to the organi-
As a starting point all topics have an equal weight. Ho- zation and revise annually.
wever, based on input from both the pilot group and the A
 udit universe and scope (Professional Practices - Audit
CQA, showstoppers have been defined. These are essen- plan, ambition level 3) The audit universe should be risk
tial activities which need to be performed to reach a next based. Systematically assess risks and focus the priorities
ambition level. When at a certain point an ambition level is of the IA activitys periodic audit and services plan on risk
not achieved the questionnaire for that specific element is exposures throughout the organization.
completed.

17
3.2.2 Advisory services 3.3.3 The IA AM and a Quality Assurance and
According to the definition of internal auditing, it is an Improvement Program
independent, objective assurance and consulting activity The primary purpose of the IA AM is as a self-assessment and
designed to add value and improve an organizations opera- development tool for IAFs to determine the level of internal
tions. This definition explicitly includes consulting activity in audit capability appropriate and optimum to their organiza-
the IAF. However, the IA AM acknowledges that the services tion and environment. It describes an evolutionary path for
and roles of the IAF are dependent on the organization it the organization to follow in developing effective internal
operates. And in the Dutch context, most IAFs are assigned auditing to meet its governance needs, taking into consi-
to perform assurances services, for example because the ad- deration the nature, complexity, and associated risks of the
visory services are performed elsewhere in the organization. organizations operations.
Therefore, it is possible in the IA AM that the section specifi-
cally related to Advisory Services is set at not applicable (n/a). The IA AM is underpinned by the mandatory guidance (mis-
If the CAE chooses to do so, the score of Advisory Services is sion, definition of internal auditing, Code of ethics and the
not included in the score and ambition level. Standards) included in the IIAs IPPF and the criteria given in
the NV COS 610. However, it does not specifically evaluate
3.3. Applying and interpreting the IA AM conformance therewith, but rather whether key processes
The following section provides some principles, factors, and are repeatable, sustainable, and institutionalized into the IA
issues to consider when applying and interpreting the IA AM. activity.

3.3.1 Principles in applying the IA AM As part of the pilots performed for the IA AM in 2015, several
Professional judgment is needed to apply and interpret the of the IAFs had recently undergone an external quality as-
IA AM. sessment. The methodology and results of the assessments
A process or practice cannot be improved before it is a were compared to those of the IA AM validation sessions to
stable process. determine similarities. In all cases, the overall results from
The IA AM is an ambition model. If, for example together both exercises appeared to be in line with each other, where
with the Audit Committee the ambition level is set at level 3, the IA AM complemented the external quality assessment by
the IAF may choose to stay at this level. having a broader scope. Therefore, it is possible to use the IA
The IA AM is intended primarily as a self-assessment exer- AM as a self-assessment tool as envisaged by Standard 1311:
cise for continuous improvement. Internal Assessments.

3.3.2 Environmental and organizational factors Nevertheless, although a clear mapping has been made to
The model recognizes how the external regulatory environ- each of the IPPF standards and relevant NBA standards, no
ment and the organization itself may impact on the capabi- premature conclusions should be drawn from the scores
lity of the IA activity. Within the organization, it is important from the model. An average score of 2.9 does not mean that
to understand the influence of corporate governance, orga- the IAF does not generally comply with the IPPF; the IA AM is
nizational culture, internal control systems, human resource broader and also contains topics which are not directly linked
capacities, and the demand and need for the IAF. In addition, to an IPPF standard. Vice versa, having as score of 3 does not
other organizational factors such as size, nature, complexity, mean that the IAF automatically generally complies with the
and risks of operations must be considered when assessing IPPF. Professional judgement and a good understanding of
whether and how a particular theme is implemented and the IPPF and NBA NVCOS standards are necessary to evaluate
institutionalized. the results in this context.

In using the IA AM, it is important to determine what makes

sense and is reasonable considering the organization and
environment. For example, IAFs in smaller organizations
may be able to implement a particular theme without the
bureaucratic infrastructure of larger organizations.

18
Abbreviations
CAE: Chief Audit Executives
CEO: Chief Executive Officer
CMMI: Capability Maturity Model Integration
CPP: Commission Professional Practices
CQA: Committee of Quality Assessors
IA AM: Internal Audit Ambition Model
IA: Internal Audit
IA-CM: Internal Audit Capabilities Model for the Public Sector
IAF: Internal Audit Function
IIA: Institute of Internal Auditors
IPPF: International Professional Practices Framework
ISA: International Standard on Auditing
LIO: Members Group of Internal and Government Auditors
NBA: The Royal Netherlands Institute of Chartered Accountants
NV COS: Nadere voorschriften controle- en overige standaarden

Acknowledgments
We would like to express our appreciation to all those who
participated in the development and validation of the IA AM,
including:

The pilot group that tested the IA AM model and provided

feedback: ACAM, Ahold, Allianz, Arcadis, CZ, Dela, Delta
Lloyd, Exact, Leaseplan, NIBC, NUON, Nutreco, OCI, Philips
and Triodos Bank.
And a special thanks to the following people who helped
us: Bas Wakkerman and Alina van Meer-Stan as former
members of the taskforce, Jane Paanakker-Deskin, Vasiliki
Votsika and Mark van Zanten.
Bob van Kuijck RA RC, Program Director of the Executive
Internal Auditing Program of the University at Amsterdam.
Ron de Korte RA RE RO CIA, Business Director IT Auditing &
Advisory and Internal Auditing & Advisory at the Erasmus
School of Accounting & Assurance

The following institutes and committees for assistance:

The CQA (College Kwaliteitstoetsing) of IIA Netherlands;

The Commission Professional Practices of IIA Netherlands;
Members Group of Internal and Government Auditors
(LIO) at the Royal Netherlands Institute of Chartered
Accountants (NBA)

19
Burgemeester Stramanweg 102A
1101 AA Amsterdam
Postbus 22657
1100 DD Amsterdam

T 088 003 71 00
E iia@iia.nl
I www.iia.nl

Antonio Vivaldistraat 2-8

1083 HP Amsterdam
Postbus 7984
1008 AD Amsterdam

T 020 301 03 01
E nba@nba.nl
I www.nba.nl
880.99.762.1625