Strong Internal Audit


Strong Internal Audit


US Bancorp leverages The IIA’s International Professional Practices Framework and Internal Audit Capability Model to meet heightened expectations.

Jim Rusch
Audit Director
US Bancorp Corporate Audit Services

In December 2011, the Basel Committee on Banking Supervision’s Accounting Task Force Audit Subgroup issued “The Internal Audit Function in Banks,” a follow-up consultative paper that replaces the 2001 supervisory guidance for assessing the effectiveness of internal audit functions in banks, taking into account lessons drawn from the recent financial crisis. The IIA responded to the Committee’s request for comments, supplying several suggestions for clarifying and strengthening the guidance.


The guidance “seeks to promote a strong internal audit function within banking organizations” and “encourages bank internal auditors to comply with and to contribute to the development of national and international professional standards, such as those issued by The [IIA].” In fact, IIA principles, standards, and definitions are cited throughout the document, underscoring The IIA’s foundational role in establishing the most recognized body of internal audit professional standards and practices.   


One of the more important references within the guidance states that “the head of the internal audit departments should ensure compliance with sound internal auditing standards, such as The IIA’s International Standards for the Professional Practice of Internal Auditing [Standards].” Further, the guidance calls upon banks to oversee the internal audit function, and develop and maintain methods for assessing the quality of the function.


At many firms, this guidance serves to emphasize practices that are already in place in the form of internal quality reviews and self-assessments, as well as periodic external quality reviews. US Bancorp uses The IIA’s Standards as the framework for our audit practice and methodology. In addition, we have adopted The IIA’s Internal Audit Capability Model (IA-CM) — expanded to include relevant regulatory guidance for “strong” rated audit functions — as the basis for our self-assessment and continuous improvement program. 


The IA-CM was commissioned by The IIA Research Foundation and developed after extensive consultation and interaction with numerous internal audit professionals and key stakeholders. The IA-CM is organized into six elements:


  • Services and Role of Internal Auditing.

  • People Management.

  • Professional Practices.

  • Performance Management and Accountability.

  • Organizational Relationships and Culture.

  • Governance Structures. 


Borrowing from the Software Engineering Institute’s Software Capability Maturity Model, the IA-CM defines five levels of maturity for each of the six elements:


  • Level 1 – Initial.

  • Level 2 – Infrastructure.

  • Level 3 – Integrated.

  • Level 4 – Managed.

  • Level 5 – Optimizing.


Each level consists of one or more key process areas (KPAs). Each KPA consists of a purpose, essential activities, outputs, and institutionalizing practices.


The depth and breadth of the IA-CM’s elements, process areas, and attributes provide for a robust framework for both internal and external assessment. The model also attempts to match the nature and complexity of an organization with the internal audit capabilities needed to support it. As such, the IA-CM helps to support the creation of a road map for systematic yet targeted strengthening of the internal audit activity.


Moreover, the IA-CM can serve as a basis for communicating about the services and role of internal auditing and for advocating the importance of a strong internal audit function to the organization. Broad awareness and understanding about internal audit’s role as an integral member of the company’s enterprise risk management framework is critical not just to the effectiveness of internal audit but to the effectiveness of the overall framework itself. 


In summary, while the Basel Committee’s new guidanceoutlines challenging expectations for internal audit functions in banks, it is reassuring that these expectations draw extensively from The IIA’s Standards. As such, for those functions seeking to meet the heightened expectations for strong internal audit, The IIA has much to offer by way of the Standards, the IA-CM, and other practice guidance, not to mention a vast network of fellow practitioners committed to the principle of “progress through sharing.”


To comment on this article, email the FSA Times editor at