Skip Ribbon Commands
Skip to main content
Global Institute of Internal AuditorsBreadcrumb SeparatorInternal Audit FoundationBreadcrumb SeparatorInternal Audit Capability Model for the Public Sector

​Internal Audit Capability Model (IA-CM) for the Public Sector

The Internal Audit Capability Model (IA-CM) for the Public Sector is a framework that identifies the fundamentals needed for effective internal auditing in government and the broader public sector. It illustrates the levels and stages through which an internal audit (IA) activity can evolve as it defines, implements, measures, controls, and improves its processes and practices.

The chart below presents the IA-CM as a one-page matrix. The vertical axis represents the capability levels — with the capability of the IA activity increasing from bottom to top. The elements of internal auditing are presented on the horizontal axis. The Key Process Areas (KPAs) for each level for each element are identified in the relevant boxes for the appropriate level. The colors on the matrix depict the extent or influence that the IA activity has over the elements. Specifically, moving left to right, the ability of the IA activity itself to independently create and institutionalize the KPAs decreases (i.e., dark green indicates greater influence and light green indicates lesser). IIA Members can view KPA detailed descriptions by clicking on the links.

  • View the Table of Contents
  • Download the Overview
  • Purchase the book from the IIA Bookstore
  • Purchase a complete download from the IIA Bookstore
  • Disclosure statement

Download the IA-CM Overview Presentation - This presentation begins by talking about what the Internal Audit Capability Model for the Public Sector is – particularly with respect to its underlying principles, and its structure. It then reviews how the IA-CM can be used to conduct a self-assessment of an IA activity, considerations to be addressed during the self-assessment, and the importance of fully communicating the results. You also can use this presentation to inform others in your organization about the IA-CM.



Click on the Element or Level to view its definition

Services & Role of IA


People Management


Professional Practices


Performance Management & Accountability


Organizational Relationships & Culture


Governance Structures


​ ​ ​ ​ ​ ​IIA Members: Download Key Process Area descriptions (below)










IA Recognized as Key Agent of Change

Leadership Involvement with Professional Bodies

Workforce Projection

Continuous Improvement in Professional Practices

Strategic IA Planning

Public Reporting of IA Effectiveness

Effective and Ongoing Relationships

Independence, Power, and Authority of the IA Activity










Overall Assurance on Governance, Risk Management, and Control

IA Contributes to Management Development

IA Activity Supports Professional Bodies

Workforce Planning

Audit Strategy
Leverages Organization’s Management of Risk

Integration of Qualitative and Quantitative Performance Measures

CAE Advises and Influences Top-level Management

Independent Oversight of the IA Activity

CAE Reports to Top-level Authority










Advisory Services

Performance / Value-for-Money Audits 


Team Building and Competency

Professionally Qualified Staff

Workforce Coordination

Quality Management Framework

Risk-based Audit Plans

Performance Measures

Cost Information

IA Management Reports

Coordination with Other Review Groups

Integral Component of Management Team

Management Oversight of the IA Activity

Funding Mechanisms










Compliance Auditing

Individual Professional Development

Skilled People Identified and Recruited

Professional Practices and Processes Framework

Audit Plan Based on Management / Stakeholder Priorities

IA Operating Budget

IA Business Plan

Managing within the IA Activity

Full Access to the Organization’s Information, Assets, and People

Reporting Relationships Established



Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs dependent upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas.