Sometimes, a binary answer isn't enough. At least, that is the belief of the thousands of organizations that have used a maturity model to assess their progress in achieving certain goals since maturity model concepts were introduced in the 1970s. They have found the model's reliance on a scale--often 1 (initial) to 5 (optimized)--to assess their performance in specific areas a useful guide for accomplishing two important objectives: understanding where the organization stands currently and coming to agreement on where it should be.
Initially focused on the IT function within an organization, maturity models have expanded into many distinct disciplines, such as project management, quality management, business process management, learning, human resources, supply chain, sustainability, social media, and security assurance (see "Maturity Model Examples" on page 41). Regardless of their niche area, effectively configured models tend to encourage in-depth conversations among a range of stakeholders and enable nuanced and goal-driven thinking about targeted areas. As such, they are a valuable tool for internal auditors who have come to realize, over time, the benefits of moving beyond a "black and white" approach to audit findings and the support that the range of levels provides in helping auditors discover the gaps between current and desired states. Once auditors have identified and quantified the gap, they can begin searching for the root causes that hinder achievement of the desired state and zero in on appropriate recommendations to bridge the gap.
"Maturity models can be a much more engaging experience for the audit client/management as compared to a pass/fail assessment or other opinions," says James Rose, chief financial officer of Aperture Credentialing in Louisville, Ky., and author of the IIA Practice Guide, "Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements."
Some of the "engaging experience" may arise from the availability of a broad spectrum of labels. Alyssa Martin, executive partner, Advisory Services, for Weaver in Dallas, notes that interna! auditors often are confined to using black or white answers: compliant/noncompliant, effective/ineffective. In her view, maturity models are exactly the "right paradigm" to evaluate the effectiveness of management systems such as governance that require many judgment calls. That is because those who work regularly with judgment calls may be more comfortable with a more subtly defined range of evaluations, rather than a simple yes/no, right /wrong finding.
CHANGING THE CONVERSATION
Use of a maturity model changes the nature of the conversation about the audit. The levels of incremental maturity lend themselves to acknowledging the organizations advances to date, creating a positive, collaborative tone. Recognizing these successes creates a more receptive audience when internal auditors present the verbal and written reports outlining the path to improvement.
Before the full benefits of maturity models can be realized, the groundwork has to be laid via pre-audit planning discussions among internal auditors, process owners, and management. "The discussion defines the different levels of maturity and establishes up front with the client what the expectations are within the maturity spectrum," says Kayla Flanders, senior audit manager with Pella Corp. in Pella, Iowa. "It takes more effort before the audit, but it helps significantly throughout the audit and at the end of the engagement when discussing issues and the overall report rating based on that upfront alignment."
She offers this example, related to financial reporting. Confer with the audit client to decide what attributes fit into each maturity category--matute, baseline, etc., reflecting both where the...