_________________________________________________________
Table of Contents 1
A GLOBAL SUMMARY OF THE COMMON BODY OF KNOWLEDGE 2006 Principal Researchers Priscilla A. Burnaby, PhD, CPA Mohammad J. Abdolmohammadi, DBA, CPA Susan Hass, CPA Rob Melville, PhD, MIIA, FIIA Marco Allegrini, PhD, CPA Giuseppe D’Onza, PhD Leen Paape, PhD, RA, RO, CIA Gerrit Sarens, PhD Marinda M. Marais, M Com Auditing, CIA Elmarie Sadler, DCompt CA Houdini Fourie, M Tech: Internal Auditing Barry J. Cooper, PhD Philomena Leung, PhD William L. Taylor, CPA, CGFM Chairman, CBOK Steering Committee
2 CGAP Examination Study Guide
___________________________________________
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to expand knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession globally. ISBN 978-0-89413-618-4 08063 01/08 First Printing
_________________________________________________________
Table of Contents 7
DEDICATION
This research is dedicated to the memory of William G. Bishop III, CIA
William G. Bishop III, CIA, served as president of The Institute of Internal Auditors (IIA) from September 1992 until his untimely death in March 2004. With a motto of “I’m proud to be an internal auditor,” he strived to make internal auditing a truly global profession. He was the driving force behind the rapid growth of The IIA to over 120,000 members in approximately 100 countries. Bill Bishop advocated quality research for the enhancement of the stature and practice of internal auditing. To help enhance the future of this profession, it is vital for the profession to document the evolution of the similarities and differences in the Common Body of Knowledge (CBOK) of internal auditing worldwide.
The Institute of Internal Auditors Research Foundation
________________________________________________________________
Contents iii
CONTENTS Acknowledgments ........................................................................................................................ ix Chapter 1: Introduction ............................................................................................................. 1 CBOK 2006 ............................................................................................................................ 1 Overview ................................................................................................................................. 1 CBOK 2006 - Benefits to the Profession ............................................................................... 3 Prior IIA CBOK Studies ......................................................................................................... 4 Project Teams ......................................................................................................................... 5 CBOK 2006 Questionnaires .................................................................................................... 6 Clustering for Groups ............................................................................................................ 10 Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires .......................... 12 Appendix 1-B: Clustering of Groups and Number of Responses .......................................... 19 Chapter 2: A Worldwide Picture of the Internal Audit Activity ......................................... 25 Introduction ........................................................................................................................... 25 Survey Demographics Summary ........................................................................................... 26 Compliance with Internal Auditing Standards ...................................................................... 29 Staffing and Professional Development ................................................................................ 43 Internal Auditor Skills ............................................................................................................ 44 Internal Auditor Competencies and Knowledge Areas ......................................................... 48 Emerging Roles of the Internal Audit Activity ....................................................................... 53 Summary ............................................................................................................................... 58 Chapter 3: Survey Demographics .......................................................................................... 61 Introduction ........................................................................................................................... 61 Staff Levels of Respondents ................................................................................................. 63 IIA Membership .................................................................................................................... 64 Age of the Respondents ........................................................................................................ 67 Highest Level of Formal Education ....................................................................................... 70 Professional Qualifications .................................................................................................... 76 Areas of Professional Experience ......................................................................................... 80 Years of Existence of IAA and Years of CAE Experience .................................................. 81 Types of Organizations .......................................................................................................... 86 Service Providers of Internal Audit Services ........................................................................ 89 Age of Organizations ............................................................................................................ 90
The Institute of Internal Auditors Research Foundation
iv A Global Summary of the Common Body of Knowledge 2006
______________________
Industry Classification(s) ....................................................................................................... 91 Geographical Area Served by Organization .......................................................................... 96 Appendix 3 ............................................................................................................................ 99 Chapter 4: The Professional Practices Framework .......................................................... 105 Introduction ......................................................................................................................... 105 CBOK 2006 Survey Questions Related to the Standards .................................................. 107 Use of the Standards in Whole or in Part .......................................................................... 108 Compliance with the Standards ........................................................................................... 110 Adequacy of the Guidance Provided by the Standards ....................................................... 115 Use of and Adequacy of the Guidance Provided by the Practice Advisories ...................... 118 Reasons for Not Complying with the Standards ................................................................ 121 Quality Assurance and Improvement Program ................................................................... 128 Compliance with The IIA’s Code of Ethics ......................................................................... 146 Appendix 4-A: The IIA’s Standards, Practice Advisories, and Glossary to the Standards as of September 2006 ........................................................ 147 Appendix 4-B ...................................................................................................................... 165 Chapter 5: Current Status of the Internal Audit Activity ................................................. 183 Introduction ......................................................................................................................... 183 The IAA’s Relationship within the Organization ................................................................. 184 Relationship with the Audit Committee ............................................................................... 191 External Relationships - Legislation Affecting Internal Auditing ......................................... 192 Organizations’ and CAEs’ Perceptions About the IAA ...................................................... 194 Methods Used to Measure the Value Added by the IAA ................................................... 197 Internal Audit Activity ......................................................................................................... 200 Managing the Internal Audit Activity .................................................................................. 202 Creating the Audit Plan ....................................................................................................... 204 Allocation of IAAs’ Time .................................................................................................... 207 Performing the Engagement - The Use of Tools ................................................................ 214 Current Usage of Audit Tools and Techniques ................................................................... 216 Predictive Changes in the Use of Audit Tools and Techniques Over the Next Three Years .......................................................................................... 227 Resolution of Major Differences ......................................................................................... 233 Reporting of Findings .......................................................................................................... 235 Monitoring Corrective Action .............................................................................................. 237 Summary ............................................................................................................................. 239 Appendix 5 .......................................................................................................................... 240
The Institute of Internal Auditors Research Foundation
________________________________________________________________
Contents v
Chapter 6: Staffing and Professional Development ........................................................... 251 Introduction ......................................................................................................................... 251 Staffing ................................................................................................................................ 252 Service Providers ................................................................................................................ 259 Continuing Professional Development ................................................................................. 266 Summary ............................................................................................................................. 271 Appendix 6 .......................................................................................................................... 272 Chapter 7: Internal Audit Skills ........................................................................................... 279 Introduction ......................................................................................................................... 279 Technical Skills .................................................................................................................... 281 Behavioral Skills .................................................................................................................. 289 Summary ............................................................................................................................. 299 Appendix 7 .......................................................................................................................... 300 Chapter 8: Internal Auditor Competencies ........................................................................ 305 Introduction ......................................................................................................................... 305 Competencies ...................................................................................................................... 307 Areas of Knowledge ........................................................................................................... 323 Summary ............................................................................................................................. 331 Appendix 8 .......................................................................................................................... 332 Chapter 9: Emerging Roles of Internal Audit Activities .................................................. 339 Introduction ......................................................................................................................... 339 Years That the IAA and Organizations Have Existed ........................................................ 340 Changing Emphasis on Types of Audits .............................................................................. 344 Emerging Roles in Organizations’ Activities ........................................................................ 346 Organizational Environment and Key Activities of the IAA ............................................... 352 Summary ............................................................................................................................. 357 Chapter 10: Research Method and Literature Review ................................................... 359 Research Method ................................................................................................................ 359 Project Teams ............................................................................................................... 359 Pilot Test and Literature Review .................................................................................. 361 CBOK 2006 Questionnaires ......................................................................................... 363 Clustering for Groups .................................................................................................... 364
The Institute of Internal Auditors Research Foundation
vi A Global Summary of the Common Body of Knowledge 2006
______________________
Literature Review ............................................................................................................... 367 Introduction ................................................................................................................... 367 Prior IIA CBOK Studies .............................................................................................. 367 North American Literature Review on Internal Auditing ............................................. 372 Summary ....................................................................................................................... 379 Asia Pacific Literature Review on Internal Auditing .................................................... 380 European Literature Review on Internal Auditing ........................................................ 390 South African Literature Review on Internal Auditing ................................................. 398 Appendix 10-A: Pre-scope Questionnaire for CBOK ........................................................ 406 Appendix 10-B: Topical Areas That Are Addressed in Past and Current IIA CBOK Studies ....................................................................................................... 418 Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire ................................... 421 The William G. Bishop III, CIA, Memorial Fund Contributors .................................................. 455 The IIA Research Foundation Chairman’s Circle ..................................................................... 458 The IIA Research Foundation Board of Trustees ..................................................................... 459 The IIA Research Foundation Board of Research and Education Advisors ............................ 460
The Institute of Internal Auditors Research Foundation
_________________________________________________________ Acknowledgments ix
ACKNOWLEDGMENTS With a project of this magnitude and importance, there are literally thousands of people who have contributed to the successful completion of the Common Body of Knowledge (CBOK) 2006 research report. I would like to start by thanking William Taylor, chair of the CBOK Steering Committee, who was the heart of the project. His goal was to make sure that this report honored the memory of William G. Bishop III, CIA, past president of The Institute of Internal Auditors (IIA) who was the driving force behind the rapid growth of The IIA to over 120,000 members in approximately 100 countries. At The IIA, the entire staff provided guidance and input. Special thanks to Jeffrey Swerdlow, PMP, chair of the CBOK Oversight Committee and the director of project management for The IIA Research Foundation. He worked tirelessly to keep the project on time and performed numerous duties such as monitoring the translations of the questionnaires into 16 additional languages, keeping all of us on track, and coordinating the many needs and demands of those involved at The IIA and on the research teams. It is a true tribute to his skills that this expansive project was completed on time with such a quality product. Two other key people on The IIA staff that I would like to recognize are Donna Batten, director of Global Audit Information Network (GAIN), and Sylvia Boyd, director of affiliate relations. Both were instrumental in the success of the project. I would also like to thank all the IIA members who participated by completing the pilot study, the questionnaires, and editing the text. Team Americas was truly blessed with four wonderful graduate research assistants. On the first phase of the project, Lisa Hsi was instrumental with the literature review, development of the questionnaires, and creation of a database for the affiliates. After Lisa graduated, we were fortunate to hire Diana Tien. She helped with data cleansing, completing the report for the affiliates, and transferring the data into tables. Yi Zhou worked on the tables and the editing process to make sure that all the references and numbers were correct in the text. On the final phase of writing the report, Shubin Liang converted tables into figures. From Bentley’s Academic Technology Center, Maria Skaletsky and Gaurav Shah helped with the many software packages needed to complete this product. The cooperation and sharing among the three research teams made this project a truly collaborative effort. On the two occasions when we had summits, we all agreed it was extremely exciting and exhilarating to have so many professors who selected internal auditing as their primary field of teaching and research together in one room. As team coordinators, Barry Cooper and Rob Melville did a great job getting participants for the pilot study and working with local affiliates. All the members of both teams made significant contributions to the research project.
The Institute of Internal Auditors Research Foundation
x A Global Summary of the Common Body of Knowledge 2006
______________________
I saved the members of my team to thank last. Both Mohammad (Ali) Abdolmohammadi and Susan Hass made significant contributions to the planning and construction of the CBOK 2006. Ali did a hero’s job on the data cleansing and analysis. He worked tirelessly to provide data for the tables. Susan Hass and I did most of the work on the development of the questionnaires, data presentation for the tables, writing many of the chapters, and editing the other teams’ contributions to the final text. Each did an extraordinary job under a great deal of pressure. Audrey Gramling and Richard Cleary contributed in a consulting capacity. This report owes its contents to thousands of IIA members all over the world, each of whom contributed to The IIA’s Common Body of Knowledge 2006. Thank you all! Priscilla A. Burnaby, PhD, CPA Professor of Accountancy Bentley College Waltham, MA, USA Coordinator of CBOK 2006
The Institute of Internal Auditors Research Foundation
_________________________________________________________ Acknowledgments xi
It has been my pleasure to be the chair of the CBOK Steering Committee and The William G. Bishop III, CIA, Memorial Fund from which this project was funded. As a former IIA chair of the board, I recognize the importance of this project as we seek to further understand our profession, how it is practiced throughout the world, and how we will continue to add value to our organizations in the future. Completing this project has been a monumental accomplishment. We were fortunate to have a tremendously talented group of IIA committees, volunteers, and IIA staff working with us. I would like to personally thank several people and groups without whom this project would not have been possible. The IIA Research Foundation Board of Trustees provided sound guidance and advice throughout the project. Their input, feedback, and suggestions ensured that the project lived up to its expectations. A special thank you goes to Roderick Winters, CIA, president of The Research Foundation and vice chair of The IIA Board. Rod provided a great deal of support to this project and truly established the vision for what we accomplished. The CBOK Steering Committee was an active participant throughout the project. This committee provided valuable guidance and overall direction to the project. I am proud that the Steering Committee is comprised of individuals from throughout the world. Members of the Steering Committee are Jackie Cain, Phil Tarling, Warren Hersch, Sri Ramamoorti, Urton Anderson, Louis Vaurs, Chris McRostie, Thijs Smit, Charity Prentice, and Jeffrey Swerdlow. The Research Foundation’s Board of Research and Education Advisors (BREA) played a critical role throughout the project. This extremely dedicated committee is responsible for reviewing all proposals received and reviewing all research and educational products produced by The Research Foundation. Throughout the course of the project, BREA provided valuable opinions and helped to shape the format of the complete research report. Bob Foster has been the chair of BREA during this project and has contributed immensely to our success. Considering the importance of this project, we wanted to ensure that we received a wide variety of input and feedback. To this end, we recruited almost 100 volunteers from all of The IIA’s international committees to review and provide feedback on the early first drafts of the complete research report. The reviewers provided us with candid and valuable feedback which helped shape the report. To manage a review effort of this magnitude, six members of BREA graciously volunteered their time to act as review team leaders. Thomas Clooney, Susan Driver, Don Espersen, Dan Gould, Raj Muthu Venkatachalam, and Mark Radde deserve special recognition for performing this vital role.
The Institute of Internal Auditors Research Foundation
xii A Global Summary of the Common Body of Knowledge 2006 ______________________
Dominique Vincenti, CIA, chief advocacy officer of The IIA and executive director of The Research Foundation, dedicated a great deal of her time to the project. Dominique was able to bring her background as a CAE to the project. She provided feedback and leadership at all stages of the project and her contribution was critical to its success. Jeffrey Swerdlow, PMP, director of project management for The Research Foundation, was the primary reason the project was completed on time and within budget. He proved that managing such an expansive project required participation from not only all worldwide affiliates and members but also the knowledge leaders of The IIA and staff. His overall plans and programs required participation from many interested groups and he performed in an exemplary manner, truly indicating that a project of this magnitude requires not only audit leaders, but a dedicated and professional project manager. I would be remiss if I did not thank each and every person and organization that donated to The William G. Bishop III, CIA, Memorial Fund. This fund underwrote the cost of CBOK 2006. Thanks to the generous donations we received, CBOK was funded to ensure a top quality result. William L. Taylor, CPA, CGFM Former IIA Chair of the Board McLean, Virginia, U.S.A. CBOK Steering Committee Chair
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 1
Chapter 1: Introduction.............................................................................................................. 1 CBOK 2006 ............................................................................................................................ 1 Overview................................................................................................................................. 1 CBOK 2006 - Benefits to the Profession ................................................................................ 3 Prior IIA CBOK Studies ......................................................................................................... 4 Project Teams ......................................................................................................................... 5 CBOK 2006 Questionnaires ................................................................................................... 6 Clustering for Groups ........................................................................................................... 10 Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires.......................... 12 Appendix 1-B: Clustering of Groups and Number of Responses ......................................... 19
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 1
CHAPTER 1 INTRODUCTION CBOK 2006 The Common Body of Knowledge (CBOK) 2006 study is part of an ongoing global research program funded by The Institute of Internal Auditors Research Foundation (IIARF) to broaden the understanding of how internal auditing is practiced throughout the world. The overall purpose of the CBOK 2006 project is to develop the most comprehensive database ever to capture a current view of the global state of the internal audit profession. The database contains information about compliance with The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing (Standards), the state of the internal audit activity (IAA), staffing, skills, competencies, and the emerging roles of the IAA. Some information was collected about the influences of cultural and legal factors about the development and practice of internal auditing around the world. The objective is to establish a baseline for comparison when the CBOK study is repeated in the future. The database will be updated to understand the evolution of global internal audit practices. Future studies will build upon this baseline, allowing for comparison, analysis, and trending.
Overview1 The objectives of this chapter are to introduce CBOK 2006, provide a brief overview of past CBOK studies, review actions taken to perform the study, and to explain how the groupings of chapters and affiliates were determined. Within the United States and Canada, local groups of The IIA’s members are called chapters. Affiliates are independent organizations outside North America that provide services to members in their geographic locations. IIA affiliates are now referred to as “chapters and institutes.” This change officially took place after the CBOK 2006 survey was conducted. It was approved by The IIA’s Board of Directors on July 14, 2007, for implementation on January 1, 2008. For this reason, the use of “affiliates” is maintained throughout the CBOK 2006 report.
1
The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
The Institute of Internal Auditors Research Foundation
2 A Global Summary of the Common Body of Knowledge 2006
______________________
At the core of the CBOK 2006 study were three surveys sent to internal auditors worldwide to gather information concerning how they comply with the Standards, how their IAAs function, and emerging roles of the IAA. One survey was sent to chief audit executives (CAEs), another to all other levels of internal auditing Practitioners, and a third to the leadership of The IIA’s affiliates. Since the Standards were first promulgated, internal auditors have had the opportunity to apply them to create a high level of standardization resulting in best practices for internal auditors worldwide. While the Standards provide a unifying mechanism for enhancing value and consistency across diverse legal and economic environments, research suggests that cultural, legal, and economic differences influence the practice of internal auditing in each country. The CBOK 2006 study has produced a body of data for the continuing study of the evolution of the global practice of internal auditing. As discussed in The IIARF’s Competency Framework for Internal Auditing: An Overview, core competencies change over time (McIntosh, 1999). Some of the major factors influencing these changes are the needs of organizations, technology, and the complexity of business transactions and systems. CBOK 2006 adds to this body of literature and expands the scope by extending the population surveyed to the entire international membership of The IIA. To include current practices and explore emerging roles for the profession, CBOK 2006 added several topical areas that were not included in prior CBOK studies. In Chapter 10, Appendix 10-B lists the topics studied in the current and past CBOK studies. As described below in The IIA’s 1999 definition of internal auditing, CBOK 2006 uses the expanded scope of the IAA as the basis for its focus. The IIA’s 1999 vision for the future task force recommended that the new Professional Practices Framework should be “a more comprehensive and elastic framework.” Based on this recommendation, the task force provided the following definition of internal auditing which was adopted by The IIA’s Board of Directors in June 1999: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The expanded definition of internal auditing includes consulting activities and value-added services for evaluation and improvement of the effectiveness of the risk management and governance processes. Since the CBOK 2006 questionnaires were sent out in September 2006, all references to The IIA’s Standards are as of that date.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 3
The expansion of the internal audit scope has necessitated that internal auditors continuously develop new skills and learn new audit tools and technologies. There is very little information about the current state of skills, tools, and technologies used on engagements in existing internal auditing literature. The CBOK 2006 database includes the skills, tools, and techniques respondents indicate are necessary for internal auditors currently, and in the future, to perform their jobs and enhance audit efficiency and effectiveness. It also identifies emerging roles that The IIA will need to address in support of its members and the profession. The resulting CBOK 2006 database and research report can be used to improve the understanding of the current state of internal audit practices, anticipate the use of new skills, tools, and technologies, and promote the enhancement of standardization and performance of internal auditing worldwide. Chapter 2 provides a brief summary of selected CBOK 2006 data. Chapters 3 through 9 provide details of all the data collected in total from all respondents and by staff level and/or by groups as applicable. Chapter 10 contains the process used to collect the data and a detailed literature review of previously published articles about internal auditing around the world.
CBOK 2006 - Benefits to the Profession The Standards have three purposes: educating internal auditors about the role and responsibilities of internal auditing, providing a basis for measuring performance, and improving the practice of internal auditing. Internal auditing is performed in diverse economic and cultural environments within organizations that vary in purpose, size, and structure. These differences affect compliance with the Standards. CBOK 2006 identifies some of these diverse environments and groups culturally similar chapters and affiliates together. The groups’ usage of the Standards and the scope of the IAA are then compared. The information gathered in CBOK 2006 can be useful in many different ways. For example, the results of the study can be used as a resource, reference, or comparison mechanism by internal auditors and other stakeholders of the internal audit profession. Where there is a need for knowledge and skills to be enhanced, the CBOK 2006 results can be used as a guide for The IIA to develop continuing education materials so their members can acquire and then implement the appropriate knowledge and skills in their work. CBOK results can also provide useful information when periodically updating the competency framework. The IIA has expressed interest in conducting CBOK studies at regular intervals in the future to provide a mechanism for comparison and improvement. The CBOK 2006 results will contribute to future internal audit Standards and practices as well as identify important new knowledge and skills to be included in the CIA exam. The results can also be utilized during an IAA’s self-assessment program and/or the completion of external quality assessments. The Institute of Internal Auditors Research Foundation
4 A Global Summary of the Common Body of Knowledge 2006
______________________
Prior IIA CBOK Studies The IIA has sponsored four prior CBOK studies. Table 1-1 compares the number of participating countries and usable questionnaire responses used in each CBOK study. While all prior CBOK studies were only conducted in English, CBOK 2006 translated the questionnaires into 16 additional languages.
Table 1-1 Comparison of CBOK’s Number of Countries and Number of Respondents CBOK Number I II III IV V
Year
1972 1985 1991 1999 2006
Number of Countries
Number of Usable Respondents
1 2 2 21 91
75 340 1,163 136 9,366
CBOK 2006 is the first study that invited The IIA’s entire worldwide membership to participate. The participation of members from 91 countries and 9,366 usable respondents makes CBOK 2006 the most comprehensive study in The IIA’s history.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 5
Project Teams The research team was comprised of three international teams that were selected from the responses to the CBOK Request for Proposals. Based on the location of the selected research teams, the international affiliates and North American chapters were broken down into three broad geographical areas. Table 1-2 lists the members of the three CBOK 2006 teams.
Table 1-2 Research Teams Teams
Lead Team • Priscilla A. Burnaby (Bentley College, United States) Project Coordinator and Team Coordinator • Mohammad J. Abdolmohammadi (Bentley College, United States) • Susan Hass (Simmons College, United States) • Rob Melville (Cass Business School, United Kingdom) Team Coordinator • Marco Allegrini and Giuseppe D’Onza (University of Pisa, Italy) • Leen Paape (Erasmus University, Netherlands) • Gerrit Sarens (University of Ghent, Belgium) • Marinda M. Marais (University of South Africa) • Elmarie Sadler (University of South Africa) • Houdini Fourie (Tshwane University of Technology, South Africa) • Barry J. Cooper (Deakin University, Australia) Team Coordinator • Philomena Leung (Deakin University, Australia)
General Areas of Responsibilities
North, Central, and South America and the Caribbean
Europe and Africa
Asia and Pacific
The Institute of Internal Auditors Research Foundation
6 A Global Summary of the Common Body of Knowledge 2006
______________________
CBOK 2006 Questionnaires To gain an understanding of what had been published about internal auditing and to develop an inventory of questions to use as a basis for developing the global CBOK 2006 questionnaires, an extensive literature review was conducted. Each team prepared a literature review for their general areas of responsibility. Based on this work, the teams then prepared a pilot study to poll members about the types of questions that should be included in the final survey. The three literature reviews and the results of the pilot study can be found in the CBOK 2006 issue of Managerial Auditing Journal (MAJ), Volume 21, Issue 8, published in October 2006. A summary is included in Chapter 10 of this research report. Based on the results of the pilot study, the survey questions were refined and finalized. The CBOK Steering Committee decided that the surveys should take a respondent approximately 40 minutes to complete. As a result, it was decided to create three CBOK 2006 questionnaires: 1. Affiliates: The IIA is fortunate to have numerous affiliates around the world that provide services to their geographic area in cooperation with The IIA headquarters. This questionnaire asked affiliate leaders questions about regulatory and cultural differences affecting the application of ethics and The IIA Standards in their area. One questionnaire was sent to each participating affiliate. 2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest position within the organization responsible for the internal audit activity (IAA). Data on the status of the IAA within the organization, application of the Standards, skills needed at each staff level, and emerging audit roles were collected from CAEs worldwide. 3. Practitioners: For purposes of this study, Practitioners are all other internal auditors who are not CAEs. Data about the application of the Standards, how an audit is performed, skill sets needed, and the emerging role of internal auditing were collected from internal auditors worldwide. The three detailed questionnaires developed by the CBOK 2006 teams were subjected to careful scrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, the questionnaires were reviewed by a group of over 100 internal auditors worldwide to ensure completeness and validity. Based on their comments, the final questionnaires were developed in English. The IIA translated them into 16 additional languages for the convenience of The IIA membership (Arabic, Bulgarian, Czech, Simplified Chinese, Unsimplified Chinese, French, German, Indonesian, Italian, Japanese, Polish, Portuguese, Russian, Spanish, Swedish, and Turkish). The combined CAE and Practitioner questionnaires are in Appendix 10-C in Chapter 10.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 7
In September 2006, using the survey software Perseus, the CAE and Practitioner questionnaires were distributed electronically to members outside North America by participating international affiliates and by IIA headquarters to members within North America. The questionnaire to affiliate leadership was distributed by The IIA in December 2006. The Glossary in Appendix 1-A was provided with the questionnaires so respondents could reference definitions of key terms and words. This glossary is a combination of the glossary from The IIA’s Professional Practices Framework dated January 2005 and other key words used in the questionnaires.
Number of Respondents The total number of responses to the CAE and Practitioner questionnaires was 15,028. After consultation with an independent statistical expert, responses were determined to be not useable for reasons such as a blank reply or the respondent did not answer enough questions on important sections such as the use and application of the Standards. Upon completion of this process, 9,366 useable responses remained. This results in an overall 7.3% response from the 127,735 IIA members as of September 30, 2006. Due to some affiliates not participating and some members who have opted not to receive e-mail from The IIA, the invitation to participate in the survey was sent to approximately 99,000 members resulting in an estimated 9.5% response rate. Table 1-3 indicates the chapters (United States, Canada, and Caribbean) and affiliates (organizations around the world that serve their geographical area) listed on The IIA’s Web site as of September 2006 and notes the number that participated in this study for each one. A total of 133 United States chapters, all of the Canadian chapters, and 7 of the Caribbean chapters had at least one member who participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitioner response. Forty-six affiliate leaders returned the CBOK Affiliate questionnaire by the January 15, 2007, cutoff date for data collection.
The Institute of Internal Auditors Research Foundation
8 A Global Summary of the Common Body of Knowledge 2006
______________________
Table 1-3 Number of Participating Chapters and Affiliates Area
U.S.A. Canada Caribbean
Number of Chapters/Affiliates*
1 or More Usable Responses from Chapters/Affiliates
Number of Affiliates that Returned CBOK Affiliate Questionnaire
143 11 9
133 11 7
Not Applicable Not Applicable Not Applicable
94
83
46
IIA Affiliates *Tallied from The IIA’s Web site
The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 9
Below is a list of all the affiliates, the United States, Canada, and Caribbean chapters, from which one or more usable responses were received. Please note that the individual chapters within the United States and Canada from which responses were received are not listed here.
Algeria Argentina Aruba Australia Austria Azerbaijan Bahamas Bangladesh Barbados Belgium Bermuda Bolivia Botswana Brazil Bulgaria Cameroon Canada Chile China Chinese Taiwan Colombia Congo-Kinshasa Costa Rica Cyprus Czech Republic Denmark Dominican Republic Ecuador Egypt Estonia Ethiopia
Finland France Germany Ghana Greece Guatemala Hong Kong, China Iceland India Indonesia Israel Italy Jamaica Japan Kenya Korea Latvia Lebanon Lithuania Luxembourg Malawi Malaysia Mexico Netherlands New Zealand Nicaragua Nigeria Norway Oman Pakistan-Islamabad Pakistan-Karachi
Pakistan-Lahore Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia-Moscow Singapore Slovenia South Africa Spain Sri Lanka Sweden Switzerland Thailand Trinidad and Tobago Tunisia Turkey Uganda Ukraine United Arab Emirates United Kingdom and Ireland United States of America Venezuela Zambia Zimbabwe
The Institute of Internal Auditors Research Foundation
10 A Global Summary of the Common Body of Knowledge 2006 ______________________
Clustering for Groups As data was collected from numerous affiliates and chapters, a methodology was sought to combine them into groups for the comparison of responses. Clustering literature was reviewed for plausible ways to combine affiliates and chapters by cultural classification. Hofstede (1980; 1983) introduced this concept and proposed a number of dimensions to classify 50 countries into cultural clusters. Expanding on Hofstede’s work, House et al. (2004) classified 62 societies into various cultural clusters. Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62 societies was insufficient for complete classification of the CBOK 2006 participants. By using additional information from the Central Intelligence Agency World Fact Book (2006), language(s) spoken in the affiliate’s geographical area, geographical location, and discussions with The IIA staff and leadership, the affiliates and chapters were classified into 12 groups. Respondents who did not indicate membership in a specific affiliate or chapter were clustered into a 13th group that was included in statistical summaries for the aggregate results but not in discussions of affiliate or chapter cultural cluster group results. Appendix 1-B lists the 13 groups used for the discussion of responses for CBOK 2006. WHENEVER GROUPS ARE MENTIONED IN THE TEXT, TO DETERMINE WHICH CHAPTERS OR AFFILIATES ARE IN EACH GROUP, PLEASE REFER TO APPENDIX 1-B IN CHAPTER 1 OF THIS REPORT.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 11
References 1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,” Managerial Auditing Journal 21 8, 2006, pp. 811-821. 2. CIA World Fact Book, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006. 3. Hofstede, G, Culture’s consequences: International differences in work-related values (London, UK: Sage), 1980. 4. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B. Deregowski, S. Dziurawiec and R.C. Annis (Eds.), Explications in Cross-Cultural Psychology, Swets and Zeitling, 1983. 5. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004. 6. McIntosh, E.R, Competency Framework for Internal Auditing: An Overview (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1999. 7. The Institute of Internal Auditors, A Vision for the Future: Professional Practices Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1999. 8. The Institute of Internal Auditors, Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2005.
The Institute of Internal Auditors Research Foundation
12 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 1-A GLOSSARY OF TERMS SENT WITH CBOK 2006 QUESTIONNAIRES Add Value Value is provided by improving opportunities to achieve organizational objectives, identify operational improvement, and/or reducing risk exposure through both assurance and consulting services. Adequate Control Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically. Advisory Role A position having or exercising the power to advise and function purely as a consultative role. Assurance Services An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements. Audit Committee An audit committee assists the board of directors in discharging its responsibilities with respect to the accounting policies, internal controls, and financial reporting of the entity. Balanced Scorecard A concept for measuring a company’s activities in terms of its vision, strategies, and performance measures. It gives managers a comprehensive view of the performance of a business. It balances a financial perspective with customer, internal process, and learning and growth perspectives. Board A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee, to whom the chief audit executive may functionally report.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 13
Charter The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities. Chief Audit Executive (CAE) Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes such titles as general auditor, chief internal auditor, and inspector general. Code of Ethics The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing, and rules of conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing. Compliance Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements. Conflict of Interest Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively. Consulting Services Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
The Institute of Internal Auditors Research Foundation
14 A Global Summary of the Common Body of Knowledge 2006 ______________________
Continuous Monitoring Continuous monitoring is an ongoing systematic process for acquiring, analyzing, and reporting on business information to identify and respond to operational business risks. Contract Audit Staff Audit staff that has been hired to perform specific internal audit projects. Members of the contract audit staff are not employed as permanent audit staff at the organization. Control Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Control Environment The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: • Integrity and ethical values • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibility • Human resource policies and practices • Competence of personnel Control Processes The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerance established by the risk management process. Control Self-assessment CSA is a process through which internal control effectiveness is examined and assessed. The objective is to provide reasonable assurance that all business objectives will be met. Co-sourcing Working with external professionals to meet requirements for the organization’s audit plan and obtaining value-added solutions from the cooperative effort.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 15
Corporate Governance The set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered, or controlled. Emerging Market Is a term used to refer to markets in newly industrialized or developing countries with capital markets at early stages of institutional development. Engagement A specific internal audit assignment, task, or review activity, such as an internal audit, control selfassessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives. Engagement Objectives Board statements developed by internal auditors that define intended engagement accomplishments. Engagement Work Program A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan. Enterprise Risk Management (ERM) A continuous process that establishes risk management objectives and develops tolerances and limits for all the enterprise’s significant risks. Environmental Sustainability In compliance with International Standard for Environmental Management System (ISO 14001 certified). External Quality Assurance Review External assessment should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. External Service Provider A person or firm, outside of the organization, who has special knowledge, skill, and experience in a particular discipline.
The Institute of Internal Auditors Research Foundation
16 A Global Summary of the Common Body of Knowledge 2006 ______________________
Fraud Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. Global Audit Information Network (GAIN) The information network enables organizations to compare their audit department’s size, experience, expertise, and other metrics against the aggregated averages of similar-sized organizations in their industry. Governance The combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Impairments Impairments to individual objectivity and organizational independence may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding). Independence The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. Information Risk Assessment Assessment of information threats and opportunities to ensure proper controls are in place to minimize the risks to the organization’s information assets. Internal Audit Activity or Internal Audit Function A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 17
Internal Quality Assurance Review Internal assessments include: ongoing reviews of the performance of the internal audit activity and periodic reviews performed through self-assessment or by other persons within the organization with knowledge of internal auditing practices and the Standards. Knowledge Management System A distributed system in organizations supporting creation, capture, storage, and dissemination of expertise and information. Management Effectiveness The metrics used to evaluate management effectiveness include: leadership, delegation, motivation, return on investment, return on assets, and return on equity. Manager A manager is normally an advanced senior rank position. Managerial Accounting The branch of accounting that uses both historical and estimated data in providing information that management uses in conducting daily operations in planning future operations, and in developing overall business strategies. Objectivity An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Partner This is the highest professional rank in an accounting firm. By achieving this rank, a partner is admitted as a co-owner of the firm. Residual Risk The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
The Institute of Internal Auditors Research Foundation
18 A Global Summary of the Common Body of Knowledge 2006 ______________________
Risk The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Risk Management A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. Semi-government The semi-government sector comprises the corporations, statuary boards, authorities, and state banks under the central government. Should The use of the word “should” in the Standards represents a mandatory obligation. Staff The position of a staff accountant (also called assistant) is the entry-level position. Standard A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance. Total Quality Management (TQM) Total Quality Management is a management approach that emphasizes superior quality in all aspects of the company’s operations. It is an ongoing process that utilizes synergistic relationships to exercise continuous improvement and self evaluation.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 19
APPENDIX 1-B CLUSTERING OF GROUPS AND NUMBER OF RESPONSES Affiliate or Chapter Group Group 1 **Aruba **Bahamas **Barbados **Bermuda **Canada **Jamaica **Trinidad and Tobago **Puerto Rico *United States of America Total Group 2 *+Australia *+New Zealand Total Group 3 **+South Africa *+UK and Ireland Total Group 4 *China *+Chinese Taiwan *+Hong Kong, China *+Japan *Korea Total
Primary Language(s) Spoken
IIA Members 9/30/06
English English English English French/English English English
8 59 70 73 5,255 327 169
4 3 17 5 430 17 13
50.0 5.1 24.3 6.9 8.2 5.2 7.7
386 54,686
17 3,139
4.4 5.7
61,033
3,645
6.0
English English
2,602 486 3,088
177 38 215
6.8 7.8 7.0
English English
4874 7185 12,059
464 271 735
9.5 3.8 6.1
Chinese Chinese English
2,248 3,144 375
62 239 6
2.8 7.6 1.6
Japanese Korean
2,053 557 8,377
66 1 374
3.2 0.2 4.5
Spanish English
Usable Responses 12-15-06
Percentage of Members
*House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004. **Classification by Team Americas in consultation with The IIA, world map, and CIA World Factbook, https://www.cia.gov/ cia/publications/factbook/fields/2145.html +Responded to the Affiliate CBOK questionnaire.
The Institute of Internal Auditors Research Foundation
20 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 1-B (Cont.) CLUSTERING OF GROUPS AND NUMBER OF RESPONSES Affiliate or Chapter Group Group 5 **+Azerbaijan **+Bulgaria **+Cyprus **Czech Republic **Estonia *+Greece **Latvia **+Lithuania *Poland **Romania *+Russia-Moscow *+Slovenia *Ukraine Total Group 6 *+Austria **+Belgium *+Germany *+Luxembourg *+Netherlands *Switzerland Total
Primary Language(s) Spoken
IIA Members 9/30/06
Usable Responses 12-15-06
Percentage of Members
Azari/Russian Bulgarian Greek/Turkish Czech/English Estonian Greek Latvian Lithuanian Polish Romanian Russian Slovenian Ukrainian
133 357 276 886 135 456 123 130 520 214 492 15 25 3,762
1 71 30 166 16 80 1 3 69 42 129 1 2 611
0.8 19.9 10.9 18.7 11.9 17.5 0.8 2.3 13.3 19.6 26.2 6.7 8 16.2
German English/French/Dutch German French/English Dutch German/French
277 1,154 1,728 325 1,741 305 5,530
84 102 131 1 112 33 463
30.3 8.8 7.6 0.3 6.4 10.8 8.4
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 21
APPENDIX 1-B (Cont.) CLUSTERING OF GROUPS AND NUMBER OF RESPONSES Affiliate or Chapter Group Group 7 *+Argentina *+Bolivia *+Brazil **Chile *+Colombia *Costa Rica **+Dominican Republic *Ecuador *Guatemala *+Mexico **+Nicaragua **Panama **Paraguay **+Peru *+Venezuela Total Group 8 *+France *+Israel *+Italy *Portugal *+Spain Total Group 9 **Algeria *Egypt **+Lebanon **Oman **+Qatar **Tunisia *+Turkey **United Arab Emirates Total
Primary Language(s) Spoken
IIA Members 9/30/06
Usable Responses 12-15-06
Percentage of Members
Spanish Spanish Portuguese Spanish Spanish Spanish Spanish Spanish Spanish Spanish Spanish Spanish Spanish Spanish Spanish
562 215 1,358 33 432 186 213 531 75 842 136 69 114 328 376 5,470
57 8 97 4 94 40 3 7 4 91 6 6 3 72 36 528
10.1 3.7 7.1 12.1 21.8 21.5 1.4 1.3 5.3 10.8 4.4 8.7 2.6 22.0 9.6 9.7
French Hebrew Italian Portuguese Spanish
2,937 1,028 2,531 375 1,556 8,427
235 4 456 84 249 1,028
8.0 0.4 18.0 22.4 16.0 12.2
French Arabic/English Arabic/English Arabic/English Arabic/English Arabic/French Turkish English
45 61 105 176 233 306 554 349 1,829
4 4 13 5 8 2 80 16 132
8.9 6.6 12.4 2.8 3.4 0.7 14.4 4.6 7.2
The Institute of Internal Auditors Research Foundation
22 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 1-B (Cont.) CLUSTERING OF GROUPS AND NUMBER OF RESPONSES Affiliate or Chapter Group Group 10 *+Denmark *+Finland **Iceland **+Norway *+Sweden Total Group 11 **Bangladesh *India *Indonesia *+Malaysia **Pakistan - Karachi **Pakistan –Islamabad **Pakistan - Lahore *+Philippines **+Singapore **+Sri Lanka *+Thailand Total Group 12 **Botswana **Cameroon **+Congo-Kinshasa **Ethiopia **Ghana **Kenya **+Malawi *Nigeria **+Uganda *Zambia *Zimbabwe Total
Primary Language(s) Spoken Danish Finnish Icelandic Norwegian Swedish
English English Indonesian/English English English English English English English Sinhala/English Thai
English French French English English English English English English English English
IIA Members 9/30/06
Usable Responses 12-15-06
Percentage of Members
390 584 100 662 542 2,278
3 43 3 45 52 146
0.8 7.4 3.0 6.8 9.6 6.4
116 2,795 654 2,150 172 186 339 1,280 1,343 50 1,446 10,531
1 57 11 60 3 3 1 5 74 6 29 250
0.9 2.0 1.7 2.8 1.7 1.61 0.3 0.4 5.5 12.0 2.0 2.4
134 161 37 288 57 589 169 48 117 63 557 2,220
1 1 1 16 2 4 1 4 13 2 3 48
0.8 0.6 2.7 5.7 3.5 0.7 0.6 8.3 11.1 3.2 0.5 2.2
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 23
APPENDIX 1-B (Cont.) CLUSTERING OF GROUPS AND NUMBER OF RESPONSES Affiliate or Chapter Group Group 13 Not Classified – respondent did not specify affiliate or chapter
Primary Language(s) Spoken
IIA Members 9/30/06
Usable Responses 12-15-06
Percentage of Members
1,191
Affiliates that did not participate Total Membership Less members that were not sent an invitation to participate: Membership of affiliates that did not participate Eleven affiliates with only one response (2,109 members – 11 respondents) 39% of U.S. members who have opted not to receive e-mail from The IIA (54,686 x .39 = 21,328) 39% of Canadian members who have opted not to receive e-mail from The IIA (5,255 x .39 = 2,049) Total estimated membership that was sent an invitation to participate and estimated response rate
3,131 127,735
9,366
7.3
9,366
9.5
(3,131) (2,098)
(21,328)
(2.049)
99,129
The Institute of Internal Auditors Research Foundation
24 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 2
Chapter 2: A Worldwide Picture of the Internal Audit Activity .......................................... 25 Introduction........................................................................................................................... 25 Survey Demographics Summary .......................................................................................... 26 Compliance with Internal Auditing Standards ..................................................................... 29 Staffing and Professional Development................................................................................ 43 Internal Auditor Skills........................................................................................................... 44 Internal Auditor Competencies and Knowledge Areas......................................................... 48 Emerging Roles of the Internal Audit Activity..................................................................... 53 Summary ............................................................................................................................... 58
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 25
CHAPTER 2 A WORLDWIDE PICTURE OF THE INTERNAL AUDIT ACTIVITY Introduction Who would have thought that internal auditors would be described by the media as rock stars? The current demand for qualified internal auditors is greater than the supply. Business scandals around the world have not only reminded organization fiduciaries and management of their responsibilities in the areas of governance, control, and risk management, but have also resulted in increased legislation and regulation. The internal audit activity (IAA) has become a necessary or mandatory activity in organizations around the world. Some organizations are over 100 years old with large, well established IAAs, while many younger companies are just starting to develop and utilize their IAAs. Regardless of the size, type, or age of an organization, the role of internal auditing is evolving into a value-added activity that helps an organization manage its risks and take advantage of opportunities to improve. With the increase in scope of audit responsibility since 1999, the IAA must act to monitor the adequacy and effectiveness of management’s internal control framework and contribute to the integrity of corporate governance, risk assessment, and the financial, operating, and IT systems. Since 1941, The IIA has grown tremendously. Between June 2003 and September 2006, The IIA’s membership grew from 82,645 members to 127,735 members, a 54.6% increase in just over three years. The November 2006 IIA Insight stated that there are members in 165 countries and territories. Also, as of September 2006 there are 6,000 new Certified Internal Auditors (CIAs) for a total of 60,000 CIAs worldwide. There are 90 countries with CIA exam sites. What do internal auditors really need to know to perform their jobs with due care and to add value to their organizations? This CBOK 2006 research report summarizes the information gathered from respondents around the world regarding the current state of the internal auditing profession. It identifies the attributes of an effective IAA; internal auditor skills, competencies, and knowledge; internal audit tools and techniques; and emerging roles of the IAA. This informs the profession and those who benefit from its activities and services as well as serving as a basis for educating and testing the competence of those who enter and want to succeed in the profession.
The Institute of Internal Auditors Research Foundation
26 A Global Summary of the Common Body of Knowledge 2006 ______________________
Since the CAE and Practitioner CBOK 2006 questionnaires were released in September 2006, adherence to The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) as of September 2006 provides the basis for this study. The overall purpose of the CBOK 2006 project is to develop the most comprehensive database ever to capture a current view of the global state of the internal audit profession. The database will be updated to recognize the evolution of global internal audit practices. Future studies will build upon this baseline, allowing for comparison, analysis, and trending. The major topics covered in this chapter are a summary of the demographics of respondents and their organizations, compliance with the Standards, current status of the IAA, staffing and professional development, internal auditor skills, internal auditor competencies and knowledge, internal audit tools and techniques, and the emerging roles of the IAA. The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those who participated in the survey answered all of the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of all respondents: both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA. These more detailed summaries of results may be provided for the five categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the Other category consist primarily of other professional staff whose positions are not captured by the traditional job titles included in the survey. They may be members of the IAA, employed by service providers, or in organizations where their titles are less traditional but with duties within internal auditing.
Survey Demographics Summary The following is a brief summary of the demographics of the respondents and their organizations. Detailed tables and a discussion of the demographics are presented in Chapter 3. Respondents’
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 27
represent the following staff levels: CAEs (26.5%), Audit Managers (22.8%), Audit Seniors/ Supervisors (25.2%), Audit Staff (18.2%), and Others (7.3%).
Duration of Respondents’ IIA and/or Affiliate Membership and Respondents’ Age Survey results indicate that 58.6% of respondents have been members of The IIA for five years or less, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or more years. Although distribution of the original survey instrument was only to IIA members, 6.9% of the respondents indicated they are not members of The IIA. When asked about their age, respondents indicated 3.5% are 25 years old or under, 27.8% are between 26 and 34 years old, 34.8% are between the ages of 35 and 44, and 24.2% are between 45 and 54 years old. Only 9.3% are 55-64 years old and .4% are older than 65. The largest percentage of Audit Managers (41.5%) is between 35 and 44 years old.
Highest Level of Formal Education and Academic Major Thirty-eight point one percent of the respondents have obtained their bachelor’s (undergraduate) degree in business, and 28.9% have obtained a master’s (graduate) degree in business. Fourteen point three percent have a bachelor’s degree in a non-business subject and 9.4% have a master’s degree in a non-business field. There appears to be no pronounced relationship between the respondent’s highest level of education and their current position in the IAA. It also appears that for most respondents, a bachelor’s degree or comparable level of education is necessary to enter the profession. The top six academic majors of respondents are accounting (55.8%), general business/management (27%), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%) (NOTE: since respondents could mark all that apply, percentages exceed 100%). A higher percentage of CAEs (60.0%) and Audit Managers (59.9%) have an accounting major than members of the Audit Staff (45.0%).
Professional Qualification(s) and Area(s) of Professional Experience There are many professional organizations that have qualifying tests and certifications for those employed in accounting and auditing. Survey respondents were asked about their own qualifications. More than one-third (39.4%) of the respondents have a specific certification in internal auditing and about one-fourth (26.7%) of the respondents have a certification in public accounting/chartered accountancy. A much smaller number of respondents have certifications in information systems auditing (10.2%), management/general accounting (5.4%), and fraud examination (5.3%). Internal
The Institute of Internal Auditors Research Foundation
28 A Global Summary of the Common Body of Knowledge 2006 ______________________
auditing is the most common certification for respondents followed by public accounting/chartered accountancy. The possession of additional qualifications appears more common as individuals move up in the IAA. The five areas in which respondents have the most business experience are internal auditing (6.1 years), management (5.4 years), accounting (5.3 years), other professional experience (4.9 years), and finance (4.4 years). This pattern is consistent for those currently employed by service providers, privately held (non-listed) companies, publicly traded (listed) companies, and public sector. Service providers, for the purpose of this study, are defined as those who work on a contractual basis to aid organizations with assurance and consulting engagements. The not-for-profit sector respondents indicated less overall work experience.
Years of Existence of IAA and Years of CAE Experience The largest numbers of respondents work for IAAs that have been in existence for 0-5 years (28.4%) and another 21% of the respondents work for IAAs that have been in existence for 6-10 years. A total of 13.8% of respondents’ organizations have IAAs that have been in existence for 31 or more years. This is a very positive development for internal auditing as it shows that growth has accelerated in the past 10 years. Given the corporate governance issues and regulatory developments in recent years, this could be a reflection of the recognition by organizations and their boards of the need for internal auditing. When CAEs were asked about their years of experience as a CAE, more than half (56%) indicated they had been a CAE for 5 years or less and one-fourth of CAE respondents have between 6 and 10 years of CAE experience. Nineteen percent of CAE respondents have more than 10 years of experience in this position.
Organization Type, Service Providers, and Industry Classifications When asked about their current employers, 38% of all respondents indicate that they work for a publicly traded (listed) company, while 19.5% work for a privately held (non-listed) company. Twenty-three percent of all respondents currently work in the public sector. Ten point five percent of the respondents work for a service provider or as a consultant. Internal auditing is performed by members of the IAA as well as by external service providers. The survey population covered a broad range of industries. Since the respondents were asked to select all industries that applied to their organization, the total of industries selected is greater than 100%. The top 10 industries indicated by respondents are: banking/financial services/credit union (24.5%), other (13.9%), manufacturing (13.4%), financial, accounting, and/or business services
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 29
(11.1%), insurance (9.3%), utilities (7.9%), education (7.0%), communication/telecommunication (7.0%), healthcare (6.4%), and retail/wholesale (6.2%).
Geographical Areas and Legislation Affecting Internal Auditing Recognizing that organizations operate differently, in part based on the locations they service, data was collected on geographical areas served by the respondents’ organizations. Of the respondents, 39.2% indicate that their employer operates on an international/multinational scale, while 29.1% of employers operate on a national scale. The remaining 31.7% operate on a local, state/provincial, or regional basis. In the CBOK Affiliate questionnaire, affiliate leaders were asked about local and federal regulations and legislation affecting the profession of internal auditing. Of the 46 affiliates that responded, 36 (78%) indicate that their countries have legislation or regulations that affect the internal auditing profession in the public sector. In most of these affiliates, financial entities, banks, and insurance companies are subject to legislation that prescribes the establishment of, or the role of, internal auditing in an organization. The United States and Canada also have legislation affecting internal auditing. In 22 (61%) of the 36 affiliates where legislation or regulation affecting internal auditing exists, The IIA affiliate had an influence on the final form of the legislation or regulation. Those IIA affiliates that assisted in the development of the legislation or regulations took part in the discussions or provided input through participation in committees, work groups, and conferences. IIA affiliates also regularly issue their own opinions on drafts of local and national laws and regulations. The publication of position papers and articles reflecting their members’ ideas and opinions is a common method of participation in the evolution of local and national laws and regulations.
Compliance with Internal Auditing Standards Most of the participants in this study indicate that their IAAs are using the Standards and Practice Advisories. They also believe that the guidance provided to them by the Standards and Practice Advisories is adequate. Standards 1300, Quality Assurance and Improvement Program, and 2600, Resolution of Management’s Acceptance of Risk, received lower adequacy responses indicating that more or clearer guidance may be appropriate in the fields of quality assurance and improvement and resolution of management’s acceptance of risk. The respondents are using these two standards to a lesser extent when compared to the other standards. Overall, the guidance provided by the Attribute Standards is perceived by respondents to be better than that provided in the Performance Standards.
The Institute of Internal Auditors Research Foundation
30 A Global Summary of the Common Body of Knowledge 2006 ______________________
Respondents at all staff levels indicate that 81.9% of their IAAs use the Standards in whole or in part. In Figure 2-1, CAEs report the highest level of usage (85.1%) of the Standards by their IAA, while all other respondents report usage between 72.2% and 84.3.
Figure 2-1 Organizations’ Use of the Standards in Whole or in Part by Staff Level All Respondents (8,647) in Percentages
Percentage of Respondents
The most common reasons given by those respondents whose IAA does not adhere to the Standards are: • • •
Inadequate IAA staff (12.6%). Management of organization does not think it adds value (12.2%). Too time-consuming to comply with the Standards (12.2%).
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 31
• •
Compliance not supported by management of organization (11.9%). Superseded by local/government regulations/standards (10.7%).
Quality Assurance and Improvement Programs To supplement the research on compliance with the Standards, respondents were asked specific questions about their compliance with Standards 1300, 1311, and 1312 which require quality assurance and improvement programs, internal quality assessments, and external quality assessments. Standard 1300 requires the CAE to “develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.” The level of compliance is lowest for Standard 1300, Quality Assurance and Improvement Program. Approximately one-third of the respondents currently have a quality assurance and improvement program in accordance with Standard 1300. Approximately one-third of the respondents have had an internal assessment. One-third has never had an internal assessment. Almost one quarter of the respondents do not plan to have a quality assurance and improvement program in place within the next 12 months in accordance with Standard 1300, although approximately one-third of the respondents have such a program currently in place. Forty percent indicate that no external assessment has been performed. Less than 50% of the respondents indicate that their quality assessment and improvement programs include certain activities to monitor the effectiveness of these programs as suggested by PA13001, Quality Assurance and Improvement Program. Monitoring activities most often include engagement supervision and checklists to provide assurance that proper audit processes are followed. Approximately 30% of the respondents indicate that compliance with The IIA’s Standards or Code of Ethics are explicitly monitored as part of these activities. According to Standard 1311, Internal Assessments, the IAA should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments. There is no formal requirement mentioned in the standard regarding the frequency of the self-assessment, only that it be ongoing. The respondents were requested to indicate when their IAAs were last subject to a formal internal assessment. Of those responding, 23.6% have had an internal review within the last 12 months and an additional 8.7% had an internal review within the last five years. The CAE respondents indicated that 47.4% of their IAAs have never had an internal assessment. According to Standard 1312, External Assessments, the IAA should have an external assessment at least once every five years by a qualified, independent reviewer or review team external to the
The Institute of Internal Auditors Research Foundation
32 A Global Summary of the Common Body of Knowledge 2006 ______________________
organization. All IAAs that existed on January 1, 2002, when this standard became effective should have had an external assessment performed by January 1, 2007. Of all respondents, 39.7% have never had an external assessment. When analyzing this response by staff level, 53.7% of CAE respondents indicate that their organizations have not been subject to a formal external quality assessment and are not in compliance with Standard 1312. Note in Figure 2-2 that 28.4% of the respondents’ IAAs are five years old or less. This could be the reason why some of the IAAs have not had an external assessment.
Compliance with The IIA’s Code of Ethics As The IIA’s Code of Ethics must be followed by all those that provide internal auditing services, affiliate leaders were asked whether they required their members to follow The IIA’s Code of Ethics. Forty-six affiliate leaders responded to this question and all answered in the affirmative except for one which adopted a local version. When the affiliate leaders were asked how they handled ethical complaints against their members, the wide variety of responses ranged from the use of an ethics or disciplinary committee to action being left to the affiliate’s full board of directors.
Current Status of the Internal Audit Activity The IAA adds value in multiple ways. It helps the organization achieve its goals by providing suggestions for improvements to vital systems, processes, and procedures. The IAA helps ensure that controls are in place to provide safety and security for transactions and activities. Consulting services assist management in planning for the future and addressing difficult strategic and operational issues. The IAA is vital to the success and health of any organization operating today. Some parts of the world are just starting to recognize the importance of internal auditing and beginning to develop the internal auditing activity. Many IAAs are small or have been in existence for less than five years. Newer IAAs and/or those with smaller audit staffs may not have sufficient staff or personnel with all of the necessary skills and competencies to meet the needs of their organizations. Depending upon priorities and availability of resources, some audits or audit skills may need to be outsourced.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 33
Years That the IAA and the Organization Have Existed To gain a perspective on the length of time respondents’ organizations have had IAAs, Figure 2-2 lists the number of years the respondents’ IAAs have been in existence. The largest number of respondents work for IAAs that have been in existence for 0-5 years (28.4%). Another 21% of the respondents work for IAAs that have been in existence for 6-10 years. Respondents indicate that 13.8% work in IAAs that have been in existence for 31 or more years. Given the corporate governance issues and regulatory developments in recent years, the large number of newer IAAs could be a reflection of the recognition by organizations of the need for the IAA and the need to conduct audits in these areas. A new IAA could also be the result of a corporate merger or acquisition. Although a newer IAA may not be as developed or have the same level of experience or expertise as a more mature one, a younger department does not necessarily equate to a weak or unskilled department.
Figure 2-2 Number of Years the IAA Has Existed in the Organization All Respondents (7,747) in Percentages 41+ Years 8.1% 0-5 Years 28.4%
31-40 Years 5.7%
21-30 Years 14.1%
6-10 Years 21.0%
11-20 Years 22.7%
The Institute of Internal Auditors Research Foundation
34 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 2-3 reports how long respondents’ organizations have been in existence. A separate correlation test performed by the researchers confirms that there is a relationship between how long an organization has been in existence and how long the organization has had an IAA. Older companies tend to have established IAAs longer than younger companies.
Figure 2-3 Number of Years Organizations Have Existed All Respondents (8,165) in Percentages 0-5 Years 7.2% 6-10 Years 10.5%
41+ Years 51.0%
11-20 Years 14.0%
21-30 Years 9.3% 31-40 Years 8.0%
IAA’s Relationships within the Organization Relationship with the Audit/Oversight Committee To maintain independence, the IAA should have a charter approved by the audit committee of its governing board. An internal audit charter is required by The IIA’s Attribute Standard 1000, Purpose, Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal Audit Charter. The charter provides the power from which the IAA can insist that they have the authority to conduct
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 35
the audits deemed necessary. The survey confirms that this practice is generally the case in the majority of IAAs with 72.3% of the respondents indicating their organization has an internal audit charter. IAAs without a charter may be less empowered from the audit customers’ perspective. The reporting relationships of the respondent CAEs are generally in accordance with the Standards and Practice Advisories. There is also a high level of input by the audit committee in the appointment and performance evaluation of CAEs. In the majority of cases, CAEs are reporting to the audit committee of the board and/or to a member of senior management. The survey did not allow the CAE to indicate a dual reporting relationship as recommended by The IIA. Dual reporting allows the IAA to build organizational independence while also serving senior management. Practice Advisory 2060-2, Relationship with the Audit Committee, defines the IAA’s and the audit committee’s relationship. As noted in Table 2-1, CAEs confirm that an audit/oversight committee exists in 72.6% of their organizations. The CAE’s relationship with the audit committee chairperson is very important. Of the respondent CAEs with audit committees, 63.2% meet regularly with the audit committee chair in addition to regular audit committee meetings. It is notable that of those that have audit committees, 91.3% of CAEs believe they have appropriate access to the audit committee. Public sector IAAs often do not have an audit committee structure in their organizations.
Table 2-1 CAE’s Relationship with Audit/Oversight Committee CAE Respondents Percentage of Yes Responses Question
Is there an audit/oversight committee in your organization? Does the CAE meet with the audit/oversight committee chairperson in addition to the regularly scheduled meetings? Does the CAE believe that he/she has appropriate access to the audit committee?
Total Respondents
Yes Percent of Total Responses
2,315
72.6
1,669
63.2
1,671
91.3
The Institute of Internal Auditors Research Foundation
36 A Global Summary of the Common Body of Knowledge 2006 ______________________
Organizations’ and CAEs’ Perceptions of the IAA A set of general questions asked all respondents to rank their perceptions about how their IAA is perceived by their organization. All respondents were asked to rank their level of agreement with the statements in Table 2-2 on a scale of 1 to 5 from Strongly Disagree (1) to Strongly Agree (5). The mean response for each question was calculated for the four levels of audit staff responding to the survey.
Table 2-2 Relationship of IAA to the Organization All Respondents in Means* Statement
Your internal audit activity is an independent objective assurance and consulting activity. Your internal audit activity adds value. Internal audit brings a systematic approach to evaluate the effectiveness of risk management. Your internal audit activity brings a systematic approach to evaluate the effectiveness of internal controls. Your internal audit activity brings a systematic approach to evaluate the effectiveness of governance processes. Your internal audit activity proactively examines important financial matters, risks, and internal controls. Your internal audit activity is an integral part of the governance process by providing reliable information to management.
CAE Audit Manager (Mean of (Mean of 2,033 2,374 Responses) Responses)
Audit Senior/ Audit Staff Supervisor (Mean of 1,626 (Mean of 2,251 Responses) Responses)
4.45
4.34
4.25
4.10
4.41
4.32
4.26
4.20
4.03
3.99
3.98
3.95
4.35
4.27
4.21
4.11
3.80
3.73
3.71
3.74
4.10
4.05
3.96
3.88
4.10
4.04
3.97
3.91
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 37
Table 2-2 (Cont.) Relationship of IAA to the Organization All Respondents in Means* Statement
The way our internal audit activity adds value to the governance process is through direct access to the audit committee. Your internal audit activity has sufficient status in the organization to be effective. Independence is a key factor for your internal audit activity to add value. Objectivity is a key factor for your internal audit activity to add value. Your internal audit activity is credible within your organization. Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing is a key factor for your internal audit activity to add value to the governance process. Compliance with The IIA’s Code of Ethics is a key factor for your internal audit activity to add value to the governance process.
CAE Audit Manager (Mean of (Mean of 2,033 2,374 Responses) Responses)
Audit Senior/ Audit Staff Supervisor (Mean of 1,626 (Mean of 2,251 Responses) Responses)
3.52
3.81
3.66
3.51
4.07
3.97
3.86
3.75
4.46
4.40
4.32
4.29
4.58
4.47
4.42
4.36
4.30
4.17
4.08
3.99
3.86
3.90
3.89
3.90
4.03
4.04
3.98
3.99
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
With the majority of means above 4.0, respondents, who are all members of the IAA giving their opinion about how others see the IAA, indicate that they believe their organizations perceive that IAAs are independent, objective, add value, and effectively evaluate internal controls. There is less certainty among respondents concerning their perceptions about the effectiveness of the IAA’s approach to risk management and evaluation of the effectiveness of governance processes. These
The Institute of Internal Auditors Research Foundation
38 A Global Summary of the Common Body of Knowledge 2006 ______________________
two areas are specifically addressed in the 1999 definition of internal auditing. Respondents’ perceptions indicate strong support for the IAA’s independence, objectivity, and credibility. While the IAA appears to be highly credible within the organization, there is less agreement about compliance with The IIA’s Standards and Code of Ethics. Statements with means around 4.0 indicate respondents’ agreement that the IAA has an effective approach to risk management; is proactive in looking at important financial matters, risks, and internal controls; has sufficient status in the organization; and compliance with The IIA’s Code of Ethics is a key factor for the IAA to add value to its organization. The statements ranked under 4.0 but above 3.5 indicate respondents have less support for the statements about effectiveness in the evaluation of corporate governance and compliance with the Standards. Overall, the perceptions by the respondents provide a very positive view of the IAA within their organizations.
Methods Used to Measure the Value Added by the IAA The responses to the questions about the methods used to measure the value added to the organization by the IAA show a variety of methods being used. These include self-assessment and assessment by others in the organization. The measures used include acceptance of recommendations (51.4%), auditee (customer) surveys (34.6%), and the number of management requests (26.8%). Reliance by the external auditors on the IAA is also used as a value indicator (33.5%). No formal measurement of value added exists in 32.6% of respondents’ IAAs.
Internal Audit Activity Managing the IAA Standard 2000 requires that the CAE, “should effectively manage the internal audit activity to ensure it adds value to the organization.” These activities include administrative activities such as developing an audit plan and assigning audit tasks. Performance Standard 2200 states, “Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations.” Over 91.5% of all respondents believe that their IAA performs these administrative tasks.
Creating the Audit Plan Eighty-one point three percent of respondents follow Practice Advisories PA 2010-2, Linking the Audit Plan to Risk and Exposures, and PA 2040-1, Policies and Procedures, indicating that most The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 39
IAAs use a proper planning process. Of the organizations served by the IAA, 73.3% have a corporate ethics policy/code of conduct. Internal audit risk assessments are performed by 69.5% of the respondents. In the IAA, 63.0% have an internal audit operating manual/policy statement. These are all positive indicators of effective internal audit processes. To comply with IIA Standard 2010, Planning, the IAA should create an audit plan using a riskbased technique. Respondents indicate that 95.6% of their IAAs create a plan for their audit activities at least annually, while 36.4% plan or revise their intentions multiple times a year. The use of risk-based methodology to determine the audit plan is required by IIA Performance Standard 2010 and elaborated in Practice Advisory PA 2010-1, Planning. Of CAE respondents, 86.7% use risk-based techniques in audit planning. When preparing their audit plans, requests from management are an additional consideration used by 73.1% of CAEs.
Scope of Work and Who Performs the Audits The definition of internal auditing and Standard 2100 includes three broad areas of responsibility for IAAs “to evaluate and contribute to the improvement of risk management, control, and governance processes.” The respondents were asked what percentage of the audits their IAAs performed and what percent are outsourced or done by other departments in the organization. The IAA performs 85.6% of the internal audits, 79.1% of the operational auditing, 56.3% of the investigations of fraud and irregularities, and 56% of the financial audits. IAAs also perform 47.1% of the ethics audits and 48.5% of the management effectiveness audits. Other types of work performed include control framework monitoring and development (58.9%) and compliance with corporate governance and regulatory code requirements (51.4%). Information risk assessment (47.5%), internal control testing and evaluation engagements (70.8%), and enterprise risk management (37.6%) are also performed by the IAA to determine what areas may need to be made more effective and efficient. The three largest audit areas that are outsourced/co-sourced outside the IAA are financial auditing (27.2%), information technology department assessment (18.8%), and quality/ISO audits (14.1%). The three areas where fewer audits are performed by the IAA are social and sustainability audits (40%), quality/ISO audits (32.5%), and ethics audits (27.4). Risk management work performed within organizations includes business viability assessments, enterprise risk management support and information risk assessment. The majority of business viability assessments are performed by other departments within the organization (51.6%). IAAs perform 24.6% of these audits while 16.8% of the respondents report that these audits are not performed at all. For enterprise risk management assessment activities, IAAs perform 37.6% of
The Institute of Internal Auditors Research Foundation
40 A Global Summary of the Common Body of Knowledge 2006 ______________________
these activities, other departments within the organization perform 43.6%, and 6.5% of these activities are co-sourced or outsourced. In the area of information risk assessment, the IAA performs 47.5% of the activities and other departments perform 30.9%. Practice Advisory 2120.A1-1, Assessing and Reporting on Control Processes, states that testing “compliance with laws, regulations, and contracts” is part of the IAA’s study and evaluation of internal controls. Two areas where the IAA performs compliance activities are compliance with company privacy policies (43.1%) and health, safety, and environment (22.1%). The definition of internal auditing includes consulting in its scope of acceptable audit activities. Areas of consulting included in the study indicate that 11.3% of the activities for corporate takeovers/ mergers are performed by IAAs while 50.4% are handled by other departments in the organization. The IAA provides 46.2% of the support for external auditors, while other departments provide 28.1% and co-sourced or outsourced work accounts for 14% of the activities required. Project management activities are performed mainly by other departments (58.3%) with 27.7% of these activities provided by the IAA. Both the IAA and other departments in the organization provide 39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
Performing the Engagement The demands on the IAA and its staff are increasing as the significance and usefulness of the work of the IAA become better known and valued. This can strain the resources of most IAAs as they enhance their presence in the organization. The use of tools and techniques helps the auditor successfully plan, monitor progress, document, analyze data, complete the audit, and determine the magnitude of audit findings. The objective for this area of the study was to determine which tools the IAA finds necessary for internal auditors to successfully perform their engagements. The tools and techniques included in this survey were identified by reviewing the Standards and Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK’s pilot study. Based on this review, 16 tools and techniques were identified as being important for the IAA and its staff when performing the audit. Some tools/techniques are in the area of audit administration (planning or managing) while others relate to helping internal auditors perform their engagements (analyzing data or statistical sampling). Respondents could not add to or amend the list that was included in the CBOK 2006 survey. The respondents were asked to indicate which listed tools and techniques their IAAs currently use or plan to use in the next three years by rating all the tools/ techniques listed on a five point scale: 1, Not Used, through 5, Extensively Used. Results are shown in Table 2-3, indicating the ranking of response means by position in the IAA.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 41
The results in Table 2-3 show that that all respondents, regardless of their position, almost uniformly rank the same three tools as most used by the IAA. Other electronic communications was the highest ranked tool. Risk-based audit planning uniformly ranked second with a mean approximately one-half a percentage point less than that of electronic communications. Other than electronic communications (e.g., Internet, e-mail) and risk-based audit planning, only analytical review has a mean above 3.00 for all respondents. These three tools match the core tasks of the IAA: planning, documenting fieldwork, and communication. Documentation and communication can be very labor intensive when completed without technological support. As such, it is appropriate that the IAA would have first invested and developed tools in these areas.
Table 2-3 Extent the IAA Currently Uses Audit Tools and Techniques All Respondents by Rank* Tools/Techniques
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Analytical review Electronic workpapers Statistical sampling Computer-assisted audit techniques Flowchart software Benchmarking Process mapping application Control self-assessment Data mining Continuous/real-time auditing The IIA’s quality assessment review tools Balanced scorecard or similar framework Total quality management techniques Process modeling software
Overall
CAE
Audit Audit Senior/ Manager Supervisor
Audit Staff
Other
1
1
1
1
1
1
2 3 4 5 6
2 3 4 5 6
2 4 3 6 5
2 3/4 3/4 5 6
2 4 3 5 6
2 3 4 5 6
7 8 9 10 11 12 13
8 7 9 11 10 12 13
7 8 9 10 11 13 12
7 9/10 8 9/10 12 11 14
8/9 11 8/9 10 12 7 14
7/8 7/8 10 9 12 11 14
14
14
14
13
15
15
15
15
15
15
13
13
16
16
16
16
16
16
*In some cases the rankings were tied. For example, rankings of Benchmarking and Control self-assessment at the Audit Senior/Supervisor level were tied.
The Institute of Internal Auditors Research Foundation
42 A Global Summary of the Common Body of Knowledge 2006 ______________________
Process modeling software is a tool that is generally not used (ranked 16 of 16) by the respondents. Based on ranks and means, other tools and techniques not currently used by many respondents are total quality management techniques, the balanced scorecard, the IIA’s quality assessment review tools, continuous/real-time auditing, data mining, and control self-assessment. Respondents were also asked to indicate their planned use of the listed tools and techniques in the next three years. Results show that in the next three years a higher number of CAEs and Practitioners will extensively use the listed tools and techniques, more than they presently do. Significant increases in usage were indicated for risk-based audit planning and computer-assisted audit techniques. Increased usage was also noted for The IIA’s quality assessment review tools, process modeling software, the balanced scorecard or similar frameworks, continuous real-time auditing, data mining, and control self-assessment. These findings are very important since these are the tools and techniques suggested by the Standards, practice advisories, and best practices.
Resolution of Major Differences Practice Advisory 2410-1, Communication Criteria, suggests, “As part of the internal auditor’s discussions with the engagement client, the internal auditor should try to obtain agreement on the results of the engagement and on a plan of action to improve operations, as needed.” CAE respondents were asked to indicate at what points in the audit process major differences are resolved. Several categories could be selected by each respondent indicating major issue resolution in multiple phases of the audit process. Of those responding, 44.5% usually resolve major differences during audit fieldwork and 45.2% usually resolve them during the audit reporting phase. Thirty-two point four percent sometimes resolve audit issues during planning, while 28.5% indicated that resolution rarely happens during the planning stage.
Reporting of Findings Standard 2440, Disseminating Results, states, “The chief audit executive should communicate results to the appropriate parties.” The majority of the respondents agree that the responsibility of reporting audit findings rests with the CAE. CAEs believe they should report the findings alone (75.1%) or jointly with the client (10.3%), while Audit Managers indicate they should report the findings alone (28.2%) or with the client (9.4%).
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 43
Monitoring Corrective Action In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.” Standard 2500.A1 goes on to require “a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.” Of the respondents in varying positions in the IAA, 37.5% to 54.5% believe that both the internal auditor and client together have the primary responsibility to monitor adoption of needed corrective action. From 25.8% to 35.7% of the respondents indicated that the internal auditor has the primary responsibility. The majority of respondents indicated that their organizations have some formal monitoring system. With the exception of the Other respondents (8.5%), only 2.0% to 3.4% indicated they had no formal follow-up procedures. Although these results indicate that this responsibility is often shared with management, the Standards state that the CAE is responsible for monitoring corrective action.
Staffing and Professional Development Staffing In most organizations, in-house internal auditors cover over 90% of the work. Publicly listed companies average the highest in-house audits with 95.4% coverage. Despite the opportunity for outsourcing and co-sourcing, most organizations are conducting their internal audits with in-house staff. Consultants are the largest group of service providers for IAAs. Thirty-three percent of CAEs indicated that their budget for co-sourcing and outsourcing will increase in the next three years. The survey responses indicate that most respondents’ IAAs are relatively small operations in terms of staffing but that staff is skewed to more experienced internal auditors. In 44% of the organizations, there are only two to five general Audit Staff members. The two main methods CAEs use to cover staff vacancies are reduction in areas of coverage (30.7%) and co-sourcing with internal audit service providers (28.7%).
The Institute of Internal Auditors Research Foundation
44 A Global Summary of the Common Body of Knowledge 2006 ______________________
Continuing Professional Development and Certification in Internal Auditing The IIA requires 80 hours of continuing professional development (CPD) every two years. The IIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to “enhance their knowledge, skills, and other competencies through continuing professional development.” Respondents were asked how many hours of formal training they received over the last 36 months or while they have been working in their IAA if less than 3 years. Training includes, but is not limited to, seminars, conferences, workshops, and in-house information sessions provided by either the respondent’s organization or other organizations. The range in hours of formal training reported is from none to more than 240 hours. There is an expectation that all respondents would have taken at least 120 hours of CPD over the prior threeyear period. Of the CAEs, 48.2% achieved or exceeded 120 hours of CPD. Another 16.4% of the CAEs attained the 80-119 hour level of CPD. The percentages of respondents at the other staff levels that achieved 120 or more hours of formal training are: 49.1% for Audit Managers, 42.4% for Audit Seniors/Supervisors, 35.5% for Audit Staff, and 34.1% for Others. Compliance with the Standards mandates 40 hours of CPD annually. In some parts of the world, due to the small size of the internal auditor population, it may be difficult to find the continuing professional development needed to upgrade skills. There are many ways that IAAs can obtain CPD for their staff even if funding or scarcity of local CPD courses are a concern. With the use of the Internet, members can attend online conferencing events provided by The IIA, download IIA position statements, and research online how to perform such activities as control self-assessment. The IIA has monographs and other materials on multiple topics to aid in training internal auditors. Of the respondents, 39.4% have a certification in internal auditing (e.g., CIA, MIIA), and about one-fourth of the respondents have a certification in public accounting/chartered accountancy. Possession of additional certification appears more common as individuals progress professionally in the IAA.
Internal Auditor Skills Since the scope of audit responsibilities outlined in the definition of internal auditing expanded in 1999, the types of audits and consulting activities performed by IAAs have increased. Skills used by internal auditors have evolved and changed to meet the challenges of performing these new types of audits.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 45
Standard 1220, Due Professional Care, requires internal auditors to “apply the care and skill expected of a reasonably prudent and competent internal auditor.” The objective for this question is to determine the behavioral and technical skills necessary for internal auditors to successfully perform their jobs at their position in the IAA. Recognizing the evolutionary nature of the profession, the following two sections summarize the skills internal auditors are currently expected to possess as they perform their roles. All respondents were provided a list of technical and behavioral skills developed from the Standards and Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK 2006 pilot survey . Respondents were unable to amend or change the list of skills provided. CAEs were asked to identify the five most important technical and behavioral skills they and their staff need to possess in order to be successful at their position in the IAA. Practitioners were asked to indicate the importance of the listed skills to perform their work at their current staff position by ranking the skills on a scale of 1 (minimally important) to 5 (very important). As a guide when answering the survey questions, respondents were given the following definition of technical skills: “using terminology or subject matter in a particular field.” Behavioral skills were defined in the survey as “actions towards others measured by commonly accepted standards and management of one’s own actions.”
Technical Skills CAEs believe that understanding the business and risk analysis are skills that are most important for themselves. There is no individual technical skill that is highly rated by CAE respondents for all staff levels in the IAA. Technical skills that are considered more important for the Audit Staff but less critical for CAEs are identifying types of controls, use of information technology, statistical sampling, and data collection and analysis. Other skills, such as forensic skill/fraud awareness, risk analysis, and negotiating, are considered more important for CAEs and not as vital for the Audit Staff or Audit Seniors/Supervisors. As shown in Table 2-4, when reviewing the mean ranking of technical skills by Practitioners, the consistency in rankings among the three traditional staff levels (Audit Manager, Audit Senior/ Supervisor, and Audit Staff) is very noticeable. The decreasing importance of certain skills as one achieves higher levels in the IAA is indicated for some technical skills, but the direction of the change is more significant than the magnitude of the decrease. Statistical sampling and data collection and analysis have the largest changes between professional ranks.
The Institute of Internal Auditors Research Foundation
46 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 2-4 Importance to Respondent of Technical Skills to Perform Work Practitioner Respondents by Means* Technical Skills
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
Audit Manager
Audit Senior/ Supervisor
Audit Staff
4.1 3.8 3.6 4.3
4.3 3.9 3.6 4.2
4.4 3.7 3.6 4.1
4.3 2.9 3.7 3.9 4.4 3.2 2.9 4.5 4.1
4.3 2.9 3.6 4.0 4.3 3.3 2.9 4.4 4.1
4.3 3.0 3.5 4.0 4.2 3.5 3.0 4.3 4.1
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
Behavioral Skills The results show that CAEs and Practitioners almost uniformly consider confidentiality and objectivity among the five most important behavioral skills. The CAEs’ responses for other behavioral skills indicate a difference among the skills needed based on the professional levels analyzed (CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff). While leadership is considered the most important skill that CAEs should possess, CAEs indicate that for the Audit Staff, interpersonal skills and being a team player are most important. From the CAE’s perspective, when viewing the importance of behavioral skills across the array of hierarchical positions in the IAA, leadership, governance and ethics sensitivity, and staff management show a trend of increasing importance. As one progresses to higher levels of professional responsibility and status, being considered a team player and being able to work independently decline in importance.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 47
Practitioners were asked to indicate the importance of the same 12 behavioral skills for performing their work at their current position in the organization. Respondents indicated importance on a scale of 1 (minimally important) to 5 (very important). Analysis broken up into three professional levels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is shown in Table 2-5. As indicated by a mean of 4.0 and above, practitioners consider almost all the behavioral skills listed to be important to perform their work at their current position in the IAA.
Table 2-5 Importance of Behavioral Skills to Perform Work Practitioner Respondents by Mean* Behavioral Skills
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Work well with all levels of management Working independently
Audit Manager
Audit Senior/ Supervisor
Audit Staff
4.8 4.1 4.4 4.6 4.3 4.8 4.4 4.1 4.2 4.3 4.6 4.2
4.8 4.0 4.3 4.5 4.1 4.8 4.4 3.8 4.0 4.2 4.6 4.2
4.7 3.9 4.3 4.5 3.9 4.7 4.3 3.5 3.9 4.2 4.5 4.2
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
No one person can possess all the behavioral and technical skills needed by the IAA to perform the different types of audits and consulting engagements necessary to fulfill all the needs of the organization. Although many of the staff can be generalists, IAAs may need to hire specialists and/ or outsource audits as needed.
The Institute of Internal Auditors Research Foundation
48 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Auditor Competencies and Knowledge Areas Competency and knowledge areas are essential for the success of an individual internal auditor, the completion of an audit, and the overall success of the IAA. Standard 1210, Proficiency, requires the “internal audit activity collectively should possess or obtain the knowledge…and other competencies needed to perform its responsibilities.” Standard 1230, Continuing Professional Development, indicates that these competencies and knowledge areas must be continually updated and current. Internal auditors at all levels need to obtain and develop a range of competencies and knowledge areas that enable them to perform their work effectively and enable the IAA to function properly.
Competencies Competencies range from generally applicable individual skills such as time management and presentation skills to qualities that are specific to internal auditors such as the ability to promote the IAA within the organization. Internal auditors also must have different competencies for satisfactory performance at various hierarchical positions in the IAA. As a guide for respondents, competencies were defined in the survey as “skills essential to perform certain tasks.” The importance of competencies is highlighted since it is one of four principles in The IIA’s Code of Ethics. The Code of Ethics states that competency is when “internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.” Respondents were unable to amend or add to the list of competencies that was given. CAEs were asked to identify the five most important competencies they need to possess in order to be successful as the leader of their IAA. They were also asked to identify the five most important competencies that Audit Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform their jobs. As shown in Table 2-6, CAEs commonly indicated as their most important competency the ability to promote the IAA within the organization. This is consistent with the Standards. Standard 2000, Managing the Internal Audit Activity, states that the CAE “should effectively manage the internal audit activity to ensure it adds value to the organization.” CAEs view the ability to be analytical and communicate as the most important competencies for Audit Seniors/Supervisors and the Audit Staff. Based on the CAEs’ responses, writing and analytical skills decline in importance as one advances in positional responsibility and status.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 49
Table 2-6 Most Important Competencies by Staff Level CAE Respondents (2,092 ) in Percentages Competencies
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
78.1
28.3
10.9
9.3
24.9 34.7 60.3 38.0 41.2 31.3 13.4 41.3
31.5 20.4 46.7 20.7 35.3 26.3 10.8 31.0
47.7 7.6 43.2 16.1 20.2 31.0 8.1 22.9
63.9 4.1 51.9 17.8 7.2 43.9 12.4 22.5
30.3 37.4 21.6 24.7 13.0 15.8 30.1 12.4 23.6
27.9 25.5 23.8 35.7 23.0 18.7 38.2 14.9 24.2
22.0 15.5 34.5 24.3 27.3 28.2 20.9 16.1 32.0
20.9 13.0 47.0 7.1 22.1 40.2 2.6 16.3 51.0
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
50 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 2-7 Importance of Competencies to Perform Work Practitioner Respondents in Means* Competencies
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Audit Manager
Audit Senior/ Supervisor
Audit Staff
4.32
4.15
4.11
4.52 4.03 4.61 4.33 4.27 4.48 2.59 4.05
4.53 3.89 4.59 4.29 4.24 4.43 2.54 4.01
4.45 3.72 4.54 4.25 4.13 4.36 2.66 4.02
4.15 4.13 4.50 4.13 4.31 4.26 4.06 3.79 4.49
4.13 4.03 4.48 4.02 4.27 4.25 3.74 3.73 4.47
4.13 4.02 4.44 3.84 4.19 4.21 3.56 3.65 4.39
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and 4,735.
Practitioners, when asked to indicate the importance of the eighteen competencies to their own job performance at their current position in the organization, considered almost all of the competencies equally important across the positional levels in the IAA. This is indicated by only marginal differences across staff levels in the means on Table 2-7. CAEs appear to be viewing competencies appropriate for a positional level from a department manager’s perspective, while Practitioners appear to view a variety of competencies necessary for their success.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 51
Knowledge Areas This section looks at 19 areas of knowledge to determine which are important to internal auditors for the satisfactory performance of their job in the IAA. As indicated in Table 2-8, Practitioners were asked to indicate the importance of these 19 areas of knowledge to perform their work at their current position in their organization on a scale of 1 (minimally important) to 5 (very important). They were unable to amend or add to the list. Knowledge of auditing is overwhelmingly ranked first for Practitioner respondents at all levels, and Ethics is ranked second by all levels except for Audit Seniors/Supervisors where it is ranked third. Other knowledge areas consistently ranked in the top five for all Practitioner respondents are internal auditing standards, technical knowledge for your industry, and fraud awareness. There is an overall consistency of means for knowledge areas at all staff levels.
The Institute of Internal Auditors Research Foundation
52 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 2-8 Importance of Areas of Knowledge to Perform Work Practitioner Respondents in Means* Areas of Knowledge
Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness Governance Human resource management Internal auditing standards Information technology Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
Audit Manager
Audit Senior/ Supervisor
Audit Staff
3.83 4.68 3.68 3.75 3.71 3.85 4.21 3.70 4.00 3.95 3.44 4.19 3.85 3.35 2.70 3.91 3.75 3.73 3.97
3.77 4.66 3.70 3.60 3.64 3.74 4.18 3.68 3.93 3.80 3.23 4.19 3.84 3.30 2.60 3.79 3.76 3.61 3.92
3.71 4.61 3.68 3.53 3.68 3.71 4.26 3.64 3.91 3.77 3.15 4.24 3.79 3.27 2.64 3.82 3.78 3.60 3.96
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and 4,751.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 53
Emerging Roles of the Internal Audit Activity Changing Emphasis on Types of Audits This section focuses on the anticipated changes in the demand for general types of audits that will be performed by the IAA in the next three years. The definition of internal auditing in The IIA’s 1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing, acknowledges the importance of assurance services and consulting engagements in the areas of risk management, governance, and controls. With this expansion of scope, audits are expected to be performed by IAAs in these three areas. In order to assess the amount of staff, their required competencies, and the skills needed in the near future, the profession needs to anticipate changes in the demand for the IAA’s services. The IAA also must consider changes in their organizations’ risk maturity profiles and stakeholder requirements. Table 2-9 shows the opinions of all respondents to the question about whether they perceive the general types of audits performed by the IAA will increase, decrease, or stay the same over the next three years.
Table 2-9 Anticipated Changes in Types of Audits to Be Performed Within the Next Three Years All Respondents in Percentages Activity
Risk management Governance Regulatory compliance Operational auditing Review of financial processes
Total Increase Responses 6,728 6,704 6,698 6,715 6,724
79.5 63.2 46.9 46.2 43.5
Decrease
Stay the Same
Total Percent
2.3 4.0 11.7 14.7 14.6
18.2 32.8 41.4 39.1 41.9
100.0 100.0 100.0 100.0 100.0
The Institute of Internal Auditors Research Foundation
54 A Global Summary of the Common Body of Knowledge 2006 ______________________
Of respondents, 79.5% predict that the greatest increase in the type of audits performed in the next three years will be for risk management and 63.2% predict an increase in governance audits. The increase in these types of audits will need to be reflected in the IAA’s internal audit plan, resources allocated, and in the audit staff’s competencies. For many of the respondents, reviews of financial processes (43.5%), regulatory compliance (46.9%), and operational auditing (46.2%) show increases. Some respondents anticipate that less time will be spent on operational audits (14.7%), review of financial processes (14.6%), and regulatory compliance audits (11.7%).
IAAs’ Emerging Roles in Organizations’ Activities To gain an understanding of what roles IAAs have and will have in various types of activities performed within the organization, respondents were provided with a list of important tasks performed by organizations. They were asked to indicate if their IAA currently has a role in the area, if the IAA will likely have a role in the next three years, or if it is unlikely that the IAA will have a role. Role was defined as being within the IAA’s scope of work. The list was created by reviewing internal auditing literature and from the CBOK 2006 pilot survey. An overview of all responses is shown in Table 2-10. The respondents’ IAAs do some type of work in many of the areas listed. The four highest-rated areas where respondents indicate that their IAAs currently perform audits are fraud prevention (69% of respondents), risk management (66.6%), regulatory compliance assessment monitoring (64%), and corporate governance (52.2%). Areas where respondents’ IAAs currently have less developed roles are globalization (15.3%), environmental sustainability (14%), and emerging markets (11.5%). For areas where there is no current IAA involvement, respondents indicate that 17.7% to 38.1% of their IAAs plan some engagements in the next three years. Areas where the IAA’s current involvement is low and is expected to remain low are executive compensation (45.4%), environmental sustainability (39.9%), emerging markets (39.5%), globalization (35.2%), intellectual property and knowledge assessment (35.1%), and mergers and acquisitions (30.8%).
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 55
Table 2-10 Emerging Roles of the IAA Total Responses in Percentages Roles
Total Currently Likely to Have Unlikely to Not Total Respon- Have a Role a Role Within Have a Role Applicable dents the Next 3 Years
Alignment of strategy and performance measures (e.g., Balanced Scorecard) Benchmarking Corporate governance Corporate social responsibility Develop training and education of organization personnel (e.g., internal controls, risk management, regulatory requirements) Disaster recovery Evidential issues Emerging markets Environmental sustainability Executive compensation Fraud prevention/detection Globalization Intellectual property and knowledge assessment IT management assessment Knowledge management systems development review Mergers and acquisitions Project management Provide training to the audit committee Regulatory compliance assessment monitoring Risk management Strategic frameworks
6,500
23.1
35.2
30.1
11.6
100.0
6,476 6,511 6,415
28.6 52.2 23.6
35.7 31.2 31.6
26.0 11.4 33.8
9.7 5.2 11.0
100.0 100.0 100.0
6,522
46.6
34.4
15.3
3.7
100.0
6,490 6,385 6,426 6,436 6,429 6,530 6,431 6,391
34.0 39.8 11.5 14.0 16.0 69.0 15.3 19.2
26.1 23.9 22.5 24.7 17.7 22.9 21.1 28.4
29.0 23.5 39.5 39.9 45.4 5.7 35.2 35.1
10.9 12.8 26.5 21.4 20.9 2.4 28.4 17.3
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
6,453 6,387
46.1 26.1
32.2 38.1
16.8 26.9
4.9 8.9
100.0 100.0
6,437 6,410 6,436
18.4 39.8 31.2
23.7 27.6 34.4
30.8 25.1 21.7
27.1 7.5 12.7
100.0 100.0 100.0
6,442
64.0
23.0
9.2
3.8
100.0
6,509 6,407
66.6 27.0
25.5 36.8
5.6 27.7
2.3 8.5
100.0 100.0
The Institute of Internal Auditors Research Foundation
56 A Global Summary of the Common Body of Knowledge 2006 ______________________
Changing Legal Environment, Organization Systems, and Role of the IAA Table 2-11 captures CAE and Audit Manager respondents’ agreement with statements about their organizations and their IAA. The question asked if a statement currently applies, is likely to apply within the next three years, or will not apply in the foreseeable future. The respondents indicate that 61.2% of the IAAs currently reside in countries that have mandatory laws or regulations that require organizations to have an IAA and 13.1% anticipate their countries will have such requirements in the next three years. Corporate governance codes are complied with in 67.7% of the organizations with 22.7% of the respondents’ organizations anticipating compliance with corporate governance codes in the next three years. In 70.5% of the respondents’ organizations, there is an internal control framework and 24.3% indicate that their organizations will have a framework in the next three years. Assurance audits receive more emphasis than consulting services in 71.5% of the organizations.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 57
Table 2-11 How Statements Apply to Your Organization CAEs’ and Audit Managers’ Agreement with Statements in Percentages Statement
Number of Currently Likely to Will Not Not Total Respondents Applies Apply Apply in the Applicable Within the Foreseeable Next 3 Future Years
Internal auditing is required by law or regulation where the organization is based. Internal auditors in the organization have an advisory role in strategy development The organization complies with a corporate governance code. The organization has implemented an internal control framework. The organization has implemented a knowledge management system The internal audit activity has provided training to audit committee members. The internal audit activity assumes an important role in the integrity of financial reporting. The internal audit activity educates organization personnel about internal controls, corporate governance, and compliance issues. The internal audit activity places more emphasis on assurance than consulting services.
3,464
61.2
13.1
12.9
12.8
100
3,445
28.9
32.7
30.3
8.1
100
3,447
67.7
22.7
4.3
5.3
100
3,443
70.5
24.3
3.5
1.7
100
3,423
25.6
43.9
20.6
9.9
100
3,424
34.0
32.3
18.5
15.2
100
3,437
55.7
25.6
13.8
4.9
100
3,437
64.3
25.3
7.3
3.1
100
3,448
71.5
15.2
8.4
4.9
100
The Institute of Internal Auditors Research Foundation
58 A Global Summary of the Common Body of Knowledge 2006 ______________________
The IAAs (64.3% currently, 25.3% more in three years) educate the organizations’ personnel about internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently, 25.6% more in three years) have an important role in the integrity of their organizations’ financial reporting. Internal auditors have growing advisory roles in strategy development (28.9% currently, 32.7% more in three years) and training of audit committee members (34% currently, 32.3% more in three years). The top three statements that some respondents selected as will not apply in the foreseeable future are that internal auditors have a role in strategy development (30.3%), in the training of audit committee members (18.5%) and in the integrity of financial reporting (13.8%).
Summary Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing is essential if the responsibilities of internal auditors to their organizations are to be met. Respondents strongly believed that their organizations comply overall with the Standards. Reasons for not using the Standards related to organizational attributes, such as management’s perceptions that the Standards do not add value, lack of adequate IAA staff, and that it is too time-consuming to comply with them. IAAs should strive to fully comply with the Standards. It appears that Standard 1300, Quality Assurance and Improvement Program, is a barrier to full compliance for many organizations worldwide. Additional guidance with suggestions for less costly ways to comply with this standard could result in more members fully complying with the Standards. The CBOK 2006 database provides information about the evolving role of internal auditing as a value-added activity that helps an organization manage its risks and take advantage of opportunities. The profession of internal auditing is a rich resource for organizations as the IAA monitors the adequacy and effectiveness of management’s internal control framework and contributes to the integrity of corporate governance; risk assessment; and financial, operating, and IT systems. The CBOK 2006 database identifies the attributes of an effective IAA; internal auditor skills, competencies, and knowledge; internal audit tools and techniques; and the emerging roles of the IAA. This database can be used to inform the business community about what resources and services the internal auditor can provide and what skills and knowledge are needed by internal auditing professionals. The database will be updated to document the evolution of global internal audit practices. Future studies will build upon this baseline, allowing for comparison, analysis, and trending.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 59
References 1. Morton, Peter, The New York Stars, camagazine.com, www.camagazine.com/index.cfm?ci_id=33982&la_id=1&print=true 2. Sams, Rachel, “New Accounting Laws Make Internal Auditors ‘Rock Stars,’” Baltimore Business Journal, June 5, 2006, baltimore.bizjournals.com/baltimore/stories/2006/06/05/story3.html 3. The Institute of Internal Auditors, “By the Numbers,” IIA Insight, Vol. 1/November 2006, pp. 8-9. 4. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2005.
The Institute of Internal Auditors Research Foundation
60 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 3
Chapter 3: Survey Demographics............................................................................................ 61 Introduction........................................................................................................................... 61 Staff Levels of Respondents ................................................................................................. 63 IIA Membership.................................................................................................................... 64 Age of the Respondents ........................................................................................................ 67 Highest Level of Formal Education ...................................................................................... 70 Professional Qualifications ................................................................................................... 76 Areas of Professional Experience ......................................................................................... 80 Years of Existence of IAA and Years of CAE Experience................................................... 81 Types of Organizations ......................................................................................................... 86 Service Providers of Internal Audit Services........................................................................ 89 Age of Organizations ............................................................................................................ 90 Industry Classification(s) ...................................................................................................... 91 Geographical Area Served by Organization ......................................................................... 96 Appendix 3............................................................................................................................ 99
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 61
CHAPTER 3 SURVEY DEMOGRAPHICS
Introduction The following is a summary of the demographics of the CBOK 2006 respondents and their organizations. The total number of responses to the CAE and Practitioner questionnaires was 15,028. After consultation with an independent statistical expert, responses were determined to be not useable if the reply was blank or the respondent did not answer enough questions on important sections such as the use and application of the Standards. Upon completion of this process, 9,366 useable responses remained. This results in an overall 7.3% response from the 127,735 IIA members on September 30, 2006. Due to some affiliates not participating and some members who have opted not to receive e-mails from The IIA, the survey was sent to approximately 99,000 members resulting in an estimated 9.5% response rate. The overall purpose of the CBOK 2006 project is to develop the most comprehensive database ever to capture a current view of the global state of the internal audit profession. The database will be updated to recognize the evolution of global internal audit practices. Future studies will build upon this baseline, allowing for comparison, analysis, and trending. The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those who participated in the survey answered all the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the internal audit activity (IAA). These more detailed summaries of results may be provided for the five
The Institute of Internal Auditors Research Foundation
62 A Global Summary of the Common Body of Knowledge 2006 ______________________
categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the Other category consist primarily of other professional staff whose positions are not captured by the traditional job titles included in the survey. A review of their credentials indicates they may be members of the IAA, employed by service providers, or in organizations where their titles are less traditional but with duties within internal auditing. When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details. For example, Table 3-2 is the total of all respondents for that question with a related Table 3-2-1 showing the responses by group. A table can have more than one related table, where the second related table would be Table 3-2-2. Additional related tables may be located in Appendix 3 at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 3-6-1-A is located in Appendix 3. Included in this chapter is information about the respondents, their IAA, and their organizations in the areas of: • • • • • • • • • • • • • •
Duration of respondent’s IIA membership. Age. Highest level of formal education. Academic major(s). Professional qualification(s). Area(s) of professional experience. Hierarchical position of the IAA. Years of experience as CAE. Years organizations have had an IAA. Organization type. Service providers. Industry classifications. Geographical area(s) served by respondent organizations. Legislation affecting internal auditing.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 63
Staff Levels of Respondents Respondents were asked about their position in their organization. As indicated in Figure 3-1, 26.5% of the respondents are CAEs, 22.8% are Audit Managers, and 25.2% are Audit Seniors/ Supervisors. These three highest positional levels combined represent 74.5% of respondents. Members of the Audit Staff comprise 18.2% of the respondents and Others 7.3%. As indicated in Table 3-5, the Other respondents have as many credentials or more credentials as those respondents who identify themselves as Audit Seniors/Supervisors or Audit Staff.
Figure 3-1 Staff Level All Respondents (8,935) in Percentages
Audit Staff 18.2%
Other 7.3%
Chief Audit Executive 26.5% Audit Senior/ Supervisor 25.2% Audit Manager 22.8%
The Institute of Internal Auditors Research Foundation
64 A Global Summary of the Common Body of Knowledge 2006 ______________________
IIA Membership Figure 3-2 shows that 58.6% of the respondents became members of The IIA within the last 5 years, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or more years. This relatively high number of new members can be linked to the surge in importance of the profession. In June 2003, IIA membership was 82,645. It grew to 127,735 in September 2006, a 54% increase in three years. D.L. Clemmons noted in The IIA’s November 2006 edition of IIA Insight that, “Since 2005 The IIA’s strategic objectives have been to raise the profile of internal auditing and The IIA itself through strong advocacy efforts, globalization, and service to members...membership has risen 20 percent.” Although distribution of the original survey instrument was only to IIA members, 6.9% of the respondents indicated they are not members of The IIA.
Figure 3-2 Number of Years as a Member of The IIA All Respondents (8,874) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 65
Table 3-1 indicates that more than three-fourths (76.5%) of the Audit Staff respondents have been members of The IIA for 5 years or less. Forty-six point six percent of CAEs have been members for 5 years or less. Approximately one-fourth of the CAEs (24.3%) and Audit Managers (23.9%) and only 16.7% of the Other respondents have been IIA members for 6 to 10 years. One-fourth of CAEs (25.7%), 17.1 % of Audit Managers and 21.7% of the Other respondents have been members for 11 or more years.
Table 3-1 Number of Years as a Member of The IIA All Respondents in Percentages Number of Years
CAE Percent of 2,357 Respondents
Audit Audit Audit Staff Other Average Managers Senior/Supervisor Percent of Percent of Percent of Percent of Percent of 2,240 1,617 642 8,874 2,018 Respondents Respondents Respondents Total Respondents Responses
5 or less 6 to 10 11 or more Not a Member Total
46.6 24.3 25.7
53.2 23.9 17.1
65.2 19.8 8.4
76.5 7.6 3.3
51.8 16.7 21.7
58.6 19.5 15.0
3.4
5.8
6.6
12.6
9.8
6.9
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
66 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-1-1 provides an overview of the duration of IIA membership in each of the 13 groups. The number of relatively new IIA members (5 years or less) is higher than the overall average in groups 9 (83.5%), 7 (80.6%), 5 (74.8%), 12 (74.5%), 4 (72.5%), and 8 (72.4%). These groups may represent a large number of countries where the internal audit profession is relatively new. The number of respondents with a longer membership history in The IIA (6 years or more) are in groups 10 (51.4%), 2 (48.6%), 6 (43.9%), 1 (43.4%), and 3 (43.0%). These groups appear to represent countries where the internal audit profession is more established.
Table 3-1-1 Number of Years as a Member of The IIA by Groups* All Respondents in Percentages Years
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
5 or less 6 to 10 11 or more Not a Member Total
56.6 20.4 23.0
51.4 19.2 29.4
57.0 25.6 17.4
72.5 23.4 4.1
74.8 23.4 1.8
56.1 25.0 18.9
80.6 14.8 4.6
72.4 19.6 8.0
83.5 10.2 6.3
48.6 31.3 20.1
68.2 20.2 11.3
74.5 14.9 10.6
18.5 5.1 3.4
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.4
0.0
73.0
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 67
Age of the Respondents Figure 3-3 provides an overview of the age of the survey respondents. The figure indicates that 34.8% of the survey respondents are between the ages of 35 and 44, 27.8% are between 26 and 34 years old, and 24.2% are between 45 and 54 years old. Only 9.3% are 55-64 years old, 3.5% are 25 years old or under, and as seen in Figure 3-3, 0.4% are older than 64.
Figure 3-3 Age of Respondents All Respondents (7,356) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
68 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-2 breaks down the respondents’ age information into the 5 categories of survey respondents. Based on this information, a positive relationship between the respondent’s age and position in the IAA can be ascertained. More than half of the audit staff (52.4%) is younger than 35 years old, while slightly more than half of the CAEs (50.4%) are older than 44 years old. The largest percentage of Audit Managers (41.5%) are between 35 and 44 years old.
Table 3-2 Age of Respondents All Respondents in Percentages Number of Years
CAE Percent of 1,944 Respondents
Audit Manager Percent of 1,653 Respondents
Audit Senior/ Audit Staff Supervisor Percent of Percent of 1,376 1,848 Respondents Respondents
25 or less 26 to 34 35 to 44 45 to 54 55 to 64 65 or more Total
0.4 11.0 38.2 34.5 15.1 0.8
0.5 25.8 41.5 23.6 8.5 0.1
3.3 39.2 32.1 18.9 6.2 0.3
100.0
100.0
100.0
Other Percent of 535 Respondents
Average Percent of 7,356 Total Responses
11.2 41.2 26.4 16.3 4.8 0.1
4.7 20.2 33.8 27.3 12.5 1.5
3.5 27.8 34.8 24.2 9.3 0.4
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 69
Table 3-2-1 specifies the average age of the respondents in each of the 13 groups. Group 9 consists of relatively young respondents (35.2 years on average). Group 10 consists of relatively older respondents (46.1 years on average). This compares with the overall average age for all survey respondents of 40.5 years.
Table 3-2-1 Average Age of Respondents by Group* All Respondents in Percentages Group*
Average Age of the Respondents
1 2 3 4 5 6 7 8 9 10 11 12 N/C** Total
41.6 42.9 37.4 39.9 38.2 42.6 39.9 40.8 35.2 46.1 38.8 37.3 39.8 40.5
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
70 A Global Summary of the Common Body of Knowledge 2006 ______________________
Highest Level of Formal Education The survey asked about the educational background of the respondents. Figure 3-4 shows the highest level of formal education indicated by the respondents. Of the respondents, 38.1% have obtained their bachelor’s degree in business, and 28.9% have obtained a master’s degree in business. Fourteen point three percent have a bachelor’s degree in a non-business subject and 9.4% have a master’s degree in a non-business field.
Figure 3-4 Respondents’ Highest Level of Education All Respondents (8,920) in Percentages
Diploma in Business
Doctoral Degree
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 71
2.4
9.0
32.8
12.1
36.1
5.1
2.1 100.0
1.5
9.7
30.9
14.0
37.7
4.1
2.8 100.0
0.6
9.5
27.4
15.4
40.3
4.0
4.2 100.0
0.9
9.4
21.4
16.8
40.3
7.0
1.5 100.0
3.4
9.7
33.4
13.1
33.3
5.6
2.7 100.0
1.6
9.4
28.9
14.3
38.1
5.0
Audit Audit Senior/ Audit Staff Other Average Managers Supervisor Percent of Percent of Percent of Percent of Percent of 1,623 649 8,920 2,029 2,249 Respondents Respondents Total Respondents Respondents Responses
2.5 100.0
CAE Percent of 2,370 Respondents
Table 3-3 Respondents’ Highest Level of Education All Respondents in Percentages
Table 3-3 presents an overview of the highest level of education for each of the 5 categories of respondents surveyed. There appears to be no pronounced relationship between the respondents’ highest level of education and their current position in the IAA. It also appears that for most respondents, a bachelor’s degree or comparable level of education is necessary to enter the profession.
Level of Education
Secondary/ High School Bachelor’s/ Business Bachelor’s/ Not Business Major Master’s/ Graduate/ Diploma in Business Master’s/ Graduate/ Diploma in Other Fields Doctoral Degree Other Total
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
Table 3-3-1 Highest Level of Formal Education by Group* All Respondents in Percentages Level of Education
1
Secondary/High 1.8 School Bachelor’s/ 49.3 Business Bachelor’s/Not 13.0 Business Major Master’s/Graduate/ 28.8 Diploma in Business Master’s/Graduate/ 5.3 Diploma in Other Fields Doctoral Degree 0.9 Other 0.9 Total 100.0
2
3
4
5
6
7
8
9
10
11
12
N/C**
4.7
11.2
1.9
13.9
7.2
0.4
10.3
1.5
6.9
1.2
0.0
5.5
41.5
33.8
56.3
11.5
15.5
33.6
31.6
26.7
22.8
23.2
41.7
35.3
13.6
16.6
14.1
4.6
3.7
26.3
16.5
31.3
8.3
20.3
12.5
17.4
28.5
24.7
19.3
40.9
48.3
21.8
27.7
23.7
44.7
34.2
41.6
20.1
8.4
7.0
5.4
20.6
14.2
14.2
10.8
15.3
12.4
12.6
2.1
13.8
0.5 2.8 100.0
0.8 5.9 100.0
0.8 2.2 100.0
3.6 4.9 100.0
7.0 4.1 100.0
0.8 1.9 2.9 1.2 100.0 100.0
1.5 0.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
1.4 1.6 0.0 1.4 3.5 6.9 2.1 6.5 100.0 100.0 100.0 100.0
72 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-3-1 provides the educational profile of the respondents in each of the 13 groups. Several differences among the groups can be highlighted. Bachelor’s degrees in business seem to be dominant in group 4 (56.3%), while master’s degrees in business are more prevalent in groups 6 (48.3%), 10 (44.7%), and 5 (40.9%). Group 12, with 83.3% of respondents and group 1 with 78.1% of those responding have either a bachelor’s or master’s degree in business. Group 9 is the only group to have less than 50.5% of respondents with a degree (bachelor’s or master’s) in business.
_____________________________________________ Chapter 3: Survey Demographics 73
Academic Major(s) Figure 3-5 lists the top six academic concentrations/majors indicated by survey respondents. Accounting is the most popular academic major (55.8%) followed by general business/management (27 %), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%).
Figure 3-5 Top Six Academic Majors All Respondents in Percentages
Percentage of Respondents Note: Since respondents were able to select all the majors that apply, percentages may not add up to 100%.
Table 3-4 on the following page provides additional information about respondents’ academic majors by staff level. A higher percentage of the CAEs (60.0%) and Audit Managers (59.9%) have accounting as a major than members of the Audit Staff (45.0%). Auditing as a major is more common for Audit Managers (22.1%) and CAEs (19.8%) than for the Audit Staff (12.5%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 59.9 3.5 22.1 4.8 19.3 2.7 24.3 26.0
10.1 14.9 6.2 5.6 2.9
2.2
60.0 3.5 19.8 4.1 24.3 3.6 25.6 29.4
7.1 12.7 6.8 5.4 3.4
2.6
2.4
3.0
6.0 5.5
13.2
9.8
17.9 4.3 24.2 26.6
17.9 4.7
55.1 3.2
3.5
3.5
6.6 4.7
11.3
7.7
16.5 3.7 19.5 25.7
12.5 4.2
45.0 4.6
1.2
2.8
6.9 5.4
11.4
9.8
20.9 3.5 24.9 26.6
16.9 4.1
57.5 4.8
CAE Audit Audit Audit Staff* Other* Percent of 2,374 Managers* Senior/ Percent of 1,626 Percent of 651 Respondents Percent of 2,033 Supervisor* Respondents Respondents Respondents Percent of 2,251 Respondents
* Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Accounting Arts or Humanities Auditing Computer Science Economics Engineering Finance General Business/ Management Information Systems Internal Auditing Law Mathematics/ Statistics Science or Technical Field No Degree
Major
Table 3-4 Academic Major(s) All Respondents in Percentages*
2.5
3.1
6.5 5.3
12.7
8.9
19.9 3.6 23.8 27.0
17.8 4.4
55.8 3.9
Average Percent of 8,935 Total* Responses
74 A Global Summary of the Common Body of Knowledge 2006 ______________________
_____________________________________________ Chapter 3: Survey Demographics 75
Table 3-4-1 shows the rankings of the top five academic majors for the groups. Accounting is the most prevalent major in most groups, except for group 9 (2nd place), group 5 (3rd place), and group 8 (3rd place). In six of the groups, a general business/management major is second. The importance of a finance major varies among the groups. Three majors, accounting, general business/ management, and finance, appear in the top 5 of all groups. Auditing appears in the rankings of 11 of the groups. Despite the importance of technology, data management systems, and the accepted use of computer auditing, a major in information systems only appears in the top 5 of group 1 (5th place).
Table 3-4-1 Rankings of theTop Five Academic Major(s) by Group* All Respondents Major Accounting Auditing Economics Finance General Business/ Management Information Systems Internal Auditing
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1
1 4 3 5 2
1 2
1 5 4 3 2
3
1 4 3 5 2
1 2
3 5 1 4 2
2 5 1 3 4
1 5 3 4 2
1 3
1 4 5 2 3
1 2 5 3 4
4 3 2
4 5
1 2 4
5 4
2 4
5 3
5
3
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
5
76 A Global Summary of the Common Body of Knowledge 2006 ______________________
Professional Qualifications There are many professional organizations that have qualifying tests and certifications for individuals employed in accounting and auditing. Survey respondents were asked about their own qualifications and CAEs were asked about certification held by employees in their departments. The top five areas of respondents’ professional certification are shown in Figure 3-6. More than one-third (39.4%) of the respondents have a specific certification in internal auditing and about one-fourth (26.7%) of the respondents have a certification in public accounting/chartered accountancy. Internal auditing and public accounting are the most common areas for professional certification. A much smaller number of respondents have certifications in information systems auditing (10.2%), management/general accounting (5.4%), and fraud examination (5.3%).
Figure 3-6 Top Five Areas of Professional Certification(s) All Respondents in Percentages*
Fraud Examination
Percentage of Respondents *Since respondents were able to select all the certifications that apply, percentages may not add up to 100%.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 46.4 12.6 3.1 5.0 32.7
6.0
2.9 5.6
11.0 5.1 4.8 38.3
6.2
2.1 7.6
4.8
2.5
3.6
23.0
3.6
4.3
10.5
38.9
2.2
2.9
3.6
11.0
2.0
2.7
4.6
26.8
6.1
3.4
7.8
28.7
5.2
3.5
12.4
44.2
5.3
2.8
5.4
26.7
4.1
3.7
10.2
39.4
Audit Audit Senior/ Audit Staff* Other* Average Managers* Supervisor* Percent of Percent of Percent of Percent of Percent of 1,625 651 8,934 2,033 2,251 Respondents Respondents Total* Respondents Respondents Responses
40.6
CAE Percent of 2,374 Respondents
* Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Internal Auditing (such as CIA/ MIIA/PIIA) Information Systems Auditing (such as CISA/QiCA/CISM) Government Auditing/Finance (such as CIPFA/CGAP/CGFM) Control Self-assessment (such as CCSA) Public Accounting/Chartered Accountancy (such as CA/CPA /ACCA/ACA) Management/General Accounting (such as CMA/ CIMA/CGA) Accounting - Technician Level (such as CAT/AAT) Fraud Examination (such as CFE)
Type of Professional Qualification
Table 3-5 Professional Qualification(s) All Respondents in Percentages*
Table 3-5 provides specifics about the professional qualifications of the 5 categories of respondents. Internal auditing is the most common certification for respondents in all 5 categories followed by public accounting/chartered accountancy certification. The possession of additional qualifications appears more common as individuals progress professionally in the IAA. For example, more CAEs (40.6%) and Audit Managers (46.4%) have an internal auditing certification than members of the Audit Staff (26.8%).
_____________________________________________ Chapter 3: Survey Demographics 77
3.7 2.0 0.4
4.2 0.8
0.3
1.2
3.1
0.4
0.5
1.3
1.7
1.1
0.4
0.7
1.8
2.7
Audit Audit Senior/ Audit Staff* Other* Average Managers* Supervisor* Percent of Percent of Percent of Percent of Percent of 1,625 651 8,934 2,033 2,251 Respondents Respondents Total* Respondents Respondents Responses
5.0
CAE Percent of 2,374 Respondents
* Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Financial Services Auditing (such as CFSA/CIDA/CBA) Fellowship (such as FCA/ FCCA/FCMA) Certified Financial Analyst (such as CFA)
Type of Professional Qualification
Table 3-5 Professional Qualification(s) All Respondents in Percentages*
78 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 79
Table 3-5-1 presents the rankings of the top five areas of professional qualifications for the groups. In only 2 of the groups (groups 7 and 11) is certification in public accounting/chartered accountancy more prevalent than internal auditing certification. The importance of certification in the areas of internal auditing (1st place), public accounting (2nd place), and information systems auditing (3rd place) is consistent for 75% of the groups.
Table 3-5-1 Rankings of the Top Five Professional Qualifications by Group* All Respondents Qualifications Internal Auditing (such as CIA/MIIA/PIIA) Information Systems Auditing (such as CISA/QiCA/CISM) Government Auditing/ Finance (such as CIPFA/CGAP/CGFM) Control Self-assessment (such as CCSA Public Accounting/ Chartered Accountancy (such as CA/CPA/ ACCA/ACA) Management/General Accounting (such as CMA/CIMA/CGA) Accounting Technician Level (such as CAT/AAT) Fraud Examination (such as CFE) Financial Services Auditing (such as CFSA/CIDA/CBA) Fellowship (such as FCA/FCCA/FCMA)
1
2
3
4
5
6
7
8
9
10
11
1
1
1
1
1
1
2
1
1
1
2
1
1
3
3
3
3
5
3
4
5
3
2
3
3
5
3
2
2
4
4
2
2
4
5
5
4
3
2
2
1
4
5
5
4
4
5 2
2
3
1
4
5
4
5
3
5
12 N/C**
2
2
4
3
4
5
5
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
4
80 A Global Summary of the Common Body of Knowledge 2006 ______________________
Areas of Professional Experience Table 3-6 lists the respondents’ average years of experience by business area. This data was cross-tabulated with the respondents’ current business sector.
Table 3-6 Total Years of Professional Experience by Sector All Respondents Average Responses Type of Experience
Accounting Engineering External (Independent) Auditing Finance Information Technology Internal Auditing Management Other Professional Experience
Service Provider
Private Company
Publicly Listed Company
Governmental
Not-forProfit
5.6 2.3 5.4
6.0 3.7 4.5
5.5 2.8 3.1
5.9 3.6 5.6
3.6 0.3 1.1
5.3 2.5 3.9
4.7 4.4
5.1 5.3
5.1 5.5
4.7 4.4
2.2 1.7
4.4 4.3
5.4 5.2 4.2
6.4 6.1 5.3
6.7 6.0 4.8
7.2 6.4 6.2
4.9 3.4 3.8
6.1 5.4 4.9
The five areas in which respondents have the most business experience are: • • • • •
Overall Average Response
Internal auditing (6.1 years). Management (5.4 years). Accounting (5.3 years). Other professional experience (4.9 years). Finance (4.4 years).
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 81
This pattern is consistent for those currently employed by service providers, private companies, publicly listed companies, and governments. Service providers work on a contractual basis to assist organizations with assurance and consulting engagements. The not-for-profit sector respondents indicate less overall work experience. In Appendix 3, Tables 3-6-1-A to 3-6-5-A provide an overview of the types of work experience for each of the 5 categories of respondents tabulated by their current employer’s business sector. While Table 3-6-1-A shows the same top five types of professional experience for CAEs as the overall average for all respondents in Table 3-6, CAEs have relatively more experience in each of the business areas. For members of the Audit Staff, Table 3-6-4-A shows a different ranking for the top five types of experience than the overall average for all respondents in Table 3-6. Audit Staff members appear to have the most experience in professional areas other than those specified on the survey list. For the Audit Staff, accounting is the second most common area of experience and internal auditing and management are tied for third. The respondents classified as Other in Table 3-6-5-A have significant years of experience in accounting, internal auditing, and management. Other professional experience is also common for these individuals. Such high levels of experience provides support that those respondents classified as “Other” are qualified individuals working in less traditional environments.
Years of Existence of IAA and Years of CAE Experience Figure 3-7 on the following page lists the number of years the respondents’ IAAs have been in existence. The largest numbers of respondents work for IAAs that have been in existence for 05 years (28.4%) and another 21% of the respondents work for IAAs that have been in existence for 6-10 years. A total of 13.8% of respondent’s organizations have IAAs that have been in existence for 31 or more years. This is a positive development for internal auditing as it shows that growth has accelerated in the past 10 years. Given the corporate governance issues and regulatory developments in recent years, this could be a reflection of the recognition by organizations and their boards of the need for internal audit.
The Institute of Internal Auditors Research Foundation
82 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 3-7 Number of Years the IAA Has Existed in the Organization All Respondents (7,747) in Percentages 41+ Years 8.1% 0-5 Years 28.4%
31-40 Years 5.7%
21-30 Years 14.1%
6-10 Years 21.0%
11-20 Years 22.7%
A young department does not necessarily equate to an unskilled or weak department. Newer IAAs may employ more experienced CAEs who start an audit activity based on their prior experiences and knowledge. Table 3-7 provides the number of years respondent organizations have had IAAs by groups. In group 5, respondents indicate that 60.5% of their IAAs are 0-5 years old and another 22.5% are 610 years old. Respondents in the other groups indicate between 20% - 33.9% of the IAAs are between 0-5 years old and an additional 16.1% - 33.1% indicate their IAAs are between 6-10 years old. A review of the countries in each group and historical events explain some of these differences since in some areas of the world, economies are more developed than others. In Appendix 3, Table 3-7-1-A shows the number of years respondent organizations have had IAAs by industry.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 83
Table 3-7 Number of Years the IAA Has Existed by Groups* All Respondents in Percentages
Group
Respondents
More than 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50 Years Years Years Years Years Years Years Years Years Years Years Total
1
3,025
23.8
16.1
10.9
12.6
9.2
8.9
3.1
4.8
.7
4.5
5.4
100.0
2
188
26.1
20.7
17.0
13.3
5.9
6.9
2.7
2.7
1.1
1.1
2.5
100.0
3
636
25.8
26.6
11.9
10.2
5.8
7.1
2.7
1.9
.5
4.2
3.3
100.0
4
347
25.6
33.1
15.9
13.3
3.2
3.5
1.2
2.0
.6
.8
.8
100.0
5
550
60.5
22.5
8.0
2.7
1.5
1.3
.0
1.1
.2
1.3
.9
100.0
6
423
23.6
18.0
10.4
7.6
8.0
11.6
3.1
2.6
.9
5.2
9.0
100.0
7
467
23.1
20.3
13.1
9.9
8.4
11.8
2.8
3.2
.6
2.6
4.2
100.0
8
910
32.7
25.3
14.3
11.1
5.5
3.7
1.9
1.3
.2
1.3
2.7
100.0 100.0
9
118
33.9
29.7
15.3
7.6
5.1
.8
.0
.0
.8
3.4
3.4
10
125
22.4
25.6
11.2
8.0
6.4
4.8
3.2
6.4
.0
3.2
8.8
100.0
11
226
28.8
24.3
11.9
10.2
5.8
8.4
1.3
4.0
.9
2.2
2.2
100.0
12
40
20.0
27.5
10.0
10.0
5.0
12.5
2.5
.0
7.5
2.5
2.5
100.0
N/C**
692
27.6
23.3
11.6
13.0
4.8
7.4
1.4
3.6
.6
3.3
3.4
100.0
Overall 7,747 Respondents in Category Overall Percent in Category
2,194
1,628
914
847
529
566
181
255
48
257
328
28.4
21.0
11.8
10.9
6.8
7.3
2.4
3.3
.6
3.3
4.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
100.0
84 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 3-8 summarizes the respondents’ years of experience as CAEs. More than half (56%) indicated they have been a CAE for 5 years or less, 25% of CAE respondents have between 6 and 10 years of CAE experience, and 19% of CAE respondents have more than 10 years of experience in this position.
Figure 3-8 Years of Experience as a CAE CAE Respondents in Percentages
16 to 20 Years 6%
21 or More Years 3%
11 to 15 Years 10% 5 Years or Less 56% 6 to 10 Years 25%
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 85
Figure 3-9 lists the average years of work experience for CAEs by groups. The overall average number of years of experience as a CAE is 6.6 years. The CAEs in groups 5 (4.5 years) and 12 (4.7 years) have less experience as a CAE than their peers. The CAEs in groups 6 (8.2 years), 10 (8.1 years), and 11 (8.1 years) have relatively more experience as a CAE than the overall average.
Figure 3-9 Average Years of Experience as a CAE by Groups* CAE Respondents
Average Years of Experience *For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
86 A Global Summary of the Common Body of Knowledge 2006 ______________________
Types of Organizations As indicated in Figure 3-10, when asked about their current employers, 38% of all respondents indicate that they work for a publicly traded (listed) company, while 19.5% work for a privately held (non-listed) company. Twenty-three percent of all respondents currently work in the public sector and 10.5% work for a service provider or as a consultant. Internal auditing is performed by members of the IAA as well as by external service providers and consultants.
Figure 3-10 Types of Organizations All Participants (8,848) in Percentages
Service Provider / Consultant
10.5%
Publicly Traded (Listed) Company
38.0%
Privately Held (Non-listed) Company
19.5% 23.0%
Public Sector / Government Not-for-Profit Organization Other
6.2% 2.8% 0% 5% 10% 15% 20% 25% 30% 35% 40% Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 87
While Table 3-8 shows that sector representation is relatively consistent for all 5 categories of respondents, only 44.5% of the Other respondents work in traditional public or private companies. Publicly traded and private (non-listed) employers tend to represent approximately 53% to 60% of the other four categories. The Other four respondent categories have the highest percentage (17.3%) of respondents working for service providers. This is approximately double that of CAEs, Senior/Supervisors, and Audit Staff members.
Table 3-8 Types of Organizations All Respondents in Percentages Type of Organization
CAE Percent of 2,356 Respondents
Audit Managers Percent of 2,016 Respondents
Audit Audit Staff Other Overall Senior/ Percent of Percent of Average Supervisor 1,608 637 of Percent of Percent of Respondents Respondents 8,848 2,231 Total Respondents Responses
Service Provider/ Consultant Publicly Traded (Listed) Company Privately Held (Non-listed) Company Public Sector/ Government Not-for-Profit Organization Other Total
8.8
13.5
9.2
8.3
17.3
10.5
34.9
42.2
40.7
37.1
29.7
38.0
24.9
18.3
18.4
16.2
14.8
19.5
21.9
18.5
23.7
30.3
20.6
23.0
7.1
5.4
6.3
5.2
7.1
6.2
2.4 100.0
2.1 100.0
1.7 100.0
2.9 100.0
10.5 100.0
2.8 100.0
The Institute of Internal Auditors Research Foundation
88 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-8-1 summarizes information about the types of organizations represented within the groups. Compared to the overall average of respondents working for service providers/consultants (shown in Table 3-8 as 10.5%), group 4 (4.1%) is well below the overall average and group 11 (18.3%) is significantly above the overall average. Publicly traded company representation is considerably below the overall average of 38% in group 2 (24.9%), while much above the overall average in groups 4 (68.8%) and 11 (49.3%). Privately held company representation is greatly above the overall average of 19.5% in groups 9 (38.1%) and 8 (30.8%). Compared to the public sector overall average of 23%, groups 4 (4.4%), 9 (10.3%), and 11 (12.9%) are much lower, and groups 2 (42.7%), 10 (35.4%), and 3 (35.3%) are well above the overall average. Not-for-profit organizations are represented significantly below the overall average of 6.2% in groups 5 (1.9%) and 10 (2.1%), but much above the overall average in group 12 (17.0%).
Table 3-8-1 Types of Organizations by Group* All Respondents in Percentages Type of Organization
1
2
3
4
5
6
8
9
Service Provider/ Consultant Publicly Traded (Listed) Company Privately Held (Non-listed) Company Public Sector/ Government Not-for-Profit Organization Other Total
10.0
12.2
13.8
4.1
11.8
12.0 11.9
9.5
7.1
8.3 18.3 10.6
9.4
41.6
24.9
31.3
68.8
27.4
35.5 28.6 37.5 31.8
36.1 49.3 27.7
31.8
14.8
11.3
12.0
16.9
23.5
25.6 28.7 30.8 38.1
14.6 13.7 19.2
23.9
22.7
42.7
35.3
4.4
31.3
19.9 20.4 17.6 10.3
35.4 12.9 23.4
23.2
8.9
7.0
4.4
3.3
1.9
5.7
7
5.6
3.4
3.2
10
2.1
11
12
3.3 17.0
N/C**
5.3
2.0 1.9 3.2 2.5 4.1 1.3 4.8 1.2 9.5 3.5 2.5 2.1 6.4 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 89
Service Providers of Internal Audit Services Internal auditing is performed by members of the IAA as well as by external service providers. As shown in Figure 3-11, 14% of the survey respondents provide internal audit services to client organizations. As some respondents did not answer all the questions, this percentage is close to but not totally consistent with Figure 3-10, which indicates that 10.5% of respondents work for a service provider or consulting company.
Figure 3-11 Service Provider of Internal Audit Services All Respondents (8,774) in Percentages Service Provider 14.0%
In-house Internal Audit Activity 86.0%
The Institute of Internal Auditors Research Foundation
90 A Global Summary of the Common Body of Knowledge 2006 ______________________
Age of Organizations Table 3-9 reports on how long respondents’ organizations have been in existence. A separate correlation test performed by the researchers confirmed that there is a relationship between how long an organization has been in existence and how long the organization has had an IAA.
Table 3-9 Number of Years Organizations Have Existed All Respondents in Percentages Number of Years
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More than 50 years Total
Total Responses
Percentage of Total Respondents
590 856 648 496 321 442 299 355 165 461 3,532 8,165
7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0
In Appendix 3, Table 3-9-1-A lists the number of years the respondents’ organizations have existed by group. Groups 1, 2, 6, and 10 have a large number of respondents (43.5% - 59.3%) working in organizations that are more than 50 years old. Groups 4, 5, and 11 have respondents whose organizations have greater than 24% of their organizations (24.1% - 29.4%) that are less than 11 years old. Respondents for group 12 indicate that none of their employer organizations are over 70 years old.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 91
Industry Classification(s) The survey population covers a broad range of industries. Since the respondents were asked to select all industries that applied to their organization, the total of the industries selected is greater than 100%. Figure 3-12 on the following page classifies survey respondents by the industry in which they work. The top 10 industries indicated by respondents are: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Banking/Financial Services/Credit Union (24.5%). Other (13.9%). Manufacturing (13.4%). Financial, Accounting, and/or Business Services (11.1%). Insurance (9.3%). Utilities (7.9%). Education (7.0%). Communication/Telecommunication (7.0%). Healthcare (6.4). Retail/Wholesale (6.2%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
Percentage of Respondents *Respondents were able to select all the classifications that apply, resulting in a total greater than 100%.
92 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 3-12 Industry Classification All Respondents (8,934) in Percentages*
_____________________________________________ Chapter 3: Survey Demographics 93
Table 3-10 indicates that this pattern is basically consistent for all 5 categories of respondents.
Table 3-10 Industry Classification All Respondents in Percentages Industry Classification
Agricultural/ Forestry Banking/ Financial Services/ Credit Union Building and Construction Communication/ Telecommunication Consumer Goods Education Financial, Accounting, and/or Business Services Healthcare Hospitality/ Leisure/Tourism Insurance Manufacturing Mining and Oil Nonprofessional Services
CAE* Percent of 2,374 Respondents
Audit Audit Senior/ Audit Staff* Other* Average Manager* Supervisor* Percent of Percent of Percent of Percent of Percent of 1,625 651 8,934 2,033 2,251 Respondents Respondents Total Respondents Respondents Responses*
2.9
3.0
2.7
2.7
3.8
3.0
25.3
25.3
24.8
26.5
20.6
24.5
5.4
5.3
3.8
3.1
3.4
4.2
6.8
9.0
6.6
6.5
6.0
7.0
5.6
6.5
4.1
3.1
4.6
4.8
8.1 7.8
5.3 10.1
5.0 10.2
5.0 10.3
11.7 17.2
7.0 11.1
6.4 4.3
7.7 4.6
6.3 2.6
5.4 2.5
6.0 2.9
6.4 3.4
9.2 14.3 4.5 1.0
10.3 14.4 5.0 1.7
11.2 13.1 5.4 0.8
10.3 11.5 3.0 0.7
5.4 13.8 4.5 1.7
9.3 13.4 4.5 1.2
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
The Institute of Internal Auditors Research Foundation
94 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-10 (Cont.) Industry Classification All Respondents in Percentages Industry Classification
Pharmaceutical/ Chemical Professional Services Real Estate Retail/Wholesale Technology Trade Services Transport and Logistics Utilities Other
CAE* Percent of 2,374 Respondents
Audit Audit Senior/ Audit Staff* Other* Average Manager* Supervisor* Percent of Percent of Percent of Percent of Percent of 1,625 651 8,934 2,033 2,251 Respondents Respondents Total* Respondents Respondents Responses
3.4
3.7
2.5
1.9
3.1
2.9
4.7
4.9
3.6
3.2
5.8
4.4
4.0 6.7 5.5 2.6 7.0
4.1 8.8 6.1 2.7 5.9
2.8 6.4 4.3 1.6 5.3
2.4 4.3 3.9 1.3 5.5
2.5 4.6 5.2 1.7 4.8
3.2 6.2 5.0 2.0 5.7
7.5 14.2
8.4 12.1
8.3 12.5
7.6 14.8
7.8 16.1
7.9 13.9
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Table 3-10-1 provides an overview of the industry representation in each of the groups. The largest group of respondents overwhelmingly work in the manufacturing sector in groups 4 (46.8%) and 11 (31.3%). These are significantly larger percentages than the total respondents’ average for manufacturing of 13.4% shown in Figure 3-12. The banking/financial services/credit union sector is considerably above the total respondents’ average of 24.5% in groups 7 (37.9%) and 6 (36.7%) but considerably below the average in group 4 (9.1%). The education sector is well represented in group 2 (15.8%) which is well above the total respondents’ average of 7%. In groups 4 (3.8%) and 7 (5.3%), the financial, accounting, and/or business services industry is less prevalent than elsewhere when compared with the total respondents’ average of 11.1%. The insurance industry has much less representation in groups 11 (4.0%), 5 (4.9%), and 4 (5.9%) than the total respondents’ average of 9.3%. In groups 4 (2.2%) and 9 (3%), organizations with employees in the utilities sector is much lower than the average of 7.9% for all respondents.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 95
Table 3-10-1 Industry Classification by Group* All Respondents in Percentages Industry Classification
1
2
3
4
5
6
7
8
9
10
11
12 N/C**
Agricultural/ Forestry Banking/Financial Services/Credit Union Building and Construction Communication/ Telecommunication Consumer Goods Education Financial, Accounting, and/or Business Services Healthcare Hospitality/ Leisure/Tourism Insurance Manufacturing Mining and Oil Non-professional Services Pharmaceutical/ Chemical Professional Services Real Estate Retail/Wholesale Technology Trade Services Transport and Logistics Utilities Other
2.6
5.1
4.9
0.8
3.3
2.2
5.9
1.6
1.5
4.1
2.4
8.3
1.6
22.2
20.5
22.3
9.1 25.0
36.7
25.3 21.3 22.9
21.1
3.3
8.4
5.3
3.0
5.6
2.4
4.6
6.1
7.4
5.4
9.1
5.8
3.8 8.1 10.8
6.1 15.8 11.2
3.4 9.4 15.0
3.2 2.2 3.8
4.3 3.3 9.1
3.9 3.7 8.9
8.7 3.4
13.0 5.6
7.8 4.9
1.3 2.2
3.6 2.8
6.7 1.5
11.3 11.8 3.4 0.6
10.7 9.3 5.6 5.1
8.6 8.4 6.8 1.5
5.9 4.9 46.8 11.7 2.7 8.1 1.3 0.5
10.4 10.6 1.9 0.7
2.0
1.9
2.2
1.9
3.1
5.0
4.4
4.2
4.6
1.4
5.6
0.0
3.0
4.4
9.3
4.5
4.8
2.8
2.8
6.1
2.4
2.3
4.1
5.2
4.2
3.7
3.0 7.0 5.2 0.9 4.0
3.7 8.4 6.1 2.8 9.8
3.3 7.2 4.9 2.3 7.5
1.9 4.8 4.0 2.7 3.2
2.6 6.9 2.8 3.3 6.4
2.6 4.3 3.7 0.9 7.1
4.0 7.6 4.2 4.4 4.9
3.4 4.6 4.1 12.9 5.3 3.8 3.0 5.3 9.6 4.6
8.9 4.0 4.2 4.8 9.2 2.1 4.8 14.1 2.1 1.4 7.2 0.0 7.5 9.6 16.7
2.9 4.2 3.0 1.4 4.2
7.7 13.3
10.2 23.3
5.4 20.3
2.2 12.2 6.2 14.5
5.8 13.0
9.7 12.1 3.0 11.0 10.7 15.2
5.5 6.4 4.2 15.8 12.9 12.5
4.8 9.0
37.9 27.3 30.3
6.6
4.5
8.3
6.2 10.4
2.1
2.9
10.0 13.1
5.3
8.9 10.4 10.4
5.2
8.9 5.5 5.3
5.6 14.4 1.7 2.3 8.2 9.1
4.8 13.7 2.1 8.2 8.0 12.5 10.3 14.1 16.7
3.4 3.2 6.7
5.1 2.3
3.2 3.9
4.6 7.6
7.0 13.3 10.6 12.1 9.1 13.6 9.1 4.6 6.1 1.5 1.5 0.0
5.5 3.4
4.2 2.1
2.5 1.7
15.1 4.0 6.3 13.7 31.3 6.3 4.8 7.2 10.4 1.4 1.6 2.1
5.7 10.6 1.9 1.2
Note: Since respondents could mark all that apply, percentages may not add up to 100%. *For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
5.2 9.2
96 A Global Summary of the Common Body of Knowledge 2006 ______________________
Geographical Area Served by Organization Recognizing that companies compete differently, in part based on the locations they serve, data was collected on the geographical areas served by the respondents’ organizations. Their responses are shown in Figure 3-13. Of the respondents, 39.2% of the respondents indicate that their employer operates on an international/multinational scale, while 29.1% of employers operate on a national scale. The remaining 31.7% operate on a local, state/provincial, or regional basis.
Figure 3-13 Geographical Area Served by the Organization All Respondents (8,750) in Percentages
Percentage of Respondents
Table 3-11 indicates that the geographical regions served by the organizations employing the respondents are fairly consistent. Table 3-11-1 provides more detail on the geographical area served by the organizations for each of the 13 groups. Comparing these two tables, international/ multinational companies represent more than half of the respondents in groups 6 (58.6%) and 8 (53.4%) compared to the average percentage of 39.2% for all respondents. National companies seem to be more prevalent than the total average percentage of 29.1% in groups 10 (42.6%) and 12 (41.2%), while group 6 (19.7%) is well under the average percentage. Companies serving state/provincial regions are significantly above the average percentage response (10.9%) in group 2 (23.1%). The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 100.0
30.2 100.0
14.6 17.3 11.0 22.4 34.7 100.0
Local State/Provincial Regional National International/ Multinational Total 39.8 100.0
13.5 8.2 5.1 33.4
3
42.2 100.0
19.4 3.2 9.1 26.1
4
35.7 100.0
6.8 14.4 8.5 34.6
5
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate Affiliate or Chapter membership.
9.4 23.1 4.3 33.0
1*
Area
2
100.0
100.0
9.4 10.3 9.3 27.3 43.7
Audit Senior/ Supervisor Percent of 2,212 Respondents
100.0
11.1 11.9 8.2 32.9 35.9
58.6 100.0
4.8 7.9 9.0 19.7
6
46.2 100.0
7.2 1.9 7.8 36.9
7
53.4 100.0
2.3 0.8 6.0 37.5
8
7.4 2.5 12.3 37.7
9
45.3 100.0
5.0 4.3 2.8 42.6
10
100.0
16.6 11.6 8.7 28.4 34.7
13.0 2.2 4.6 41.2
12
36.0 100.0
13.2 6.6 9.3 34.9
N/C**
100.0
12.1 10.9 8.7 29.1 39.2
Average Percent of 8,750 Total Respondents
40.2 39.0 100.0 100.0
21.3 1.7 8.8 28.0
11
Other Percent of 620 Respondents
40.1 100.0
Audit Staff Percent of 1,588 Respondents
Table 3-11-1 Geographical Area Served by Group* All Respondents in Percentages
8.9 8.9 6.8 29.7 45.7
14.6 11.8 10.7 27.0 35.9
Local State/Provincial Regional National International/ Multinational Total
Audit Managers Percent of 2,004 Respondents
CAE Percent of 2,326 Respondents
Area
Table 3-11 Geographical Area Served by the Organization All Respondents in Percentages
_____________________________________________ Chapter 3: Survey Demographics 97
98 A Global Summary of the Common Body of Knowledge 2006 ______________________
References 1. Clemmons, D.L., “2006 A year of growth and change,” IIA Insight, Vol. 1/November 2006, p. 5.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 99
APPENDIX 3 Table 3-6-1-A Total Years of Professional Experience by Sector CAEs’ Average Responses Type of Experience
Service Provider
Private Company
Publicly Listed Company
Governmental
Not-forProfit
Average Response
Accounting Engineering External (Independent) Auditing Finance Information Technology Internal Auditing Management Other Professional Experience
7.3 5.0 7.1
6.9 4.9 6.2
6.8 3.8 4.4
6.9 4.6 7.5
4.5 1.0 1.8
6.5 3.9 5.4
6.1 5.8
6.8 6.1
6.8 4.9
6.1 4.2
2.7 3.5
5.7 4.9
6.9 6.9 5.2
8.1 7.5 6.7
8.3 7.2 5.4
8.9 8.2 6.7
7.1 5.2 4.4
7.9 7.0 5.7
Table 3-6-2-A Total Years of Professional Experience by Sector Audit Managers’ Average Response Type of Experience Accounting Engineering External (Independent) Auditing Finance Information Technology Internal Auditing Management Other Professional Experience
Service Provider
Private Company
Publicly Listed Company
Governmental
Not-forProfit
Average Response
6.0 1.9 4.9
6.2 3.3 4.8
5.7 3.5 3.0
5.7 4.7 5.4
4.0 0.5 1.0
5.5 2.8 3.8
4.7 4.4
5.0 5.8
4.7 7.1
4.6 5.8
1.7 1.8
4.1 5.0
5.9
7.4
7.8
8.0
4.8
6.8
5.0 3.4
6.1 4.7
6.5 4.7
6.2 6.9
3.9 3.6
5.5 4.7
The Institute of Internal Auditors Research Foundation
100 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-6-3-A Total Years of Professional Experience by Sector Audit Supervisors’/Seniors’ Average Response Type of Experience Accounting Engineering External (Independent) Auditing Finance Information Technology Internal Auditing Management Other Professional Experience
Service Provider
Private Company
Publicly Listed Company
Governmental
Not-forProfit
Average Response
4.7 1.8 4.1
5.0 4.6 3.5
4.6 3.7 3.2
5.6 3.7 4.7
2.7 0.3 1.3
4.5 2.8 3.4
4.2 4.6
3.7 5.0
4.2 5.7
4.0 4.1
1.8 1.7
3.6 4.2
3.3
5.4
5.5
6.9
4.2
5.1
4.5 3.2
5.1 4.7
4.7 4.8
6.0 4.3
2.1 3.3
4.5 4.1
Table 3-6-4-A Total Years of Professional Experience by Sector Audit Staffs’ Average Response Type of Experience Accounting Engineering External (Independent) Auditing Finance Information Technology Internal Auditing Management Other Professional Experience
Service Provider
Private Company
Publicly Listed Company
Governmental
Not-forProfit
Average Response
3.2 1.2 2.7
5.1 2.3 2.4
4.1 0.9 1.4
4.9 2.4 2.7
2.2 0.0 0.3
3.9 1.4 1.9
3.1 2.8
3.6 4.6
3.5 4.4
3.9 3.7
1.3 0.6
3.1 3.2
3.3
3.4
3.5
4.7
2.3
3.4
3.1 4.9
4.1 5.0
3.3 4.5
5.1 6.8
1.5 2.1
3.4 4.7
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 101
Table 3-6-5-A Total Years of Professional Experience by Sector Others’ Average Response Type of Experience Accounting Engineering External (Independent) Auditing Finance Information Technology Internal Auditing Management Other Professional Experience
Service Provider
Private Company
Publicly Listed Company
Governmental
Not-forProfit
Average Response
7.3 3.5 6.4
6.8 3.3 3.1
5.5 2.7 3.1
6.9 2.5 7.1
6.2 0 1.1
6.5 2.4 4.2
6.1 4.4
6.5 4.7
5.6 5.1
4.6 4.6
4.4 1.5
5.4 4.1
5.4
7.0
7.0
6.3
4.8
6.1
5.7 4.6
6.9 4.7
6.4 4.8
5.4 6.5
4.8 7.8
5.8 5.7
The Institute of Internal Auditors Research Foundation
Number of Respondents Agricultural/Forestry Banking/Financial Services/Credit Union Building and Construction Communication and Telecommunications Consumer Goods Education Financial, Accounting, or Business Services Healthcare Hospitality/Leisure/Tourism Insurance Manufacturing Mining and Oil Non-professional Services Pharmaceutical/Chemical Professional Services Real Estate Retail/Wholesale Technology Trade Services Transport and Logistics Utilities Other 5.4 4.9 12.4 14.0 4.2 1.4 2,7 4.3 3.5 6.3 4.5 1.9 6.5 7.8 13.9
7.9 3.6 7.4 16.1 5.5 1.1 3.6 4.6 4.3 7.2 5.9 2.4 6.8 8.7 15.0
7.0 5.0 8.5 16.0 3.9 .7 2.9 5.4 2.8 7.2 5.9 2.9 7.0 5.8 13.1
914 3.1 26.7 4.5 7.4 4.8 6.3 9.8
2,191 1,628 2.6 3.1 17.4 21..9 5.8 4.8 8.8 9.4 5.8 5.8 5.1 5.8 10.2 10.4 6.7 3.2 12.3 13.1 5.8 1.4 3.3 3.4 3.8 5.9 5.0 1.8 5.0 7.4 12.6
847 2.2 27.3 5.1 5.4 5.3 7.7 7.8 4.7 1.7 11.7 8.5 3.2 .8 1.7 2.3 2.3 4.5 2.5 .9 4.3 7.0 11.2
529 1.9 27.8 1.7 6.2 2.5 6.4 7.9 5.7 1.9 10.4 8.3 5.7 .5 1.9 3.4 1.9 5.3 4.1 1.2 6.0 9.9 12.2
566 3.5 32.7 3.4 4.6 2.3 7.4 9.2 5.0 .6 7.7 9.4 1.1 1.7 3.9 2.2 2.2 3.3 3.3 2.2 6.6 8.8 14.9
181 2.8 26.5 2.2 6.6 3.3 9.9 9.4 5.5 3.5 12.2 12.9 3.9 1.2 4.3 3.1 4.3 11.0 4.7 2.7 7.1 10.6 10.6
255 3.5 34.9 5.5 6.7 5.5 9.0 9.8 2.1 2.1 6.3 8.3 6.3 4.2 2.1 0.0 4.2 12.5 0.0 0.0 2.1 8.3 10.4
48 4.2 41.7 6.3 0.0 2.1 8.3 6.3
4.3 1.6 8.9 12.8 4.3 .4 2.3 2.7 1.6 5.8 3.5 .8 4.7 13.2 8.9
257 3.5 37.7 3.1 3.5 3.5 5.4 8.9
5.2 1.8 10.7 11.6 2.4 1.2 2.7 3.0 3.0 8.5 5.8 2.1 3.4 9.5 11.9
328 2.4 44.5 3.4 4.9 4.3 4.0 9.8
0-5 6-10 11-15 16-20 21 -25 26-30 31-35 36-40 41-45 46-50 More Years Years Years Years Years Years Years Years Years Years than 50 Years
Table 3-7-1-A Number of Years the IAA Has Existed by Industry All Respondents in Percentages
102 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 103
Table 3-9-1-A Number of Years Organizations Have Existed by Groups* All Respondents in Percentages Group
1 2 3 4 5 6 7 8 9 10 11 12 N/C** Total/ Overall Respondents in Category Overall Percent in Category
Respondents
3,241 189 648 354 552 434 504 954 125 135 228 39 762 8,165
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More Total Years Years Years Years Years Years Years Years Years Years t h a n 50 Years
4.4 8.5 8.3 11.6 12.0 4.8 6.0 11.3 8.0 6.7 11.4 5.1 8.7 590
6.8 4.7 11.1 3.7 13.1 9.3 17.8 9.9 17.4 24.8 8.5 6.0 14.1 10.3 10.6 7.0 9.6 7.2 6.7 3.7 12.7 10.1 10.3 7.7 14.3 9.4 856 648
7.2 10.5
7.9
4.8 3.9 6.3 3.7 5.9 5.4 12.7 3.4 6.7 2.2 2.5 1.8 5.0 4.0 6.2 3.6 13.6 11.2 4.4 3.0 11.0 8.3 10.3 5.1 7.9 3.5 496 321
6.1
3.9
5.0 6.9 5.1 9.0 3.1 4.4 6.7 5.8 3.2 3.7 6.1 15.4 6.2 442
3.7 4.2 3.1 5.9 2.2 2.5 5.0 2.5 7.2 5.2 5.7 10.3 3.1 299
4.8 2.6 5.2 5.1 3.1 3.7 3.4 4.8 1.6 1.5 6.1 10.3 3.3 355
1.7 2.1 1.4 4.0 1.1 .9 3.6 1.5 5.6 3.7 4.8 7.7 1.8 165
5.7 7.4 5.7 3.7 4.3 8.5 6.5 5.6 8.0 2.2 4.8 0.0 5.4 461
5.4
3.7
4.3
2.0
5.6
*For a list of affiliate groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
54.5 43.5 37.5 16.9 23.1 56.4 35.4 41.1 24.8 59.2 18.8 17.8 36.4 3532
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
43.4 100.0
104 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 4
Chapter 4: The Professional Practices Framework ............................................................. 105 Introduction......................................................................................................................... 105 CBOK 2006 Survey Questions Related to the Standards................................................... 107 Use of the Standards in Whole or in Part ........................................................................... 108 Compliance with the Standards .......................................................................................... 110 Adequacy of the Guidance Provided by the Standards ...................................................... 115 Use of and Adequacy of the Guidance Provided by the Practice Advisories ..................... 118 Reasons for Not Complying with the Standards ................................................................ 121 Quality Assurance and Improvement Program................................................................... 128 Compliance with The IIA’s Code of Ethics........................................................................ 146 Appendix 4-A: The IIA’s Standards and Practice Advisories as of September 2006 ................................................................................................... 147 Appendix 4-B...................................................................................................................... 165
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 105
CHAPTER 4 THE PROFESSIONAL PRACTICES FRAMEWORK Introduction The Institute of Internal Auditors’ (IIA) (2005) Professional Practices Framework (PPF) consists of the Definition of Internal Auditing, The IIA’s Code of Ethics, International Standards for the Professional Practice of Internal Auditing (Standards), and Practice Advisories.” The IIA’s Code of Ethics and the Standards are considered mandatory by The IIA for all those who provide internal auditing services. Guidance regarding how the Standards might be applied is included in Practice Advisories that are issued by The IIA’s Professional Issues Committee. The Practice Advisories are endorsed by The IIA and are strongly recommended. This chapter first summarizes the extent to which respondents use and are in compliance with The IIA’s Standards and the related Practice Advisories as of September 2006, when the CBOK questionnaires were distributed. Next, respondents’ opinions regarding the adequacy of the guidance provided in the Standards and Practice Advisories is presented. Then there is a discussion of the reasons why some respondents do not comply with the Standards. Another section reviews respondents’ compliance with Standard 1300, Quality Assurance and Improvement Program. The chapter concludes with a brief discussion about affiliate responses concerning their areas’ compliance with The IIA’s Code of Ethics. For reference, The IIA’s Standards, Practice Advisories, and Glossary to the Standards as of September 2006 are included in Appendix 4-A located at the end of this chapter. The Standards employ terms that have been given specific meanings that are defined in the Glossary. Diverse legal and cultural variations together with the purpose, size, and structure of organizations may affect the practice of internal auditing. The IIA regards full compliance with the Standards as essential for internal audit activities (IAAs) to meet their responsibilities to their organizations. If internal auditors are prohibited by law or regulation from complying with certain parts of the Standards, The IIA believes they should comply with all other parts of the Standards and make appropriate disclosures.
The Institute of Internal Auditors Research Foundation
106 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Standards were developed to serve the following purposes: • • • •
Delineate basic principles that represent the practice of internal auditing as it should be. Provide a framework for performing and promoting a broad range of value-added internal audit activities. Establish the basis for the evaluation of internal audit performance. Foster improved organizational processes and operations.
The Standards are continuously reviewed to determine when a revision is necessary. The last major revision occurred when the Board of Directors of The IIA voted to approve a new definition of internal auditing in 1999 and to update the PPF. The IIA considered the new Standards mandatory for all those that provide internal auditing services as of January 1, 2004. In December 2005, The IIA’s Executive Committee approved a plan to revise The IIA’s current guidance structure. The Standards consist of Attribute Standards, Performance Standards, and Implementation Standards. The Attribute Standards address the characteristics of organizations and parties performing internal audit services. The Performance Standards describe the nature of internal audit services and provide quality criteria against which the performance of these services may be evaluated. Implementation Standards expand on the Attribute and Performance Standards by providing guidance on specific types of engagements for assurance and consulting. The Attribute and Performance Standards apply to all internal audit activities and are divided into the following categories:
Attribute Standards 1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program
Performance Standards 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 107
CBOK 2006 Survey Questions Related to the Standards The main objective of the CBOK 2006 study is to develop a summary of the global practice of internal auditing around the world. The questions included in the CBOK survey pertaining to the Standards were developed to determine the following: • • • • •
The extent to which internal auditors and their internal audit activities (IAAs) comply with the Attribute Standards, Performance Standards, and Practice Advisories. The level of compliance by internal auditors and their IAAs with individual Standards and Practice Advisories. Whether or not the guidance in the Standards is perceived by users to be adequate. The reasons for noncompliance with the Standards. Whether internal auditors and IAAs comply with the standards relating to quality assurance and improvement program.
The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents: o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA. These more detailed summaries of results may be provided for the five categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the Other category consist primarily of other professional staff whose position is not captured by the traditional job titles included in the survey. A review of their credentials indicates they may be members of the IAA, employed by service providers, or in organizations where their titles are less traditional but with duties within internal auditing.
The Institute of Internal Auditors Research Foundation
108 A Global Summary of the Common Body of Knowledge 2006 ______________________
When relevant, results are given for each of the groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details. For example, Table 4-14 is the total of all respondents for that question with a related Table 4-141 showing the responses by group. A table can have more than one related table, where the second related table would be Table 4-14-2. Additional related tables may be located in Appendix 4-B at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 4-3-1-A is located in Appendix 4-B.
Use of the Standards in Whole or in Part All respondents were asked if their organizations use the Standards in whole or in part. Of the 9,366 potential respondents, 8,647 responded to this question. A total of 7,085 (81.9%) of those responding noted that they use the Standards in whole or in part and 1,562 (18.1%) noted that they do not comply with the Standards. Those respondents that do not use the Standards were told to skip the questions on compliance and go directly to the questions asking why they do not use the Standards. Figure 4-1 shows the replies to this question by the respondents’ position in the IAA. While very similar results are reported by the respondents in other positions in the department, the highest incidence of use in whole or in part is reported by CAEs (85.1%) who should be in the best position in the IAA to judge whether the Standards are being applied.
Figure 4-1 Organizations’ Use of the Standards in Whole or in Part by Staff Level All Respondents (8,647) in Percentages
Percentage of Respondents The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 109
Use of the Standards by Industry in Whole or in Part Table 4-1 provides a list of the respondents’ use of the Standards in whole or in part by industry and by position in the IAA. The four industries where respondents indicate the most usage of the Standards in whole or in part are: • • • •
Trade Services (88%). Professional Services (87.1%). Building and Construction (86.8%). Utilities (86.7%).
The five industries where the respondents indicate the least usage of the Standards in whole or in part are: • • • • •
Pharmaceutical/Chemical (80.2%). Real Estate (80.4%). Non-professional Services (81.3%). Manufacturing (82.2%). Healthcare (82.2%).
Overall, there is a high level of usage of the Standards in whole or in part by all industries.
The Institute of Internal Auditors Research Foundation
110 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-1 Use of the Standards in Whole or in Part by Industry and Position in the IAA All Respondents in Percentages Industry
Number of CAE Audit Respondents Manager
Agricultural/Forestry Banking/Financial Services/ Credit Union Building and Construction Communication/ Telecommunication Consumer Goods Education Financial, Accounting, and/or Business Services Healthcare Hospitality/Leisure/Tourism Insurance Manufacturing Mining and Oil Non-professional Services Pharmaceutical/Chemical Professional Services Real Estate Retail/Wholesale Technology Trade Services Transport and Logistics Utilities Other
Audit Audit Other Average Senior/ Staff Supervisor
254 2,178
88.1 84.8
91.7 86.4
78.3 83.2
88.4 84.1
75.0 81.5
85.4 84.4
387 626
89.8 88.7
89.7 87.8
77.9 76.9
91.8 88.5
77.8 88.9
86.8 85.6
427 554 870
86.4 89.4 92.3
84.8 81.0 87.6
76.1 85.8 85.0
78.7 86.3 81.5
83.3 64.2 79.6
82.7 83.6 85.9
566 306 861 1,166 396 96 257 372 291 568 439 183 511 694 1,181
87.2 87.3 88.9 86.5 92.4 95.8 83.8 90.1 84.0 87.2 88.5 93.4 88.3 88.0 83.3
83.0 86.8 88.5 86.8 88.2 85.3 82.7 94.8 84.1 85.3 91.1 96.3 84.9 88.0 83.4
84.4 74.1 83.0 77.7 77.3 76.5 72.7 80.2 79.0 78.3 75.0 77.8 73.7 88.0 78.5
77.9 80.0 83.8 77.1 84.4 70.0 82.8 83.7 73.7 74.2 73.3 81.0 81.8 85.2 78.7
59.5 86.7 86.2 75.0 84.0 54.5 72.2 77.1 60.0 80.8 80.0 63.6 85.7 76.1 61.5
82.2 83.7 86.1 82.2 85.4 81.3 80.2 87.1 80.4 82.6 83.6 88.0 83.0 86.7 79.5
Compliance with the Standards For those 7,085 respondents that indicate they use the Standards in whole or in part, the next survey question asked if their organizations were in full compliance, partial compliance, not in compliance, or they did not know their organizations’ level of compliance for each of the individual
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 111
standards. According to The IIA’s Tool 19, Standards Compliance Evaluation Summary, of the Quality Assessment Manual, 5th Edition, the extent of compliance with the Standards is expressed as either “generally conforms,” “partially conforms,” or “does not conform.” General conformance (full compliance in the questionnaire) implies that the “relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard…in all material aspects.” Partial conformance (partial compliance in the questionnaire) means the “activity is making good-faith efforts to comply with the requirements of the individual Standard.” Does not conform (not in compliance in the questionnaire) means “the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard.” For those that indicate their organizations use the Standards in whole or in part, Table 4-2 summarizes all respondents’ input and compares the responses of the CAEs and Practitioners concerning whether their IAAs fully comply, partially comply, or do not comply with an individual standard. Eighty-five point five percent (85.5%) of the 7,085 respondents’ IAAs that noted standards usage either fully comply (57.2%) or partially comply (28.3%) with the Standards. Of the respondents, 10.6% do not know whether their IAAs comply with any of the Standards.
Table 4-2* Organizations Compliance Levels with the Standards CAE, Practitioner, and All Respondents in Percentages CAE Full compliance Partial compliance Not in compliance Do not know Total
59.9 31.6 4.2 4.3 100.0
Practitioner 56.1 26.8 3.8 13.3 100.0
All Respondents 57.2 28.3 3.9 10.6 100.0
*Table 4-2 was compiled from Tables 4-3-1-A, 4-3-2-A and 4-3-3-A in Appendix 4-B.
The percentage of CAEs who do not know whether their IAAs comply with the Standards is much lower (4.3%) than that of Practitioners (13.3%). This may be due to the CAEs’ position as leader of the IAA providing them with more insight into the use of the Standards. It would appear that CAEs have more direct access to judge the use of the Standards than other members of the IAA.
The Institute of Internal Auditors Research Foundation
112 A Global Summary of the Common Body of Knowledge 2006 ______________________
As shown in Table 4-2, when asked about compliance to individual standards, 59.9% of CAE respondents and 56.1% of Practitioner respondents say that they are in full compliance with the Standards when in fact they are not. Table 4-3 shows that only 33.2% of CAE respondents and 43% of Practitioner respondents indicate they comply with Standard 1300. The IIA’s position is that full compliance means full compliance with all the Standards. Table 4-3 reveals that for CAE respondents, the four standards with the highest percentage of full compliance are Standards 1100 (73.6%), 2400 (68.6%), 1000 (68.1%), and 1200 (67%). This makes sense as three of the standards, 1100, Independence and Objectivity, 2400, Communicating Results, 1000, Purpose, Authority, and Responsibility, are all direct responsibilities of CAEs. All work, regardless of who performs it, should be done in accordance with Standard 1200, Proficiency and Due Professional Care.
Table 4-3 Full or Partial Compliance with the Standards CAE, Practitioner, and All Respondents in Percentages Standard
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
CAE
Practitioner Full Partial
All Respondents Full Partial
26.7
60.8
24.2
63.0
25.0
73.6
22.0
64.1
22.2
66.9
22.2
67.0
28.3
61.1
25.1
62.9
26.1
33.2
45.0
43.0
31.7
40.0
35.7
61.8
32.0
55.8
27.5
57.6
28.9
59.3 60.4 62.1 68.6 56.1 49.0
32.8 32.5 31.8 26.2 35.5 35.0
56.8 56.7 58.7 62.3 51.3 46.1
26.9 27.5 26.7 23.8 30.6 28.8
57.5 57.7 59.7 64.1 52.6 46.9
28.7 29.0 28.2 24.6 32.1 30.7
59.9
31.6
56.1
26.8
57.2
28.3
Full
Partial
68.1
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 113
The two standards with less than 50% full compliance according to CAE respondents are 2600, Resolution of Management’s Acceptance of Risks (49.0%), and 1300, Quality Assurance and Improvement Program (33.2%). Reasons for noncompliance with Standard 1300 are discussed in more detail in a later section of this chapter. Standard 2600 requires CAEs and senior management to discuss with the board any areas where the CAE feels that management has accepted residual risk that is unacceptable to the organization. It involves skills requiring CAEs to analyze many types of risks and reporting to the board disagreements with management over acceptable levels of risk for the organization. In Table 4-3, the order of the four highest standards (1100, 2400, 1000, 1200) for full compliance are the same for the categories All Respondents and CAEs. For Practitioners, the four standards with the highest percentages are the same, but the order differs, 1100 (64.1%), 2400 (62.3%), 1200 (61.1%), and 1000 (60.8%). Standard 1000 (63% full compliance and 25% partial compliance for all respondents) requires that the purpose, authority, and responsibility of the IAA be formally defined in an audit charter. Having the internal audit charter accepted by the board and management should be one of the first actions taken by a CAE when an IAA is established. The charter establishes the authority for IAAs to perform the scope of work as outlined in the Standards. Standard 1100 (66.9% full compliance and 22.2% partial compliance for all respondents), which deals with the independence and objectivity of the IAA, shows the highest incidence of full compliance by the respondents. Standard 2400 (64.1% full compliance and 24.6% partial compliance for all respondents) addresses the required communication of the results of the work performed by the IAAs at the end of each engagement. In Appendix 4-B, Tables 4-3-1-A (all respondents), 4-3-2-A (CAE), and 4-3-3-A (Practitioner) contain additional details of respondents’ compliance with each individual standard. These tables contain the respondents’ indication of full compliance, partial compliance, not in compliance, and do not know for each category of the Standards. Table 4-3-4-A to Table 4-3-6-A in Appendix 4-B lists by groups full compliance by IAAs for the respondents, partial compliance for all respondents, and the percentages for not in compliance with the Standards for all respondents. Refer to Appendix 1-B of this report for the list of groups. Groups 1, 2, 3, 7, 8, and 11 indicate consistently high compliance with the Standards. Although group 4 has consistently lower compliance with the Standards, it also has the highest partial compliance of any group. Group 9 has the highest overall percentages for noncompliance with the Standards. Standard 1300, Quality Assurance and Improvement Program, had the highest percentages of noncompliance ranging from groups 1 and 2 with 9.1% to a high of 24.2% in group 12.
The Institute of Internal Auditors Research Foundation
114 A Global Summary of the Common Body of Knowledge 2006 ______________________
Compliance by Types of Organization Table 4-4 shows the percentage of respondents by type of organization that indicate their organizations are in full compliance with specific standards. Service provider/consultant respondents have the highest level of full compliance with Standard 1300, Quality Assurance and Improvement Program (49.6%), and with Standard 2600, Resolution of Management’s Acceptance of Risks (53.1%). Publicly traded (listed) companies place a close second in full compliance for Standard 2600 (50.6%).
Table 4-4 Full Compliance to Standards by Type of Organization Percentage of All Participants Standard
Service Provider/ Consultant
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks
Publicly Traded (Listed) Company
Privately Held (Nonlisted) Company
Public Not-forOther Sector/ Profit Government Organization
62.7
66.8
56.6
62.5
64.4
49.3
69.6
69.7
63.5
64.1
71.8
48.6
66.2
64.9
57.3
62.6
67.3
50.7
49.6
42.8
30.2
40.1
37.9
32.8
62.1
59.6
53.4
56.6
58.8
43.3
61.6 61.1
58.9 60.0
51.2 50.2
59.8 58.4
61.1 60.2
45.2 41.7
63.5
60.1
54.3
62.2
62.8
45.6
68.0
64.5
59.3
66.0
67.5
52.2
57.0 53.1
55.0 50.6
47.9 38.8
51.1 44.9
55.8 49.6
37.0 31.5
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 115
Adequacy of the Guidance Provided by the Standards The development and issuance of the Standards is an ongoing process. The IIA’s Internal Auditing Standards Board engages in extensive consultation and discussions prior to the issuance or revision of the Standards. This includes worldwide solicitation of public comment through the exposure draft process. Although this process should provide assurance that the guidance provided by the Standards is supported by the profession, it is important to determine the views of current users regarding the adequacy of the guidance provided. Respondents who indicated that they use the Standards were asked to give their opinion about whether the guidance provided by individual standards is adequate for their IAA to apply that standard or if more guidance is needed. As presented in Table 4-5, an overall average of 83.2% of the respondents consider the guidance provided by the Standards to be adequate. The four standards that received the highest percentage for adequacy are 1100 (88.1%), Independence and Objectivity, 1200 (87%), Proficiency and Due Professional Care, 1000 (86.2%) Purpose, Authority, and Responsibility, and 2400 (85.2%) Communicating Results. These are the same four standards that have the highest compliance indicated by respondents in Table 4-3. In Table 4-5 all but two standards are rated above 80% for adequacy.
Table 4-5 Standards Guidance is Adequate All Respondents in Percentages Standard
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
Total Number of Respondents
Yes
No
Do Not Use
Do Not Know
5,857 6,015 5,994 5,968 5,970 5,916 5,950 5,931 5,941 5,903 5,908
86.2 88.1 87.0 77.3 83.7 82.2 83.6 83.8 85.2 81.8 76.0
1.2 1.7 1.7 5.1 3.1 3.2 3.3 3.6 3.1 4.1 5.6
2.7 1.7 2.3 6.3 3.3 3.5 3.2 3.0 2.6 4.0 5.3
9.9 8.5 9.0 11.3 9.9 11.1 9.9 9.6 9.1 10.1 13.1
83.2
3.2
5.7
9.3
The Institute of Internal Auditors Research Foundation
116 A Global Summary of the Common Body of Knowledge 2006 ______________________
Such a high percentage of positive responses indicates that the guidance provided meets the expectations of the users of the Standards. The slightly lower response for Standards 1300 (77.3%), Quality Assurance and Improvement Program, and 2600 (76%), Resolution of Management’s Acceptance of Risk, in Figure 4-2 may indicate that more or clearer guidance may be appropriate in the areas of quality assurance and improvement and resolution of management’s acceptance of risk.
Figure 4-2 Standards Guidance is Adequate All Respondents in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 117
Table 4-6 shows that a higher percentage of CAEs (overall average 89%) than Practitioners (overall average 80.7%) regard the guidance provided by the Standards to be adequate. This may be due to CAEs having more experience with the Standards.
Table 4-6 Adequacy of Guidance Provided by Each of the Standards CAE, Practitioner, and All Respondents in Percentages Standard
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
CAE
Practitioner
All Respondents
93.3 94.1 92.9 81.5 90.0 88.0 89.4 89.3 91.3 88.4 81.3 89.0
83.2 85.6 84.5 75.6 81.0 79.8 81.2 81.5 82.6 79.1 73.8 80.7
86.2 88.1 87.0 77.3 83.7 82.2 83.6 83.8 85.2 81.8 76.0 83.2
In Appendix 4-B, Tables 4-6-1-A (CAEs) and 4-6-2-A (Practitioners) list respondents’ responses by standard indicating whether the guidance provided is adequate, not adequate, do not use, or do not know. When asked about the adequacy of the guidance provided, a higher percentage of the Practitioner respondents replied “Do Not Know” than CAEs. For all of the Standards, Practitioner responses for “Do Not Know” range from 11.1% to 16.3%. In contrast, the CAE responses range is from a low of 2.3% to a high of 5.3%. This data indicates that CAEs in this study appear to find the guidance more adequate than do Practitioners. In Appendix 4-B, Tables 4-6-3-A (all respondents by groups), 4-6-4-A (CAEs by groups), and 4-65-A (Practitioners by groups) show respondents’ answers by groups to the question about the adequacy of guidance provided by the Standards. In the groups, CAEs consistently find the Standards guidance to be more adequate than Practitioners. Table 4-6-3-A indicates that a significant percentage of all respondents in all groups perceive the guidance provided by each of the Standards
The Institute of Internal Auditors Research Foundation
118 A Global Summary of the Common Body of Knowledge 2006 ______________________
to be adequate. On average, groups 7, 8, and 12 have the highest percentage of satisfaction with the guidance provided, while groups 1, 2, and 9 have the lowest average percentage of satisfaction. Table 4-6-6-A in Appendix 4-B provides a summary of all respondents by group who indicate that the guidance provided by the Standards is not adequate. Indicating a range of 11.6% to 14.5% for guidance is not adequate, group 9 has the highest level of dissatisfaction with Standards 2200 to 2500. With this group’s exception, the overall low percentages in this table support a high level of satisfaction with the adequacy of the guidance provided.
Use of and Adequacy of the Guidance Provided by the Practice Advisories Practice Advisories are continuously developed and issued. The purpose of the Practice Advisories is to provide guidance on the application of the Standards. Compliance with Practice Advisories is endorsed by The IIA and strongly recommended but not considered mandatory. The 7,085 respondents who use the Standards in whole or in part were asked whether their IAA uses the Practice Advisories in the PPF and to indicate whether they regard the guidance to be adequate. Figure 4-3 shows the percentages of all respondents to this question that use each of the Practice Advisories.
Figure 4-3 Respondents That Use the Practice Advisories All Respondents in Percentages
Percentage of Respondents The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 119
Table 4-7 indicates that on average 85.8% of the respondents that use the Standards also use the Practice Advisories. The Audit Staff (88.7%) report the highest overall use of the Practice Advisories. Ninety percent or more of the Audit Staff indicate that they use the Practice Advisories for Standards 1000, 1100, 1200, and 2300.
Table 4-7 Respondents That Use the Practice Advisories By Staff Level in Percentages Practice Advisory
CAE
Audit Manager
Audit Audit Senior/ Staff Supervisor
Other
Average
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Average
88.8
88.2
84.8
90.1
84.7
87.3
89.3 88.6
88.5 88.4
86.3 85.1
90.7 90.2
86.9 86.1
88.3 87.7
82.7
82.8
80.5
86.5
79.2
82.3
87.7
87.2
83.7
89.7
84.1
86.5
86.4 87.4 87.8 88.6 87.5 81.4
85.9 87.1 86.9 87.2 85.3 82.2
83.8 84.5 85.2 84.6 82.3 78.4
89.7 89.4 90.0 87.5 88.4 83.6
83.8 84.1 84.9 83.4 83.0 79.0
85.9 86.5 87.0 86.3 85.3 80.9
86.9
86.3
83.6
88.7
83.6
85.8
In Appendix 4-B, Table 4-7-1-A shows the percentage of respondents who do not use the Practice Advisories for all respondents. Groups 6, 1, 2, and 9 use the Practice Advisories the least.
The Institute of Internal Auditors Research Foundation
120 A Global Summary of the Common Body of Knowledge 2006 ______________________
The respondents were asked if they considered the guidance provided by the Practice Advisories to be adequate. Table 4-8 shows that for all respondents the overall average satisfaction with Practice Advisories is 82.5%. Standards 1300 (77.2%) and 2600 (75.4%) are the two standards that received the lowest percent of satisfaction. This corresponds to the lower level of compliance with these two Standards by all respondents in Table 4-3.
Table 4-8 Practice Advisory Guidance is Adequate CAE, Practitioner, and All Respondents in Percentages Practice Advisory
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
CAE
Practitioner
All Respondents
86.7 86.7 86.2 76.2 83.5 81.8 83.5 83.9 84.4 82.6 75.2 82.7
85.7 86.2 85.1 77.7 83.4 82.5 83.1 83.3 83.8 80.5 75.4 82.4
86.0 86.3 85.4 77.2 83.4 82.3 83.2 83.5 84.0 81.1 75.4 82.5
In Appendix 4-B, Tables 4-8-1-A (all respondents), 4-8-2-A (CAE), and 4-8-3-A (Practitioner) show the respondents’ perception of the adequacy of the guidance provided by the Practice Advisories and the percentages that do not use each individual Practice Advisory. Table 4-8-4-A in Appendix 4-B shows all respondents’ perception of the adequacy of the guidance provided by the Practice Advisories by groups. This group table also indicates less satisfaction with the guidance provided to support for Standards 1300 and 2600. Respondents in groups 12, 7, and 8 indicate the highest levels of satisfaction with the adequacy of the Practice Advisories. While still indicating a high level of satisfaction with the guidance, groups 6 and 2 show the lowest relative levels of satisfaction with the guidance provided by the Practice Advisories.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 121
Reasons for Not Complying with the Standards All respondents were asked their reasons for not using the Standards in whole or in part. The question listed possible reasons for noncompliance and allowed for individual comments. Respondents could select more than one reason for noncompliance. Figure 4-4 shows the average percentage for all respondents for the reasons provided in the question regarding why they do not comply in whole or in part with the Standards.
Figure 4-4 Reasons for Not Complying in Whole or in Part with the Standards All Respondents (8,159) in Percentages*
Percentage of Respondents *Respondents who do not comply with the Standards could select more than one reason for noncompliance so the totals could add to more than 100%.
The Institute of Internal Auditors Research Foundation
122 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-9 shows the reasons respondents selected for not using the Standards in whole or in part by staff position.
Table 4-9 Reasons for Not Using the Standards in Whole or in Part All Respondents by Staff Position in Percentages* Reason
Standards or Practice Advisories are too complex Not appropriate for small organizations Too costly to comply Too timeconsuming Superseded by local/ government regulations or standards Not appropriate for my industry Compliance not supported by management/board Not perceived as adding value by management/ board Inadequate IAA staff Compliance not expected in my country Other
Number CAE Audit Audit Senior/ Audit Staff Other Average Who % of 2,263 Managers Supervisor % of 1,442 % of 569 % of 8,159 S e l e c t e d Respondents % of 1,845 % of 2,040 Respondents Respondents Respondents Category Respondents Respondents 473
7.1
5.5
5.4
4.4
6.2
5.8
846
16.4
8.5
7.4
7.1
11.4
10.4
765
13.3
8.9
7.9
6.2
8.6
9.4
992
16.1
12.1
11.4
8.6
8.1
12.2
875
10.3
10.0
12.6
9.6
11.1
10.7
342
4.4
3.3
4.1
4.7
5.3
4.2
970
11.9
12.0
12.6
11.0
11.1
11.9
996
13.6
11.4
13.5
9.9
10.5
12.2
1,026
14.4
11.9
11.7
11.6
13.2
12.6
467
5.9
5.3
6.6
4.9
5.3
5.7
983
11.4
12.7
12.8
8.7
17.9
12.0
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so the totals could add to more than 100%.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 123
There appears to be three primary causes for noncompliance. The first relates to practitioners’ experiences in application and implementation of guidance or constraints within the IAA. Specific reasons related to this include the following: • • • • •
Inadequate staff (12.6%) Too time-consuming (12.2%) Not appropriate for small organizations (10.4%) Too costly to comply (9.4%) Standards or Practice Advisories are too complex (5.8%)
The second primary cause concerns lack of support by the organization’s management and includes the following specific reasons: • •
Not perceived as adding value by management/board (12.2%) Compliance not supported by management/board (11.9%)
The third primary cause involves the regulations or standards in the respondents’ countries or company, and includes the following reasons: • • •
Superseded by local/government regulations or standards (10.7%) Compliance not expected in my country (5.7%) Not appropriate for my industry (4.2%)
This knowledge should aid The IIA in formulating future guidance and in marketing the profession.
The Institute of Internal Auditors Research Foundation
124 A Global Summary of the Common Body of Knowledge 2006 ______________________
Open-ended Question for Noncompliance Respondents were provided with space to list other reasons why they did not comply with the Standards in whole or in part. Of the 417 respondents who provided a written response to the open-ended part of this question, most did not add any new reasons beyond those listed in Table 49, but expanded upon why they selected a particular reason. Table 4-10 categorizes these responses and lists the percentages of the 417 respondents that gave a particular response. Because seven respondents gave two reasons why they are not in full compliance with the Standards, there are a total of 424 responses.
Table 4-10 Reasons for Not Complying with the Standards in Whole or in Part From Open-ended Question for All Participants Reasons for Noncompliance
Other standards are used (GAGAS/Yellow Book; Own standards based on IIA’s; CICA; ISACA; CIPFA; GAAS; INTOSAI) Informal/partial use of the Standards Do not have the knowledge to implement Standards are not: adequate/relevant/practical/accepted/value added Working toward full implementation Newly established IAA or newly appointed in position Do not know Management does not support Not applicable as function is outsourced or respondents not in internal audit department Understaffed Full compliance to the Standards No IAA Other
Number of Respondents*
Percentage of 417 Respondents
94
22.5
57 54 41
13.7 12.9 9.8
40 36 23 21 13
9.6 8.6 5.5 5.0 3.1
10 5 4 26
2.4 1.2 1.0 6.2
*Since 7 of the 417 respondents provided two reasons for noncompliance with the Standards, there are 424 total responses.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 125
One respondent suggests that the local affiliate should perform an awareness campaign in his country for non-listed and small companies to show the need for IAAs to comply with the Standards.
Factors Affecting Compliance To better understand why some respondents are not in full compliance with the Standards, three factors were reviewed. First, since The IIA’s membership grew 54.6% from June 2003 to September 2006, Table 4-11 compares the number of years respondents have been members of The IIA to respondents’ compliance with the Standards in whole or in part. For those respondents who are members of The IIA, the longer they have been members the more likely they are to comply with the Standards in whole or in part.
Table 4-11 Compliance with the Standards in Whole or in Part Compared to the Number of Years as a Member of The IIA All Respondents in Percentages Number of Years as Member of IIA
Number of Respondents
Percentage of Respondents in Compliance in Whole or in Part
5 or less 6 to 10 11 or more Not a Member Total/Overall Average
5,044 1,694 1,307 568 8,613
80.7 86.2 88.4 64.8 81.9
The Institute of Internal Auditors Research Foundation
126 A Global Summary of the Common Body of Knowledge 2006 ______________________
The second factor considered is the number of years an organization has had an IAA. Table 4-12 suggests a trend indicating that the longer an organization has had an internal audit department the greater the IAA’s compliance with the Standards in whole or in part.
Table 4-12 Compliance with the Standards in Whole or in Part Compared to the Number of Years Organization has had an IAA All Respondents in Percentages Years Having an IAA
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More than 50
Number of Respondents
2,147 1,586 902 835 523 561 180 250 48 254 323
Percentage of Respondent in Compliance in Whole or in Part 81.0 80.9 83.9 81.8 84.9 84.3 83.3 87.2 85.4 88.2 85.1
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 127
The final factor reviewed is the impact of the number of full-time staff in the IAA on compliance with the Standards in whole of in part. Table 4-13 notes that with the exception of the 22-24 staff level category, the trend is that the larger the IAA’s audit staff, the higher level of compliance to the Standards in whole or in part.
Table 4 -13 Compliance with the Standards in Whole or in Part Compared to the Number of Full-Time Staff at Each Staff CAE Respondents in Percentages Number of Staff
1-3 4-6 7-9 10-12 13-15 16-18 19-21 22-24 25 or more Total
Number of Respondents
1,601 1,253 742 448 332 251 179 133 1,707 6,646
Percentage of Respondents in Compliance in Whole or in Part 75.7 82.0 83.2 83.3 84.3 84.5 85.2 84.7 88.0 82.3
In summary, all three factors, the longer a respondent has been a member of The IIA, or an organization has had an IAA, or the larger the number of staff in the IAA, positively affect the level of compliance by the IAA with the Standards.
The Institute of Internal Auditors Research Foundation
128 A Global Summary of the Common Body of Knowledge 2006 ______________________
Quality Assurance and Improvement Program Since Standard 1300, Quality Assurance and Improvement Program (QA&IP), relates to the monitoring of IAA compliance with the Standards, the survey included specific questions relating to internal and external assessments. One of the main objectives of the QA&IP Standard is to encourage the assessment of, application, and conformance with the Standards. According to Standard 1300, the CAE should develop and maintain a QA&IP that covers all aspects of the IAA and continuously monitors its effectiveness. This program includes periodic internal assessments, external quality assessments, and ongoing internal monitoring. Standard 1300 and the Practice Advisories further recommend that this program: • • • •
Provide assurance that the IAA is in conformity with The IIA’s Standards. Provide assurance that the IAA is in conformity with the IIA Code of Ethics. Add value and improve the organization’s operations. Include periodic internal and external quality assessments and ongoing internal monitoring.
Each part of the program should be designed to help the IAA provide this assurance and add value.
Standard 1300 Survey participants were asked whether or not their IAAs have QA&IPs in place in accordance with Standard 1300. Standard 1330, Use of “Conducted in Accordance with the Standards,” states that internal auditors are encouraged to report that their activities are conducted in accordance with the Standards. It further stipulates that internal auditors may use this statement only if assessment of their QA&IP demonstrates that the IAA is in compliance with the Standards. The value of this statement is that it implies the credibility of the work performed by the IAA and that the conclusions reached can be relied upon. The average response to the question of whether the respondent’s IAA has a QA&IP in place in accordance with Standard 1300 is reported in Figure 4-5. Of the total respondents, 32.8% say that they have a QA&IP in place and thus can use the phrase “Conducted in Accordance with the Standards” in reference to their audit engagements. A further 21.9% indicate that a QA&IP would be put in place within the next 12 months. Some respondents (7.3%) have a quality assurance program in place, but the program is not in accordance with Standard 1300. Of the respondents, 22.9% report that they do not have plans to put in place a QA&IP in the next 12 months.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 129
Figure 4-5 IAA Has a Quality Assurance and Improvement Program in Accordance with Standard 1300 All Respondents (7,269) in Percentages
Percentage of Respondents
If an IAA is not in compliance with Standard 1300, then the IAA is not in full compliance with the Standards. Of those responding, 38.8% of CAEs and 30.2% of all respondents indicate that they either do not have plans to put a QA&IP in place or they have quality programs that are not in accordance with Standard 1300. These organizations will not be able to report that they are in full compliance with the Standards. Table 4-14 presents the respondents’ answers to the question asking whether their IAAs have QA&IPs in place in accordance with Standard 1300 by staff level. Of CAE respondents, 5.4% say that they do not know whether their IAA has a QA&IP in accordance with Standard 1300. The “do not know” option to this question was selected by 10.6% of Audit Managers, 18.0% of
The Institute of Internal Auditors Research Foundation
130 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Seniors/supervisors, and 26.7% of the Audit Staff respondents. As the quality assurance program is the responsibility of the CAE, practitioners at less senior levels may not know how the quality assurance requirements have been implemented. Yet, according to the Standards, quality assurance should form a part of every activity at all levels of the IAA. All internal audit staff should therefore be trained in the requirements of quality assurance and should be integrally involved in the quality assessment and improvement programs of their IAAs.
Table 4-14 IAA Has a Quality Assurance and Improvement Program in Accordance with Standard 1300 All Respondents by Staff Level in Percentages QA&IP Status
CAE % of 2082 Respondents
Audit Manager % of 1687 Respondents
Audit Audit Staff Other Average Senior/ % of 1239 % of 441 % of 7269 Supervisor Respondents Respondents Respondents % of 1820 Respondents
Currently in place To be put in place within the next 12 months No plans to put in place in the next 12 months Quality assurance program is not in accordance with Standard 1300 Do not know Total
26.6 29.2
36.5 23.2
36.0 19.0
36.1 15.8
24.5 10.9
32.8 21.9
29.2
22.6
19.6
17.6
23.8
22.9
9.6
7.1
7.4
3.8
7.0
7.3
5.4 100.0
10.6 100.0
18.0 100.0
26.7 100.0
33.8 100.0
15.1 100.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 131
Table 4-14-1 shows compliance with Standard 1300 by groups. A noticeably higher than average percentage (54.7%) of respondents in groups 3 (70.5%), 2 (61.6%), and 1 (61%) indicate that they have a QA&IP in place or will put one in place within the next 12 months. The groups that have the highest percentages of respondents indicating that they have no plans to put a QA&IP in place are groups 12 (34.8%), 4 (34%), 8 (33.5%), and 11 (30.7%). Group 4 (20.7%) has the highest percentage of respondents who do not know whether they have such a program in place.
Table 4-14-1 IAA Has a Quality Assessment and Improvement Program in Accordance with Standard 1300 by Groups* All Respondents in Percentages Group
1 2 3 4 5 6 7 8 9 10 11 12 N/C** Overall Average/ Total
Number of Yes, Respondents Currently in Place
2,974 190 600 300 502 374 439 835 97 110 199 43 624 7,287
40.1 35.8 45.3 19.3 24.4 30.2 25.1 24.0 15.5 30.0 30.2 23.3 20.8 32.8
To Be Put in Place Within the Next 12 Months
No Plans to Put in Place in the Next 12 Months
20.9 25.8 25.2 14.3 27.5 21.1 26.9 20.5 28.9 26.4 23.1 27.9 17.5 21.9
17.6 16.9 12.7 34.0 27.7 24.1 27.6 33.5 29.8 26.4 30.7 34.8 27.6 22.9
Program Do Not is Not in Know Accordance with Standard 1300 5.1 8.9 5.5 11.7 9.8 16.0 10.8 6.9 13.4 7.2 5.5 7.0 7.7 7.3
*For a list of groups, please see Appendix 1-B. **N/C = Respondent did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
16.3 12.6 11.3 20.7 10.6 8.6 9.6 15.1 12.4 10.0 10.5 7.0 26.4 15.1
Total
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
132 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Assessments According to Standard 1311, Internal Assessments should include a process to monitor and assess the overall effectiveness of the quality program. Internal assessments should include both: • •
Ongoing review of the performance of the IAA. Periodic reviews performed through self-assessment or by other persons within the organization with knowledge of internal auditing practices and the Standards.
The respondents were asked when their IAAs last had a formal internal quality assessment, periodic or ongoing, in accordance with Standard 1311. Table 4-15 indicates, by staff level, when the IAA was last subject to an internal quality assessment. On average, 23.6% of the respondents’ IAAs have had an internal review within the last 12 months and a further 8.7% had a review within the last 5 years. By the end of 2006, an average of 8.1% additional respondents anticipate their IAAs will have had an internal quality assessment (note that the questionnaires were sent out in September 2006). On average, 35.3% of the respondents indicate that they have never had an internal assessment. From predominantly lower staff levels and Other, on average 15.9% of the respondents do not know if their IAA had a formal internal quality assessment. Only 5.2% of the CAE’s indicated they did not know when their IAA was last subject to a formal internal assessment, while 26.7% of the Audit Staff indicated they did not know. This may be ascribed to a lack of knowledge at their level of responsibility. A higher percentage (47.4%) of CAEs indicates that an internal quality assessment has never been done, which may be more accurate as the CAE is normally the person responsible for organizing such reviews.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 133
Table 4-15 When IAA Was Last Subject to a Formal Internal Quality Assessment in Accordance with Standard 1311 All Respondents by Staff Level in Percentages Timing
Scheduled to be completed prior to January 1, 2007, but not yet completed Within the last 12 months 1-3 years ago 4-5 years ago More than 5 years ago Never The internal review was not done in accordance with Standard 1311 Do not know
CAE % of 2,083 Respondents
Audit Manager % of 1,678 Respondents
Audit Audit Staff Other Average Senior/ % of 1,240 % of 430 % of 7,249 Supervisor Respondents Respondents Respondents % of 1,818 Respondents
8.7
8.3
8.4
7.5
4.7
8.1
21.0
27.9
24.0
24.4
15.3
23.6
6.5 1.2 1.5
8.1 1.4 1.3
8.9 1.2 1.1
6.0 1.6 1.0
7.7 0.7 1.2
7.4 1.3 1.2
47.4 8.5
32.5 7.4
30.3 6.6
26.1 6.7
35.3 3.7
35.3 7.2
5.2
13.1
19.5
26.7
31.4
15.9
The Institute of Internal Auditors Research Foundation
134 A Global Summary of the Common Body of Knowledge 2006 ______________________
The following compares the results in Table 4-14 (the IAA has a QA&IP in place) to the percentages in Table 4-15 (the internal assessment is scheduled to be completed prior to January 1, 2007, or completed a quality assessment within the last 12 months). The percentages are fairly close for both tables. For example, Table 4-14 lists CAE respondents indicating that 26.6% have a QA&IP in place, and Table 4-15 has a total of 29.7% CAE respondents having had a formal quality assessment in accordance with Standard 1311 complete in the last 12 months or scheduled before January 1, 2007. For all respondents in this comparison, Table 4-14 had 32.8% of respondents having a QA&IP in place, and Table 4-15 has a total of 31.7% completed within the last 12 months or scheduled to be completed by January 1, 2007. In Appendix 4-B, Table 4-15-1-A contains the status of the internal assessment by groups. For six of the groups, more than 40% of respondents have never had an internal assessment. For groups 6, 8, and 12, more than 11% of the respondents have completed a quality assessment that was not in accordance with Standard 1311. Only group 3 respondents indicate that 43.4% of their IAAs have had an assessment in accordance with Standard 1311 in the last 5 years. Eleven point four percent to 14.9% of the respondents in groups 3, 10, and 12 anticipate completing an assessment prior to January 1, 2007. Two factors should be considered when reviewing which respondents’ organizations have had an internal quality assessment. The first is whether the length of time the IAA has been in existence within the organization has any effect on compliance to Standard 1311. Table 4-16 compares the length of time that respondents’ organizations have had an IAA with when or if they have had an internal assessment. IAAs that have been in existence for 0 to 5 years have the highest percentage (54.2%) of never having had an internal assessment. That percentage drops to 38% for those organizations whose IAAs have been in existence for 6 to 10 years. It appears that, generally, the longer the organization has had an IAA the more likely they are to have an internal assessment program in place.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 135
Table 4-16 Years the IAA has Existed in an Organization Compared to When the IAA had an Internal Assessment All Respondents in Percentages Years IAA Existed
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More than 50 years
Number of Scheduled Within 1-3 4-5 More Never The I Do Total Respondents to Be the Last Years Years Than Internal Not Know Completed 12 Ago Ago 5 Review Was Prior to Months Years Not Done in January 1, Ago Accordance 2007, But with Not Yet Standard Completed 1311 1,857 1,364 774 727 727 465 145 208 38 198 266
7.7 7.7 8.4 10.0 9.0 8.8 8.3 7.7 13.2 6.1 9.4
14.8 21.8 25.2 23.4 30.4 31.0 31.7 35.1 39.5 31.8 36.1
4.0 6.2 7.4 10.6 10.1 9.7 11.7 13.0 5.3 12.1 10.2
0.5 1.1 1.8 2.6 2.9 1.1 1.4 0.5 5.3 3.0 1.1
0.2 1.2 1.4 2.3 1.3 1.5 0.7 1.4 .0 3.0 1.5
54.2 38.0 35.1 25.9 25.8 24.3 26.2 25.0 15.8 18.7 13.5
7.3 8.1 7.2 6.2 7.7 8.2 8.3 4.8 7.9 6.1 8.6
The Institute of Internal Auditors Research Foundation
11.3 15.9 13.5 19.0 12.8 15.4 11.7 12.5 13.2 19.2 19.6
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
136 A Global Summary of the Common Body of Knowledge 2006 ______________________
The second factor to consider is the number of audit staff in the IAA. Table 4-17 shows that for staff levels of 1-3, respondents indicate that 58.2% of their IAAs have never had an internal review. As the size of the IAA staff increases, fewer respondents’ IAAs have never had an internal review with one exception (organizations with a staff size of 10-12). With a staff of 25 or more only 14.2% indicated that their IAA had never had an internal review. It appears that the number of years the IAA has existed and the number of staff in the IAA affect whether an IAA has had an internal assessment program.
Table 4-17 Number of Audit Staff in the IAA Compared to When the IAA had an Internal Assessment All Respondents in Percentages Number of Staff
1-3 4-6 7-9 10-12 13-15 16-18 19-21 22-24 25 or more
Number of Scheduled Within 1-3 4-5 More Never The I Do Total Respondents to Be the Last Years Years Than Internal Not Know Completed 12 Ago Ago 5 Review Was Prior to Months Years Not Done in January 1, Ago Accordance 2007, But with Not Yet Standard Completed 1311
1,859 1,319 775 451 351 265 186 137 1,561
5.9 8.6 7.7 8.2 12.3 12.5 8.6 12.4 9.5
11.5 18.0 26.1 23.5 25.4 27.2 30.6 34.3 39.4
4.1 6.7 8.1 9.1 9.7 7.5 9.1 10.9 10.4
1.0 1.1 1.8 1.3 1.1 .8 2.7 1.5 1.8
1.0 1.2 1.4 2.0 .9 1.5 .5 2.2 1.3
58.2 42.7 30.6 31.9 26.2 24.9 19.4 18.2 14.2
7.0 8.3 7.7 7.3 7.7 9.1 7.5 8.8 5.4
The Institute of Internal Auditors Research Foundation
11.3 13.4 16.6 16.7 16.7 16.5 21.6 11.7 18.0
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
_______________________________ Chapter 4: The Professional Practices Framework 137
External Assessments According to Standard 1312, External Assessments, the IAA should have an external assessment at least once every 5 years by a qualified, independent reviewer or review team from outside the organization. All IAAs that existed on January 1, 2002, when this standard became effective should have had an external assessment performed by January 1, 2007. For external reviews, Practice Advisory 1312-1, External Assessments, recommends that an opinion on the IAA’s compliance to the Standards based on a structured rating process be communicated to the CAE. Figure 4-6 indicates when all respondents’ IAAs were last subject to an external quality assessment. The average response for all respondents indicates that 39.7% of respondents’ IAAs have never had an external assessment.
Figure 4-6 When the IAA was Last Subject to a Formal External Quality Assessment in Accordance with Standard 1312 All Respondents (7,230) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
138 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-18 indicates by staff level when respondents’ IAAs were last subject to an external quality assessment. Comparing the average response (39.7%) indicating the IAA has not had an external review to the different levels of staff, 53.7% of the CAE respondents indicate their IAA has not had an external review. This is probably more reflective of the actual status as the CAE is responsible for arranging the external review. It appears that for 44.4% of those responding to this question, their organizations have not been subject to a formal external quality assessment and are not in compliance with Standard 1312 and are therefore not in full compliance with the Standards.
Table 4-18 When the IAA was Last Subject to a Formal External Quality Assessment in Accordance with Standard 1312 All Respondents in Percentages Timing
CAE % of 2,073 Respondents
Audit Manager % of 1,674 Respondents
Audit Audit Staff Other Average Senior/ % of 1,241 % of 429 % of 7,230 Supervisor Respondents Respondents Respondents % of 1,813 Respondents
Scheduled to be completed prior to January 1, 2007, but not yet completed Within the last 12 months 1-3 years ago 4-5 years ago More than 5 years ago Never The external review was not done in accordance with Standard 1312 Do not know
7.7
8.7
7.4
7.2
4.4
7.6
13.8
16.9
17.9
19.1
14.5
16.5
6.9 2.2 1.7
11.2 1.8 2.1
12.0 2.4 1.7
8.8 1.9 1.2
7.5 1.6 1.2
9.5 2.1 1.7
53.7 7.7
38.6 4.9
33.4 4.2
28.7 2.4
35.0 2.3
39.7 5.0
6.3
15.8
21.0
30.7
33.5
17.9
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 139
Table 4-18-1 shows the results for external quality assessments for the groups. More than 40% of the respondents in groups 3 (48.9%), 2 (42.2%), 10 (43.9%), and 1 (41.5%) indicate that their IAA has had a formal external assessment in the last 5 years or will have one completed by January 1, 2007, in accordance with Standard 1312. More than 50% of respondents in groups 9 (59.6%), 12 (59.5%), 5 (54.5%), 4 (51.9%), and 8 (51.5%) noted that they have never had an external assessment.
Table 4-18-1 When the IAA was Last Subject to a Formal External Quality Assessment in Accordance with Standard 1312 by Groups* All Respondents in Percentages Timing Scheduled to be completed prior to January 1, 2007 Within the last 12 months 1-3 years ago 4-5 years ago More than 5 years ago Never Not done in accordance with Standard 1312 Do not know Total percentage Total number of respondents
1
2
8.3
7.5
19.7
3
4
5
6
7
8
9
11.9
3.7
8.3
6.2
6.1
5.6
5.1 18.4
12.8
19.0
15.5
11.4
13.2
17.9
11.9
14.1 13.2
11.0 2.5 2.0
18.2 3.7 3.7
15.1 2.9 2.3
4.7 2.7 5.7
9.8 0.6 0.6
8.9 3.5 1.1
5.4 1.4 0.9
6.5 0.8 0.4
31.1 2.3
32.6 4.3
28.7 3.2
51.9 3.4
54.5 6.8
43.5 12.1
48.0 8.8
51.5 8.2
9.1 1.0 0.0
10
8.8 3.5 0.9
59.6 40.4 1.0 4.4
11 9.6
12 7.1
N/C** 4.0
16.2 14.3 12.6
5.1 1.5 0.5
4.8 0.0 2.4
6.3 1.3 1.1
39.6 59.5 48.0 7.7 4.8 7.2
23.1 17.2 16.9 12.4 8.0 11.5 11.5 15.1 10.1 10.4 19.8 7.1 19.5 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 2,956 187 596 297 499 372 442 827 99 114 197 42 621
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
140 A Global Summary of the Common Body of Knowledge 2006 ______________________
To determine if the length of time the IAA has been in existence within an organization has any effect on compliance to Standard 1312, Table 4-19 compares the length of time that respondents’ organizations have had an IAA to when and if they have had an external assessment. IAAs that have been in existence for 0 to 5 years have the highest percentage (61.2%) of never having had an external assessment. The percentage for never having an external assessment drops to 40.4% for those organizations whose IAAs have been in existence for 6 to 10 years. It appears that, generally, the longer the organization has had an IAA the more likely they have had an external assessment.
Table 4-19 Years the IAA has Existed in an Organization Compared to When the IAA had an External Assessment All Participants in Percentages Years Number Scheduled IAA of to Be Been in Respondents Completed Existence Prior to January 1, 2007, But Not Yet Completed 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More than 50 years
1,853 1,365 770 723 449 462 142 210 39 196 266
5.8 8.6 7.8 7.9 8.7 8.4 7.7 11.0 23.1 6.1 9.8
Within 1-3 4-5 More Never The I Do Total the Last Years Years Than Internal Not 12 Ago Ago 5 Review was Know Months Years Not Done in Ago Accordance with Standard 1312
8.9 14.7 16.2 17.2 26.5 22.5 16.2 27.1 20.5 26.0 24.4
5.0 8.2 10.3 11.3 11.6 11.7 21.8 13.8 12.8 14.3 19.5
0.8 2.1 2.7 3.6 1.8 3.7 3.5 1.9 5.1 3.1 2.3
0.2 1.8 2.1 3.5 2.0 2.4 0.7 1.9 .0 3.1 2.6
61.2 40.4 40.6 29.6 30.3 27.3 28.9 27.1 15.4 23.0 16.9
The Institute of Internal Auditors Research Foundation
4.6 5.7 5.7 4.7 5.8 7.6 6.3 1.4 7.7 2.0 5.6
13.5 18.5 14.6 22.2 13.3 16.4 14.9 15.8 15.4 22.4 18.9
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
_______________________________ Chapter 4: The Professional Practices Framework 141
As shown in Table 4-20, the number of audit staff in the IAA was compared to whether the IAA has had an external assessment. This factor appears to have a marked influence on the IAA having an external assessment. IAAs that have an audit staff of 1-3 indicate that 60.4% never have had an external assessment. This drops to 49% for a staff size of 4-6 and to 17.8% for IAAs with an audit staff of 25 or more.
Table 4-20 Number of Audit Staff in the IAA Compared to When the IAA had an External Assessment All Participants in Percentages Number of Staff
1-3 4-6 7-9 10-12 13-15 16-18 19-21 22-24 25 or more
Number Scheduled of to Be Respondents Completed Prior to January 1, 2007, But Not Yet Completed
1,854 1,311 770 448 352 265 187 137 1,559
5.1 7.8 8.4 6.0 9.9 9.4 6.4 13.1 10.1
Within 1-3 4-5 More Never The I Do Total the Last Years Years Than Internal Not 12 Ago Ago 5 Review was Know Months Years Not Done in Ago Accordance with Standard 1312
7.9 12.5 18.7 18.1 18.5 16.6 25.7 19.7 26.5
4.9 6.6 9.9 8.7 13.9 10.9 10.2 18.2 16.5
1.7 1.8 1.9 2.7 2.3 3.8 3.7 4.4 2.4
1.3 1.6 3.0 1.8 1.7 1.9 2.1 1.5 1.6
60.4 49.0 37.0 39.1 31.3 32.1 25.7 19.7 17.8
5.7 5.9 4.8 4.5 4.3 6.4 5.3 6.6 3.7
13.0 14.8 16.3 19.1 18.1 18.9 20.9 16.8 21.4
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
As with internal assessments, the length of time an IAA has been in existence and the number of audit staff in the IAA affect whether IAAs have had an external assessment.
The Institute of Internal Auditors Research Foundation
142 A Global Summary of the Common Body of Knowledge 2006 ______________________
Quality Assurance and Improvement Program Activities Respondents were asked what types of activities their IAAs used when performing internal and external quality assessments. Practice Advisory 1300-1, Quality Assurance and Improvement Program, states that the quality assurance and improvement program should include activities that are designed to provide reasonable assurance of compliance with the Standards such as appropriate supervision of the audit team. The respondents were requested to indicate which of the listed activities they performed as part of their internal audit quality assessment and improvement program. Figure 4-7 shows the responses given by staff level. As respondents could mark more than one activity the total percentage may be greater than 100%. On average, the activities that are included most often are engagement supervision (42.7%), checklists/manuals to provide assurance that proper audit processes are followed (40.6%), and feedback from audit customers at the end of an audit (38.5%). The least used activities are verification that the IAA is in compliance with the Standards (28.4%), review by external party (20.4%), and compliance with non-IIA standards or codes (19.0%).
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 143
Figure 4-7 Activities Performed by IAAs as Part of a QA&IP All Respondents (8,159) in Percentages
42.7%
Engagement supervision Checklists/manuals to provide assurance that proper audit processes are followed Feedback from audit customers at the end of an audit Internal audit professionals are in compliance with The IIA's Code of Ethics
40.6% 38.5% 31.1% 30.1%
Reviews by other members of IAA Verification that the IAA is in compliance with The Standards
28.4%
Review by external party
20.4%
Compliance with non-IIA standards or codes
19.0%
Not applicable
13.4% 12.2%
Do not know 0%
10%
20%
30%
40%
50%
Percentage of Respondents Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
144 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-21 shows the responses for the types of activities performed as part of a QA&IP given by staff level.
Table 4-21 Activities Performed by IAAs as Part of a QA&IP All Respondents by Staff Level in Percentages Activity
Engagement supervision Checklists/ manuals to provide assurance that proper audit processes are followed Feedback from audit customers at the end of an audit Internal audit professionals are in compliance with The IIA’s Code of Ethics Reviews by other members of the IAA Verification that the IAA is in compliance with the Standards
CAE % of 2,263 Respondents
Audit Managers % of 1,845 Respondents
Audit Audit Staff Other Average Senior/ % of 1,442 % of 569 % of Supervisor Respondents Respondents 8,159 % of 2,040 ResponRespondents dents
48.8
54.2
47.4
38.1
24.8
42.7
44.8
49.9
43.9
38.0
26.7
40.6
41.4
47.4
41.7
38.5
23.4
38.5
37.6
38.9
31.3
28.7
19.3
31.1
27.2
39.1
35.6
30.9
17.9
30.1
35.6
36.7
27.6
26.0
16.5
28.4
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 145
Table 4-21 (Cont.) Activities Performed by IAAs as Part of a QA&IP All Respondents by Staff Level in Percentages Activity
Review by external party Compliance with non-IIA standards or codes Not applicable Do not know
CAE % of 2,263 Respondents
Audit Managers % of 1,845 Respondents
Audit Audit Staff Other Average Senior/ % of 1,442 % of 569 % of Supervisor Respondents Respondents 8,159 % of 2,040 ResponRespondents dents
21.3
25.4
22.2
18.0
15.1
20.4
19.4
23.1
21.9
17.5
13.5
19.0
16.4 3.4
11.8 8.2
10.9 11.9
10.1 17.5
17.8 20.0
13.4 12.2
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Table 4-21-1-A in Appendix 4-B analyzes the responses by groups for the types of activities performed as part of a QA&IP. Consistently throughout the groups, engagement supervision (63.9% to 32.1%), checklists/manuals (57.4% to 33.3%), and feedback from audit customers (55.3% to 31.1%) are the most used activities. Least utilized items by groups include review by external party (34.0% to 12.6%) and reviews of compliance with non-IIA standards or codes (28.0% to 14.7%). These results are consistent with the summary results in Table 4-21. Education of key personnel (audit committees and management) to make them aware of the importance of compliance and the value that may be derived from the quality assessment process may help to increase compliance with Standard 1300.
The Institute of Internal Auditors Research Foundation
146 A Global Summary of the Common Body of Knowledge 2006 ______________________
Compliance with The IIA’s Code of Ethics As part of the CBOK Affiliate survey, affiliates were asked whether they require their members to follow The IIA’s Code of Ethics. Of the 46 affiliates responding to this question, all but one answered in the affirmative. One affiliate has adopted a local version of a code of ethics. The affiliates were then asked how they handled ethical complaints against their members. A wide variety of responses were received. In a number of instances no complaints had ever been received so no process had been put in place. In most cases, complaints were handled by an ethics or disciplinary committee, while some actions were left to the affiliate’s board of directors. In two cases, investigations were conducted in consultation with The IIA.
Summary A large majority of the participants in this study indicate that their IAAs are using the Standards in whole or in part. Compliance with the Standards is affected by the length of time an individual has been a member of The IIA, the number of years an organization has had an IAA, and the number of staff in the IAA. Compliance with Standard 1300 is influenced by the period of time an organization has had an IAA and the size of the audit staff. A large majority of the respondents also believe that the guidance provided by the Standards and most Practice Advisories is adequate. Standards 1300, Quality Assurance and Improvement Program, and 2600, Resolution of Management’s Acceptance of Risks, have lower levels of usage and satisfaction with the adequacy of guidance provided by the Standards. More or clearer guidance may be appropriate in these areas.
References 1. The Institute of Internal Auditors, A Vision for the Future: The Professional Practices Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors), 1999. 2. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors), 2005. 3. The Institute of Internal Auditors, Quality Assessment Manual (Altamonte Springs, FL: The Institute of Internal Auditors), February 2006. 4. The Institute of Internal Auditors, The Institute of Internal Auditors Executive Summary (Altamonte Springs, FL: The Institute of Internal Auditors), September 13, 2006. 5. The Institute of Internal Auditors, IIA International Professional Practices Framework – Exposure Document (Altamonte Springs, FL: The Institute of Internal Auditors), 2007.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 147
APPENDIX 4-A THE IIA’S STANDARDS, PRACTICE ADVISORIES, AND GLOSSARY TO THE STANDARDS AS OF SEPTEMBER 20061 ATTRIBUTE STANDARDS 1000 – Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board. 1000.A1 – The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter. 1000.C1 – The nature of consulting services should be defined in the audit charter. 1100 – Independence and Objectivity The internal audit activity should be independent, and internal auditors should be objective in performing their work. 1110 – Organizational Independence The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. 1110.A1 – The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results. 1120 – Individual Objectivity Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest. 1130 – Impairments to Independence or Objectivity If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
1
Standards are always being updated as the profession evolves.
The Institute of Internal Auditors Research Foundation
148 A Global Summary of the Common Body of Knowledge 2006 ______________________
1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. 1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity. 1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities. 1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement. 1200 – Proficiency and Due Professional Care Engagements should be performed with proficiency and due professional care. 1210 – Proficiency Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. 1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement. 1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. 1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. 1210.C1 – The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 149
1220 – Due Professional Care Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. 1220.A1 – The internal auditor should exercise due professional care by considering the: • Extent of work needed to achieve the engagement’s objectives. • Relative complexity, materiality, or significance of matters to which assurance procedures are applied. • Adequacy and effectiveness of risk management, control, and governance processes. • Probability of significant errors, irregularities, or noncompliance. • Cost of assurance in relation to potential benefits. 1220.A2 – In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques. 1220.A3 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. 1220.C1 – The internal auditor should exercise due professional care during a consulting engagement by considering the: • Needs and expectations of clients, including the nature, timing, and communication of engagement results. • Relative complexity and extent of work needed to achieve the engagement’s objectives. • Cost of the consulting engagement in relation to potential benefits. 1230 – Continuing Professional Development Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development. 1300 – Quality Assurance and Improvement Program The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.
The Institute of Internal Auditors Research Foundation
150 A Global Summary of the Common Body of Knowledge 2006 ______________________
1310 – Quality Program Assessments The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments. 1311 – Internal Assessments Internal assessments should include: • Ongoing reviews of the performance of the internal audit activity; and • Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards. 1312 – External Assessments External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. 1320 – Reporting on the Quality Program The chief audit executive should communicate the results of external assessments to the board. 1330 – Use of “Conducted in Accordance with the Standards” Internal auditors are encouraged to report that their activities are “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.” However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards. 1340 – Disclosure of Noncompliance Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.
PERFORMANCE STANDARDS 2000 – Managing the Internal Audit Activity The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization. 2010 – Planning The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 151
2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process. 2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan. 2020 – Communication and Approval The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations. 2030 – Resource Management The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. 2040 – Policies and Procedures The chief audit executive should establish policies and procedures to guide the internal audit activity. 2050 – Coordination The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts. 2060 – Reporting to the Board and Senior Management The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management. 2100 – Nature of Work The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
The Institute of Internal Auditors Research Foundation
152 A Global Summary of the Common Body of Knowledge 2006 ______________________
2110 – Risk Management The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. 2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the organization’s risk management system. 2110.A2 – The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information. • Effectiveness and efficiency of operations. • Safeguarding of assets. • Compliance with laws, regulations, and contracts. 2110.C1 – During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks. 2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization. 2120 – Control The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include: • Reliability and integrity of financial and operational information. • Effectiveness and efficiency of operations. • Safeguarding of assets. • Compliance with laws, regulations, and contracts. 2120.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization. 2120.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 153
2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria. 2120.C1 – During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses. 2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization. 2130 – Governance The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: • Promoting appropriate ethics and values within the organization. • Ensuring effective organizational performance management and accountability. • Effectively communicating risk and control information to appropriate areas of the organization. • Effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management. 2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities. 2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization. 2200 – Engagement Planning Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations. 2201 – Planning Considerations In planning the engagement, internal auditors should consider: • The objectives of the activity being reviewed and the means by which the activity controls its performance.
The Institute of Internal Auditors Research Foundation
154 A Global Summary of the Common Body of Knowledge 2006 ______________________
• • •
The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model. The opportunities for making significant improvements to the activity’s risk management and control systems. 2201.A1 – When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records. 2201.C1 – Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.
2210 – Engagement Objectives Objectives should be established for each engagement. 2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment. 2210.A2 – The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives. 2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client. 2220 – Engagement Scope The established scope should be sufficient to satisfy the objectives of the engagement. 2220.A1 – The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties. 2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 155
2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement. 2230 – Engagement Resource Allocation Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. 2240 – Engagement Work Program Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded. 2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly. 2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. 2300 – Performing the Engagement Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives. 2310 – Identifying Information Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives. 2320 – Analysis and Evaluation Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations. 2330 – Recording Information Internal auditors should record relevant information to support the conclusions and engagement results. 2330.A1 – The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate. The Institute of Internal Auditors Research Foundation
156 A Global Summary of the Common Body of Knowledge 2006 ______________________
2330.A2 – The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. 2330.C1 – The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. 2340 – Engagement Supervision Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. 2400 – Communicating Results Internal auditors should communicate the engagement results. 2410 – Criteria for Communicating Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. 2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor’s overall opinion and or conclusions. 2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications. 2410.A3 – When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results. 2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. 2420 – Quality of Communications Communications should be accurate, objective, clear, concise, constructive, complete, and timely.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 157
2421 – Errors and Omissions If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication. 2430 – Engagement Disclosure of Noncompliance with the Standards When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the: • Standard(s) with which full compliance was not achieved, • Reason(s) for noncompliance, and • Impact of noncompliance on the engagement 2440 – Disseminating Results The chief audit executive should communicate results to the appropriate parties. 2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration. 2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization, the chief executive should: • Assess the potential risk to the organization. • Consult with senior management and/or legal counsel as appropriate. • Control dissemination by restricting the use of the results. 2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients. 2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board. 2500 – Monitoring Progress The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management. 2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
The Institute of Internal Auditors Research Foundation
158 A Global Summary of the Common Body of Knowledge 2006 ______________________
2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client. 2600 – Resolution of Management’s Acceptance of Risks When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.
Practice Advisories Attribute Standards PA 1000-1 Internal Audit Charter PA 1000.C1-1 Principles Guiding the Performance of Consulting Activities of Internal Auditors PA 1000.C1-2 Additional Considerations for Formal Consulting Engagements PA 1100-1 Independence and Objectivity PA 1110-1 Organizational Independence PA 1110-2 Chief Audit Executive (CAE) Reporting Lines PA 1110.A1-1 Disclosing Reasons for Information Requests PA 1120-1 Individual Objectivity PA 1130-1 Impairments to Independence or Objectivity PA 1130.A1-1 Assessing Operations for Which Internal Auditors Were Previously Responsible PA 1130.A1-2 Internal Auditing’s Responsibility for Other (Non-audit) Functions PA 1200-1 Proficiency and Due Professional Care PA 1210-1 Proficiency PA 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit Activity PA 1210.A2-1 Identification of Fraud PA 1210.A2-2 Responsibility for Fraud Detection PA 1220-1 Due Professional Care PA 1230-1 Continuing Professional Development PA 1300-1 Quality Assurance and Improvement Program PA 1310-1 Quality Program Assessments PA 1311-1 Internal Assessments PA 1312-1 External Assessments PA 1312-2 External Assessments Self-assessment with Independent Validation PA 1320-1 Reporting on the Quality Program PA 1330-1 Use of “Conducted in Accordance with the Standards”
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 159
Performance Standards PA 2000-1 Managing the Internal Audit Activity PA 2010-1 Planning PA 2010-2 Linking the Audit Plan to Risk and Exposures PA 2020-1 Communication and Approval PA 2030-1 Resource Management PA 2040-1 Policies and Procedures PA 2050-1 Coordination PA 2050-2 Acquisition of External Audit Services PA 2060-1 Reporting to Board and Senior Management PA 2060-2 Relationship with the Audit Committee PA 2100-1 Nature of Work PA 2100-2 Information Security PA 2100-3 Internal Auditing’s Role in the Risk Management Process PA 2100-4 Internal Auditing’s Role in Organizations Without a Risk Management Process PA 2100-5 Legal Considerations in Evaluating Regulatory Compliance Programs PA 2100-6 Control and Audit Implications of E-commerce Activities PA 2100-7 Internal Auditing’s Role in Identifying and Reporting Environmental Risks PA 2100-8 Internal Auditing’s Role in Evaluating an Organization’s Privacy Framework PA 2110-1 Assessing the Adequacy of Risk Management Processes PA 2110-2 Internal Auditing’s Role in the Business Continuity Process PA 2120.A1-1 Assessing and Reporting on Control Processes PA 2120.A1-2 Using Control Self-assessment for Assessing the Adequacy of Control Processes PA 2120.A1-3 Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures, and Management Certifications PA 2120.A1-4 Auditing the Financial Reporting Process PA 2120.A4-1 Control Criteria PA 2130-1 Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization PA 2200-1 Engagement Planning PA 2210-1 Engagement Objectives PA 2210.A1-1 Risk Assessment in Engagement Planning PA 2230-1 Engagement Resource Allocation PA 2240-1 Engagement Work Program PA 2240.A1-1 Approval of Work Programs
The Institute of Internal Auditors Research Foundation
160 A Global Summary of the Common Body of Knowledge 2006 ______________________
PA 2300-1 PA 2310-1 PA 2320-1 PA 2330-1 PA 2330.A1-1 PA 2330.A1-2 PA 2330.A2-1 PA 2340-1 PA 2400-1 PA 2410-1 PA 2420-1 PA 2440-1 PA 2440-2 PA 2440-3 PA 2500-1 PA 2500.A1-1 PA 2600-1
Internal Auditing’s Use of Personal Information in Conducting Audits Identifying Information Analysis and Evaluation Recording Information Control of Engagement Records Legal Considerations in Granting Access to Engagement Records Retention of Records Engagement Supervision Legal Considerations in Communicating Results Communication Criteria Quality of Communications Recipients of Engagement Results Communications Outside the Organization Communicating Sensitive Information Within and Outside the Chain of Command Monitoring Progress Follow-up Process Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 161
GLOSSARY TO THE STANDARDS
Add Value Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services. Adequate Control Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically. Assurance Services An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements. Board A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee, to whom the chief audit executive may functionally report. Charter The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities. Chief Audit Executive Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes such titles as general auditor, chief internal auditor, and inspector general.
The Institute of Internal Auditors Research Foundation
162 A Global Summary of the Common Body of Knowledge 2006 ______________________
Code of Ethics The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing. Compliance Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements. Conflict of Interest Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively. Consulting Services Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training. Control Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Control Environment The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: • Integrity and ethical values. • Management’s philosophy and operating style. • Organizational structure. • Assignment of authority and responsibility. • Human resource policies and practices. • Competence of personnel.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 163
Control Processes The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Engagement A specific internal audit assignment, task, or review activity, such as an internal audit, control selfassessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives. Engagement Objectives Broad statements developed by internal auditors that define intended engagement accomplishments. Engagement Work Program A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan. External Service Provider A person or firm, outside of the organization, who has special knowledge, skill, and experience in a particular discipline. Fraud Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. Governance The combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Impairments Impairments to individual objectivity and organizational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding). Independence The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.
The Institute of Internal Auditors Research Foundation
164 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Audit Activity A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Objectivity An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others. Residual Risk The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk. Risk The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Risk Management A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. Should The use of the word “should” in the Standards represents a mandatory obligation. Standard A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 165
APPENDIX 4-B Table 4-3-1-A IAA is in Full Compliance with the Standards All Respondents in Percentages Standard
Number of Respondents
Full Compliance
Partial Compliance
Not in Compliance
Do Not Know
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks
5,947
63.0
25.0
2.2
9.8
5,953
66.9
22.2
2.7
8.2
5,923
62.9
26.1
2.0
9.0
5,896
40.0
35.7
12.1
12.2
5,900
57.6
28.9
3.3
10.2
5,844 5,886 5,881
57.5 57.7 59.7
28.7 29.0 28.2
2.3 2.9 1.9
11.5 10.4 10.2
5,896
64.1
24.6
2.0
9.3
5,873 5,873
52.6 46.9
32.1 30.7
4.4 7.4
10.9 15.0
The Institute of Internal Auditors Research Foundation
166 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-3-2-A IAA is in Full Compliance with the Standards CAE Respondents in Percentages Standard
Number of Respondents
Full Compliance
Partial Compliance
Not in Compliance
Do Not Know
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks
1,765
68.1
26.7
2.0
3.2
1,772
73.6
22.0
2.1
2.3
1,760
67.0
28.3
1.5
3.2
1,746
33.2
45.0
16.1
5.7
1,754
61.8
32.0
2.7
3.5
1,730 1,749 1,743
59.3 60.4 62.1
32.8 32.5 31.8
2.6 2.7 1.9
5.3 4.4 4.2
1,738
68.6
26.2
2.1
3.1
1,730 1,742
56.1 49.0
35.5 35.0
4.1 8.0
4.3 8.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 167
Table 4-3-3-A IAA is in Full Compliance with the Standards Practitioner Respondents in Percentages Standard
Number of Respondents
Full Compliance
Partial Compliance
Not in Compliance
Do Not Know
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks
4,169
60.8
24.2
2.3
12.7
4,167
64.1
22.2
2.9
10.8
4,149
61.1
25.1
2.1
11.7
4,136
43.0
31.7
10.4
14.9
4,132
55.8
27.5
3.6
13.1
4,101 4,123 4,124
56.8 56.7 58.7
26.9 27.5 26.7
2.2 2.9 1.9
14.1 13.0 12.7
4,144
62.3
23.8
2.0
11.9
4,130 4,117
51.3 46.1
30.6 28.8
4.5 7.0
13.6 18.1
The Institute of Internal Auditors Research Foundation
168 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-3-4-A IAA is in Full Compliance with the Standards by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
68.9 70.6 69.1 47.2 63.8 64.7 63.3 67.3 69.7 60.1 57.9
61.8 66.2 69.2 37.7 60.1 61.3 59.1 60.4 66.2 57.1 48.1
62.7 65.4 63.3 40.2 57.4 55.4 58.9 61.5 67.9 51.7 50.0
51.0 54.3 46.5 25.9 47.0 44.3 33.3 35.0 41.3 31.2 29.1
58.1 61.8 52.9 35.5 52.5 46.6 54.6 51.0 56.9 48.2 33.6
60.9 71.1 60.5 34.3 56.4 50.0 52.2 55.6 63.5 53.8 41.3
58.7 66.9 64.9 38.7 55.9 57.2 57.6 57.8 61.6 47.6 37.7
61.7 66.7 59.9 35.2 52.5 56.7 58.3 60.5 63.9 47.7 37.3
62.8 66.2 60.5 32.0 50.7 51.3 56.6 55.8 60.5 50.6 35.5
63.6 70.0 56.9 30.0 56.0 49.5 50.0 47.7 56.0 39.8 36.4
62.4 73.2 61.3 29.5 57.3 57.6 56.6 52.4 64.4 53.1 46.6
55.9 63.6 55.9 21.2 48.4 44.8 56.3 40.6 68.8 50.0 40.6
48.3 54.0 50.6 33.3 43.8 45.2 46.5 46.7 51.3 40.2 33.4
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-3-5-A IAA Partially Complies with the Standards by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
14.2 13.9 15.0 25.8 19.0 17.0 18.7 16.1 14.5 21.3 19.8
23.7 21.4 20.5 40.9 29.4 26.0 27.9 29.2 23.4 29.9 33.1
27.8 25.3 28.2 38.3 29.8 32.4 30.5 29.8 23.6 35.8 32.1
43.7 38.8 46.5 53.8 43.7 45.5 57.3 55.7 51.0 51.8 48.6
34.8 31.8 39.7 43.7 35.2 42.8 35.3 39.6 33.2 39.2 42.0
33.2 24.3 33.0 43.7 35.4 38.6 37.9 35.0 30.9 35.5 37.7
34.9 28.1 29.8 43.1 37.6 36.1 37.0 37.8 32.6 43.1 43.9
29.9 27.2 34.4 38.1 38.7 35.8 34.3 33.1 30.1 40.6 37.6
26.9 16.9 28.9 38.7 34.7 36.8 31.6 33.8 31.6 33.8 34.2
27.3 23.6 33.9 46.4 28.4 36.7 38.9 41.3 36.7 48.1 37.3
31.5 22.8 32.0 53.7 34.0 32.6 33.6 39.9 27.4 36.7 36.5
38.2 33.3 41.2 51.5 48.4 48.3 40.6 53.1 28.1 43.8 37.5
38.3 32.8 37.3 43.7 39.7 39.3 38.3 38.5 35.3 40.7 38.5
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 169
Table 4-3-6-A IAA is Not in Compliance with the Standards by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
1.1 1.6 1.1 9.1 1.5 1.2 1.9 1.2 1.2 2.4 3.1
3.9 3.2 1.3 9.1 1.3 1.3 1.9 0.6 0.6 0.6 4.5
2.1 3.7 1.9 12.9 5.4 3.1 3.4 1.7 1.7 5.2 7.4
1.6 4.1 3.7 14.2 4.0 3.3 3.7 2.8 3.6 8.1 9.7
2.6 3.1 3.1 12.6 5.8 2.9 4.3 3.6 5.1 6.3 13.3
2.0 1.6 1.6 15.3 3.9 3.4 3.3 2.0 1.0 4.0 8.0
3.4 3.6 3.7 14.3 4.2 3.9 3.4 1.7 3.6 6.8 13.2
4.0 3.1 2.1 18.2 4.4 2.4 3.8 2.3 2.4 6.4 10.9
5.1 11.7 5.3 16.0 8.0 6.6 5.3 3.9 2.6 7.8 21.1
1.8 0.0 3.7 14.5 4.6 4.6 2.8 2.8 0.9 5.6 10.0
0.7 0.0 1.3 12.1 3.3 2.1 3.5 1.4 2.7 4.1 8.8
5.9 3.0 2.9 24.2 3.2 3.4 0.0 6.3 0.0 6.3 18.8
3.8 5.5 2.9 11.9 5.4 3.9 3.6 3.9 2.7 7.3 10.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
170 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-6-1-A Standards Guidance is Adequate CAE Respondents in Percentages Standard
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
Number of Respondents
Yes
No
Do Not Use
Do Not Know
1,791
93.3
1.1
2.7
2.9
1,775 1,767
94.1 92.9
2.1 1.7
1.5 2.5
2.3 2.9
1,761
81.5
6.1
8.7
3.7
1,755
90.0
3.6
3.3
3.1
1,738 1,752 1,744 1,751 1,732 1,729
88.0 89.4 89.3 91.3 88.4 81.3
3.7 3.3 3.9 3.2 4.0 6.5
3.9 4.2 3.7 2.9 4.1 6.9
4.4 3.1 3.1 2.6 3.5 5.3
89.0
3.6
4.0
3.4
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 171
Table 4-6-2-A Standards Guidance is Adequate Practitioner Responses in Percentages Standard
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
Number of Respondents
Yes
No
Do Not Use
Do Not Know
4,266
83.2
1.3
2.7
12.8
4,240 4,227
85.6 84.5
1.6 1.7
1.7 2.2
11.1 11.6
4,207
75.6
4.7
5.3
14.4
4,215
81.0
2.9
3.3
12.8
4,178 4,198 4,187 4,190 4,171 4,179
79.8 81.2 81.5 82.6 79.1 73.8
2.9 3.3 3.5 3.1 4.1 5.2
3.3 2.8 2.7 2.4 3.9 4.7
14.0 12.7 12.3 11.9 12.9 16.3
80.7
3.1
3.2
13.0
The Institute of Internal Auditors Research Foundation
172 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-6-3-A Standards Guidance is Adequate by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
81.9 83.7 82.6 75.6 80.8 78.9 80.1 81.0 81.5 79.1 75.7
83.8 84.1 87.3 78.3 82.9 82.2 81.0 82.1 83.3 82.1 74.4
88.1 89.5 88.3 79.1 83.7 81.1 84.8 83.7 86.9 83.4 79.3
90.7 91.5 92.7 79.3 86.1 84.3 82.7 82.7 86.8 79.7 75.2
91.6 93.6 89.9 77.7 85.7 82.4 88.2 87.1 88.6 85.6 72.6
90.5 92.7 91.1 77.7 89.4 84.0 84.1 86.6 88.6 85.4 74.8
90.8 94.3 93.1 86.9 90.4 89.4 92.2 91.2 92.0 88.1 83.6
92.7 93.9 93.2 77.3 89.4 90.5 91.3 91.7 91.7 87.6 77.3
93.2 93.2 91.5 72.5 80.3 81.7 76.8 76.8 78.3 74.3 64.8
91.5 91.6 89.5 77.6 85.7 82.9 86.7 84.6 88.5 79.8 76.9
11
12
88.0 100.0 91.1 100.0 88.4 97.1 81.2 91.4 83.2 97.1 85.0 96.9 87.5 91.2 86.8 85.3 88.8 97.1 86.2 91.2 78.4 90.9
N/C** 81.5 85.2 83.8 72.9 78.1 78.9 78.8 78.2 80.3 75.9 69.8
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-6-4-A Standards Guidance is Adequate by Groups* CAE Respondents in Percentages Standard
1
2
3
4
5
6
7
8
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
92.2 92.4 91.9 82.5 90.6 88.2 89.0 89.6 90.6 89.1 84.7
92.9 91.2 98.6 83.8 92.6 92.6 87.0 89.7 91.2 89.6 79.1
96.8 96.7 95.2 86.9 91.8 86.9 87.4 88.2 90.9 86.9 83.6
96.1 96.1 97.4 87.0 90.8 90.5 89.3 89.3 92.1 86.5 81.1
92.4 96.5 91.1 75.7 88.2 80.6 90.3 88.8 93.1 91.5 69.0
94.9 96.6 94.9 76.7 92.2 84.8 84.3 87.7 93.9 89.6 80.7
91.9 96.0 92.8 89.5 88.5 91.6 92.6 89.7 92.7 89.5 84.4
95.5 95.9 92.7 74.9 91.6 91.0 93.0 92.5 93.0 90.0 80.9
9
10
11
12
N/C**
93.5 100.0 93.5 100.0 93.3 97.1 75.9 82.9 82.8 91.4 82.1 94.3 89.3 94.3 79.3 94.3 82.8 97.1 80.0 82.4 66.7 85.7
93.3 95.0 89.8 86.7 86.7 89.7 91.4 91.1 91.2 89.3 78.9
100.0 100.0 100.0 100.0 100.0 100.0 100.0 87.5 100.0 87.5 100.0
87.8 88.5 89.4 78.9 81.9 83.9 85.4 82.8 85.1 79.8 74.5
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 173
Table 4-6-5-A Standards Guidance is Adequate by Groups* Practitioner Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
77.9 80.4 79.1 73.0 77.0 75.3 76.6 77.7 78.0 75.2 72.3
76.7 78.7 78.7 74.2 75.6 74.2 76.4 76.1 77.3 76.4 70.8
85.5 87.3 86.1 76.9 81.3 79.3 84.0 82.3 85.7 82.3 78.0
88.6 89.8 90.4 76.5 84.3 81.8 80.6 79.4 84.1 77.4 72.7
91.0 91.8 89.1 78.6 84.1 83.2 86.9 85.9 86.0 82.1 74.2
87.9 90.4 88.8 78.1 87.8 83.5 83.9 85.8 85.4 82.8 71.2
90.3 93.7 93.2 86.0 91.0 88.6 92.0 91.7 91.7 87.6 83.3
91.3 93.0 93.5 78.5 88.2 90.3 90.5 91.4 91.1 86.4 75.5
93.0 92.9 90.2 70.0 78.6 81.4 68.3 75.0 75.0 70.0 63.4
87.3 87.5 85.9 75.0 82.9 77.1 82.9 79.7 84.1 78.6 72.5
11
12
84.7 100.0 88.7 100.0 87.5 96.3 77.7 88.9 81.1 96.2 82.1 95.8 85.1 88.5 84.2 84.6 87.4 96.2 84.4 92.3 78.1 88.0
N/C** 79.5 84.0 82.0 71.2 76.9 77.3 76.7 77.0 78.8 74.9 68.5
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-6-6-A Standards Guidance is Not Adequate by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
11
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
0.8 1.3 1.5 3.8 2.1 2.4 2.4 2.2 2.4 3.1 4.1
1.3 5.1 1.9 4.5 5.1 2.5 4.4 5.1 3.8 3.2 7.1
1.3 2.2 2.4 7.9 4.0 5.7 3.8 5.3 3.4 5.1 6.1
2.0 2.4 1.2 7.7 4.9 4.1 5.3 5.3 3.7 5.8 6.2
1.0 1.0 2.5 5.7 3.2 3.7 2.9 5.5 4.0 3.8 8.5
1.3 1.6 1.0 6.5 2.2 3.9 4.2 3.0 3.2 3.2 5.9
1.9 1.9 1.7 1.9 2.5 3.3 2.5 2.8 3.6 3.6 5.3
1.0 1.5 0.4 5.1 2.5 1.4 2.1 2.1 2.4 3.0 5.0
0.0 0.0 1.4 2.9 9.9 7.0 14.5 13.0 11.6 14.3 9.9
0.0 0.9 2.9 9.3 4.8 5.7 5.7 7.7 3.8 10.6 7.7
2.5 2.5 2.6 7.8 7.7 4.6 4.6 5.3 3.3 5.3 9.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
12 0.0 0.0 2.9 2.9 0.0 0.0 2.9 8.8 0.0 5.9 3.0
N/C** 3.2 3.5 3.2 8.2 4.7 4.3 5.6 6.6 4.7 7.3 8.7
174 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-7-1-A IAA Does Not Use Practice Advisories by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
15.2 14.6 15.2 17.5 15.6 16.4 15.7 15.4 15.4 16.4 18.2
11.5 12.3 13.8 18.0 15.3 17.0 19.0 17.5 15.6 16.1 24.5
10.6 11.0 11.0 12.6 12.1 11.6 12.4 11.6 11.1 13.3 14.4
8.7 7.3 7.7 15.9 7.2 9.6 10.0 10.1 7.9 9.4 20.2
7.3 7.0 8.1 16.8 10.0 11.8 8.4 7.9 9.7 11.1 21.2
17.1 16.0 18.6 20.6 18.9 22.2 20.8 18.7 16.7 18.3 27.1
10.0 7.1 7.9 16.0 10.5 8.6 8.1 8.7 9.1 12.8 15.9
7.6 6.7 7.5 20.1 9.3 9.3 7.1 7.1 7.4 11.0 20.3
12.5 14.3 13.1 27.0 14.5 11.1 12.9 11.1 12.9 12.7 28.3
12.2 10.2 11.1 16.9 10.2 11.4 12.4 11.4 11.4 13.8 18.2
7.3 7.3 7.5 15.8 8.9 9.0 7.4 6.6 7.4 8.3 11.1
3.4 3.4 6.9 13.8 3.4 3.4 3.4 6.9 3.4 3.4 13.8
13.3 11.6 11.6 16.9 14.2 16.4 15.8 15.6 14.5 16.6 19.9
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 175
Table 4-8-1-A Practice Advisory Guidance is Adequate All Respondents in Percentages Practice Advisory
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
Number of Respondents
Yes
No
Do Not Use
4,801 4,792 4,779 4,759
86.0 86.3 85.4 77.2
1.7 2.2 2.4 5.5
12.3 11.5 12.2 17.3
4,755 4,735 4,748 4,739 4,747 4,731 4,733
83.4 82.3 83.2 83.5 84.0 81.1 75.4
3.4 3.8 3.7 3.7 3.4 4.5 5.8
13.1 13.9 13.1 12.8 12.6 14.4 18.8
82.5
3.7
13.8
The Institute of Internal Auditors Research Foundation
176 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-8-2-A Practice Advisory Guidance is Adequate CAE Respondents in Percentages Practice Advisory
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
Number of Respondents
Yes
No
Do Not Use
1,455 1,442 1,433 1,427
86.7 86.7 86.2 76.2
2.1 2.6 2.4 6.5
11.2 10.7 11.4 17.3
1,427 1,420 1,425 1,422 1,422 1,417 1,416
83.5 81.8 83.5 83.9 84.4 82.6 75.2
4.2 4.6 3.9 3.9 4.2 4.9 6.2
12.3 13.6 12.6 12.2 11.4 12.5 18.6
82.7
4.2
13.1
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 177
Table 4-8-3-A Practice Advisory Guidance is Adequate Practitioner Respondents in Percentages Practice Advisory
1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks Overall Average
Number of Respondents
Yes
No
Do Not Use
3,356 3,350 3,346 3,332
85.7 86.2 85.1 77.7
1.6 2.0 2.4 4.9
12.7 11.8 12.5 17.4
3,328 3,315 3,323 3,317 3,323 3,314 3,317
83.4 82.5 83.1 83.3 83.8 80.5 75.4
3.0 3.4 3.5 3.6 3.0 4.4 5.6
13.6 14.1 13.4 13.1 13.2 15.1 19.0
82.4
3.4
14.2
The Institute of Internal Auditors Research Foundation
178 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-8-4-A Practice Advisory Guidance is Adequate by Groups* All Respondents in Percentages Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000 1100 1200 1300 2000 2100 2200 2300 2400 2500 2600
83.6 84.0 83.0 78.4 82.4 81.3 81.9 82.2 82.6 80.8 78.4
84.9 81.2 84.1 74.8 78.8 78.5 75.9 79.6 80.7 77.4 66.9
87.3 86.4 85.7 81.0 84.6 84.1 82.6 84.4 86.1 81.7 78.5
87.4 89.4 89.6 74.2 87.8 84.8 80.6 81.0 85.9 83.9 68.5
91.7 90.4 89.3 77.6 85.8 82.7 87.7 84.9 84.7 81.1 68.2
81.3 81.0 79.7 73.9 76.8 73.5 73.3 77.4 80.8 77.4 66.9
88.9 92.1 90.4 81.5 87.7 87.1 90.2 88.7 87.7 82.0 79.5
90.5 91.2 91.0 74.4 87.1 88.1 90.3 90.1 89.2 84.8 75.7
87.5 85.7 83.6 66.7 82.3 81.0 79.0 81.0 79.0 79.4 60.0
86.7 87.5 84.4 70.8 83.0 77.3 82.0 83.0 79.5 81.6 76.1
89.1 89.8 87.3 75.2 80.0 82.1 83.8 85.3 85.2 85.7 75.6
96.6 96.6 93.1 86.2 96.6 93.1 96.6 93.1 96.6 93.1 86.2
83.2 84.1 83.4 74.3 79.7 78.3 79.5 79.1 79.6 75.2 70.7
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 179
Table 4-15-1-A When IAA was Last Subject to a Formal Internal Quality Assessment in Accordance with Standard 1311 by Groups* All Respondents in Percentages Timing
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
To be completed prior to January 1, 2007 Within the last 12 months 1-3 years ago 4-5 years ago More than 5 years ago Never Not done in accordance with Standard 1311 Do not know Total percentage Total respondents
9.2
7.4
11.4
6.1
7.8
3.5
6.5
7.2
4.0
14.9
7.6
14.3
6.1
25.5
21.6
30.2
16.4
22.2
25.1
24.8
21.1
18.2
20.3 23.0
16.7
16.5
8.5
8.9
10.9
4.7
5.0
6.7
8.2
5.5
7.1
7.0
5.6
4.8
5.2
1.4
4.2
2.3
1.3
0.8
0.9
0.9
0.7
2.0
2.6
0.0
0.0
0.8
1.4
4.2
1.0
3.0
0.6
0.8
0.5
0.7
1.0
0.0
0.0
0.0
1.3
28.5 3.7
27.9 5.3
22.9 5.9
52.8 2.7
47.0 8.4
41.2 11.6
39.5 9.8
43.3 16.9
53.5 6.1
33.3 36.2 7.0 9.2
45.2 11.9
44.3 8.4
21.8
20.5
15.4
13.0
8.2
10.2
9.8
4.6
8.1
14.9 18.4
7.1
17.4
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
100.0
2,967
190
599
299
500
371
440
830
99
114
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
196
42
619
180 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-21-1-A Activities Performed by IAAs as Part of a Quality Assessment and Improvement Program by Groups* All Respondents in Percentages Activity Engagement supervision Checklists/ manuals to provide assurance that proper audit processes are followed Feedback from audit customers at the end of an audit Internal audit professionals are in compliance with The IIA’s Code of Ethics Reviews by other members of the IAA
1
2
3
4
5
46.0
43.7
53.7
32.1 37.8
44.8
48.5
51.6
41.6
55.3
34.6
33.9
6
7
8
9
52.4 63.9
44.7
38.4 38.5
52.1 48.8
53.4
42.9 40.4
33.0
36.9
38.8
45.4
10
11
12
N/C**
38.8
38.5 47.1
53.2
27.1
33.3
34.5
38.5 52.4
57.4
23.2
43.3 40.0
31.1
32.8
40.0 44.0
36.2
24.0
36.0 36.8
31.2 34.7
30.1
31.0
34.8 28.9
36.2
18.1
26.2 21.3
31.9 35.1
24.4
27.6
33.3 36.4
31.9
17.7
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 181
Table 4-21-1-A (Cont.) Activities Performed by IAAs as Part of a Quality Assessment and Improvement Program by Groups* All Respondents in Percentages Activity
1
2
3
4
5
Verification that the IAA is in compliance with the Standards Review by external party Compliance with non-IIA standards or codes Not applicable I do not know Total number of respondents
33.3
31.6
38.6
26.8 31.4
22.6
31.1
32.7
19.8
27.7
13.3
6
7
8
9
29.3 30.8
25.5
13.4 18.8
28.1 21.0
23.6
21.4 19.9
12.1
7.9
7.7 12.9
14.2
7.8
9.5
7.4
3,332
206
661
336
10
11
12
N/C**
24.1
37.0 29.3
31.9
14.0
12.6
14.7
19.3 22.2
34.0
11.3
19.0 28.0
15.7
15.5
14.8 14.7
23.4
13.2
11.7
9.8
18.1
20.7
8.1 12.9
23.4
9.2
4.9
4.0
2.9
9.2
4.3
10.4
5.8
0.0
7.7
574
420
490
945
116
135
225
47
1,057
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
182 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 5
Chapter 5: Current Status of the Internal Audit Activity ................................................... 183 Introduction......................................................................................................................... 183 The IAA’s Relationship within the Organization ............................................................... 184 Relationship with the Audit Committee.............................................................................. 191 External Relationships - Legislation Affecting Internal Auditing ...................................... 192 Organizations’ and CAEs’ Perceptions About the IAA...................................................... 194 Methods Used to Measure the Value Added by the IAA.................................................... 197 Internal Audit Activity........................................................................................................ 200 Managing the Internal Audit Activity................................................................................. 202 Creating the Audit Plan....................................................................................................... 204 Allocation of IAAs’ Time................................................................................................... 207 Performing the Engagement - The Use of Tools ................................................................ 214 Current Usage of Audit Tools and Techniques................................................................... 216 Predictive Changes in the Use of Audit Tools and Techniques Over the Next Three Years........................................................................................... 227 Resolution of Major Differences ........................................................................................ 233 Reporting of Findings ......................................................................................................... 235 Monitoring Corrective Action............................................................................................. 237 Summary ............................................................................................................................. 239 Appendix 5.......................................................................................................................... 240
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 183
CHAPTER 5 CURRENT STATUS OF THE INTERNAL AUDIT ACTIVITY
Introduction This chapter summarizes the respondents’ perceptions about their internal audit activities’ (IAAs’) relationships within the organization and how the IAA performs the steps in the audit process. The chapter follows the outline of the audit process. The topics covered start with respondents’ IAAs reporting relationships within their organizations, their relationships with their audit (oversight) committees, and how IAAs measure the value they add to their organizations. This chapter then addresses the IAA’s processes to perform an audit, including the management of the IAA; planning and scope of work; the range of internal audit tasks; types of audits that are performed; and allocation of audit time. The next section of this chapter reviews the tools that are currently used or plan to be used by internal auditors to prepare audit plans and perform engagements. The final section covers how respondents report audit findings and how issues are addressed and resolved. The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA. These more detailed summaries of results may be provided for the five categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the Other category consist primarily of other professional staff whose position is not captured by the
The Institute of Internal Auditors Research Foundation
184 A Global Summary of the Common Body of Knowledge 2006 ______________________
traditional job titles included in the survey. A review of their credentials indicates they may be members of the IAA, employed by service providers, or in organizations where their titles are less traditional but with duties within internal auditing. When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of this report. Some tables have additional details. For example, Table 5-17 is the total of all respondents for that question with a related Table 5-17-2 showing the responses by group. Additional related tables may be located in Appendix 5 at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 5-3-1-A is located in Appendix 5.
The IAA’s Relationships within the Organization Reporting Relationships For the IAA to remain independent, the CAE’s reporting status is very important. The IIA recommends a dual reporting relationship where the CAE reports to the audit committee of the board as well as to a senior management executive. Such matrix reporting allows the IAA to build organizational independence while also serving management. Survey questions asked about reporting relationships for the CAE. The results of the survey indicate that the reporting status of CAEs was generally in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards) Attribute Standard 1110, Organizational Independence. This standard requires the IAA to be independent and internal auditors to be objective in performing their work. Practice Advisory 11102, Chief Audit Executive (CAE) Reporting Lines states “the CAE should report functionally to the audit committee or its equivalent” and administratively to the chief executive officer of the organization. The largest percentage of responding CAEs indicate that they report to the audit committee.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 185
As detailed in Figure 5-1, 47.3% of CAEs report to the audit committee level and another 43.4% report to the executive level of management. Only 5.1% report to a staff manager position.
Figure 5-1 CAE’s Reporting Status CAE Respondents (2,367) in Percentages
Other 4.2%
Independent position reporting to the audit committee of the board/ oversight board 47.3%
Staff position reporting to a staff manager 5.1% Officer position reporting to executive management/ high-level government official 20.6%
Manager position reporting to executive management/ high-level government official 22.8%
The Institute of Internal Auditors Research Foundation
186 A Global Summary of the Common Body of Knowledge 2006 ______________________
To gain a better understanding of the factors that could influence the reporting level of the CAE, Table 5-1 looks at reporting status by type of organization. The IIA believes that the CAE should functionally report to the audit committee. It is apparent that this occurs in the majority of cases in publicly listed and not-for-profit organizations. This is not the case in the public sector where there is a tendency to report to either a line manager or a high government official. This could reflect differences in the organizational configuration of public sector operations where the audit committee structure is often absent.
Table 5-1 CAE’s Reporting Status by Type of Organization CAE Respondents in Percentages Type of Organization
Not-forProfit Organization Publicly Traded (Listed) Company Privately Held (Non-listed) Company Other Service Provider/ Consultant Public Sector/ Government
Number of Respondents
Independent Position Reporting to the Audit Committee of the Board/ Oversight Board
Officer Managerial Staff Position Other Total Position Position Reporting to a Reporting to Reporting to Staff Manager the Executive Executive Management/ Management/ High-level High-level Government Government Official Official
171
56.1
13.5
21.1
6.4
2.9
100.0
820
55.3
17.4
19.9
5.1
2.3
100.0
587
47.5
22.0
22.5
5.5
2.5
100.0
56 205
41.1 38.0
21.4 22.9
23.2 17.7
3.6 2.9
10.7 18.5
100.0 100.0
521
36.1
25.6
29.8
5.2
3.3
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 187
The high level of reporting status and the importance of the CAE’s relationship with the board is reinforced by those involved in the CAE’s appointment and performance review. The responses listed in Figure 5-2 indicate that 51.2% of the CAE respondents were appointed by the audit committee, and the chairperson of the board was involved in nearly one-third of the CAE respondents’ appointments.
Figure 5-2 Position that Appoints CAE CAE Respondents (2,359) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
There is evidence of involvement of the CEO in 54.4% of CAE respondents’ appointments. The CFO had a role in the CAE respondent’s appointment 27.8% of the time. This level of involvement by the board, the audit committee, and senior management in the appointment of the CAE reinforces the overall high level of CAE reporting status and the importance of the CAE to the organization.
The Institute of Internal Auditors Research Foundation
188 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-2 shows, by group, information about the position that appoints the CAE (see Appendix 1B for a list of the groups). There are noticeable differences between the group results for CAEs that are appointed by the audit committee chairperson in groups 1, 2, 3, 11, and 12 (61.6% to 68%) and in groups 4 to 10 (26% to 38%).
Table 5-2 Position that Appoints CAE by Group* CAE Respondents in Percentages Position
1
Audit Committee/ Oversight Committee/ Committee Chairperson Chief Executive Officer Chairperson of the Board Chief Financial Officer Another person reporting to CFO Other
2
3
4
5
6
7
8
9
10
11
12
N/C**
68.0 61.6 67.1 38.0 26.0 26.0 29.8 36.7 37.0 31.9 65.4 66.7
41.6
55.6 67.4 58.6 37.0 55.0 56.0 50.4 58.4 37.0 59.6 49.4 55.6 18.3 10.5 13.8 68.0 44.0 49.0 44.3 52.8 43.5 40.4 33.3 33.3
47.0 38.9
41.8 32.6 46.7 6.8 4.7 5.3
8.5 14.8 11.1 2.1 0.0 0.0
20.1 0.7
6.4
13.4
7.0 10.0 26.0 6.1 15.4 10.9 3.0 0.0 3.0 0.8 1.3 2.2
13.4 23.3 15.8 14.0 21.0 10.0 17.6
8.2
6.5
4.9
0.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
Tied to the discussion of the reporting level of CAEs within an organization is who undertakes the performance review of the CAE. Despite the recommended dual reporting structure, evaluation is primarily a management responsibility (Practice Advisory 1110-2). Board members and/or audit committee members usually do not have sole responsibility for such functions for the CAE, although their input in the evaluation process is valuable. Figure 5-3 summarizes the CAEs’ responses indicating the level within an organization that performs their evaluation. The audit committee’s involvement is most prevalent in the CAEs’ evaluation (48.7%) with an almost equal input by the CEO (44.9%) and significant input by senior management (31.2%). The chairperson of the board is involved with 16.4% of the CAEs’ evaluations while the
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 189
entire board is involved 16.1% of the time. As CAE respondents could indicate all those who participated in their evaluation and the percentages in Figure 5-3 add up to well over 100.0%, it appears that input from several high-level officials of an organization are combined to evaluate the performance of the CAE.
Figure 5-3 Evaluation of CAEs’ Performance CAE Respondents (2,359) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
190 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-3 shows group differences indicating who evaluates the CAE. Further analysis by type of organization is provided in Table 5-3-1-A in Appendix 5. This table indicates that the audit committee is most involved in publicly traded and not-for-profit organizations. The chief executive officer takes the lead in privately held and public sector organizations.
Table 5-3 Evaluation of CAEs’ Performance by Group* CAE Respondents in Percentages Position
1
2
Board of Directors Chairperson of the Board Chief Executive Officer Audit Committee/ Oversight Committee/ Committee Chairperson Senior Management Auditee/Client at the end of audit Supervisor periodically Peers/Subordinates periodically Not evaluated
7.1 6.5
5.8 4.7
3
4
5
6
7
8
9
10
11
12
N/C**
9.9 23.0 34.0 26.0 25.2 24.9 19.6 25.5 19.8 11.1 5.9 57.0 20.0 23.0 26.7 31.5 15.2 12.8 13.6 11.1
14.1 18.1
42.1 59.3 46.1 49.0 45.0 44.0 42.7 50.8 39.1 44.7 46.9 77.8 59.8 62.8 67.8 21.0 27.0 29.0 35.1 44.9 37.0 36.2 64.2 88.9
40.3 35.6
38.0 38.4 41.4 25.0 32.0 12.0 25.2 26.6 26.1 23.4 13.6 0.0 8.1 19.8 27.6 5.0 14.0 15.0 14.5 9.5 0.0 27.7 7.4 22.2
28.2 6.0
9.7 5.8 8.6 4.6 14.0 15.1
5.0 11.0 11.0 6.0 5.0 7.0
4.6 4.6
4.9 3.0
4.3 4.3 4.3 10.6
2.5 11.1 6.2 11.1
6.7 2.7
3.0
1.0
5.3
2.0
6.5 10.6
4.9
7.4
3.5
3.9
3.0 6.0
0.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 191
Relationship with the Audit Committee Practice Advisory 2060-2, Relationship with the Audit Committee, governs the relationship of the IAA and the audit committee. As noted in Table 5-4, CAEs confirm that an audit/oversight committee exists in 72.6% of their organizations. The CAE’s relationship with the committee chairperson is very important. Of respondent CAEs with audit committees, 63.2% meet regularly with their audit committee chair in addition to attending regular audit committee meetings. It is notable that of those that have audit/oversight committees, 91.3% of CAEs believe they have appropriate access to the committee.
Table 5-4 CAE’s Relationship with Audit/Oversight Committee CAE Respondents Percentage of Yes Responses Question
Is there an audit/oversight committee in your organization? Does the CAE meet with the audit/ oversight committee chairperson in addition to the regularly scheduled meetings? Does the CAE believe that he/she has appropriate access to the audit/ oversight committee?
Total Respondents
Yes Percent of Total Responses
2,315
72.6
1,669
63.2
1,671
91.3
As indicated in Table 5-4-1-A in Appendix 5, CAE responses by groups have some major differences relating to the CAE’s relationship with an audit committee. These differences appear to be primarily related to the existence of the audit committee structure in some groups and not in others. CAEs in groups 1, 2, 3, and 11 specify that 81.5% to 92.9% of their organizations have an audit committee, compared to CAEs in the other groups who indicate that 38.7% to 69.5% of their organizations have an audit committee. In group 12, all respondents have an audit committee.
The Institute of Internal Auditors Research Foundation
192 A Global Summary of the Common Body of Knowledge 2006 ______________________
For those CAEs that have an audit committee, Table 5-5 summarizes the number of audit committee meetings held in the last fiscal year, the number of meetings CAEs were invited to attend, and the number of meetings attended by the CAEs. The CAEs responding indicate that 96.9% of audit committees met between 1 and 12 times per year. The majority of audit committees (82.7%) met 4 or more times per year. There is also a close correlation between the number of audit committee meetings held, the number of meetings the CAEs were invited to attend, and the number of times the CAEs actually attended the meetings.
Table 5-5 Audit/Oversight Committee Meetings During Last Fiscal Year CAE Respondents in Percentages Number of Audit Committee Meetings None 1 2 3 4 5 6 7 8 9 10 11 12 More than 12 Total
Meetings Held Percent of 1,661 Total Respondents
Meetings the CAE was Invited to Attend Percent of 1,657 Total Respondents
Meetings the CAE Attended Percent of 1,656 Total Respondents
1.8 5.9 9.6 35.5 10.2 11.8 2.6 6.1 1.4 4.3 1.3 6.4
8.0 4.8 7.4 8.6 31.6 9.4 9.7 2.5 5.1 1.3 3.2 0.8 4.8
7.9 4.7 7.9 8.8 31.6 9.6 9.0 2.8 5.0 1.3 3.5 1.3 4.0
3.1 100.0
2.8 100.0
2.6 100.0
External Relationships - Legislation Affecting Internal Auditing In the CBOK Affiliate questionnaire, IIA affiliate leaders were asked about local and federal regulations and legislation affecting the profession of internal auditing. Of the 46 affiliates that
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 193
responded, 78% indicate that their countries have legislation or regulations affecting the internal auditing profession. Table 5-6 lists the 36 affiliates whose countries have laws and regulations affecting internal auditing. The United States and Canada also have legislation affecting internal auditing. In a majority of the responding affiliates’ countries, legislation or regulations exist affecting internal auditing in the public sector. In most of these affiliates, financial entities, banks, and insurance companies are subjected to legislation that prescribes the establishment or the role of internal auditing in an organization. In several affiliates (e.g., The Netherlands, Norway, South Africa, and Spain), corporate governance requirements for listed companies strongly recommend the installation of an IAA as part of their corporate governance structure. In other affiliates (e.g., France, Italy, United Kingdom, and Ireland), it is recommended that all private companies, whether listed or not, have an IAA. In a few affiliates (e.g., Belgium and Turkey), initiatives have been taken to create a more formal legal framework for the internal audit profession.
Table 5-6 Countries with Legislation or Regulation Affecting Internal Auditing Argentina Australia Austria Azerbaijan Belgium Bolivia Bulgaria Canada Congo Denmark Dominican Republic Finland France Germany Israel Italy Japan Lebanon Lithuania
Luxembourg Mexico The Netherlands Norway Peru Philippines Russia Singapore Slovenia South Africa Spain Sweden Taiwan Thailand Turkey Uganda United Kingdom and Ireland United States Venezuela
The Institute of Internal Auditors Research Foundation
194 A Global Summary of the Common Body of Knowledge 2006 ______________________
In 61% (22 affiliates) of the 36 responding affiliates where legislation or regulation affecting internal auditing exists, The IIA affiliate had an influence on the final form of the legislation or regulation. Table 5-7 provides an overview of these 22 affiliates.
Table 5-7 Countries Where the IIA Affiliate Influenced Legislation or Regulation Affecting Internal Auditing Australia Azerbaijan Bulgaria Denmark Finland France Germany Italy Japan Luxembourg Mexico
The Netherlands Norway Philippines Russia South Africa Spain Sweden Taiwan Thailand Turkey United Kingdom and Ireland
Those IIA affiliates that assisted in the development of the legislation or regulations took part in the discussions and provided input through participation and lobbying in committees, work groups, and conferences. IIA affiliates also regularly issue their own opinions on drafts of local and national laws and regulations. The publication of position papers and articles reflecting their members’ ideas and opinions is a common method of participation in the evolution of local and national laws and regulations.
Organizations’ and CAEs’ Perceptions About the IAA To gain an understanding of how the IAA is perceived within their organization, all respondents were asked to rank their level of agreement with the statements in Table 5-8 on a scale of 1- 5, from strongly disagree (1) to strongly agree (5). The mean response for each question was calculated for the four IAA staff levels responding to the survey. With means mostly above 4.2 for all staff levels, most auditees indicate their IAA is highly independent, objective, adds value, and effectively evaluates internal controls. This is generally supported by the group results in Table 5-8-1-A located in Appendix 5.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 195
Statements with means around 4.0 indicate respondents’ agreement that their IAAs have an effective approach to risk management; are an integral part of the governance process; are credible within the organization; are proactive in looking at important financial matters, risks, and internal controls; have sufficient status in the organization; and that compliance with the IIA’s Code of Ethics is a key factor for their IAAs to add value to their organizations. The statements ranked under 4.0 but above 3.5 indicate respondents have less support for the statements about effectiveness in the evaluation of corporate governance and compliance with The IIA’s Standards. Overall, the perceptions by the respondents provide a very positive view about the IAA within their organizations. In Table 5-8-1-A in Appendix 5, mean responses for these statements for CAEs by groups show very similar results across all groups.
Table 5-8 Relationship of IAA to the Organization All Respondents in Means* Statement
CAE Mean of 2,374 Respondents
Audit Audit Senior/ Manager Supervisor Mean Mean of 2,033 of 2,251 Respondents Respondents
Audit Staff Mean of 1,626 Respondents
Your internal audit function is an independent objective assurance and consulting activity. Your internal audit function adds value. Internal audit brings a systematic approach to evaluate the effectiveness of risk management. Your internal audit function brings a systematic approach to evaluate the effectiveness of internal controls. Your internal audit function brings a systematic approach to evaluate the effectiveness of governance processes. Your internal audit function proactively examines important financial matters, risks, and internal controls.
4.45
4.34
4.25
4.10
4.41
4.32
4.26
4.20
4.03
3.99
3.98
3.95
4.35
4.27
4.21
4.11
3.80
3.73
3.71
3.74
4.10
4.05
3.96
3.88
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
The Institute of Internal Auditors Research Foundation
196 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-8 (Cont.) Relationship of IAA to the Organization All Respondents in Means* Statement
Your internal audit function is an integral part of the governance process by providing reliable information to management. The way our internal audit function adds value to the governance process is through direct access to the audit committee. Your internal audit function has sufficient status in the organization to be effective. Independence is a key factor for your internal audit function to add value. Objectivity is a key factor for your internal audit function to add value. Your internal audit function is credible within your organization. Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing is a key factor for your internal audit activity to add value to the governance process. Compliance with The IIA’s Code of Ethics is a key factor for your internal audit function to add value to the governance process.
CAE Mean of 2,374 Respondents
Audit Audit Senior/ Manager Supervisor Mean Mean of 2,033 of 2,251 Respondents Respondents
Audit Staff Mean of 1,626 Respondents
4.10
4.04
3.97
3.91
3.52
3.81
3.66
3.51
4.07
3.97
3.86
3.75
4.46
4.40
4.32
4.29
4.58
4.47
4.42
4.36
4.30
4.17
4.08
3.99
3.86
3.90
3.89
3.90
4.03
4.04
3.98
3.99
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 197
Methods Used to Measure the Value Added by the IAA The IIA defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” In The IIA’s Standards Glossary, add value is defined as, “Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.” Figure 5-4 on the following page lists the methods used by the respondents’ organizations to measure the value added by their IAAs. The measures include acceptance and implementation of recommendations (51.4%), assessment by customer surveys from audited departments (34.6%), and the number of management requests for internal assurance or consulting projects (26.8%). Reliance by the external auditors on the IAA is also used as a value-added indicator (33.5%). No formal measurement of value added was indicated in 32.6% of the 2,361 respondents. As can be seen in Table 5-9, considerable differences exist between groups in the methods used to evaluate the value added by IAAs. There are significant differences when relying on customer/ auditee surveys (10.9% - 57.9%), reliance by external auditors (9.7% - 77.8%), and the number of major audit findings (4.3% - 66.7%). There was variation between groups where there is no formal measurement of value added by IAAs’ services with a high of 47.5% for group 6.
The Institute of Internal Auditors Research Foundation
198 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 5-4 Methods Used to Measure Value Added by the IAA CAE Respondents (2,361) in Percentages
internal audit activity
internal audit assurance or consulting
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
Method of Evaluation
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
Customer/client surveys from audited departments Recommendations accepted/implemented Cost savings and improvements from recommendations implemented Number of management requests for internal audit assurance or consulting projects Reliance by external auditors on the internal audit activity Budget to actual audit hours Cycle time from entrance conference to draft report Number of major audit findings Other No formal measurement of value added Total respondents by group
37.5
50.0
57.9
32.0
26.0
24.4
33.6
23.0
10.9
55.3
32.9
44.4
32.0
46.9
52.3
55.3
59.2
53.7
34.4
62.6
56.3
60.9
31.9
64.6 100.0.0
58.0
30.1
27.9
17.8
49.5
31.1
17.5
34.4
21.7
30.4
17.0
42.7
66.7
36.0
28.0
44.2
34.9
21.4
21.5
14.4
26.7
23.7
32.6
12.8
39.0
77.8
23.3
37.7
46.5
50.7
9.7
16.4
32.5
30.5
33.2
10.9
34.0
34.1
77.8
26.7
17.9 10.8
30.2 12.8
25.7 13.8
8.7 3.9
12.4 5.6
18.8 12.5
22.9 11.5
9.9 10.2
26.1 15.2
19.1 14.9
14.6 13.4
33.3 11.1
12.7 12.7
15.2
19.8
18.4
44.7
37.3
15.0
29.8
18.4
37.0
4.3
30.5
66.7
29.3
11.1 34.5
11.6 24.4
17.1 27.6
3.9 35.0
18.6 27.1
7.5 47.5
4.6 31.3
9.9 32.6
8.7 26.1
8.5 31.9
9.8 23.2
11.1 11.1
11.3 30.0
914
86
152
103
177
160
131
304
46
47
82
9
150
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 199
Table 5-9 Methods Used to Measure Value Added by the IAA by Group* All Respondents by Group in Percentages
200 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Audit Activity Governing Documents in the Organization According to Standard 2130, Governance, the IAA “should assess and make appropriate recommendations for improving the governance process.” Table 5-10 shows the types of documents that support the establishment of corporate governance in an organization. Respondents report that 73.3% of their organizations have a corporate ethics policy/code of ethics/code of conduct and 66.3% have a long-term strategic plan. Only 53.2% of the respondents’ organizations have a corporate governance code and 56.9% have an audit oversight/committee charter.
5,322 4,974
6,201
6,859
Number of Yes Responses
56.9 53.2
66.3
73.3
Percent of Respondents
Table 5-10 Documents that Exist in the Organization Supporting the Establishment of Corporate Governance All Respondents in Percentages Documents
Corporate Ethics Policy/Code of Ethics/ Code of Conduct Long-term Strategic Plan for the Organization Audit Oversight/Committee Charter Corporate Governance Code
Note: The respondents were asked to mark all that apply so the total responses may be more than the total number of respondents and the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 201
Figure 5-5 shows the type of documents that support the work and performance of the IAA. Each is important to the success of the IAA. An internal audit charter is required by The IIA’s Attribute Standard 1000, Purpose, Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal Audit Charter. Documented audit plans are expected to be in use. Compliance with Performance Standard 2010, Planning, requires the CAE to “Establish risk-based plans to determine the priorities of the IAA.”
Figure 5-5 Documents that Exist in the Organization Supporting the Work and Performance of the IAA All Respondents in Percentages
Audit Activity
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
The respondents indicate that 81.3% of their IAAs have an audit plan, 72.3% of their IAAs have an internal audit charter, and 60.1% have a mission statement. A majority of respondents’ IAAs (69.5%) use internal audit risk assessments to develop the audit plan. Respondents indicate that 63% of their IAAs have an internal audit operating manual/policy statement and 40.3% have an audit plan that is longer than one year. These are all positive signs for effective internal audit procedures.
The Institute of Internal Auditors Research Foundation
202 A Global Summary of the Common Body of Knowledge 2006 ______________________
Managing the Internal Audit Activity To gather information about compliance with The IIA’s Standards, all respondents were asked questions about who performed administrative tasks, quality assessments of the IAA, and technical competency training for internal auditors. The questions required the respondent to indicate what percentage of these activities are performed by the IAA, by service providers, or not performed at all. Performance Standard 2000 requires that the chief audit executive (CAE) “should effectively manage the internal audit activity to ensure it adds value to the organization.” These activities include administrative activities such as developing an audit plan and assigning audit tasks. Performance Standard 2200 states that, “Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations.” The results in Table 5-11 show that 91.5% of all respondents believe that their IAA performs the administrative tasks appropriate for the department. The vast majority of IAA leadership takes charge of the administrative responsibilities inherent in the IAA.
Table 5-11 Managing the Internal Audit Activity Who Performs Audit Activities All Respondents in Percentages Activity
Administrative (audit plan, assign tasks) Technical competency training for auditors Quality assessment of internal audit activity
Total Number of Respondents by Activity
IAA
Other Co-Sourced OutNot Total Departments sourced Performed Percent in by Organization Activity
7,750
91.5
3.6
2.3
1.2
1.4
100.0
8,746
44.4
14.1
6.6
21.3
13.6
100.0
8,212
37.0
13.5
5.3
17.4
26.8
100.0
Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same for each activity.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 203
To continuously monitor the effectiveness of the IAA, Standard 1300 states, “The CAE should develop and maintain a quality assurance and improvement program” (QA&IP). The QA&IP should include both ongoing and periodic internal assessments that cover the entire spectrum of audit and consulting work performed by the internal audit activity. The quality of the internal audit activities are assessed by the IAA (37%), other departments (13.5%), or outsourced (17.4%). About twenty-seven percent (26.8%) of the respondents do not perform quality assessments of their internal audit activities. More details about respondents’ QA&IP programs can be found in Chapter 4. Standard 1210 requires that internal auditors “possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.” To be certain that the audit staff has the necessary skills, 44.4% of the IAAs provide technical competency training for auditors. Other departments within the organization provide 14.1% of the training, and 27.9% of training is either co-sourced or outsourced. Of the respondents, 13.6% indicate that no training for the audit staff is provided.
The Institute of Internal Auditors Research Foundation
204 A Global Summary of the Common Body of Knowledge 2006 ______________________
Creating the Audit Plan In accordance with IIA Performance Standard 2010 on Planning, the CAE should plan what to audit based on risk assessment. Figure 5-6 indicates that 95.6% of CAEs plan their audit activity at least annually, including 36.4% who update their plan multiple times a year.
Figure 5-6 Percentage Frequency of Audit Plan Updating CAE Respondents (2,305) in Percentages
No audit plan 3.2%
Every two years 0.7% More than every two years 0.5%
Multiple times per year 36.4%
Every year 59.2%
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 205
Figure 5-7 lists the methods CAEs use to determine the audit plan. The use of risk-based methodology required by Performance Standard 2010 and Practice Advisory PA 2010-1, Planning, is used by 86.7% of the respondents. This method is supplemented by 73.1% of respondents who include requests from management. Audit planning is also influenced by consulting the previous year’s plan (62.8%) and consultation with divisional or business heads (62.9%). Strong influence on the audit plan can come from audit committee requests (55.5%) and compliance/regulatory requirements (58.8%) as well.
Figure 5-7 How the Audit Plan is Established CAE Respondents (2,288) in Percentages
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
206 A Global Summary of the Common Body of Knowledge 2006 ______________________
As shown in Table 5-12, the groups’ CAEs show a consistently high percentage of reliance on riskbased methodology for audit planning, from a low of 75% to a high of 100%. Audit committee/ oversight committee requests are strongly supported in groups 1, 2, 3, 11, and 12, and there is high reliance and compliance/regulatory requirements in groups 1, 2, 7, and 12. Requests from management and review of previous year’s audit plan are also supported.
Table 5-12 How Audit Plan is Established by Groups* CAE Respondents in Percentages Method
1
Use of a risk-based methodology Consult previous years audit plan Consultation with divisional or business heads Requests from management Audit committee/ oversight committee requests Compliance/regulatory requirements Requests from or consultation with external auditors Other Total number of respondents
2
3
4
5
6
7
8
9
10
11
12
N/C**
89.1 94.2 94.6 87.3 85.1 89.8 82.0 77.2 75.0 93.6 91.3 100.0
78.7
62.0 61.6 59.2 80.4 60.6 65.6 60.9 59.9 56.8 53.2 66.3 88.9
68.1
73.1 87.2 78.9 42.2 52.6 49.7 46.1 54.1 40.9 80.9 57.5 44.4
49.6
78.8 81.4 72.8 53.9 74.9 71.3 64.1 73.5 68.2 59.6 67.5 88.9
62.4
65.7 81.4 68.0 36.3 28.0 38.9 37.5 51.0 47.7 51.1 71.3 77.8
48.9
66.2 67.4 58.5 43.1 39.4 59.2 65.6 55.1 52.3 34.0 55.0 77.8
56.0
40.8 58.1 50.3 22.5 16.6 47.1 22.7 23.1 9.1 38.3 35.0 33.3
30.5
8.9
9.3
878
86
7.5
7.8 14.9 12.1 15.6 7.5 11.4
147 102
175
157
128 294
44
8.5
6.3 22.2
7.1
47
80
141
9
*For a list of affiliate groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so that the total percent by group may be more than 100.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 207
Allocation of IAAs’ Time The definition of internal auditing and Standard 2100, Nature of Work, includes three broad areas of responsibility for IAAs to “evaluate and contribute to the improvement of risk management, control, and governance processes.” The following summarizes the respondent’s responses about the how IAAs’ time is allocated, the types of audits performed in the organization and who performs them, and what tools are used by the IAA when performing their work. Audits are generally placed in three categories, (1) general types of audits, (2) audits performed in the areas of risk management, control, and governance processes, and (3) other audit activities. In order to gauge the extent of various types of internal audit activities performed by the IAAs, respondents were asked to estimate the time spent on compliance audits, consulting/advisory, financial process audits, fraud investigations, governance audits, information technology audits, operational, management audits, and other types of audits. Table 5-13 on the following page shows the mean percentage of time spent for all respondents over a period of 6 years (3 years ago, currently, and an estimate for 3 years from now).
The Institute of Internal Auditors Research Foundation
208 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-13 Average of IAAs’ Time Spent on Audits for All Respondents in Mean Percentages Activity
Mean Percentage of Time Spent 3 Years Ago
Mean Percentage of Current Time Spent
Mean Percentage of Time Expected to be Spent 3 Years from Now
Anticipated Change in Mean Percentage of Time Spent from 2003 to 2009
Compliance audits (laws, regulations, and policy) Operational Financial process audits (including assistance to the external auditor) Consulting/advisory Information technology audits Other Fraud investigations (forensic accounting/auditing Management audits Governance audits (ethics, control framework, regulatory, linkage of strategy, and company performance) Total
23.4
22.4
19.9
-3.5
22.5 15.5
21.1 14.9
19.5 13.8
-3.0 -1.7
8.2 7.9 6.6 5.9
9.8 9.7 3.3 6.1
11.5 12.3 2.6 6.2
+3.3 +4.4 -4.0 +0.3
5.2 4.8
5.5 7.2
5.8 8.4
+0.6 +3.6
100.0
100.0
100.0
Note: Responses are in percentages and the mean percentage is the average response for that activity.
For the six-year period, while no one type of audit appears to dominate the work performed by IAAs, respondents indicate that most of the IAAs’ time was, is, and will be spent on compliance audits (23.4% past, 22.4% current, and 19.9% future). Time spent on operational auditing is a close second with 22.5% in the past, 21.1% currently, and 19.5% in the future. The third largest type of audit is financial with 15.5% of audit time three years ago, 14.9% currently, and 13.8% in the future. As the time spent on those types of audits has been decreasing, the time spent on consulting, governance, and information technology is increasing. This seems reasonable since the definition of internal auditing changed to include consulting and governance in 1999.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 209
Types of Audits Performed Table 5-14 lists types of audits and who performs them. The top four types of audits performed by the IAA are internal auditing (85.6%), operational auditing (79.1%), investigations of fraud and irregularities (56.3%), and financial auditing (56%). Other IAA engagements include ethics audits (47.1%), management effectiveness audits (48.5%), and information technology department assessments (45.4%). The three largest audit areas that are co-sourced or outsourced are financial auditing (27.2%), information technology department assessment (18.8%), and quality/ISO audits (14.1%). The three areas where audits are less likely to be performed by the IAA are social and sustainability audits (40.0%), quality/ISO audits (32.6%), and ethics audits (27.4%). The results in Table 5-13 indicate that IAAs anticipate spending most of their time on compliance audits, operational audits, and financial process audits. Table 5-14 shows that operational audits and financial auditing are most often performed by the IAA. The internal auditing category in Table 5-14 presumes to include compliance auditing since that was not asked separately in this survey question. The results for where the IAA’s time is spent and who performs these audit activities appear to be consistent for the respondents. Fraud investigations, ethics audits, and information technology department audits do not consume much IAA time in Table 5-13, but are in the domain of many IAAs as indicated in Table 5-14.
The Institute of Internal Auditors Research Foundation
210 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-14 Types of Audits Who Performs Audit Activities All Respondents in Percentages Type of Audit
Internal auditing Operational audits Investigations of fraud and irregularities Financial auditing Management effectiveness review/audit Ethics audits Information technology department assessment Social and sustainability audits Quality/ISO audits
Total IAA Other CoOutNot Total Number Department in Sourced sourced Performed Percent of Respondents Organization by Activity by Activity 7,918 8,443 9,877
85.6 79.1 56.3
3.4 11.9 31.4
4.8 3.6 5.9
3.3 2.5 3.8
2.9 2.9 2.6
100.0 100.0 100.0
8,989 8,324
56.0 48.5
14.7 28.4
7.2 3.7
20.0 3.1
2.1 16.3
100.0 100.0
7,828 8,959
47.1 45.4
21.3 28.8
3.0 8.8
1.2 10.0
27.4 7.0
100.0 100.0
7,648
22.7
30.4
3.4
3.5
40.0
100.0
7,896
20.5
32.8
4.6
9.5
32.6
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 211
Risk, Controls, and Governance Audits Practice Advisory 1311-1, Internal Assessments, states, “The CAE is responsible for establishing an internal audit activity whose scope of work includes all the activities in the Standards and in the definition of internal auditing,” which includes effectiveness of risk management, control, and governance processes. Realizing that all audits have some elements of all three, the following summarizes the type of audit activities performed in these three areas and who performs these audits.
Effectiveness of Risk Management The internal auditor has several responsibilities for the effectiveness of risk management within an organization. Standard 2110, Risk Management, states that the IAA should “assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.” Standard 2600, Resolution of Management’s Acceptance of Risks, highlights the importance of the CAE discussing risks and other internal audit findings with senior management. If the decision regarding residual risk is not resolved, the CAE should report the matter to the board for resolution. Table 5-15 shows the major audit activities performed in the risk, control, and governance areas. Risk management work performed within organizations includes business viability assessments, information risk assessment, and enterprise risk management. While the majority of business viability assessments are performed by other departments within the organization (51.6%), IAAs perform 24.6% of these audits and 16.8% of the respondents report that these audits are not performed. In the area of information risk assessment, the IAA performs 47.5% of the activities and other departments perform 30.9% and 15.2% of this work is co-sourced or outsourced. For enterprise risk management activities, IAAs perform 37.6% of these assessment activities, other departments within the organization perform 43.6%, and 6.5% of these activities are co-sourced or outsourced.
The Institute of Internal Auditors Research Foundation
212 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-15 Who Performs Risk, Control, and Governance Audit Activities All Respondents in Percentages Activity
Internal control testing/systems evaluation Control framework monitoring and development Compliance with corporate governance and regulatory code requirements Information risk assessment Enterprise risk management Resource management and controls Linkage of strategy and company performance Business viability assessments
Total IAA Other CoOutNot Total Number Department in Sourced sourced Performed Percent of Respondents Organization by Activity by Activity 9,366
70.8
17.0
6.3
4.2
1.7
100.0
8,772
58.9
28.6
4.6
1.5
6.4
100.0
9,181
51.4
35.3
5.0
2.0
6.3
100.0
9,282
47.5
30.9
8.2
7.0
6.4
100.0
8,679
37.6
43.6
5.0
1.5
12.3
100.0
8,096
32.1
47.9
3.6
2.0
14.4
100.0
8,266
26.3
55.8
3.8
1.6
12.5
100.0
7,742
24.6
51.6
4.5
2.5
16.8
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 213
Audits of Controls Standard 2120, Control, states that the IAA should “assist the organization in maintaining effective controls.” In Table 5-15, respondents indicate that 70.8% of the activities to test internal controls and systems evaluation are done by the IAA. Other departments perform 17% of the same activities and 10.5% of these activities are co-sourced or outsourced.
Corporate Governance Standard 2130, Governance, requires IAAs to “assess and make appropriate recommendations for improving the governance process.” Table 5-15 lists several governance audit activities performed within organizations. The corporate governance activities performed by IAA includes control framework monitoring and development (58.9%), compliance with corporate governance and regulatory code requirements (51.4%), resource management and controls (32.1%), and linkage of strategy and company performance (26.3%). Logically, other departments within organizations are very active in compliance with corporate governance and regulatory code requirements (35.3%) and in the areas of linkage of strategy and company performance (55.8%) and resource management and controls (47.9%).
Compliance or Special Consulting Projects Table 5-16 shows audit activities from the list provided to the respondents in the CBOK 2006 questionnaire that are compliance activities or special consulting projects. Practice Advisory 2120.A1-1, Assessing and Reporting on Control Processes, states that testing “compliance with laws, regulations, and contracts” is part of the IAA’s study and evaluation of internal controls. Two areas where the IAA performs compliance activities are compliance with company privacy policies (43.1%) and health, safety, and environment (22.1%). The definition of internal auditing includes consulting in its scope of acceptable audit activity. A few areas of consulting included in the study indicate that 11.3% of the activities for corporate takeovers/mergers are performed by IAAs while 50.4 % are handled by other departments in the organization. The IAA provides 46.2% of the support for external auditors, other departments provide 28.1% and co-sourced or outsourced work accounts for 14% of the activities required. Project management activities are performed mainly by other departments (58.3%) with 27.7% of these activities performed by the IAA. The IAA and other departments in the organization each provide 39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
The Institute of Internal Auditors Research Foundation
214 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-16 Who Performs Other Audit Activities All Respondents in Percentages Activity
External audit assistance Compliance with company privacy policies Special projects Project management Health, safety, and environment Corporate takeovers/mergers
Total IAA Other CoOutNot Total Number Department in Sourced sourced Performed Percent of Respondents Organization by Activity by Activity 8,421
46.2
28.1
5.1
8.9
11.7
100.0
8,584
43.1
42.1
4.0
1.6
9.2
100.0
10,414 8,542
39.6 27.7
39.6 58.3
8.3 5.1
7.1 2.8
5.4 6.1
100.0 100.0
8,083
22.1
57.3
4.2
3.0
13.4
100.0
7,796
11.3
50.4
4.9
3.8
29.6
100.0
Performing the Engagement – The Use of Tools This section summarizes the use of 16 tools and techniques currently in place or planned to be used by IAAs globally. The demands on the IAA and its staff are increasing as the significance and usefulness of the work of the IAA become better known and valued throughout the organization. Internal audit is designed to add value and improve an organization’s operations by bringing a systematic, disciplined approach to evaluation, improvement, and effectiveness of risk management, controls, and governance. As internal auditing resources may be constrained, the IAA must use audit tools and techniques to use its time efficiently. The tools and techniques in the CBOK survey were identified by reviewing the Standards and Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilot study. Based on this review, 16 tools and techniques
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 215
were identified as being important for the IAA. Respondents could not add to or amend the list that was included in the CBOK 2006 survey. Some of the tools listed help with audit administration (planning, managing, preparing working papers, etc.) while others relate to helping internal auditors perform their engagements (analyzing data, statistical sampling, etc.). All the tools contribute to the IAA adding value to the organization. The selection of tools and techniques in this survey is supported by the Standards and Practice Advisories. In the Standards and expanded upon in the Practice Advisories, certain tools are emphasized: •
Attribute Standard 1220, Due Professional Care, recommends that the internal auditor in exercising due professional care should consider the use of computer-assisted audit tools and other data analysis techniques.
•
Analytical review is supported in Practice Advisory 2100-10, Audit Sampling.
•
Risk-based audit planning is addressed in Standard 2010, Planning, which requires the chief audit executive to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
•
Standard 2010.A1, Assurance Engagement, states that the IAA plan of engagements should be based on a risk assessment, undertaken at least annually. This issue is also analyzed by the Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures.
•
Practice Advisory 2100-10, “Audit Sampling is defined as the application of audit procedures to less than 100 percent of the population to enable the auditor to evaluate audit evidence about some characteristics of the items selected to form or assist in forming a conclusion concerning the population. Statistical sampling involves the use of techniques from which mathematically constructed conclusions regarding the population can be drawn.”
•
Practice Advisory 1311-1, Internal Assessments, suggests that Periodic Assessment may include benchmarking of the IAA practices and performance metrics against relevant best practices of the internal auditing profession.
•
The balanced scorecard tool is mentioned in Practice Advisory 1311-2, Establishing Measures (Quantitative Metrics and Qualitative Assessments) to Support Reviews of Internal Audit
The Institute of Internal Auditors Research Foundation
216 A Global Summary of the Common Body of Knowledge 2006 ______________________
Activity Performance. This Practice Advisory reflects recommended practices for measuring the performance of internal auditing and it is related to Standard 1311, Internal Assessments. •
Practice Advisory 2120.A1-2, Using Control Self Assessment (CSA) for Assessing the Adequacy of Control Processes, states that the CSA methodology can be used by managers and internal auditors for assessing the adequacy of the organization’s risk management and control processes. Internal auditors can utilize CSA programs for gathering relevant information about risks and controls, for focusing the audit plan on high risk, unusual areas, and to forge greater collaboration with operating managers and work teams.
•
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring.
The respondents were asked to indicate which tools/techniques their IAAs currently use or plan to use in the next three years by rating all the tools listed on a five point scale from 1, not used, to 5, extensively used. Results are shown in means and/or in the frequency of respondents selecting a tool/technique. Tables include responses by position, by response type, and/or by groups.
Current Usage of Audit Tools and Techniques The use of various tools and techniques is fundamental for the effectiveness and efficiency of the IAA in performing their engagements. The use of these tools/techniques helps the auditor successfully plan, monitor progress, document, analyze data, complete the audit, and determine the magnitude of audit findings. Table 5-17 indicates the extent that respondent IAAs currently use sixteen different audit tools/techniques. The means listed in the table summarize the responses given by each staff level of auditors: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The mean was calculated based on a scale of 1 (not used) to 5 (extensively used). An overall mean for each item is also presented. The results show that CAEs and Practitioners almost uniformly rank the tools/techniques currently used by the IAA the same. Electronic communication (e.g., Internet, e-mail), risk-based audit planning, analytical review, and electronic workpapers are currently the most utilized tools. Electronic communication is overwhelmingly the highest ranked tool/technique for all respondents.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 217
Table 5-17 Extent the IAA Currently Uses Audit Tools/Techniques All Respondents by Mean* Tools/Techniques
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Analytical review Electronic workpapers Statistical sampling Computer-assisted audit techniques Flowchart software Benchmarking Process mapping application Control self-assessment Data mining Continuous/real-time auditing The IIA’s quality assessment review tools Balanced scorecard or similar framework Total quality management techniques Process modeling software
Number of Respondents
Overall Mean
CAE
Audit Manager
Audit Audit Other Senior/ Staff Supervisor
6,629
4.08
3.98
4.15
4.19
4.13
3.64
6,596
3.56
3.57
3.63
3.58
3.54
3.08
6,619 6,566 6,522 6,567
3.21 3.19 2.77 2.67
3.12 2.99 2.64 2.54
3.21 3.28 2.69 2.73
3.28 3.28 2.83 2.73
3.23 3.38 3.00 2.73
3.05 2.90 2.76 2.68
6,526 6,494 6,496
2.42 2.41 2.36
2.31 2.37 2.22
2.51 2.44 2.39
2.45 2.42 2.43
2.46 2.42 2.46
2.41 2.41 2.39
6,497 6,385 6,483
2.30 2.26 2.21
2.09 2.18 2.06
2.27 2.26 2.12
2.42 2.29 2.30
2.54 2.37 2.47
2.40 2.18 2.22
6,409
2.06
1.93
2.13
2.07
2.18
2.09
6,417
2.02
1.85
2.06
2.09
2.13
2.07
6,366
1.97
1.79
1.98
2.00
2.19
2.11
6,352
1.69
1.51
1.66
1.78
1.88
1.87
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used. Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same for each audit tool/technique.
The Institute of Internal Auditors Research Foundation
218 A Global Summary of the Common Body of Knowledge 2006 ______________________
The tools/techniques that obtained the highest overall means from all respondents are: 1. 2. 3. 4. 5.
Other electronic communication (e.g., Internet, e-mail) (4.08). Risk-based audit planning (3.56). Analytical review (3.21). Electronic workpapers (3.19). Statistical sampling (2.77).
The tools/techniques that received the lowest overall mean responses are: 12. 13. 14. 15. 16.
Continuous/real-time auditing (2.21). The IIA’s quality assessment review tools (2.06). Balanced scorecard or similar framework (2.02). Total quality management techniques (1.97). Process modeling software (1.69).
As shown in Table 5-17-1-A, even in regions of the world where access to the Internet might not be easily or readily available, it is generally ranked the highest. Electronic working papers and riskbased audit planning are uniformly ranked high by all respondents. Many of the remaining tools are grouped in the 2.00 to 2.50 range, indicating moderate to average use.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 219
Table 5-18 shows the means in rank order of use by staff level of the respondents. Each ranking goes from 1, the tool/technique with the highest mean, to 16, the tool/technique with the lowest mean. The consistency in ranking by all staff levels about usage of tools and techniques by their IAAs is evident.
Table 5-18 Extent the IAA Currently Uses Audit Tools/Techniques All Respondents by Mean Rank Tools/Techniques
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Analytical review Electronic workpapers Statistical sampling Computer-assisted audit techniques Flowchart software Benchmarking Process mapping application Control self-assessment Data mining Continuous/real-time auditing The IIA’s quality assessment review tools Balanced scorecard or similar framework Total quality management techniques Process modeling software
Overall Average
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
Other
1
1
1
1
1
1
2 3 4 5 6
2 3 4 5 6
2 4 3 6 5
2 3/4 3/4 5 6
2 4 3 5 6
2 3 4 5 6
7 8 9 10 11 12 13
8 7 9 11 10 12 13
7 8 9 10 11 13 12
7 9/10 8 9/10 12 11 14
8/9 11 8/9 10 12 7 14
7/8 7/8 10 9 12 11 14
14
14
14
13
15
15
15
15
15
15
13
13
16
16
16
16
16
16
Note: In some cases the rankings were tied. For example, rankings of Benchmarking and Control Self Assessment at the Audit Senior/Supervisor level were tied.
The Institute of Internal Auditors Research Foundation
220 A Global Summary of the Common Body of Knowledge 2006 ______________________
Although the means are generally lower for CAEs than for other respondents, the comparison of the overall means with the means and rankings for CAEs and other respondents does not show any significant differences between the categories of respondents. The only major differences between the means for the different staff levels relate to: • • • •
Continuous real-time auditing (2.06, ranked 12 for the CAE versus 2.47, ranked 7 for Audit Staff). Electronic working papers (2.99, ranked 4 for the CAE versus 3.38, ranked 3 for Audit Staff). Control self-assessment (2.09, ranked 11 for the CAE versus 2.54, ranked 10 for the Audit Staff). Statistical sampling (2.64, ranked 5 for the CAE versus 3.00, ranked 5 for Audit Staff).
The analysis of the means according to the 13 groups is provided in Table 5-17-1-A in Appendix 5. There are noticeable differences for electronic workpapers (3.53 for group 8 and 1.97 for group 12), risk-based audit planning (3.91 for group 3, 3.86 for groups 2 and 10, and 2.53 for group 4), and other electronic communication (4.38 for group 10; and 3.15 for group 12). Differences related to access to electronic resources may be reflected in the results for some of the groups. Table 5-17-2 shows the rankings by groups. Each ranking goes from 1, the tool/technique with the highest mean in the group, to 16, the tool/technique with the lowest mean in the group. This comparison shows that the degree of consensus on most tools and techniques among the different groups is very high. This is the case for other electronic communications which ranks first or second in each group. Process modeling software is always ranked between 13 and 16, analytical review is always ranked between second and sixth and electronic workpapers is ranked between third and seventh. The highest variability in this comparison, which indicates the lowest level of consensus, relates to data mining (groups 7 and 9), continuous real-time auditing (groups 4 and 11), control self-assessment (groups 4 and 12), and process mapping application (groups 8 and 10). When analyzing the ranking information most groups are within two rankings of the overall ranking. Exceptions are group 7 with 50% of their rankings more than two places away, group 10 with 37.5% of their rankings more than two places away, and groups 1, 4, and 12 have 31% of their rankings more than two places away from the overall ranking.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 221
Table 5-17-2 Tools and Techniques Currently Used by Group* All Respondents by Mean Rank** Overall 1 Tools/Techniques**** Average Other electronic 1 1 communication (e.g., Internet, e-mail) Risk-based audit 2 2 planning Analytical review 3 5 Electronic workpapers 4 3 Statistical sampling 5 6 Computer-assisted 6 4 audit techniques Flowchart software 7 8 Benchmarking 8 11 Process mapping 9 13 application Control self10 12 assessment Data mining 11 7 Continuous/real-time 12 9 auditing The IIA’s quality 13 10 assessment review tools Balanced scorecard 14 15 or similar framework Total quality 15 14 management techniques Process modeling 16 16 software
2
3
4
5
6
7
8
9
10
11 12 N/C***
2
2
1
1
1
2
1
1
1
1
1
1
1
1
6
2
2
1
2
2
2
2
2
2
4 5 7 3
5 3 6 4
2 3 7 9
4 3 6 5
4 3 6 5
6 3 5 4
4 3 7 6
3 5 7 4
4 3 9 5
3 5 6 4
5 7 4 3
4 3 6 5
11 8 10
13 7 12
11 10 8
9 11 7
13 8 7
11 14 7
11 10 5
11 10 12
12 6 14
13 7 10
14 6 9
11 12 9
6
8
4
10
10
8
8
8
7
8
13
8
9 12
11 10
12 5
8 13
9 11
16 9
9 13
6 13 9 10
11 14
11 10
10 7
13
9
14
12
12
10
14
13
8
9
12
13
14
15
16
15
14
15
12
15
11
15
15
15
15
14
13
14
16
12
16
14
15
12
8
14
16
16
15
16
15
13
15
16
16
16
16
16
*For a list of groups, please see Appendix 1-B. **The ranking goes from 1 (the tool/technique with the highest mean in the group) to 16 (the tool/technique with the lowest mean in the group). ***N/C = Respondents did not indicate affiliate or chapter membership. ****The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall means.
The Institute of Internal Auditors Research Foundation
222 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-19 summarizes how all respondents’ replies are distributed along the 5 options: not used; moderately used; average use; very much used; and extensively used. The frequencies show the extent to which the internal audit activity (IAA) currently uses the listed audit tools and techniques when compared to the overall mean usage of all respondents’ IAAs. This table provides a more detailed picture of overall usage of tools and techniques. Since some respondents’ organizations and IAAs are much larger and older than others, they may use more audit tools and have more resources to purchase and apply the listed tools and techniques.
Table 5-19 Extent the IAA Currently Uses the Listed Audit Tools/Techniques All Respondents by Mean and Frequency Tools/Techniques
Number of Mean* Respondents
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Analytical review Electronic workpapers Statistical sampling Computer-assisted audit techniques Flowchart software Benchmarking Process mapping application Control selfassessment Data mining Continuous/real-time auditing
% Not Used
% Moderately Used
% Average Use
% Very Much Used
% Extensively Used
6,643
4.08
2.7
6.9
16.7
27.5
46.2
6,611
3.56
8.0
13.6
21.3
28.8
28.3
6,634 6,580 6,536 6,581
3.21 3.19 2.77 2.67
6.5 19.8 18.0 22.3
20.5 15.6 25.9 25.4
31.1 17.2 27.5 25.0
29.6 20.9 18.8 17.5
12.3 26.5 9.8 9.8
6,540 6,505 6,510
2.42 2.41 2.36
31.7 24.9 36.1
24.8 30.9 21.4
21.6 26.6 20.9
13.5 13.7 13.9
8.4 3.9 7.7
6,511
2.30
34.1
26.0
21.1
13.0
5.8
6,399 6,497
2.26 2.21
36.1 39.0
25.4 23.8
20.8 19.7
12.1 12.4
5.6 5.1
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 223
Table 5-19 (Cont.) Extent the IAA Currently Uses the Listed Audit Tools/Techniques All Respondents by Mean and Frequency Tools/Techniques
Number of Mean* Respondents
The IIA’s quality assessment review tools Balanced scorecard or similar framework Total quality management techniques Process modeling software
% Not Used
% Moderately Used
% Average Use
% Very Much Used
% Extensively Used
6,424
2.06
46.6
20.8
17.4
10.5
4.7
6,427
2.02
48.4
19.2
18.8
9.8
3.8
6,380
1.97
48.6
21.9
17.5
8.5
3.5
6,366
1.69
62.7
16.6
12.4
5.8
2.5
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
Extensively Used The analysis of the usage frequencies reveals that some tools are used extensively for a significant portion (more than 25%) by the respondents’ IAAs: 1. Other electronic communication (e-mail, Internet) (46.2%) 2. Risk-based audit plan (28.3%) 3. Electronic working papers (26.5%) These particular tools match three core tasks of the IAA, planning, documenting field work, and communication. The latter two tasks can be very labor intensive when completed without technology support. For IAAs to have invested and developed tools in these areas seems appropriate.
The Institute of Internal Auditors Research Foundation
224 A Global Summary of the Common Body of Knowledge 2006 ______________________
The frequency of the extensively used category for these three tools and techniques shows their importance to the IAAs. The use of these tools allows the IAA to function efficiently and effectively. This is especially true for the use of electronic communication and electronic working papers which help with audit administration. A risk-based audit plan also helps with the performance of the audit. When available resources are limited, both financially and by number of staff, technology allows the IAA to expand its scope. These findings are consistent with those based on the mean scores for other electronic communication and risk-based audit plan. As shown on the frequency distribution in Table 5-19, there is a difference for analytical review, which has a relatively high overall mean (3.21) and ranking (3) but has a lower percentage in the extensively used category (12.3%). Although electronic workpapers is ranked fourth with a mean of 3.19, in the frequency distribution it is shown as having 26.5% of respondents indicating extensively use. The use of a risk-based audit plan is in keeping with Standard 2010.A1, Planning, which states that the IAA’s “Plan of engagements should be based on a risk assessment, undertaken at least annually.” This is supported elsewhere in the Standards and Practice Advisories. Over 78% of respondents indicate that they extensively use, very much use, or have average use of this technique. In Appendix 5, Table 5-19-1-A shows extensively used responses for tools/techniques by auditor position. This table reveals that there are usually lower frequencies for the response “extensively used” for CAEs. This is consistent with the means analysis. This may be due to the increased administrative work and outreach that CAEs do in their daily work. As the head of the department, the CAE must be aware of the activities and audits undertaken, but be less involved in the daily operating activities and the audit process. Standard 2030, Resource Management, states that the CAE “should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.” The most significant differences in this table are for electronic communications (41.5% for the CAE, 50.6% for Audit Seniors/Supervisors), electronic workpapers (21.1% for CAEs, Audit Staff 30.9%), and risk-based audit planning (29.6% for Audit Seniors/ Supervisors, Other 17%).
Not Used The analysis of frequencies makes it possible to identify those tools that are currently not used at all by respondents in auditing activities. According to Practice Advisory 1210-1, Proficiency, not everyone in the IAA must be able to apply the tools and techniques required in performing engagements. Rather, the IAA must collectively possess this ability. This means that all members of the IAA should be aware of the use of various tools and techniques in the department, but each staff member need not have a specific facility and ability to use the tool.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 225
An unusually high number of the listed tools and techniques are indicated as not being used at all based on Table 5-19. This information can be very important for practitioners, consultants, standard setters, software companies, and others servicing or involved with the internal audit profession. More than one-fifth of the respondents do not use benchmarking (24.9%) or computer-assisted audit techniques (22.3%). The least used tool is process modeling software which is not used by 62.7% of respondents. Many other tools are indicated as not being used by more than 30% of respondents. The percentage of respondents that do not currently use the listed tools and techniques that fall into this category are: • • • • • • • • •
Process modeling software (62.7% of respondents do not use this tool). Total quality management techniques (48.6%). The balanced scorecard or similar framework (48.4%). The IIA’s quality assessment review tools (46.6%). Continuous/real-time auditing (39.0%). Data mining (36.1%). Process mapping application (36.1%). Control self-assessment (34.1%). Flowchart software (31.7%).
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to “develop and maintain a quality assurance and improvement program…and continuously monitors its effectiveness.” This program is “designed to help the internal audit activity add value and improve the organization’s operations.” Many IAAs see value in implementing this standard. Low use of The IIA’s quality assessment review (QAR) tools makes compliance with this standard and contributing to the organization’s governance, risk management, and effectiveness more difficult. In Chapter 4, 32.8% of respondents indicated that they currently have a quality assessment and improvement program in place and 21.9% intend to put one in place in the next 12 months. According to Practice Advisory 2100-6, Control and Audit Implications of E-commerce Activities, when control self-assessment (CSA) is used by management to review controls, the IAA should review the policies for authenticating transactions and evaluating controls. The use of electronic systems and models is the most effective way to monitor and evaluate e-commerce activities. The list of tools and techniques above indicates that many respondents do not use the listed tools and techniques that would enable IAA staff to easily test systems and controls.
The Institute of Internal Auditors Research Foundation
226 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-19 further reveals that statistical sampling (indicated as not used by 18%) is often used in a moderate or average way. This is in accordance with Practice Advisory 2100-10, Audit Sampling. The use of benchmarking is similar. Some management techniques, such as total quality management (48.6% not used) and the balanced scorecard (48.4% not used), are not generally used in internal audit activities. Control self-assessment (CSA) is not widely used by the IAA (34.1% not used), so that in most organizations the involvement of management in self-evaluating the control activity might not be fully exploited. However, it is important to distinguish between control self-assessment as an audit technique for the internal auditor to complete an audit engagement and CSA as a management practice implemented in an organization with or without the involvement of the IAA. Management should self-assess their internal control on an ongoing basis as part of their managerial responsibilities external to the IAA. In Appendix 5, Table 5-19-2-A shows by frequency and positional level of the respondent the audit tools and techniques that are not currently used by the IAA. The frequencies for the answer “not used” are generally higher for CAE respondents than for Practitioners. Differences between the frequencies for tools not used are markedly different for control self-assessment (40.8% CAE, 27.3% for Audit Staff), process modeling software (69.9% CAE, 55.3% Audit Staff), and total quality management techniques (54.1% CAE, 41.6% Audit Staff).This continues the pattern previously noted. In Appendix 5, Table 5-19-3-A details the frequency for all 13 groups for the response “not currently used.” Major differences include the use of electronic workpapers (66.7% in group 12 versus 7.8% in group 8), flowchart software (73.5% in group 12 versus 25.5% in group 1), and process mapping application (62.5% in group 12 versus 22.5 in group 8). In group 12, for most tools/ techniques the frequency of the not used response is higher than in other groups. Other differences among the groups indicate a general lack of consistency in the use of the listed tools and techniques globally. The groups’ means and frequencies highlight differences in the current practice globally among the listed tools and techniques. Electronic communication and electronic working papers are extensively used. Process modeling software is often not used by auditors (62.7%), while computer-assisted audit techniques and flowchart software are moderately used. In some respondents’ organizations, process mapping application and data mining are not used (frequency of 36.1% for each tool). This is also true for continuous/real-time auditing (39.0% not used). Standard 1220, Due Professional Care, recommends that the internal auditor exercise due professional care and consider the use of computer-assisted audit tools and other data analysis techniques.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 227
Respondents by group indicate that auditing techniques such as analytical review and a risk-based approach for audit planning are generally used and in many cases used extensively. Data suggests that IAAs are focusing their resources and activities on critical areas and on the organization’s primary business risks.
Predictive Changes in the Use of Audit Tools and Techniques Over the Next Three Years It is important to understand how the IAA plans to change the way it performs audits and how it plans to become more effective and efficient as it adds value to its organization. Table 5-20 provides an overall view of the extent to which respondents’ IAAs intend to use the listed tools and techniques in the next three years. Again, respondents did not have an opportunity to list tools not mentioned on the pre-established list. An overall mean response and means by respondents’ staff level are provided. Using the overall mean for all respondents, the top five means for tools where usage is expected to increase are: 1. 2. 3. 4. 5.
Other electronic communication (e.g., Internet, e-mail) (4.16). Risk-based audit planning (3.99). Electronic workpapers (3.68). Analytical review (3.42). Computer-assisted audit techniques (CAAT) (3.37).
Respondents are consistent with their emphasis on the same tools and techniques as they are currently using. The only change in the top five tools when compared to current use is with number five. Statistical sampling (currently ranked sixth) has been replaced by computer-assisted audit techniques which had been ranked sixth.
The Institute of Internal Auditors Research Foundation
228 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-20 Extent the IAA Plans to Use the Listed Audit Tools/Techniques in the Next Three Years All Respondents by Mean* Tools/Techniques
Number of Respondents
Mean
CAE
Audit Manager
Audit Audit Other Senior/ Staff Supervisor
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Electronic workpapers Analytical review Computer-assisted audit techniques Statistical sampling Data mining Control self-assessment Benchmarking Continuous/real-time auditing Flowchart software The IIA’s quality assessment review tools Process mapping application Total quality management techniques Balanced scorecard or similar framework Process modeling software
4,751
4.16
4.11
4.20
4.24
4.21
3.87
4,789 4,816 4,731 4,826
3.99 3.68 3.42 3.37
4.09 3.59 3.41 3.36
4.05 3.81 3.42 3.44
3.96 3.75 3.46 3.39
3.84 3.71 3.42 3.26
3.54 3.39 3.25 3.23
4,756 4,731 4,816 4,741 4,845
3.04 2.84 2.82 2.79 2.78
2.95 2.84 2.75 2.80 2.73
3.00 2.88 2.76 2.84 2.80
3.10 2.86 2.89 2.77 2.82
3.17 2.80 2.97 2.73 2.87
3.15 2.63 2.88 2.74 2.69
4,794 4,799
2.77 2.73
2.71 2.73
2.84 2.82
2.77 2.69
2.78 2.66
2.82 2.70
4,767 4,772
2.72 2.43
2.65 2.34
2.71 2.44
2.79 2.46
2.79 2.52
2.77 2.57
4,770
2.38
2.31
2.44
2.39
2.41
2.41
4,749
2.08
1.95
2.05
2.17
2.23
2.30
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 229
In Appendix 5, Table 5-20-1-A shows groups’ means for use of tools and techniques in the next three years. Again there is consistency globally when taking out the high and low outliers. There are noticeable differences for total quality management between group 8 and group 12. Other tools with a difference of more than 1.25 between groups include benchmarking, CAAT, continuous/ real-time auditing, data mining, risk-based audit planning, and statistical sampling. By comparing the overall means from Table 5-20 and rankings from Table 5-21, with the means and rankings for CAEs and other practitioners by staff level, there is a high level of consistency between the staff levels. This reinforces the expectation that CAEs would adequately communicate plans and expectations with all members of the IAA staff. The only major difference is for the planned use of risk-based audit planning (4.09 for the CAE versus 3.54 for Other), but all positions rank this technique as second most used or to be used.
The Institute of Internal Auditors Research Foundation
230 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-21 Extent the IAA Plans to Use the Listed Audit Tools/Techniques in the Next Three Years All Respondents by Rank* Tools/Techniques
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Electronic workpapers Analytical review Computer-assisted audit techniques Statistical sampling Data mining Control self-assessment Benchmarking Continuous/real-time auditing Flowchart software The IIA’s quality assessment review tools Process mapping application Total quality management techniques Balanced scorecard or similar framework Process modeling software
Number of Respondents
Overall Average
CAE
Audit Manager
Audit Audit Other Senior/ Staff Supervisor
4,751
1
1
1
1
1
1
4,789 4,816 4,731 4,826
2 3 4 5
2 3 4 5
2 3 5 4
2 3 4 5
2 3 4 5
2 3 4 5
4,756 4,731 4,816 4,741 4,845
6 7 8 9 10
6 7 9 8 10/11
6 7 12 8/9 11
6 8 7 11/12 9
6 9 7 12 8
6 13 7 10 12
4,794 4,799
11 12
12 10/11
8/9 10
11/12 13
11 13
8 11
4,767 4,772
13 14
13 14
13 14/15
10 14/15
10 14
9 14
4,770
15
15
14/15
14/15
15
15
4,749
16
16
16
16
16
16
Note: In some cases the rankings were tied. For example, rankings of continuous/real-time auditing and The IIA’s quality assessment review tools at the CAE level were tied.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 231
The frequency analysis provides another view of the extent the IAA plans to use the listed audit tools/techniques in the next three years. Table 5-22 reports the frequencies for all respondents.
Table 5-22 Extent the IAA Plans to Use the Listed Audit Tools/Techniques in the Next Three Years All Respondents by Mean and Frequency Tools/Techniques
Number of Mean* Respondents
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Electronic workpapers Analytical review Computer -assisted audit techniques Statistical sampling Data mining Control self-assessment Benchmarking Continuous/real-time auditing Flowchart software The IIA’s quality assessment review tools Process mapping application Total quality management techniques Balanced scorecard or similar framework Process modeling software
% Not Used
% Moderately Used
% Average Use
% Very Much Used
% Extensively Used
4,751
4.16
1.6
5.6
16.3
28.1
48.4
4,789
3.99
3.1
6.6
17.6
33.6
39.1
4,816 4,731 4,826
3.68 3.42 3.37
8.0 4.3 7.8
10.7 14.6 15.8
20.5 31.5 26.8
27.0 33.9 31.1
33.8 15.7 18.5
4,756 4,731 4,816 4,741 4,845
3.04 2.84 2.82 2.79 2.78
10.5 18.7 15.1 13.5 18.0
21.8 21.9 26.3 27.6 24.3
32.7 26.5 28.6 31.4 27.8
23.7 22.4 21.1 21.3 21.0
11.3 10.5 8.8 6.2 8.9
4,794 4,799
2.77 2.73
19.4 20.3
24.3 23.7
26.8 27.5
19.0 19.4
10.5 9.1
4,767
2.72
22.6
22.2
25.6
19.8
9.8
4,772
2.43
30.0
24.5
24.7
14.6
6.2
4,770
2.38
31.2
24.1
25.0
15.0
4.7
4,749
2.08
43.9
22.4
19.6
10.0
4.1
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
The Institute of Internal Auditors Research Foundation
232 A Global Summary of the Common Body of Knowledge 2006 ______________________
Tools that Will Be Extensively Used Generally, respondents expect that there will be an extensive use of a wide range of tools in the next three years, usually more than at present. The results when comparing the overall frequency in Table 5-22 with the results in Table 5-19 show several significant increases in the use of the listed tools. • • • •
Risk-based audit planning (usage of 39.1% in the next three years versus 28.3% current usage) Computer-assisted audit techniques (18.5% in the next three years versus 9.8% currently) Electronic workpapers (33.8% in the next three years versus 26.5% currently) The IIA’s quality assessment review tools (9.1% in the next three years versus 4.7% currently)
The general increase in the frequencies of the “extensively used” response is consistent for both CAEs and Practitioners. There are slight differences between the two categories of respondents when comparing the results in Table 5-19-1-A and Table 5-22-1-A: • •
Risk-based audit planning (12.9% increase for CAE versus 7.0% increase for Audit Staff) Other electronic communication (8.3% increase for Other versus 0.7% increase for Audit Manager)
Tools that Will Not be Used in the Next Three Years Table 5-23 compares some of the results of Table 5-22-2-A in Appendix 5 that lists the tools that will not be used in the next three years with Table 5-19-2-A in Appendix 5 that shows tools not currently used. The decrease in the overall frequencies for all respondents (which means an increase in the number of respondents who will use a certain tool) is particularly relevant for the following tools and techniques.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 233
Table 5-23 Comparison of Audit Tools/Techniques Not Currently Used by the IAA Now and in the Next Three Years All Respondents Percentage Tools and Techniques
Process modeling software Balanced scorecard or similar framework IIA’s quality assessment review tools Continuous real-time auditing Data mining Control self-assessment (CSA) Computer-assisted audit techniques
Respondents Indicating Currently Not Used
Respondents Projecting That This Tool Will Not Be Used in the Next Three Years
62.7 48.4
43.9 31.2
46.6
20.3
39.0 36.1 34.1 22.3
18.0 18.7 15.1 7.8
These findings are important since they reveal that most CAEs and Practitioners in the near future intend to use the tools and techniques suggested by the Standards, Practice Advisories, and best practices even when they are currently not used today. The expected increase for the CSA tool as well as for continuous/real-time auditing will contribute to making management more aware of and responsible for the internal control system.
Resolution of Major Differences Practice Advisory 2410-1, Communication Criteria, suggests “As part of the internal auditor’s discussions with the engagement client, the internal auditor should try to obtain agreement on the results of the engagement and on a plan of action to improve operations, as needed.” Respondents were asked to indicate at what points in the audit process major differences are resolved. Each category could be selected by each respondent since they may resolve major issues in several phases of the audit process. Table 5-24 shows that 44.5% of the respondents usually resolve major differences during fieldwork and 45.2% usually resolve them during audit reporting. Thirty-two point four percent sometimes resolve audit issues during planning, and 28.5% indicated that resolution rarely happens during the planning stage.
The Institute of Internal Auditors Research Foundation
234 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-24 When Are Major Audit Issues Resolved for All Respondents by Percentage When Resolved
Never Rarely Sometimes Usually Always Total
During Planning % of 6,358 Respondents
During Audit Fieldwork % of 6,710 Respondents
16.1 28.5 32.4 16.3 6.7 100.0
1.9 6.6 37.1 44.5 9.9 100.0
During Audit Reporting % of 6,760 Respondents
2.0 7.1 27.8 45.2 17.9 100.0
After the Never* Audit % of 4,319 Report is Respondents Issued % of 6,398 Respondents 18.6 31.6 20.6 18.6 10.6 100.0
61.2 24.4 9.2 2.6 2.6 100.0
*The researchers presume this means that issues were never left unresolved throughout the process.
Approximately 23% of all respondents believed that audit issues are always or usually resolved during planning; about half of them noted that audit issues are usually or always resolved during audit fieldwork (54.4%); and about 63.1% of them thought that issues are resolved during audit reporting. About 5.2% of these issues do not appear to ever be followed up. It seems that major audit issues are resolved throughout the audit process but predominantly during fieldwork and the audit reporting period.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 235
Reporting of Findings Standard 2440, Disseminating Results, states, “The chief audit executive should communicate results to the appropriate parties.” Figure 5-8 indicates that a majority of 58.8% of the respondents agree that the responsibility of reporting audit findings rests with the CAE. The next staff level for reporting results that respondents selected is the Audit Manager (19.6%).
Figure 5-8 Primary Responsibility for Reporting Findings to Senior Management All Respondents (7,119) in Percentages No formal reporting of results 1.1%
Other 1.9%
Auditee/client 3.4% Both internal audit manager and auditee/client 7.4%
CAE 58.8%
Both CAE and auditee/client 7.8% Internal audit manager 19.6%
The Institute of Internal Auditors Research Foundation
236 A Global Summary of the Common Body of Knowledge 2006 ______________________
As shown in Table 5-25, CAEs believe they have the primary responsibility for reporting the audit findings alone (75.1%) or jointly (10.3%) with the auditee/client, while Audit Managers indicate they should report the findings alone (28.2%) or with the auditee/client (9.4%). Audit Senior/ Supervisor, Audit Staff, and Other concur with the Audit Manager respondents.
Table 5-25 Primary Responsibility for Reporting Findings to Senior Management All Respondents in Percentages Responsibility Total CAE Audit Audit Audit Staff Other Overall for Reporting Respondents Respondents Manager Senior/ Respondents Respondents Average Findings by % of Total Respondents Supervisor % of Total % of Total % Position % of Total Respondents % of Total
CAE Internal audit manager Both chief audit executive and auditee/ client Both internal audit manager and auditee/client Auditee/ client Other No formal reporting of results Total respondents/total
4,187 1,396
75.1 6.4
51.6 28.2
54.7 24.4
51.6 24.3
43.0 18.0
58.8 19.6
555
10.3
6.6
5.9
6.9
10.0
7.8
528
3.6
9.4
9.8
8.0
7.0
7.4
240
2.7
2.8
2.5
5.2
7.5
3.4
134 79
0.9 1.0
0.8 0.6
2.1 0.6
2.9 1.1
7.5 7.0
1.9 1.1
7,119
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 237
Monitoring Corrective Action In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.” Standard 2500.A1 goes on to require that “a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.” Figure 5-9 provides respondents’ beliefs about who has the primary responsibility for monitoring corrective action on findings listed in audit reports. Fifty percent believe that both the internal auditor and auditee/client have the primary responsibility for monitoring corrective action.
Figure 5-9 Primary Responsibility for Monitoring Corrective Action Taken All Respondents (7,116) in Percentages
Other 1.9%
No formal follow-up 3.1% Auditee/client 13.7%
Both internal auditor and auditee/client 50.0% Internal auditor 31.3%
The Institute of Internal Auditors Research Foundation
238 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 5-26, the majority of the respondents (37.5% to 54.5%) believe that both the internal auditor and auditee/client together have the primary responsibility to monitor that needed corrective action has been adopted. Between 25.8% and 35.7% of the respondents indicated that the internal auditor has the primary responsibility. With the exception of the Other respondents (8.5%), only 2.0% to 3.4% indicated they had no formal follow-up procedures.
Table 5-26 Primary Responsibility for Monitoring Corrective Actions Taken All Respondents in Percentages Primary Total CAE Audit Audit Audit Staff Other Overall Responsibility Respondents Respondents Manager Senior/ Respondents Respondents Average by Position % of Total Respondents Supervisor % of Total % of Total Total % of Total Respondents Percent % of Total Both internal audit and auditee/client Internal auditor Auditee/client No formal follow-up Other Total respondents
3,560
54.5
51.8
47.9
46.9
37.5
50.0
2,226 974 219
28.0 14.0 2.0
30.4 13.7 2.8
34.3 12.5 3.4
35.7 12.9 3.0
25.8 19.2 8.5
31.3 13.7 3.1
137 7,116
1.5 100.0
1.3 100.0
1.9 100.0
1.5 100.0
9.0 100.0
1.9 100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 239
Summary The operation of the internal audit activity is complex and demanding. The chief audit executive must manage both internal and external relationships, the administration and organization of the activity, the plan and functioning of the audits performed, and resolve any issues that arise. The Standards and Practice Advisories provide the guidance needed to accomplish these tasks, but compliance may be challenging due to internal and external limitations placed upon the department. The appointment procedures, performance evaluations, and reporting relationships for CAEs are generally in accordance with Standard 1100, Independence and Objectivity, and 1110, Organizational Independence. IAA independence is maintained by having board and senior management involvement in the CAE’s hiring and performance evaluation. The matrix relationship and participation of key constituents helps maintain independence and the IAA’s position in the organization. Perceptions by CAE respondents provide a very positive view about the IAA within their organizations, and the IAA is seen as highly credible. Many IAAs are relatively young but follow the guidance included in the Standards and utilize the documents recommended by The IIA. Most IAAs use a risk-based approach to engagement planning and allocate time in accordance with the needs of the organization, focusing on the effectiveness of risk management, control, and governance processes. CAEs and Practitioners almost uniformly rank the tools currently used by the IAA the same, with electronic communication (e.g., Internet, e-mail), risk-based audit planning, analytical review, and electronic workpapers as the most used tools. These tools are also expected to be the most used in the next three years. Major audit issues are resolved throughout the audit process but predominantly during fieldwork and the audit reporting period.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 13.3
22.6
10.9
23.8
9.9
25.5
811
583
515
206
171
55
16.4
10.5
11.7
11.5
20.4
19.4
47.3
48.0
30.6
50.5
49.9
41.4
47.3
55.6
31.6
34.8
44.4
64.6
25.5
29.2
29.1
29.9
27.1
36.7
3.6
11.7
20.4
12.8
9.4
9.5
5.5
7.6
9.7
7.2
7.0
9.0
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Publicly Traded (Listed) Company Privately Held (Non-listed) Company Public Sector/ Government Service Provider/ Consultant Not-forProfit Organization Other
1.8
4.1
12.1
7.4
3.6
5.2
3.6
9.4
8.7
5.0
2.4
1.5
Type of Total Board of Chair Chief Audit Senior Auditee/ Supervisor Peers/ Not Organization/ Respon- Directors of the Executive Committee/ ManageClient Periodically Subordinates Evaluated Number of dents Board Officer Oversight ment at the End Periodically Respondents Committee/ of Audit Committee Chairperson
Table 5-3-1-A Evaluation of CAE’s Performance by Type of Organization CAE Respondents in Percentages
APPENDIX 5
240 A Global Summary of the Common Body of Knowledge 2006 ______________________
____________________________ Chapter 5: Current Status of the Internal Audit Activity 241
Table 5-4-1-A CAE’s Relationship with Audit/Oversight Committee by Group* CAE Respondents - Percentage of Yes Responses Question Is there an audit/ oversight committee in your organization? Does the CAE meet with the audit/ oversight committee chairperson in addition to the regularly scheduled meetings? Does the CAE believe that he/she has appropriate access to the audit/ oversight committee?
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
85.2 92.9 91.4 53.5 38.7 49.7 51.2 69.5 65.8 54.3 81.5 100.0
65.5
64.1 75.6 75.5 70.6 62.3 43.4 67.2 48.8 69.2 44.0 77.3
77.8
59.6
93.9 91.0 92.0 90.0 88.2 85.5 88.1 88.1 89.3 92.0 93.9
88.9
84.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 3.96 4.19 4.44
3.15 3.98 4.33
3.91 4.08 4.67 4.39 4.45 5.00 4.61 4.51 4.78
3.70 3.87 3.80 3.27 3.09 2.78 3.33 3.51 3.48
4.07 4.21 4.03 3.90 4.09 4.26 4.27 4.00 4.00 4.43 4.55 4.38 4.32 4.30 4.62 4.67 4.55 4.49 4.56 4.64 4.64 4.38 4.51 4.75 4.73 4.64 4.56
12
4.19 4.37 4.22 3.88 4.04 3.97 4.11 3.99 4.09
11
3.80 4.13 4.22
10
4.16 4.18 4.10 4.16 3.87 4.12 4.34 3.98 3.98
9
3.85 3.95 4.22
8
3.84 4.05 3.96 3.65 3.80 3.58 3.90 3.66 3.70
7
4.13 4.40 4.67
6
4.41 4.51 4.42 3.93 4.23 4.47 4.40 4.34 4.13
5
4.43 4.37 5.00 3.80 4.13 4.56
4
4.46 4.55 4.30 4.12 4.35 4.40 4.51 4.40 4.39 3.99 4.23 4.08 3.80 4.02 4.00 4.19 4.10 4.05
3 4.57 4.44 4.78
2
4.45 4.57 4.44 4.21 4.41 4.64 4.63 4.43 4.31
1
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree. ***N/C = Respondents did not indicate affiliate or chapter membership.
Your internal audit function is an independent objective assurance and consulting activity. Your internal audit function adds value. Internal audit brings a systematic approach to evaluate the effectiveness of risk management. Your internal audit function brings a systematic approach to evaluate the effectiveness of internal controls. Your internal audit function brings a systematic approach to evaluate the effectiveness of governance processes. Your internal audit function proactively examines important financial matters, risks, and internal controls. Your internal audit function is an integral part of the governance process by providing reliable information to management. The way our internal audit function adds value to the governance process is through direct access to the audit committee. Your internal audit function has sufficient status in the organization to be effective. Independence is a key factor for your internal audit function to add value. Objectivity is a key factor for your internal audit function to add value.
Statement
Table 5-8-1-A Relationship of IAA to the Organization by Group* CAE Respondents in Means**
4.41
4.38
3.89
3.34
3.90
4.02
3.62
4.15
4.28 4.00
4.27
N/C***
242 A Global Summary of the Common Body of Knowledge 2006 ______________________
7
8
9
10
11
12
4.22 4.13 4.78
6
3.99 4.04 4.11 3.99 4.11 3.99 4.42 3.91 4.20
5
3.98 3.91 4.56
4
3.74 3.85 3.99 3.99 4.01 3.83 4.27 3.79 4.07
3 4.28 4.33 4.33
2
4.35 4.45 4.22 4.05 4.19 4.52 4.51 4.16 4.24
1
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree. ***N/C = Respondents did not indicate affiliate or chapter membership.
Your internal audit function is credible within your organization. Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing is a key factor for your internal audit function to add value to the governance process. Compliance with The IIA’s code of ethics is a key factor for your internal audit function to add value to the governance process.
Statement
Table 5-8-1-A (Cont.) Relationship of IAA to the Organization by Group* CAE Respondents in Means**
3.80
3.77
4.13
N/C***
____________________________ Chapter 5: Current Status of the Internal Audit Activity 243
The Institute of Internal Auditors Research Foundation
3.10 1.91 2.39 2.70 1.98 2.41 2.05 2.78 2.43 3.99 2.46 1.69 3.86 2.60 1.92 1.84
2.21 1.61 3.71 2.82 2.25 2.09
2
3.24 2.04 2.49 2.75 2.06 2.25 2.30 3.20 2.61 4.26
1
2.25 1.64 3.91 2.72 2.14 2.11
2.97 2.15 2.46 2.68 2.13 2.33 2.11 3.31 2.20 4.19
3
2.59 1.67 2.53 2.59 1.82 1.85
2.98 1.52 2.12 2.39 2.79 2.76 2.15 2.73 2.12 3.39
4
2.43 1.73 3.54 2.81 1.98 1.97
3.47 1.98 2.58 2.53 2.47 2.41 2.77 3.34 2.44 4.07
5
2.25 1.73 3.71 2.53 1.99 1.86
3.33 1.80 2.29 2.74 2.26 2.11 2.19 3.10 2.18 4.11
6
2.67 1.95 3.38 2.81 1.95 1.86
3.31 2.13 2.19 2.91 2.46 2.31 1.88 3.12 2.38 3.84
7
2.69 1.79 3.36 2.82 1.78 1.63
3.10 2.17 2.28 2.43 2.09 2.32 2.28 3.53 2.37 3.95
8
2.35 1.78 3.23 2.85 1.83 2.02
3.57 1.98 2.70 3.00 2.60 2.55 2.86 3.26 2.51 4.05
9
1.89 1.56 3.86 2.18 2.01 1.75
3.20 2.11 2.53 2.40 2.01 2.20 1.85 3.21 2.10 4.38
10
2.49 1.71 3.52 2.71 2.06 2.14
3.44 2.09 2.45 2.54 2.16 2.24 2.29 2.56 2.32 3.90
11
1.84 1.42 3.55 3.00 1.91 1.97
3.32 1.76 2.47 2.50 2.44 2.19 2.12 1.97 1.68 3.15
2.40 1.77 3.17 2.77 1.82 1.91
3.07 1.977 2.302 2.051 2.49 2.29 2.15 3.10 2.20 3.84
12 N/C***
*For a list of affiliate groups, please see Appendix 1-B. **The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used. ***N/C = Respondents did not indicate affiliate or chapter membership.
Analytical review Balanced scorecard or similar framework Benchmarking Computer-assisted audit techniques Continuous/real-time auditing Control self-assessment Data mining Electronic workpapers Flowchart software Other electronic communication (e.g., Internet, e-mail) Process mapping application Process modeling software Risk-based audit planning Statistical sampling The IIA’s quality assessment review tools Total quality management techniques
Tools/Techniques
Table 5-17-1-A Extent the IAA Currently Uses the Listed Audit Tools/Techniques by Group* All Respondents by Means**
244 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 245
Table 5-19-1-A Audit Tools/Techniques that are Currently Extensively Used All Respondents by Frequency* Tools/Techniques**
Mean
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
Other
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Electronic workpapers Analytical review Computer-assisted audit techniques Statistical sampling Flowchart software Process mapping application Control self-assessment Data mining Continuous/real-time auditing The IIA’s quality assessment review tools Balanced scorecard or similar framework Benchmarking Total quality management techniques Process modeling software
46.3
41.5
49.5
50.6
48.5
31.7
28.3 26.5 12.4 9.8 9.7 8.3 7.7 5.7 5.6 5.1 4.6
28.1 21.1 10.8 6.9 7.2 6.2 5.8 3.8 4.5 3.0 3.5
28.8 28.4 11.5 10.2 8.1 8.6 8.0 5.3 5.2 4.3 5.2
29.6 30.1 13.5 11.0 10.7 9.3 9.1 6.2 5.6 5.9 4.4
29.5 30.9 15.0 12.5 15.3 10.7 9.2 9.0 8.0 8.2 6.4
17.0 18.4 12.8 11.1 9.8 8.1 6.4 7.3 6.1 7.0 4.9
3.9
1.9
4.1
4.4
6.0
4.9
3.9 3.5 2.5
3.6 2.3 1.1
2.8 3.6 2.2
4.4 3.4 3.0
5.1 5.9 4.2
5.4 4.3 4.1
*As this is a frequency for only the currently “Extensively Used” category, the rows will not add across to 100. **The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
The Institute of Internal Auditors Research Foundation
246 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-19-2-A Audit Tools/Techniques Currently Not Used All Respondents by Frequency* Tools/Techniques**
Process modeling software Total quality management techniques Balanced scorecard or similar framework The IIA’s quality assessment review tools Continuous/real-time auditing Data mining Process mapping application Control self-assessment Flowchart software Benchmarking Computer-assisted audit techniques Electronic workpapers Statistical sampling Risk-based audit planning Analytical review Other electronic communication (e.g., Internet, e-mail)
Mean
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
Other
62.7 48.6 48.4
69.9 54.1 52.9
64.0 48.3 46.9
58.7 47.8 46.2
55.3 41.6 46.2
55.7 42.2 46.6
46.6
49.8
43.8
47.5
43.5
46.0
39.0 36.1 36.1 34.1 31.7 24.9 22.3 19.8 18.0 8.0 6.5 2.7
42.9 38.0 40.1 40.8 33.9 23.8 23.7 22.3 19.6 6.6 5.4 2.9
42.5 34.6 35.1 35.1 27.1 23.0 19.8 18.2 19.3 7.2 5.7 2.6
34.8 35.5 34.3 30.5 31.3 26.4 21.1 19.3 16.8 7.9 5.9 1.6
31.9 34.5 33.7 27.3 34.1 26.4 24.4 17.1 14.7 9.6 8.3 2.3
42.7 39.6 33.7 30.2 33.9 28.4 24.9 23.6 18.7 16.1 12.5 7.7
*As this is a frequency for only the currently “Not Used” category, the rows will not add across to 100. **The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
The Institute of Internal Auditors Research Foundation
4.9 47.5 19.4 18.2 50.0 29.9 38.5 27.8 30.0 3.3 34.4 60.6 6.6 19.1 48.3 54.7
42.1 66.9 6.3 16.8 39.7 42.6
2
5.8 49.3 22.8 18.8 44.3 37.9 33.0 22.7 25.5 2.0
1
40.3 66.3 4.8 20.5 45.7 44.6
8.2 43.8 23.0 21.3 46.4 34.9 40.3 20.1 40.4 1.8
3
28.3 63.6 24.2 17.0 49.0 47.8
6.7 68.0 35.7 26.5 16.8 13.9 36.8 25.7 38.0 7.2
4
31.9 59.2 6.6 17.5 48.7 47.4
3.5 47.0 23.8 29.0 32.2 29.9 20.3 11.8 33.0 1.5
5
35.7 56.2 4.0 18.1 45.2 49.0
3.4 53.0 22.7 18.7 33.9 40.4 34.1 17.5 34.9 1.2
6
24.3 52.0 10.4 18.1 52.4 55.7
4.5 42.3 33.3 18.6 27.6 32.5 54.9 17.9 32.8 4.3
7
22.5 56.5 8.4 16.5 56.8 64.8
10.2 40.0 25.2 29.8 40.8 29.0 37.1 7.8 32.2 2.7
8
39.1 63.7 13.7 20.7 59.6 52.7
7.4 59.1 19.6 21.7 28.0 34.4 22.0 14.6 36.7 6.4
9
51.8 67.9 5.4 32.4 49.5 56.0
5.4 46.4 18.8 27.3 46.3 27.9 51.8 14.3 39.3 1.8
10
37.1 62.1 5.6 20.8 46.9 41.9
2.2 44.3 21.5 28.2 40.9 37.6 38.9 34.8 36.2 3.3
11
62.5 81.8 8.8 14.7 60.6 59.4
14.7 63.6 37.5 38.2 35.3 50.0 48.5 66.7 73.5 23.5
33.2 59.5 14.6 20.0 57.1 52.2
9.9 52.6 32.2 25.4 27.9 33.5 43.0 20.9 41.2 3.2
12 N/C***
*For a list of affiliate groups, please see Appendix 1-B. **The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used. ***N/C = Respondents did not indicate affiliate or chapter membership.
Analytical review Balanced scorecard or similar framework Benchmarking Computer-assisted audit techniques Continuous/real-time auditing Control self-assessment Data mining Electronic workpapers Flowchart software Other electronic communication (e.g., Internet, e-mail) Process mapping application Process modeling software Risk-based audit planning Statistical sampling The IIA’s quality assessment review tools Total quality management techniques
Tools/Techniques
Table 5-19-3-A Audit Tools/Techniques Currently Not Used by Group* All Respondents by Mean**
____________________________ Chapter 5: Current Status of the Internal Audit Activity 247
The Institute of Internal Auditors Research Foundation
3.36 2.24 2.18 3.24 2.07 3.10 2.79 3.28 2.71 4.12 2.72 1.95 4.28 2.89 2.58 2.16
2.53 1.91 4.13 3.09 2.86 2.43
2
3.51 2.37 2.86 3.54 2.87 2.75 3.03 3.82 2.93 4.35
1
2.80 2.19 4.36 3.08 2.92 2.73
3.37 2.61 3.01 3.54 2.91 2.98 2.85 4.00 2.74 4.35
3
2.90 2.15 3.01 3.01 2.41 2.45
3.34 2.13 2.49 2.83 3.02 3.10 2.46 3.15 2.49 3.47
4
3.29 2.56 4.18 3.37 3.04 2.83
3.74 2.60 3.09 3.46 2.97 3.10 3.15 4.00 3.13 4.35
5
2.82 2.21 4.17 2.92 2.60 2.21
3.56 2.22 2.79 3.37 2.63 2.67 2.69 3.56 2.46 4.25
6
2.75 2.30 3.56 2.89 2.60 2.46
2.86 2.27 2.29 3.14 2.62 2.65 2.22 3.29 2.56 3.50
7
2.80 1.99 3.66 2.78 2.18 1.91
3.02 2.30 2.52 2.79 2.26 2.66 2.55 3.58 2.42 3.86
8
2.98 2.35 4.17 3.44 2.94 2.87
4.11 2.51 3.25 4.08 3.34 3.36 3.56 4.01 3.19 4.36
9
2.27 1.88 4.24 2.53 2.85 2.09
3.55 2.40 2.99 3.24 2.41 2.89 2.28 3.61 2.30 4.46
10
3.98 2.33 4.07 3.20 3.01 2.89
3.82 2.77 3.04 3.45 2.80 3.01 2.91 3.31 2.87 4.10
11
3.55 2.87 4.36 4.00 3.52 3.57
3.96 3.36 3.76 4.23 3.52 3.50 3.52 3.62 3.48 4.36
2.78 2.19 3.53 2.91 2.49 2.41
3.22 2.23 2.50 3.14 2.83 2.79 2.57 3.40 2.53 3.84
12 N/C***
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used. ***N/C = Respondents did not indicate affiliate or chapter membership.
Analytical review Balanced scorecard or similar framework Benchmarking Computer-assisted audit techniques Continuous/real-time auditing Control self-assessment Data mining Electronic workpapers Flowchart software Other electronic communication (e.g., Internet, e-mail) Process mapping application Process modeling software Risk-based audit planning Statistical sampling The IIA’s quality assessment review tools Total quality management techniques
Tools/Techniques
Table 5-20-1-A Extent the IAA Plans to Use the Listed Audit Tools/Technique in the Next Three Years by Group* All Respondents by Mean**
248 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 249
Table 5-22-1-A Audit Tools/Techniques that Will Be Extensively Used in the Next Three Years All Respondents by Frequency* Tools/Techniques**
Other electronic communication (e.g., Internet, e-mail) Risk-based audit planning Electronic workpapers Computer-assisted audit techniques Analytical review Statistical sampling Flowchart software Data mining Process mapping application The IIA’s quality assessment review tools Continuous/real-time auditing Control self-assessment Benchmarking Total quality management techniques Balanced scorecard or similar framework Process modeling software
Mean
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
Other
48.5
45.2
50.2
51.7
51.5
40.0
39.1 33.9 18.5 15.7 11.4 10.5 10.4 9.8 9.0
41.0 29.6 16.7 14.8 9.5 8.8 9.4 7.8 8.2
41.2 37.6 20.4 14.5 10.9 11.1 10.6 9.1 10.4
38.1 36.9 19.6 16.6 12.3 10.4 10.8 11.4 8.6
36.5 36.8 18.0 18.7 15.0 13.3 12.3 12.7 8.8
27.2 26.9 17.9 15.1 13.0 12.4 10.6 12.2 12.4
8.9 8.8 6.2 6.2 4.7
7.4 7.2 6.4 4.7 3.3
8.2 7.9 5.2 6.6 4.4
10.0 9.4 6.6 6.3 4.9
11.8 12.8 7.3 7.9 7.8
10.6 11.1 5.4 10.9 5.3
4.1
2.0
3.8
5.6
5.9
8.1
*As this is a frequency for only the “Extensively Used in the Next Three Years” category, the rows will not add across to 100. **The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
The Institute of Internal Auditors Research Foundation
250 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-22-2-A Audit Tools/Techniques that Will Not Be Used in the Next Three Years All Respondents by Frequency* Tools/Techniques**
Process modeling software Balanced scorecard or similar framework Total quality management techniques Process mapping application The IIA’s quality assessment review tools Flowchart software Data mining Continuous/real-time auditing Control self-assessment Benchmarking Statistical sampling Electronic workpapers Computer-assisted audit techniques Analytical review Risk-based audit planning Other electronic communication (e.g., Internet, e-mail)
Overall Average
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
Other
43.9 31.2
47.9 32.3
44.5 28.7
41.0 31.9
39.8 32.0
38.1 31.3
30.0 22.6 20.3
31.4 24.1 18.7
29.5 23.3 18.6
29.3 21.1 22.1
29.3 21.0 23.6
28.5 21.2 23.5
19.4 18.7 18.0 15.1 13.5 10.5 8.0 7.8 4.3 3.1 1.6
19.9 17.1 18.0 14.5 11.2 11.3 8.3 7.3 3.2 2.1 1.4
17.2 18.1 16.9 17.9 11.9 10.6 5.8 6.1 4.0 2.8 1.7
19.3 18.9 17.9 13.3 15.7 10.3 8.0 8.1 3.8 2.7 1.1
22.1 21.7 18.6 14.5 17.3 9.2 9.1 10.7 7.1 5.6 1.7
19.1 25.1 23.3 17.7 17.0 9.3 12.1 10.8 9.2 7.6 5.5
*As this is a frequency for only the “Will Not Be Used in the Next Three Years” category, the rows will not add across to 100. **The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 6
Chapter 6: Staffing and Professional Development ............................................................. 251 Introduction......................................................................................................................... 251 Staffing................................................................................................................................ 252 Service Providers ................................................................................................................ 259 Continuing Professional Development ............................................................................... 266 Summary ............................................................................................................................. 271 Appendix 6.......................................................................................................................... 272
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 251
CHAPTER 6 STAFFING AND PROFESSIONAL DEVELOPMENT Introduction This chapter summarizes the respondents’ perceptions about staffing their internal audit activities (IAA) and their staffs’ qualifications. The topics addressed include staffing of the IAA, service providers, staff evaluation, number of staff with certifications, and continuing professional development. The main objective of the CBOK 2006 study is to develop a summary of the global practice of internal auditing around the world. The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA. These more detailed summaries of results may be provided for the five categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the Other category consist primarily of other professional staff whose position is not captured by the traditional job titles included in the survey. A review of their credentials indicates they may be members of the IAA, employed by service providers, or in organizations where their titles are less traditional but with duties within internal auditing. When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
The Institute of Internal Auditors Research Foundation
252 A Global Summary of the Common Body of Knowledge 2006 ______________________
For example, Table 6-1 has a related Table 6-1-1. Additional related tables may be located in Appendix 6 at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 6-7-1-A is located in Appendix 6.
Staffing Number of Staff in the IAA Practice Advisory 2230-1 states, “The number and experience level of the internal auditing staff required should be based on an evaluation of the nature and complexity of the engagement assignment, time constraints, and available resources.” Several survey questions were asked to gain an understanding of the type of staff, use of co-sourcing, and size of respondents’ IAAs. Table 6-1 lists CAE responses to the current number of audit staff by staff level in their IAAs. Of the 359 CAEs that responded to the use of external auditors as staff, 49.3% or 177 indicate they use this source for audit staff and 255 of 438 CAE respondents use contract audit staff.
Table 6-1 Number of Full-time Staff at Each Staff Level in the IAA CAE Respondents in Percentages Number CAEs Audit Audit Audit Staff External Contract at Each % of Managers Seniors/ % of Auditors Audit Staff Staff 2,184 CAE % of Supervisors 1,742 CAE (co-sourced) (co-sourced) Level Respondents 1,173 CAE % of Respondents % of % of Respondents 954 CAE 359 CAE 438 CAE Respondents Respondents Respondents
None One 2-5 6-10 11 or More Total
Support Staff (Administrative, Secretarial, & Clerical) Total of 936 CAE Respondents
0.4 90.1 6.0 1.8 1.7
10.9 36.7 41.6 6.3 4.5
13.2 27.7 41.7 9.1 8.3
3.9 19.5 44.0 14.4 18.2
50.7 12.3 24.5 7.2 5.3
41.6 22.1 27.6 4.3 4.4
12.7 54.6 25.4 3.4 3.9
100.0
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 253
Table 6-1-1 shows that very few of the CAE respondents’ IAAs have part-time staff and those tend to be at the audit staff level or with outsourced personnel.
Table 6-1-1 Number of Part-time Staff in the IAA CAE Respondents in Percentages Number of Staff
CAE % of 153 CAE Respondents
Audit Managers % of 119 CAE Respondents
Audit Audit Staff External Contract Seniors/ % of Auditors Audit Staff Supervisors 231 CAE (co-sourced) (co-sourced) % of Respondents % of % of 120 CAE 181 CAE 194 CAE Respondents Respondents Respondents
None One 2-5 6-10 11 or More Total
51.6 39.2 6.5 2.0 0.7
70.6 19.3 8.4 0.8 0.9
65.0 21.7 12.5 0.0 0.8
31.2 37.7 26.8 2.2 2.1
42.0 19.3 32.6 3.3 2.8
42.3 29.4 22.7 2.1 3.5
39.8 53.4 4.9 0.5 1.4
100.0
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
Support Staff (Administrative, Secretarial, & Clerical) % of 206 CAE Respondents
254 A Global Summary of the Common Body of Knowledge 2006 ______________________
Many of the respondents’ IAAs have a fairly small number of staff members at each staff level. Figure 6-1 reports that 24% of the respondents to this question indicate that their IAAs have 1-3 members of the audit staff. Another 18.9% have 4-6 staff members and an additional 11.1% have 7-9 staff members in their IAAs. Of the respondents, 25.8% have 25 or more staff members in their IAA.
Figure 6-1 Number of Full-time Staff at Each Staff Level All Respondents (6,646) in Percentages 1-3 24.0%
25 or more 25.8%
22-24 2.0% 4-6 18.9%
19-21 2.7% 16-18 3.8% 13-15 5.0%
10-12 6.7%
7-9 11.1%
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 255
Open Staff Positions Several questions were asked about hiring practices for open positions and what methods are used to make up for staff vacancies. As seen in Figure 6-2, special incentives to hire staff are not generally used. Only 12.8% of CAEs’ organizations offer relocation expenses, 10.9% provide a transportation allowance, and 8.4% give a signing bonus.
Figure 6-2 Special Incentives Offered to Hire Staff CAE Respondents (2,367) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
256 A Global Summary of the Common Body of Knowledge 2006 ______________________
CAEs were also asked what methods are used to make up for staff vacancies. Figure 6-3 show that 28.2% of CAE respondents replied that their IAAs have no vacancies. CAEs indicate that the two most common methods used to cover staff vacancies are reduction in the areas of audit coverage (30.7%) and co-sourcing from internal audit service providers (28.7%).
Figure 6-3 Methods Used to Make Up for Staff Vacancies CAE Respondents (2,367) in Percentages
Percentage of Respondents Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 257
For groups, Table 6-2 points out that a reduction in coverage is a general strategy common to all groups, whereas the use of co-sourcing is primarily practiced in groups 1, 2, 3, and 11. Groups 5 (39.7%) and 6 (39.1%) have the highest percentages of no vacancies. Groups 12 (11.1%) and 11 (14.8%) report the lowest levels of no vacancies and the highest level of reducing the areas of audit coverage, 44.4% and 37% respectively, due to lack of staff.
Table 6-2 Methods Used to Make Up for Staff Vacancies CAE Respondents in Percentages by Groups* Methods
1
Facilitate control selfassessments in place of audits Reduce areas of coverage Increased use of audit software Borrowing staff from other departments Co-sourcing from internal audit service providers No vacancies Other methods Respondents
2
3
4
5
6
7
8
9
10
11
12
N/C**
5.4 14.0 14.7 35.6 16.8 10.3 16.7 11.7 15.2 10.6 18.5 44.4
17.9
35.3 26.7 34.7 23.1 21.2 23.7 26.5 33.0 19.6 23.4 37.0 44.4
25.2
10.6 11.6 18.0 18.3 10.3 17.3 20.5 12.6 26.1
8.5 29.6 33.3
15.9
4.3 14.9 13.6 33.3
15.9
34.6 41.9 43.3 11.5 14.7 21.8 22.0 27.5 17.4 29.8 33.3 11.1
17.2
28.0 24.4 21.3 29.8 39.7 39.1 27.3 24.9 30.4 25.5 14.8 11.1 8.4 10.5 14.0 10.6 14.7 8.3 15.2 16.2 19.6 17.0 17.3 22.2 912 86 150 104 184 156 132 309 46 47 81 9
27.8 19.9 151
11.4 17.4 13.3 19.2 17.9 12.8
8.3 14.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Missing Skills Standard 1210.A1, Proficiency, notes that, “The CAE should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.” Standard 1210.C1 goes on to state, “The CAE should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.”
The Institute of Internal Auditors Research Foundation
258 A Global Summary of the Common Body of Knowledge 2006 ______________________
Skill shortages are an issue that CAEs must often address in creative ways. Methods respondents use to compensate for missing skill sets are indicated in Figure 6-4. In only 13.1% of the respondents’ IAAs are there no missing skill sets. The most typical techniques to address skill shortages are through the use of co-sourcing/outsourcing (51.4%), reduction of areas of coverage (17.7%), and borrowing staff from other departments (14.5%).
Figure 6-4 Methods Used to Compensate for Missing Skills CAE Respondents (2,367) in Percentages
Percentage of Respondents Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 259
Service Providers Respondents by Staff Level that are Service Providers Respondents were asked if they work for a service provider or worked for an in-house IAA. As shown in Figure 6-5, 86% indicate that they work within an organization and 14% of the respondents indicate that they work for service providers.
Figure 6-5 Service Provider of Internal Audit Services All Respondents (8,774) in Percentages Service Provider 14.0%
In-house Internal Audit Activity 86.0%
The Institute of Internal Auditors Research Foundation
260 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 6-3 shows by staff level if the respondents work for an in-house IAA or work for a service provider.
Table 6-3 Staff Levels at In-house IAA or Service Provider All Respondents in Percentages Staff Level of Respondent
Number of Respondents
Percent of Staff Level Working In-house IAA
Percent of Staff Level Working for a Service Provider
Total
CAEs Audit Managers Audit Seniors/Supervisors Audit Staff Other Total/Average
2,337 2,004 2,208 1,595 630 8,774
86.7 83.0 87.2 88.7 82.1 86.0
13.3 17.0 12.8 11.3 17.9 14.0
100.0 100.0 100.0 100.0 100.0 100.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 261
Outsourced IAA Activities Figure 6-6 indicates the percentage of the IAAs’ activities that are performed by service providers. Sixty-eight point eight percent of CAE respondents indicate that 10% or less of their IAAs’ audit work is being co-sourced/outsourced. All respondents indicated some level of outsourcing/cosourcing.
Figure 6-6 IAA’s Audit Activities - Percentage Outsourced/Co-sourced CAE Respondents (2,222) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
262 A Global Summary of the Common Body of Knowledge 2006 ______________________
As described in Table 6-4, 33% of CAEs indicate that their budget for co-sourcing/outsourcing is projected to increase in the next three years. It appears that most organizations are conducting their internal audits with in-house audit staff.
Table 6-4 Anticipated Budget Changes for Outsourced/Co-sourced Activities in the Next Three Years CAE Respondents in Percentages Change Anticipated Remain the same Increase Decrease Total
Percent of 2,145 Respondents 55.7 33.0 11.3 100.0
Staff Evaluation Table 6-5 summarizes how audit staff is evaluated. The audit staff is mainly evaluated by a supervisor on a periodic basis (78.5%). Customer/auditee feedback is the second most commonly used method for evaluation of audit staff performance (45.6%).
Table 6-5 Method of Staff Evaluation CAE Respondents in Percentages Methods of Staff Evaluation By supervisor periodically Customer/auditee feedback Peers/subordinates periodically Other
Percent of 2,367 Respondents 78.5 45.6 23.4 15.5
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 263
Certifications To ensure an adequate grounding of skills and abilities among the audit staff, it is important for individuals in the IAA to be Certified Internal Auditors (CIA). Other certifications such as CGAP, CCSA, CFSA, and CISA are also important to show the staff’s proficiency in specialized areas. CAE respondents were asked about the types of certifications held by their staff. Figure 6-7 provides a listing of the staff certification profile from responding CAEs. A staff member could have more than one certification. This table indicates that the audit staff has a wide range of certifications. Public accounting is the most common (35.0%), followed by the CIA certification (28.6%).
Figure 6-7 IAA Staff Members with Certifications CAE Respondents (7,072) in Percentages
Percentage of Respondents Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 20.0
6.4
6.9 51.4
19.5
18.5
9.1 39.6
24.1
10.9
14.8
13.0
26.0
3
17.9
14.5
6.0
11.7
40.9
4
16.3
9.4
13.9
6.6
21.9
5
29.4
10.1
6.5
18.4
28.9
6
39.9
4.3
2.6
9.7
7.7
7
21.3
9.3
.6
9.2
17.7
8
26.4
8.0
1.3
19.1
28.8
9
34.8
8.1
5.4
13.7
28.7
10
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
45.3
31.0
Internal Auditing (such as CIA/MIIA/PIIA) Information Systems Auditing (such as CISA/ QiCA/CISM) Government Auditing/ Finance (such as CIPFA/ CGAP/CGFM) Control Self-assessment (such as CCSA) Public Accounting/ Chartered Accountancy (such as CA/CPA/ ACCA/ACA)
2
1
Type of Certificate
Table 6-6 IAA Staff Members With Certificates CAE Respondents - Percentages by Groups*
30.8
5.0
0.0
13.4
23.8
11
29.8
6.67
5.0
15.5
19.3
12
31.95
6.00
8.25
10.83
27.08
N/C**
In Table 6-6, the types of certifications held by groups are listed. CAEs in groups 2 (45.3%) and 4 (40.9%) indicate their staff have the highest percentages of CIAs. Distribution of the main certifications in Figure 6-7 are generally consistent with the group distribution in Table 6-6. When the CAEs were asked if there is a need for additional certifications beyond the CIA/MIIA/PIIA for audit managers, 40.9% of CAEs agreed it was necessary. Many CAEs (40.4%) believe that they need other certifications in addition to the CIA/MIIA/PIIA designation.
264 A Global Summary of the Common Body of Knowledge 2006 ______________________
1
10.0 1.1
17.28 0.97 26.19 21.7 517 240
11.2 0.0
29.9 0.0 31.4 244
1.7
0.0
1.2
4.5
27.5
20.4
6.6
14.9
4
15.5
3
23.3
2
44.0 398
1.3
10.2
4.1
8.9
4.1
2.1
5
48.3 435
8.2
19.5
6.3
3.0
13.7
5.2
6
14.2 402
1.5
8.4
3.5
2.9
9.6
1.7
7
29.9 682
5.3
6.8
2.6
2.9
18.2
14.6
8
15.2 129
0.0
6.3
0.0
12.2
7.8
9.0
9
39.9 163
0.0
0.0
2.2
1.9
0.0
8.0
10
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Management/General 17.2 Accounting (such as CMA/CIMA/CGA) Accounting - technician 2.2 level (such as CAT/AAT) Fraud Examination 16.2 (such as CFE) Financial Services 19.0 Auditing (such as CFSA/CIDA/CBA) Fellowship (such as 5.4 FCA/FCCA/FCMA) Certified Financial 2.6 Analyst (such as CFA) Other Certifications 23.7 Total Number of 3,095 Respondents Per Group
Type of Certificate
Table 6-6 (Cont.) IAA Staff Members With Certificates CAE Respondents - Percentages by Groups*
29.0 302
4.38
10.8
6.7
3.6
10.1
12.9
11
62.9 35
0.0
0.0
5.0
5.0
3.9
19.1
12
37.59 430
1.45
10.11
5.80
16.81
13.76
14.44
N/C**
_______________________________ Chapter 6: Staffing and Professional Development 265
The Institute of Internal Auditors Research Foundation
266 A Global Summary of the Common Body of Knowledge 2006 ______________________
Continuing Professional Development The IIA requires 80 hours of continuing professional development (CPD) every two years. The IIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to “enhance their knowledge, skills, and other competencies through continuing professional development.” Respondents were asked how many hours of formal training they received over the last 36 months or while they have been working in their IAA if less than 3 years. Training includes, but is not limited to, seminars, conferences, workshops, and in-house information sessions provided by either the respondents’ organization or other organizations.
Hours of Training Over the Last 36 Months by Staff Level Table 6-7 lists the number of hours of formal training by staff level taken by the respondents during the 36-month period prior to responding to the CBOK 2006 survey. The range in hours of formal training reported is from none to 240 or more hours. There is an expectation that all respondents would have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2% achieved or exceeded 120 hours of CPD. Another 16.4% of the CAEs attained the 80-119 hour level of CPD. The percentages of respondents at the other staff levels that achieved 120 or more hours of formal training are 49.1% for Audit Managers, 42.4% for Senior/Supervisors, 35.5% for Audit Staff, and 34.1% for Others.
Table 6-7 Hours of Formal Training During the Last 36 Months or While in IAA if Less Than 3 Years All Respondents in Percentages Number of Hours
CAE of 2,288 Respondents
Audit Manager of 1,947 Respondents
Audit Senior/ Supervisor of 2,159 Respondents
Audit Staff of 1,558 Respondents
Others of 598 Respondents
None 1-39 40-79 80-119 120-159 160-199 200-239 240 or More Total
0.9 11.6 22.9
1.2 11.2 21.7
1.2 13.2 24.5
2.2 19.1 25.4
7.4 19.4 23.9
16.4 23.9 4.9 6.5 12.9 100
16.8 24.8 5.8 6.3 12.2 100
18.7 20.6 5.1 5.6 11.1 100
17.8 16.9 3.1 4.6 10.9 100
15.2 16.7 4.7 3.0 9.7 100
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 267
In Appendix 6, Tables 6-7-1-A through 6-7-6-A provide more detailed data for the groups. The tables show details about the hours of formal training received by all respondents within the last 36 months and then broken down by category of internal audit staff.
Hours of Training Compared to Years as a Member of IIA Table 6-8 looks at whether the period of IIA membership has any affect on the amount of CPD taken by respondents. It does appear that respondents who have been IIA members for a longer period of time have taken more CPD in the 36 months prior to the survey. For respondents that have been members for 11 or more years, 54.6% have taken 120 or more hours of CPD compared to 50.3% of respondents who have been members for 6-10 years, and 39.4% of respondents who have been members for 1-5 years.
Table 6-8 Comparing Hours of CPD During the Last 36 Months and Years as a Member of The IIA All Respondents in Percentages Number of Hours of Formal Training None 1- 39 40-79 80-119 120-159 160-199 200-239 240 or More Total
IIA Member for 1-5 Years of 5,014 Respondents 1.8 15.5 25.4 17.9 18.5 4.0 5.5 11.4 100.0
IIA Member for 6-10 Years of 1,657 Respondents 0.9 9.4 21.8 17.6 26.6 5.8 5.8 12.1 100.0
IIA Member for 11 or More Years of 1,266 Respondents 1.4 9.1 20.5 14.4 30.0 7.9 6.6 10.1 100.0
The Institute of Internal Auditors Research Foundation
268 A Global Summary of the Common Body of Knowledge 2006 ______________________
CIA/MIIA/PIIA Certification and Hours of CPD Figure 6-8 summarizes the number of hours of CPD taken by respondents who have their CIA/ MIIA/PIIA certification. Of those that indicate that they are a CIA/MIIA/PIIA, 51% have taken 120 or more hours of CPD.
Figure 6-8 Number of Hours of Formal Training During the Last 36 Months for CIA/MIIA/PIIA Respondents All Respondents (3,366) in Percentages 240 or more hours 12.7%
None 1.1%
1-39 hours 9.9%
200-239 hours 6.2% 160-199 hours 6.0%
120-159 hours 26.1%
40-79 hours 21.4%
80-119 hours 16.6%
Hours of Training Required by Law/Statute To further understand the factors impacting the amount of CPD taken by internal auditors, respondents were asked how many hours of training over a 12-month period are required by law/ statute in the country where they work. The benchmark for a 24-month period is still the 80 hours required by The IIA, but it is acknowledged that there could be some country specific variation. In Table 6-9, the replies appear to be consistent across all levels of audit staff. Respondents that
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 269
indicate they do not have any law/statute requiring CPD in the countries where they work range from 38.0% to 41.2%. Countries that have statutory requirements for 31-40 hours per year of CPD range from 25.0% to 32.8%. A few countries require more than 40 hours of CPD annually. The relatively high percentage of respondents that work in countries that have no or minimum statutory CPD requirement, may help explain why many of the respondents in Table 6-7 indicate that they have taken the equivalent of 119 hours or less of CPD in the past 36 months.
Table 6-9 Hours of Training Over a 12-Month Period Required by Law/Statute All Respondents in Percentages Number of Hours
CAE % of 2,028 Respondents
Audit Manager % of 1,687 Respondents
None 1-10 11-20 21-30 31-40 41-50 51-60 61-70 Over 70 Total
41.0 5.6 8.5 4.8 30.3 1.9 1.6 0.1 6.2 100.0
38.1 3.7 9.1 5.0 32.8 2.1 1.7 0.3 7.2 100.0
Audit Senior/ Supervisor % of 1,832 Respondents 41.2 4.5 8.3 5.5 29.5 2.3 2.1 0.5 6.1 100.0
Audit Staff % of 1,177 Respondents
38.0 9.0 8.0 5.0 25.0 3.0 1.0 1.0 10.0 100.0
Others % of 513 Respondents
39.0 4.0 12.0 7.0 28.0 2.0 1.0 0.0 7.0 100.0
Frequency of Types of Training The survey asked the CAEs to provide information on the frequency of training in several specific areas for themselves and other members of the IAA. Respondents were asked to indicate whether the training was more frequent than annually, annually, less frequently than annually, as needed, or never. The detailed results are shown in Table 6-10. CAEs report that training on the Standards and professional practices are most common with 46.3% receiving training annually or more frequently than annually and 37.5% receiving training as needed. Another important training area is basic/advanced technology, with 36.3% of the training being provided annually or more frequently
The Institute of Internal Auditors Research Foundation
270 A Global Summary of the Common Body of Knowledge 2006 ______________________
2,232
2,211 2,242
2,217
2,231
2,286
Number of Respondents
9.4
6.7 8.8
9.5
13.0
18.5
More Frequently than Annually
17.1
31.4 18.4
22.5
23.3
27.8
Annually
15.6
13.8 15.3
17.2
12.3
12.1
Less Frequently than Annually
43.5
35.9 46.9
41.1
46.3
37.5
14.4
12.2 10.6
9.7
5.1
4.1
As Never Needed
100.0
100.0 100.0
100.0
100.0
100.0
Total
Table 6-10 Frequency of Types of Training CAE Respondents in Percentages
and 46.3% being trained as necessary. This result is expected as the IAA seeks skill upgrades when new technology becomes available.
Type of Training
Standards and professional practices Basic/advanced technology Anti-fraud techniques Ethics training Communication skills Team-building skills
The responses given to the question on ethics training could reflect the desire for improving corporate governance or the need for more transparent business practices following many widely publicized corporate collapses in recent years. It was reported that 38.1% of ethics training sessions took place annually or more frequently and 35.9% as needed. It is interesting to note that 12.2% of respondents indicate that ethics training is never provided, compared with 4.1% indicating no training on the Standards and professional practices and 5.1% indicating no training on basic/ advanced technology.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 271
Summary The majority (54%) of the CAE respondents’ IAAs have 9 or fewer staff and 25.8% of the IAAs have 25 or more audit staff. A minority of respondents offer incentives to attract individuals for open positions in the IAA. The respondents’ most used methods to compensate for missing skill sets are to reduce the audit scope or to outsource the task. Over 25% of the respondents hold a CIA/MIIA/PIIA designation. About half of the CAE respondents received 120 hours of CPD over the 36 months prior to the CBOK 2006 survey.
The Institute of Internal Auditors Research Foundation
Table 6-7-1-A Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years All Respondents in Percentages by Groups* The Institute of Internal Auditors Research Foundation
Number of Hours
None 1- 39 40-79 80-119 120- 159 160-199 200-239 240 or More Total
1
2
3
4
5
6
7
8
9
1.1 1.0 2.9 1.1 1.8 0.7 1.6 1.9 3.3 9.7 13.1 14.2 35.2 10.2 13.6 8.4 16.8 23.6 23.5 21.4 27.9 26.4 18.5 25.4 16.7 28.1 25.2 16.9 21.8 15.2 16.8 18.9 18.3 14.9 18.7 15.4 30.1 19.4 15.3 10.5 15.7 19.2 16.7 14.6 12.2 6.1 3.9 4.9 2.6 6.5 4.5 4.5 3.1 4.1 5.9 9.2 4.9 2.0 5.8 4.9 9.6 4.6 6.5 6.7 10.2 14.7 5.4 22.6 13.4 27.6 12.2 9.7 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
10
11
12
N/C**
1.5 14.6 23.4 20.4 13.1 2.9 5.8 18.3 100.0
2.2 20.3 25.1 17.3 16.5 3.5 5.6 9.5 100.0
2.4 12.2 19.5 22.0 24.4 2.4 4.9 12.2 100.0
4.3 21.7 20.4 17.3 14.6 2.5 4.8 14.4 100.0
272 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 6
Number of Hours
The Institute of Internal Auditors Research Foundation
None 1-39 40-79 80-119 120-159 160-199 200-239 240 or More Total
1
2
3
4
5
6
7
0.5 0.0 1.4 1.0 1.7 0.6 0.0 6.5 12.2 8.2 40.4 7.9 16.7 6.9 21.3 25.6 23.8 21.2 14.1 31.4 15.3 13.9 12.2 13.6 18.3 23.7 16.7 13.0 34.7 19.5 21.1 9.6 17.5 18.6 18.3 7.2 4.9 5.4 1.9 7.3 3.8 2.3 6.8 11.0 8.2 1.9 7.9 3.2 9.2 9.1 14.6 18.3 5.7 19.9 9.0 35.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
8
9
10
1.3 4.8 2.3 15.2 19.0 11.6 30.7 26.2 23.3 20.5 16.7 18.6 14.9 9.5 14.0 1.7 2.4 2.3 4.0 4.8 9.3 11.7 16.6 18.6 100.0 100.0 100.0
11
12
0.0 15.6 28.6 13.0 20.8 2.6 10.4 9.0 100.0
0.0 0.0 14.3 57.1 0.0 0.0 14.3 14.3 100.0
N/C**
2.1 17.5 19.6 19.6 21.7 2.8 5.6 11.1 100.0
_______________________________ Chapter 6: Staffing and Professional Development 273
Table 6-7-2-A Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years CAE Respondents in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None 1-39 40-79 80-119 120-159 160-199 200-239 240 or More Total
1
0.7 7.4 20.2 15.0 35.8 7.6 5.9 7.4 100.0
2
3
4
5
6
7
8
9
0.0 2.5 0.0 1.0 2.0 1.5 1.8 0.0 9.8 14.5 28.9 6.0 6.9 3.6 17.3 13.0 21.6 26.0 33.3 23.0 19.6 16.8 25.3 26.1 27.5 12.5 13.3 20.0 27.5 15.3 17.8 17.4 21.6 17.5 20.0 19.0 22.5 18.2 11.6 13.0 3.9 4.5 0.0 9.0 2.9 5.8 4.9 8.7 9.8 5.5 0.0 6.0 6.9 8.8 6.7 17.4 5.8 17.0 4.5 16.0 11.8 29.9 14.7 4.3 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
10
11
0.0 1.4 0.0 23.0 27.3 24.3 22.7 16.2 18.2 17.6 0.0 4.1 9.1 5.4 22.7 8.1 100.0 100.0
12
0.0 15.4 0.0 15.4 53.8 0.0 7.7 7.7 100.0
N/C**
2.0 22.3 18.9 20.3 12.2 3.4 5.4 15.5 100.0
274 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 6-7-3-A Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years Audit Manager Respondents in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None 1-39 40-79 80-119 120-159 160-199 200-239 240 or More Total
1
2
3
4
5
6
7
8
9
0.8 0.0 1.6 0.0 0.0 0.0 2.3 2.0 6.5 9.2 15.2 17.4 28.8 11.9 7.8 10.5 16.8 29.0 25.4 15.2 33.7 27.4 20.3 31.4 16.3 22.8 29.0 18.9 30.4 17.9 21.9 16.1 15.7 17.4 17.8 19.4 28.3 17.4 10.3 8.2 16.1 15.7 15.7 20.8 6.5 5.6 4.3 4.9 6.8 5.6 7.8 5.8 3.0 0.0 6.2 6.6 3.3 2.7 3.5 3.9 11.1 4.6 6.5 5.6 10.9 10.9 4.2 26.5 17.7 20.9 12.2 3.1 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
10
11
0.0 2.4 14.3 19.0 25.0 21.4 21.4 26.2 7.1 14.3 3.6 2.4 7.1 2.4 21.5 11.9 100.0 100.0
12
N/C**
0.0 22.2 44.4 11.1 11.1 0.0 0.0 11.2 100.0
1.8 21.6 19.9 17.5 12.3 3.5 4.7 18.7 100.0
_______________________________ Chapter 6: Staffing and Professional Development 275
Table 6-7-4-A Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years Audit Senior/Supervisor Respondents in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None 1-39 40-79 80-119 120-159 160-199 200-239 240 or More Total
1
2
3
4
5
6
7
8
9
1.3 6.3 3.3 2.2 5.0 0.0 0.0 0.5 0.0 16.3 12.5 15.8 40.2 14.9 20.0 10.0 17.1 38.1 27.0 31.3 30.0 27.2 16.8 11.7 20.0 32.1 14.3 20.8 25.0 17.5 10.9 11.9 13.3 12.5 19.2 9.5 22.1 18.8 12.5 9.8 11.9 20.0 20.0 13.0 14.3 3.4 0.0 4.2 1.1 5.0 3.3 2.5 3.6 9.5 4.7 6.1 4.2 2.2 6.9 8.3 5.0 4.1 0.0 4.4 0.0 12.5 6.4 27.6 23.4 30.0 10.4 14.3 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
10
11
3.2 4.2 12.9 29.2 25.8 16.7 19.4 25.0 19.4 8.3 6.5 4.2 0.0 0.0 12.8 12.4 100.0 100.0
12
0.0 0.0 28.6 28.6 14.3 0.0 0.0 28.5 100.0
N/C**
4.6 23.5 21.8 15.5 13.0 0.8 5.0 15.8 100.0
276 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 6-7-5-A Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years Audit Staff in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None 1-39 40-79 80-119 120-159 160-199 200-239 240 or More Total
1
2
3
4
5
6
7
8
9
5.5 9.1 15.4 2.8 2.3 0.0 6.9 10.0 0.0 14.1 27.3 15.4 27.8 13.6 29.6 20.7 24.0 16.7 25.9 0.0 17.9 27.8 25.0 22.2 20.7 30.0 33.3 15.7 27.3 12.8 22.2 20.5 14.8 10.3 12.0 0.0 22.7 18.2 15.4 8.3 9.1 18.5 3.4 8.0 50.0 5.9 0.0 7.7 2.8 4.5 3.7 3.4 2.0 0.0 3.1 9.1 0.0 2.8 2.3 3.7 13.8 2.0 0.0 7.1 9.0 15.4 5.5 22.7 7.5 20.8 12.0 0.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
10
11
0.0 14.3 53.8 21.4 7.7 35.7 23.1 7.1 0.0 7.1 0.0 7.1 0.0 0.0 15.4 7.3 100.0 100.0
12
N/C**
20.0 20.0 20.0 0.0 20.0 20.0 0.0 0.0 100.0
15.9 24.6 18.8 13.0 17.4 2.9 1.5 5.9 100.0
_______________________________ Chapter 6: Staffing and Professional Development 277
Table 6-7-6-A Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years Other Respondents in Percentages by Groups*
278 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 7
Chapter 7: Internal Audit Skills ............................................................................................ 279 Introduction......................................................................................................................... 279 Technical Skills................................................................................................................... 281 Behavioral Skills................................................................................................................. 289 Summary ............................................................................................................................. 299 Appendix 7.......................................................................................................................... 300
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 279
CHAPTER 7 INTERNAL AUDIT SKILLS
Introduction Recognizing the evolutionary nature of the profession, this chapter summarizes the skills internal auditors are expected to possess today while they perform as internal auditors in their IAA or for client organizations. All respondents were provided with a list of technical and behavioral skills developed from the International Standards for the Professional Practice of Internal Auditing (Standards), Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilot study. Respondents were unable to amend or change the list of skills provided in the CBOK 2006 survey. As a guide when answering the survey questions, respondents were given the following definition of technical skills: “using terminology or subject matter in a particular field.” Behavioral skills were defined in the survey as “actions toward others measured by commonly accepted standards and management of one’s own actions.” The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all of the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA. These more detailed summaries of results may be provided for the four categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, and Audit Staff. When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
The Institute of Internal Auditors Research Foundation
280 A Global Summary of the Common Body of Knowledge 2006 ______________________
For example, Table 7-4 is the total of all respondents for that question with a related Table 7-4-1 showing the responses by group. A table can have more than one related table, where the second related table would be 7-4-2. Additional related tables may be located in Appendix 7 at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 7-1-1-A is located in Appendix 7. The possession and use of certain behavioral and technical skills are necessary elements for internal audit practitioners to achieve a high level of quality performance in their internal auditing work. The Standards and Practice Advisories each indicate specific skills that are appropriate for internal auditors to possess. Standard 1220, Due Professional Care, requires internal auditors to “apply the care and skill expected of a reasonably prudent and competent internal auditor.” Standard 1210, Proficiency, states, “Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.” The standard continues, “The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.” The possession and application of technical skills enable internal auditors to achieve a high level of performance in their activities. The selection of technical skills in the survey is supported by the Standards and Practice Advisories which emphasize certain technical skills: • • • • •
Attribute Standard 1210.A2 – “The internal auditor should have sufficient knowledge to identify the indicators of fraud...” Attribute Standard 1210.A3 – “Internal auditors should have knowledge of key information technology risks and controls...” Performance Standard 2120.A1 – “...the internal audit activity should evaluate the adequacy and effectiveness of controls...” Performance Standard 2210.A1 – “Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review…” Performance Standard 2320 – “Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.”
The objectives for this survey question were to understand the current skill framework of technical and behavioral skills necessary for internal auditors to successfully perform their jobs in their position within the internal audit activity (IAA). Figure 7-1 lists the technical and behavioral skills included in CBOK 2006.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 281
Figure 7-1 Technical and Behavioral Skills
Technical Skills
Behavioral Skills
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding business Use of information technology Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Working independently Work well with all levels of management
Technical Skills CAE Respondents Chief audit executives (CAEs) were asked to identify the five most important technical and behavioral skills they need to possess in order to be successful as the leader of their IAA. They were also asked to identify the five most important technical and behavioral skills that the Audit
The Institute of Internal Auditors Research Foundation
282 A Global Summary of the Common Body of Knowledge 2006 ______________________
Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform their jobs. The results can be used to identify similarities among the CAEs’ responses. Table 7-1 shows the CAEs’ selection of the five most important technical skills by staff level from the 13 listed in the questionnaire. Understanding the business and risk analysis are skills that on average get the highest scores. There is no individual technical skill that is highly rated by CAE respondents for all staff levels in the IAA. The higher the percentages in Table 7-1 for each technical skill the more CAEs agreed on the importance of that skill.
Table 7-1 Most Important Technical Skills by Staff Level CAE Respondents (2,092) in Percentages Technical Skills
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
15.2 35.9 43.2 30.8
14.7 35.4 38.7 33.6
33.9 36.4 31.7 45.2
77.6 35.1 20.9 52.1
37.7 18.9 68.7 20.8 74.9 6.5 33.4 78.3 28.3
37.8 16.0 49.5 19.6 59.0 8.8 21.0 58.6 30.4
44.1 10.7 23.5 29.9 41.3 20.7 10.6 43.9 37.3
58.3 7.6 7.3 41.5 27.5 29.5 3.7 45.5 51.4
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 283
CAE At the CAE position, high-level technical skills are vital for the IAA to be successful. For their own category, the technical skills most commonly chosen as important are: • • • • •
Understanding the business (78.3%). Risk analysis (74.9%). Negotiating (68.7%). Forensic skills/fraud awareness (43.2%). Interviewing (37.7%).
From the list provided, the CAEs indicate that understanding the business (78.3%), risk analysis (74.9%), and negotiating (68.7%) are especially important technical skills they need to perform their role in the IAA. These results are in accordance with Performance Standard 2010, Planning, and its related Practice Advisories that require the CAE to establish a risk-based audit plan to determine the priorities of the internal audit activity. As this is a high-level technical skill, it is appropriate that it is not vital at lower staff levels. Forensic skills/fraud awareness skills were also commonly chosen as important (43.2%). This seems appropriate as Standard 2210A.2 requires the internal auditor to consider for all assurance engagements “the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.”
Audit Manager For the Audit Manager category, the technical skills most commonly chosen as important by CAEs are: • • • • •
Risk analysis (59%). Understanding the business (58.6%). Negotiating (49.5%). Forensic skills/fraud awareness (38.7%). Interviewing (37.8%).
For Audit Managers, risk analysis (59%) and understanding the business (58.6%) are critical for successful performance of duties. CAEs also identified negotiating (49.5%) as an important technical skill for Audit Managers, although there is a more than 19% decrease in the importance of this skill from the CAE level. The most commonly chosen technical skills are the same at both the CAE and the Audit Manager level.
The Institute of Internal Auditors Research Foundation
284 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Senior/Supervisor For the Audit Senior/Supervisor category, the technical skills that were most commonly chosen by CAEs as important are: • • • • •
Identifying types of controls (45.2%). Interviewing (44.1%). Understanding the business (43.9%). Risk analysis (41.3%). Use of information technology (37.3%).
Some technical skills become less important at the Audit Senior/Supervisor level than the Audit Manager level. One example shown in Table 7-1 is forensic skill/fraud awareness, which decreases from 38.7% at the Audit Manager level to 31.7% at the Audit Senior/Supervisor level. Another decrease is found in risk analysis, which decreases from 59.0% at the Audit Manager level to 41.3% at the Audit Senior/Supervisor level. Understanding the business follows the same pattern, decreasing from 58.6% at the Audit Manager level to 43.9% at the Audit Senior/Supervisor level. There are also some technical skills that are newly identified as important by CAEs when they considered the Audit Senior/Supervisor level. Identifying types of controls (45.2%) and the use of information technology (37.3%) were chosen by CAEs as important to the Audit Senior/Supervisor level.
Audit Staff For the Audit Staff category, the technical skills that were most commonly chosen by CAEs as important are: • • • • •
Data collection and analysis (77.6%). Interviewing (58.3%). Identifying types of controls (52.1%). Use of information technology (51.4%). Understanding the business (45.5%).
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 285
CAE respondents indicate that the technical skills needed by each staff level change as they progress to higher staff levels. For example, while 77.6% of the CAEs selected data collection and analysis as an important technical skill for the Audit Staff, only 14.7% indicate that it is important for Audit Managers, and 15.2% selected it as important for CAEs. For negotiating, 68.7 % feel that it is important for CAEs and only 7.3% note that it is considered an important technical skill for the Audit Staff. Identifying types of controls was identified by CAEs as slightly increasing in importance from 45.2% at the Audit Senior/Supervisor level to 52.1% at the Audit Staff level. Interviewing also shows an increase from 44.1% at the Audit Senior/Supervisor level to 58.3% at the Audit Staff level. The use of information technology shows a relatively large increase from 37.3% at the Audit Senior/Supervisor level to 51.4% at the Audit Staff level. In Appendix 7, Tables 7–1-1-A (CAEs), 7-1-2-A (Audit Managers), 7-1-3-A (Audit Seniors/ Supervisors), and 7-1-4-A (Audit Staff) show CAE responses for technical skills broken out for the 13 groups. Overall the tabulation by CAE by groups agrees with the top five technical skills for each staff level. These results clearly indicate that the CAE respondents believe that the technical skills appropriate for success in the IAA differ at various staff levels in the IAA.
Practitioner Respondents While CAEs ranked the five most important technical skills for all staff levels including themselves, the Practitioners were asked to indicate the importance of all thirteen technical skills to perform their work at their current staff position. The practitioner respondents indicated importance of the technical skill to them on a scale of 1 (minimally important) to 5 (very important). Table 7-2 divides the mean responses into the three staff levels: Audit Manager, Audit Senior /Supervisor, and Audit Staff. The results for technical skills show little variation by staff levels. The skills that consistently get the highest mean scores from the Practitioner respondents are data collection and analysis, identifying types of controls, interviewing, research skills, risk analysis, and understanding the business. The higher the mean in Table 7-2 for each technical skill the more Practitioners agreed on the importance of that skill.
The Institute of Internal Auditors Research Foundation
286 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 7-2 Importance to Respondent of Technical Skills to Perform Work Practitioner Respondents by Means* Technical Skills
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
Audit Manager
Audit Senior/ Supervisor
Audit Staff
4.1 3.8 3.6 4.3
4.3 3.9 3.6 4.2
4.4 3.7 3.6 4.1
4.3 2.9 3.7 3.9 4.4 3.2 2.9 4.5 4.1
4.3 2.9 3.6 4.0 4.3 3.3 2.9 4.4 4.1
4.3 3.0 3.5 4.0 4.2 3.5 3.0 4.3 4.1
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
The skills related to quality (ISO/quality knowledge and TQM) received the lowest ranking of all the skills for all three professional levels in the IAA.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 287
In Table 7-2-1, the main differences that emerge by comparing group data are those skills that are generally not considered as important by Practitioners: statistical sampling, total quality management, and negotiating. Group 9 considers statistical sampling to be very important (mean of 3.9) while group 10 has a much lower mean (2.8). Group 12 differs from the others for TQM with a mean of 3.4 which is very different than group 10’s mean of 2.4. Negotiating gets its highest score in groups 2, 3, and 7 (4.0) while group 10 gives this skill a much lower value (2.9).
Table 7-2-1 Importance to Respondent of Technical Skills to Perform Work by Groups* Practitioner Respondents in Means** Technical Skills
1
2
3
4
5
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding business Use of information technology
4.2
4.0
4.2
4.4
3.8 3.6
3.5 3.4
3.8 3.5
4.3
4.4
4.4 2.8 3.5 4.0 4.2 3.2 2.9
6
7
8
9
10
11
12 N/C***
4.5 4.0
4.6
4.2
4.4
4.2
4.3
4.5
4.3
4.0 3.9
3.9 3.4 3.7 3.3
4.1 3.8
3.5 3.3
4.2 4.0
3.4 3.3
4.3 3.5
4.1 3.8
3.9 3.7
4.4
4.1
4.1 3.8
4.41 3.8
4.4
4.2
4.2
4.5
4.1
4.3 2.8 4.0 3.9 4.4 3.0 2.7
4.4 3.1 4.0 3.9 4.4 3.2 3.1
3.9 3.4 3.7 3.7 4.2 3.5 3.2
4.4 3.0 3.9 4.1 4.4 3.5 3.1
4.4 2.6 3.5 3.7 4.3 2.9 2.6
4.3 3.4 4.0 4.1 4.5 3.7 3.3
4.2 2.8 3.4 3.7 4.4 3.3 2.7
4.1 3.0 3.9 4.3 4.3 3.9 3.3
4.4 2.6 2.9 3.1 4.5 2.8 2.4
4.3 3.1 3.8 3.8 4.3 3.5 3.2
4.2 3.3 3.6 3.8 4.2 3.8 3.4
4.1 3.3 3.7 3.9 4.2 3.5 3.1
4.7
4.5
4.6
4.3
4.3 4.5
4.5
4.2
4.5
4.6
4.5
4.5
4.4
4.1
3.9
4.3
4.0
4.1 3.9
4.4
4.0
4.2
4.2
4.1
4.0
4.2
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
288 A Global Summary of the Common Body of Knowledge 2006 ______________________
To add to the understanding of the importance placed by the Practitioners on the different technical skills by staff level, the data from Table 7-2 is displayed in rank order by staff level in Table 7-3. In Table 7-3, the technical skills are ranked from 1 (most important) through 13 (least important). There is a high level of consistency in the ranking of technical skills among the three staff levels (Audit Manager, Audit Senior/Supervisor, and Audit Staff). The relative decreasing importance of certain skills as one achieves higher staff levels in the IAA is only indicated for data collection and analysis. There is only slightly more importance of risk analysis and identifying types of controls as one achieves higher staff levels in the IAA.
Table 7-3 Rankings of Technical Skills by Staff Level Practitioner Respondents by Rank Technical Skills
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
Audit Manager
Audit Senior/ Supervisor
Audit Staff
5/6 8 10 3/4
2/3/4 8 9/10 5
1 8 9 5/6
3/4 12/13 9 7 2 11 12/13 1 5/6
2/3/4 12/13 9/10 7 2/3/4 11 12/13 1 6
2/3 12/13 10/11 7 4 10/11 12/13 2/3 5/6
Note: In some cases the rankings are tied. For example, rankings of Data Collection and Analysis and Use of Information Technology at the Audit Manager level are tied.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 289
Behavioral Skills CAE Respondents For an IAA to be successful, internal auditors must possess the appropriate level of skills that are fundamental for performance of their work (Standard 1210, Proficiency). From the twelve behavioral skills that were listed in the survey question, CAEs were asked to indicate the five most important for various professional staff levels in the IAA. The results can be used to identify similarities among the CAEs’ responses. Table 7-4 provides an overall view of the skills that CAEs chose as important for those performing internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff levels in the IAA. Their responses are presented in percentages by frequency of response for those that answered the question. The higher the percentages in Table 7-4 for each behavioral skill the more CAEs agreed on the importance of that skill. CAEs selected confidentiality first or second for all staff levels with a low of 53.2% for Audit Managers to a high of 73.4% for the Audit Staff. CAEs also selected objectivity (45.7% to 73.7%) and interpersonal skills (44% to 67.4%) as highly needed behavioral skills for all staff levels.
The Institute of Internal Auditors Research Foundation
290 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 7-4 Most Important Behavioral Skills by Staff Level CAE Respondents (2,092) in Percentages Behavioral Skills
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Work well with all levels of management Working independently
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
68.7 34.3 54.8 49.0 75.1 58.2 44.7 34.8 32.9 15.2 58.3 18.9
53.2 33.3 32.0 44.0 48.8 45.7 30.9 44.0 39.4 18.4 42.6 16.9
56.2 28.6 23.5 49.9 21.8 54.3 24.7 30.1 30.8 34.9 35.2 26.4
73.4 13.4 24.1 67.4 3.4 73.7 29.0 2.2 7.8 65.2 40.3 55.6
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The importance of objectivity and confidentiality is supported by many references in the Professional Practices Framework. Objectivity and confidentiality are two of the four principles in The IIA’s Code of Ethics. The IIA’s Code of Ethics states for objectivity, “Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.” For confidentiality, The IIA’s Code of Ethics states, “Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.” According to the Code, internal auditors must be prudent in their use and protection of information acquired. Information cannot be used for personal gain or in a way that would be against the law or hurt the organization.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 291
The following discusses the CAE’s rankings by staff level based on Table 7-4.
CAE The behavioral skills CAEs commonly chose as important at their level are: • • • • •
Leadership (75.1%). Confidentiality (68.7%). Work well with all levels of management (58.3%). Objectivity (58.2%). Governance and ethics sensitivity (54.8%).
For CAEs, the importance of relationships and leadership skills instead of skills emphasizing their own individual success is supported in Standards 2440, Disseminating Results, 2500, Monitoring Progress, and 2600, Resolution of Management’s Acceptance of Risks. Each requires the CAE to communicate with management and monitor progress. Practice Advisory 2340-1 states that the CAE, “Is responsible for assuring that appropriate engagement supervision is provided.” CAEs did not commonly choose as important behavioral skills such as team player (15.2%) and working independently (18.9%).
Audit Manager The most important behavioral skills that CAEs commonly believe Audit Managers should possess at their level are: • • • • • •
Confidentiality (53.2%). Leadership (48.8%). Objectivity (45.7%). Interpersonal skills (44.0%). Staff management (44.0%). Works well with all levels of management (42.6%).
The importance of staff management skills at higher levels in the IAA is consistent with Standard 2340, which states that “engagements should be properly supervised to ensure objectives are achieved...” Based on Standard 2030, Resource Management, if they are managing the engagement properly, they are ensuring that the staff is effectively deployed to achieve the approved plan. Progression in hierarchical position in the IAA from Audit Staff to Audit Manager results in a relative decrease in importance of the percentage ranking for confidentiality, objectivity, interpersonal skills, and team player as shown by the percentages attributed to each.
The Institute of Internal Auditors Research Foundation
292 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Senior/Supervisor For the Audit Senior/Supervisor level, the behavioral skills chosen by CAEs as important include: • • • • •
Confidentiality (56.2%). Objectivity (54.3%). Interpersonal skills (49.9%). Work well with all levels of management (35.2%). Team player (34.9%).
Comparing four of the behavioral skills CAEs chose as important for the Audit Manager and Audit Senior/Supervisor levels, confidentiality is important at all levels. This holds true when comparing the Audit Manager (53.2%) and the Audit Senior/Supervisor (56.2%) levels. Objectivity is also relatively close in importance at both levels (45.7% and 54.3%). Interpersonal skills show close alignment for the Audit Manager (44.0%) and Audit Senior/Supervisor (49.9%) levels. Work well with all levels of management is also commonly chosen as important by CAEs for both of these levels (42.6% ad 35.2%).
Audit Staff A comparison of the CAEs’ responses regarding the important behavioral skills related to the four staff levels reveals some noticeable differences. For the Audit Staff, the most commonly chosen behavioral skills CAEs believe they should possess are: • • • • •
Objectivity (73.7%). Confidentiality (73.4%). Interpersonal skills (67.4%). Team player (65.2%). Working independently (55.6%).
Skills indicated by CAEs as not critical for Audit Staff members to possess at this point in their internal auditing career are staff management (2.2%), leadership (3.4%), and team building (7.8%). In Table 7-4, when comparing results for Audit Seniors/Supervisors and Audit Staff to those of Audit Managers, CAE respondents’ choices show a trend of increasing importance for:
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 293
• • • •
Leadership (3.4% to 48.8%). Staff management (2.2% to 44.0%). Team building (7.8% to 39.4%). Facilitating (13.4% to 33.3%).
CAE Respondents by Staff Level for Groups Tables 7-4-1 (CAEs), 7-4-2 (Audit Managers), 7-4-3 (Audit Seniors/Supervisors), and 7-4-4 (Audit Staff) show the selections by CAEs by groups of the most commonly chosen behavioral skills. Table 7-4-1 shows the behavioral skills CAEs by group chose as important for the performance of their job. Variability of results relate predominantly to facilitating, works well with all levels of management, governance and ethics sensitivity, and staff management.
Table 7-4-1 Most Important Behavioral Skills for CAEs by Groups* CAE Respondents in Percentages Behavioral Skills
1
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Working independently Work well with all levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
65.2 66.7 67.9 74.4 72.7 71.5 81.6 75.9 62.5 50.0 72.5 32.2 34.6 32.1 33.7 52.1 38.7 28.9 37.2 30.0 14.3 24.6 48.0 59.3 53.7 73.3 50.3 54.7 69.3 63.5 65.0 40.5 68.1
62.5 50.0 75.0
61.1 33.6 52.7
52.6 78.4 52.0 45.8 26.1 28.4 8.2 10.9 64.0
37.5 75.0 75.0 37.5 12.5 37.5 12.5 25.0 50.0
40.5 60.3 57.3 37.4 28.2 31.3 17.6 26.7 47.3
59.3 75.3 56.8 60.5 29.6 33.3 13.6 19.8 65.4
53.0 88.1 53.7 63.4 36.6 32.8 13.4 12.7 59.7
54.7 64.0 65.1 36.0 30.2 45.3 20.9 36.0 47.7
50.9 66.7 70.3 40.0 58.8 41.2 27.9 29.1 69.1
40.9 72.3 59.1 38.7 43.8 24.8 10.2 19.7 56.9
46.5 78.9 64.9 44.7 33.3 33.3 37.7 25.4 48.2
39.8 75.6 64.7 42.5 51.5 44.4 22.2 25.6 41.0
35.0 80.0 65.0 32.5 27.5 37.5 7.5 25.0 55.0
45.2 57.1 54.8 38.1 28.6 19.0 9.5 19.0 76.2
59.4 78.3 65.2 46.4 33.3 29.0 17.4 21.7 65.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
294 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 7-4-2 for Audit Managers, CAEs in group 4 indicate that governance and ethics sensitivity (60.5%) and leadership (69.8%) are commonly important for Audit Managers. Governance and ethics sensitivity is one of the most important behavior skills for only 21.6% of the CAE respondents belonging to group 1. Leadership is considered an important skill by CAEs for Audit Managers for only 33.3% of respondents in group 10. A major difference between CAE respondents by group is for facilitating, which is identified as much less important in group 10. Staff management skills are commonly chosen as important by CAEs in group 3 (59.7%) but not by CAEs in group 10 (23.8%).
Table 7-4-2 Most Important Behavioral Skills for Audit Manager by Groups* CAE Respondents in Percentages Behavioral Skills
1
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Working independently Work well with all levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
50.8 54.3 56.7 61.6 49.7 54.7 63.2 57.1 47.5 33.3 62.3 75.0 29.3 30.9 38.1 46.5 42.4 30.7 34.2 35.7 45.0 9.5 36.2 50.0 21.6 28.4 31.3 60.5 29.1 34.3 45.6 43.6 50.0 31.0 40.6 62.5
45.8 32.8 35.1
47.9 49.9 41.4 29.7 42.9 38.3 11.4 13.6 47.5
38.2 47.3 43.5 27.5 38.2 31.3 23.7 22.1 36.6
55.6 37.0 46.9 34.6 53.1 33.3 16.0 14.8 49.4
61.9 46.3 49.3 42.5 59.7 43.3 19.4 13.4 56.0
39.5 69.8 43.0 32.6 45.3 55.8 16.3 22.1 38.4
42.4 50.9 49.1 29.7 49.1 39.4 27.3 21.8 38.8
31.4 35.8 43.8 27.0 38.7 41.6 13.1 16.1 31.4
32.5 57.9 56.1 26.3 33.3 35.1 37.7 17.5 38.6
33.8 44.7 47.4 33.5 44.4 43.6 27.1 18.8 33.1
35.0 50.0 52.5 20.0 47.5 27.5 15.0 10.0 27.5
42.9 33.3 40.5 26.2 23.8 40.5 14.3 21.4 42.9
58.0 59.4 60.9 39.1 50.7 40.6 24.6 31.9 52.2
62.5 50.0 87.5 37.5 50.0 25.0 12.5 25.0 25.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 295
Table 7-4-3 highlights the CAEs’ responses for Audit Seniors/Supervisors. With the exception of CAEs in groups 4, 5, and 12, there is remarkable consistency among CAEs in the groups. The main differences are for staff management and leadership. For CAEs in group 4, these two skills are considered quite important (53.5% and 46.5%) while group 5 indicates that these skills are not important for Audit Seniors/Supervisors (13.9% and 7.9%). The percentages from Table 7-4 for these two categories are respectively 30.1% and 21.8%. Another large difference relates to facilitating where group 4 considers this much more important (57%) than group 10 (19%).
Table 7-4-3 Most Important Behavioral Skills for Audit Seniors/Supervisors by Groups* CAE Respondents in Percentages Behavioral Skills
1
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Working independently Work well with all levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
52.5 24.3 14.7
53.1 63.4 57.0 56.4 61.3 68.4 61.7 65.0 40.5 59.4 87.5 27.2 25.4 57.0 35.2 31.4 31.6 26.3 37.5 19.0 42.0 37.5 22.2 22.4 41.9 33.3 27.7 39.5 28.2 47.5 14.3 29.0 25.0
45.0 25.2 21.4
52.6 20.9 52.0 22.1 32.1 33.3 29.1 23.9 38.0
61.7 14.8 51.9 30.9 32.1 29.6 27.2 22.2 40.7
46.6 28.2 55.0 22.9 22.9 33.6 34.4 29.0 24.4
63.4 17.9 54.5 35.8 41.0 29.9 43.3 31.3 50.0
57.0 46.5 40.7 34.9 53.5 46.5 27.9 25.6 39.5
42.4 7.9 53.3 30.3 13.9 17.0 32.1 30.3 27.3
38.0 17.5 62.8 20.4 31.4 24.8 38.0 38.0 31.4
37.7 36.8 57.9 21.1 23.7 31.6 56.1 18.4 30.7
42.5 19.9 58.6 21.8 26.7 28.9 41.4 26.7 29.7
47.5 27.5 60.0 20.0 37.5 42.5 45.0 15.0 37.5
47.6 21.4 40.5 28.6 16.7 16.7 28.6 19.0 40.5
62.3 27.5 62.3 27.5 29.0 33.3 44.9 37.7 33.3
87.5 25.0 100.0 50.0 37.5 25.0 50.0 25.0 25.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
296 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 7-4-4 (Audit Staff) there are uniformly low indicators of importance for staff management, leadership, team building, and facilitating. Group 6 believes that working independently is important for Audit Staff (70.8%) while group 7 considers this skill much less important (35.1%). Being a team player is vital for CAEs in group 7 (72.8%) and much less important in group 9 (37.5%). Whereas CAEs in group 9 believe that governance and ethics sensitivity is very important (45.0%) for Audit Staff when compared to the average 24.1% in Table 7-4, CAEs in group 12 show the lowest percentage for this skill (12.5%). CAEs’ range of percentages for objectivity is 100% for group 12, 82.5% for group 7, and 52.3% for group 4. The percentage from Table 7-4 is 73.7%. Works well with all levels of management ranges from a low of 12.5% in group 12 to a high of 52.3% in group 4.
Table 7-4-4 Most Important Behavioral Skills for Audit Staff by Groups* CAE Respondents in Percentages Behavioral Skills
1
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Working independently Work well with all levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
71.7 69.1 76.9 65.1 71.5 75.9 84.2 81.2 77.5 59.5 71.0 100.0 65.6 9.0 8.6 7.5 32.6 23.0 10.2 16.7 16.5 15.0 14.3 20.3 0.0 15.3 14.5 25.9 24.6 31.4 35.8 21.2 42.1 29.7 45.0 26.2 33.3 12.5 27.5 76.1 2.9 76.2 25.8 1.3 5.1 65.9 60.6 43.8
77.8 2.5 61.7 34.6 1.2 8.6 59.3 56.8 45.7
65.7 2.2 77.6 37.3 0.7 4.5 71.6 62.7 50.7
70.9 4.7 52.3 41.9 9.3 22.1 61.6 65.1 52.3
58.8 1.8 69.1 35.2 0.6 17.0 72.1 59.4 23.6
55.5 0.7 75.2 24.1 0.7 2.9 65.7 70.8 40.9
54.4 13.2 82.5 24.6 10.5 8.8 72.8 35.1 32.5
60.9 2.3 75.6 27.8 1.5 8.3 68.4 43.6 38.7
55.0 7.5 80.0 47.5 5.0 10.0 37.5 45.0 25.0
61.9 0.0 71.4 31.0 0.0 4.8 45.2 47.6 33.3
71.0 100.0 56.5 2.9 0.0 6.1 72.5 100.0 65.6 27.5 37.5 26.0 2.9 0.0 2.3 8.7 0.0 10.7 59.4 75.0 55.7 49.3 50.0 41.2 40.6 12.5 35.9
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 297
Practitioner Respondents Practitioners were asked to indicate the importance of each of the twelve behavioral skills to perform their work at their current position in their organization. These respondents were asked to use a scale of importance from 1 (minimally important) to 5 (very important). The data is divided into the three staff levels: Audit Manager, Audit Senior/Supervisor, and Audit Staff. The higher the mean in Table 7-5 for each behavioral skill the more Practitioners agreed on the importance of that skill. Practitioners consider almost all of the behavioral skills to be important with only marginal differences in the means. The only skill categories with ratings below 4.0 are: • • •
Staff management (the lowest score of all categories analyzed). Facilitating (among the lowest scores given a skill by all respondents). Leadership and team building (a mean lower than 4.0 only for the Audit Staff category).
Table 7-5 Importance of Behavioral Skills to Perform Work Practitioner Respondents by Mean* Behavioral Skills
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Work well with all levels of management Working independently
Audit Manager
Audit Senior/ Supervisor
Audit Staff
4.8 4.1 4.4 4.6 4.3 4.8 4.4 4.1 4.2 4.3 4.6 4.2
4.8 4.0 4.3 4.5 4.1 4.8 4.4 3.8 4.0 4.2 4.6 4.2
4.7 3.9 4.3 4.5 3.9 4.7 4.3 3.5 3.9 4.2 4.5 4.2
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
The Institute of Internal Auditors Research Foundation
298 A Global Summary of the Common Body of Knowledge 2006 ______________________
The practitioner results highlight many similarities with the CAE respondents. Confidentiality and objectivity are the skills that practitioners consider the most important for all professional levels. This is consistent with Practice Advisory 1120-1, Individual Objectivity, which states, “Objectivity is an independent mental attitude which internal auditors should maintain in performing engagements.” Interpersonal skills and works well with all levels of management are also viewed by respondents as very important to perform audit work. Table 7-5-1 shows the means of the Practitioner responses by groups. The responses show that all listed behavorial skills are considered important, regardless of where respondents reside. Confidentiality and objectivity are the highest ranking skills for all groups. Considering the contents of The IIA’s Code of Ethics and the Standards, the uniformity of this perception among practitioners globally is very important. Almost universally the lowest rankings by Practitioner groups are for staff management, facilitating, and leadership. Staff management has a mean of more than 4.0 only for groups 12 and 7. For the other groups, the mean varies from 3.4 for group 10 to 4.0 for group 3. Regarding leadership, group 12 considers this behavioral skill to be very important (4.6) to perform audit work, while groups 5 and 6 assign leadership a much lower value (3.7).
Table 7-5-1 Importance of Behavioral Skills to Perform Work by Groups* Practitioner Respondents in Means** Behavioral Skills
1
2
3
4
5
6
7
8
9
10
11
12 N/C***
Confidentiality Facilitating Governance and ethics sensitivity Interpersonal skills Leadership Objectivity Relationship building Staff management Team building Team player Work well with all levels of management Working independently
4.8 4.1 4.3
4.7 4.1 4.4
4.8 3.9 4.4
4.6 3.8 4.2
4.7 4.1 4.2
4.8 3.8 4.1
4.9 4.3 4.6
4.7 3.9 4.2
4.7 4.1 4.2
4.7 3.5 4.3
4.7 4.0 4.1
4.9 4.0 4.4
4.7 4.0 4.3
4.6 4.3 4.7 4.5 3.9 4.1 4.3 4.4
4.7 4.3 4.8 4.5 3.7 4.0 4.2 4.3
4.6 4.2 4.8 4.5 4.0 4.1 4.2 4.3
4.5 4.0 4.7 4.2 3.8 4.1 4.1 4.1
4.5 3.7 4.7 4.2 3.7 4.0 4.2 4.1
4.3 3.7 4.7 4.0 3.5 3.7 4.0 4.3
4.5 4.4 4.8 4.2 4.2 4.3 4.5 3.9
4.3 3.8 4.7 4.2 3.8 4.0 4.2 3.7
4.3 4.1 4.7 4.3 3.9 4.0 4.1 4.4
4.3 3.8 4.8 4.1 3.4 3.7 4.0 4.3
4.5 4.2 4.5 4.2 3.9 4.1 4.2 4.3
4.7 4.6 4.8 4.5 4.5 4.5 4.4 4.4
4.4 4.0 4.7 4.2 3.8 4.0 4.2 4.1
4.7
4.7
4.7
4.3
4.5
4.5
4.6
4.4
4.4
4.6
4.5
4.6
4.4
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 299
Summary For their own position, CAEs indicate understanding the business and risk analysis as important technical skills for them to possess. CAEs indicate noticeable difference in technical skills needed between the various staff levels. Technical skills that are considered more important by CAEs for the Audit Staff but less vital for themselves are data collection and analysis, identifying types of controls, and use of information technology. CAEs considered other technical skills, such as understanding the business, risk analysis, and negotiating, to be more important for themselves but not as important for the Audit Staff or Audit Seniors/Supervisors. Practitioners uniformly indicate the need for most of the technical skills and behavioral skills at their own staff level. Practitioners consider most technical and behavioral skills listed to be important to perform their work at their current position in the IAA. The results show that the CAEs and Practitioners almost uniformly consider confidentiality and objectivity to be important behavioral skills.
The Institute of Internal Auditors Research Foundation
300 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 7 Table 7-1-1-A Most Important Technical Skills for CAEs by Groups* CAE Respondents in Percentages Technical Skills
1
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
2
11.1 13.6
3
4
5
6
7
8
9
10
11
12
N/C**
9.0 39.5 27.9 11.7 21.9 14.3 17.5 16.7 11.6 12.5
16.8
37.7 23.5 38.8 44.2 38.8 35.0 28.1 34.6 40.0 26.2 39.1 12.5 45.4 34.6 35.1 68.6 46.7 35.8 43.9 37.6 42.5 33.3 53.6 25.0
32.8 38.9
26.6 34.6 14.9 53.5 32.1 29.2 28.9 38.3 57.5 35.7 30.4 25.0
32.8
35.2 13.1 70.1 14.5 76.1 3.2 30.3
25.0 12.5 50.0 50.0 62.5 0.0 25.0
37.4 16.8 49.6 16.0 61.8 7.6 29.8
83.9 86.4 88.8 53.5 65.5 72.3 74.6 83.8 57.5 88.1 82.6 75.0
59.5
28.9 27.2 35.1 32.6 36.4 12.4 39.5 17.7 40.0 26.2 37.7 50.0
24.4
46.9 14.8 77.8 28.4 80.2 6.2 24.7
38.8 24.6 75.4 28.4 74.6 3.7 38.1
39.5 25.6 54.7 19.8 74.4 18.6 34.9
47.9 29.7 69.1 42.4 69.1 12.7 50.3
36.5 15.3 70.8 19.0 70.8 3.6 32.1
24.6 29.8 65.8 20.2 74.6 13.2 43.0
40.2 21.4 77.4 21.8 82.0 7.5 28.2
45.0 20.0 55.0 22.5 75.0 15.0 42.5
47.6 11.9 57.1 9.5 71.4 0.0 19.0
33.3 34.8 65.2 33.3 78.3 11.6 46.4
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 301
Table 7-1-2-A Most Important Technical Skills for Audit Managers by Groups* CAE Respondents in Percentages Technical Skills
1
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding business Use of information technology
2
3
4
5
6
7
8
12.7 18.5 14.9 27.9 18.2 10.9 13.2 14.3
9
10
11
12
N/C**
7.5 21.4 20.3 12.5
14.5
36.0 19.8 35.8 59.3 39.4 27.0 24.6 32.3 40.0 28.6 47.8 25.0 41.9 33.3 42.5 47.7 33.9 32.8 41.2 34.6 32.5 33.3 44.9 50.0
39.7 30.5
29.9 40.7 35.1 48.8 33.9 27.0 36.8 38.7 45.0 23.8 36.2 37.5
32.1
35.0 9.3 48.1 15.8 59.2 6.2 16.5
50.0 12.5 62.5 25.0 37.5 0.0 37.5
39.7 19.1 38.2 17.6 48.9 9.2 18.3
61.7 65.4 76.9 46.5 50.9 51.1 52.6 60.2 45.0 64.3 63.8 50.0
44.3
33.2 28.4 31.3 25.6 37.0 14.6 32.5 22.6 40.0 23.8 47.8 37.5
28.2
45.7 12.3 54.3 21.0 60.5 6.2 13.6
42.5 16.4 59.0 22.4 72.4 8.2 17.9
47.7 32.6 60.5 18.6 64.0 9.3 48.8
38.8 26.1 50.9 30.3 49.7 7.9 34.5
34.3 16.1 46.7 17.5 51.1 10.9 16.1
23.7 27.2 49.1 28.1 64.9 14.9 24.6
42.5 17.7 50.8 21.1 60.9 12.0 18.8
47.5 15.0 45.0 10.0 65.0 15.0 37.5
35.7 4.8 28.6 14.3 47.6 4.8 16.7
40.6 30.4 60.9 31.9 69.6 18.8 31.9
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
302 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 7-1-3-A Most Important Technical Skills for Audit Seniors/Supervisors by Groups* CAE Respondents in Percentages Technical Skills
1
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
2
3
4
5
6
7
8
9
10
11
12
N/C**
34.8 37.0 41.8 44.2 32.1 30.7 33.3 29.7 40.0 23.8 34.8 62.5 26.0 35.2 22.2 42.5 46.5 38.8 35.8 42.1 33.8 37.5 26.2 50.7 25.0 33.6 33.1 28.4 29.9 38.4 28.5 29.9 36.8 26.7 40.0 23.8 43.5 50.0 27.5 43.8 46.9 55.2 55.8 37.0 41.6 53.5 45.5 45.0 33.3 56.5 37.5 39.7
42.6 3.9 20.6 27.4 35.3 18.4 6.0
42.0 4.9 24.7 29.6 40.7 14.8 4.9
53.0 3.0 24.6 20.1 57.5 20.9 11.2
50.0 40.7 41.9 38.4 55.8 20.9 36.0
33.9 22.4 15.8 37.6 33.3 20.6 12.7
52.6 6.6 36.5 30.7 38.7 21.9 6.6
36.8 24.6 21.1 42.1 54.4 32.5 19.3
48.5 10.5 23.7 36.1 48.1 22.2 10.2
32.5 20.0 27.5 30.0 35.0 20.0 17.5
42.9 4.8 23.8 11.9 40.5 4.8 7.1
52.2 24.6 33.3 26.1 42.0 34.8 17.4
37.5 25.0 25.0 12.5 37.5 37.5 12.5
42.7 13.7 19.1 25.2 42.7 19.8 15.3
45.5 45.7 56.7 47.7 27.3 43.8 40.4 38.7 52.5 61.9 50.7 37.5 39.7 37.9 33.3 46.3 30.2 35.2 23.4 47.4 36.5 55.0 28.6 50.7 50.0 31.3
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 303
Table 7-1-4-A Most Important Technical Skills for Audit Staff by Groups* CAE Respondents in Percentages Technical Skills
1
Data collection and analysis Financial analysis Forensic skills/fraud awareness Identifying types of controls (e.g., preventative, detective) Interviewing ISO/quality knowledge Negotiating Research skills Risk analysis Statistical sampling Total quality management Understanding the business Use of information technology
2
3
4
5
6
7
8
9
10
11
12
N/C**
78.8 72.8 78.4 77.9 79.4 78.1 80.7 77.4 75.0 66.7 85.5 87.5
66.4
37.0 27.1 31.3 33.7 33.9 27.0 49.1 34.6 42.5 19.0 46.4 37.5 21.9 13.6 24.6 22.1 25.5 23.4 21.1 13.9 30.0 16.7 23.2 12.5
29.0 18.3
58.6 61.7 73.1 38.4 32.1 37.2 59.6 48.1 42.5 45.2 53.6 62.5
38.9
62.1 1.6 4.6 47.0 19.8 26.0 1.1
62.3 62.5 14.4 0.0 11.6 0.0 18.8 0.0 21.7 25.0 39.1 25.0 5.8 0.0
47.3 13.7 3.8 34.3 28.2 27.5 3.8
47.3 45.7 54.5 64.0 29.1 54.7 36.8 33.1 40.0 69.0 55.1 50.0
45.8
44.7 45.7 46.3 70.9 66.7 42.3 62.3 59.7 72.5 45.2 53.6 75.0
45.8
58.0 2.5 8.6 42.0 33.3 23.4 1.2
70.9 0.7 8.21 21.6 40.3 23.9 3.7
27.9 46.5 9.3 41.8 25.6 39.5 20.9
64.2 15.1 14.5 51.5 27.3 36.9 5.4
64.2 4.4 10.2 48.9 24.8 25.5 2.2
44.7 13.1 5.2 39.8 43.0 39.5 6.1
56.8 9.4 9.0 39.8 34.2 36.1 5.3
32.5 7.5 15.0 40.0 42.5 37.5 7.5
59.5 23.8 4.8 19.0 50.0 7.1 0.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
304 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 8
Chapter 8: Internal Auditor Competencies .......................................................................... 305 Introduction......................................................................................................................... 305 Competencies...................................................................................................................... 307 Areas of Knowledge ........................................................................................................... 323 Summary ............................................................................................................................. 331 Appendix 8.......................................................................................................................... 332
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 305
CHAPTER 8 INTERNAL AUDITOR COMPETENCIES
Introduction Internal auditors at all levels need to obtain and develop a range of competencies and knowledge that enable them to perform their work effectively and enable the internal audit activity (IAA) to function properly. This chapter summarizes the fundamental competencies and the areas of knowledge needed by practicing internal auditors today. Competencies range from generally applicable individual competencies, such as time management and presentation competencies, to abilities such as being able to work through an issue to find the root cause of a problem area. Internal auditors also must have different competencies to be successful at a given staff position within the IAA. This chapter addresses the range of internal audit competencies at the CAE, Audit Manager, Audit Senior/ Supervisor, and Audit Staff levels and areas of knowledge at all staff levels except CAE. Certain competencies and knowledge are essential for the success of an individual internal auditor, the audit process, and the overall success of the IAA. Standard 1210, Proficiency, states, “Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities,” and Standard 1230, Continuing Professional Development, states, “Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.” Internal auditors must continually update their competencies and knowledge to remain current. The importance of competencies is also highlighted as one of four principles in The IIA’s Code of Ethics. Internal auditors at all staff levels need to obtain and develop a range of competencies and abilities that enable them to perform their work effectively. These competencies range from generally applicable individual competencies to qualities that are specific to internal auditors. Since Practice Advisory 1210-1, Proficiency, requires that “The internal audit staff should collectively possess the knowledge and skills essential to the practice of the profession within the organization,” each individual internal auditor need not possess all competencies and abilities in each knowledge area. It is the responsibility of the CAE to insure that the IAA collectively possesses or have access to the needed competencies and abilities. When assigning staff to an audit, the CAE must consider whether they are qualified and competent in the areas being audited. This implies that different competencies and knowledge are appropriate for those in different staff levels in the IAA. An assessment of auditor abilities and competencies within the IAA should be completed annually to ensure the staff remains proficient and current, collectively and individually.
The Institute of Internal Auditors Research Foundation
306 A Global Summary of the Common Body of Knowledge 2006 ______________________
This chapter addresses respondents’ perception of the importance of a set of competencies and knowledge areas to their job performance at their staff level in the IAA. Respondents were also asked to determine those competencies that change in importance as one goes up the IAA hierarchy. Table 8-1 lists the competencies and knowledge areas developed from The IIA’s Standards, Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilot study. As a guide for respondents, competencies were defined in the survey as “competencies essential to perform certain tasks.” Respondents could not amend or add to the list of competencies or knowledge areas provided in the survey.
Table 8-1 Competencies and Knowledge Areas Included in the Survey Competencies Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Knowledge Areas Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness
Governance Human resource management Information technology Internal auditing standards Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 307
The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all of the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA. These more detailed summaries of results may be provided for the four categories of respondents: CAEs, Audit Managers, Audit Senior/Supervisor, and Audit Staff. When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of the report. For example, Table 8-2 is the total of all respondents for that question with a related table 8-2-1 showing the responses by group. A table can have more than one related table, where the second related table would be Table 8-2-2. Additional related tables may be located in Appendix 8 at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 8-31-A is located in Appendix 8.
Competencies CAE Respondents Chief audit executives (CAEs) were asked to identify the five most important competencies they need to possess in order to be successful as the leader of their IAA. They were also asked to identify the five most important competencies that Audit Manager, Audit Senior/Supervisor, and Audit Staff each need to perform their jobs. The results can be used to identify similarities among the CAEs’ responses. Successful completion of the IAA annual plan requires that the internal audit staff possess the proper competencies crucial for the nature and extent of the activities performed at various levels
The Institute of Internal Auditors Research Foundation
308 A Global Summary of the Common Body of Knowledge 2006 ______________________
of responsibility. Practice Advisory 2030-1, Resource Management, suggests that CAEs select “individuals who are qualified and competent regarding the areas being audited and in applying internal auditing skills.” From the eighteen competencies that were listed in this question, CAEs were asked to indicate the five most important for various professional staff levels in the IAA. Table 8-2 provides an overall view of the skills that CAEs commonly chose as important for those performing internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff levels. Their responses are presented in percentages by frequency of response. High percentages in Table 8-2 indicate the competencies received strong common support from CAEs regarding the importance of these competencies.
Table 8-2 Most Important Competencies by Staff Level CAE Respondents (2,092 ) in Percentages
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
CAE
Audit Manager
Audit Senior/ Supervisor
Audit Staff
78.1
28.3
10.9
9.3
24.9 34.7 60.3 38.0 41.2 31.3 13.4 41.3
31.5 20.4 46.7 20.7 35.3 26.3 10.8 31.0
47.7 7.6 43.2 16.1 20.2 31.0 8.1 22.9
63.9 4.1 51.9 17.8 7.2 43.9 12.4 22.5
30.3 37.4 21.6 24.7 13.0 15.8 30.1 12.4 23.6
27.9 25.5 23.8 35.7 23.0 18.7 38.2 14.9 24.2
22.0 15.5 34.5 24.3 27.3 28.2 20.9 16.1 32.0
20.9 13.0 47.0 7.1 22.1 40.2 2.6 16.3 51.0
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 309
CAEs identified communication as highly important for all staff levels. This supports Practice Advisory 1210-1, Proficiency, which states, “Internal auditors should be skilled in oral and written communication.” Foreign language skills was the only competency identified as being of low importance for all staff levels. The other 16 competencies show changing relative importance when going up or down the staff levels of the IAA. This is in keeping with the intent of the Standards, which suggests that skills and competencies vary in importance among the staff of the IAA.
Important Competencies Identified by CAEs for Staff Levels As shown in Table 8-2, there is relative consistency in the identification of the most important competencies for the Audit Staff and the Audit Senior/Supervisor levels. This is not the case for the Audit Manager and CAE positions which have increasing oversight responsibility. Keeping current with professional changes is important for all members of the IAA. Standard 1230, Continuing Professional Development, states that internal auditors “...enhance their knowledge, skills, and other competencies through continuing professional development.” Despite the critical nature of the acquisition of knowledge for the success of the IAA as a whole, this competency was not commonly indicated by CAE respondents as one of the most important for any of the staff levels.
CAE When looking at Table 8-2, the two highest percentages for CAEs are the ability to promote the IAA within the organization (78.1%) and communication (60.3%). This is consistent with Standard 2000, Managing the Internal Audit Activity, which states that the CAE “...should effectively manage the internal audit activity to ensure it adds value to the organization.” Standard 2020, Communication and Approval, states, “The chief audit executive should communicate the internal audit activity’s plans…to senior management and to the board for review and approval.” Standard 2060, Reporting to the Board and Senior Management, states, “The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.”
The Institute of Internal Auditors Research Foundation
310 A Global Summary of the Common Body of Knowledge 2006 ______________________
The major role the CAE respondents identified for themselves is to communicate and promote the IAA to senior members of management and the board. CAE respondents commonly indicated the most important competencies that they should possess are: • • • • •
Ability to promote the IAA within the organization (78.1%). Communication (60.3%). Keeping up to date with professional changes in opinions, standards, and regulations (41.3%). Conflict resolution (41.2%). Conceptual thinking (38.0%).
While CAEs strongly support their perception of the most important competencies at their level, the majority of the respondents also show that a wide range of other competencies are valued. CAEs should also excel in presentation skills (37.4%) and change management (34.7%). CAEs did not identify time management (15.8%), foreign language skills (13.4%), report development (13.0%), and understanding complex information systems (12.4%) as important for someone in their position to possess.
Audit Manager CAE respondents identified the following competencies as most important for Audit Managers: • • • • • •
Communication (46.7%) Training and developing staff (38.2%) Project planning and management (35.7%) Conflict resolution (35.3%) Analytical (31.5%) Keeping up to date with professional changes in opinions, the Standards, and regulations (31.0%)
Communication skills are perceived by the CAE respondents as an essential part of the Audit Manager’s skills. Competencies that CAEs did not identify as critical for Audit Managers are change management (20.4%), time management (18.7%), understanding complex information systems (14.9%), and foreign language skills (10.8%).
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 311
At the Audit Manager level, some skills learned at lower levels are mastered. As indicated in Table 8-2, skills for which CAE respondents believe relative importance diminishes from Audit Staff to Audit Manager levels are: • • • •
Analytical (from 63.9% to 31.5%). Writing skills (from 51.0% to 24.2%). Problem identification and solution (from 47.0% to 23.8%). Time management (from 40.2% to 18.7%).
Comparing data related to Audit Managers with those of Audit Staff, skills that show a trend of increasing importance are: • • • •
Training and developing staff (2.6% to 38.2%). Project planning and management (7.1% to 35.7%). Conflict resolution (7.2% to 35.3%). Ability to promote the IAA within the organization (9.3% to 28.3%).
Audit Senior/Supervisor For the Audit Senior/Supervisor, CAEs commonly indicated that the most important competencies were: • • • • •
Analytical (47.7%). Communication (43.2%). Problem identification and solution (34.5%). Writing skills (32.0%). Critical thinking (31.0%).
Even though not commonly identified as one of the most important competencies for Audit Senior/ Supervisor, note that CAEs respondents gave higher percentages for report development (27.3%), project planning (24.3%), and training and developing staff (20.9%) for the Audit Senior/Supervisor level than for Audit Staff. Competencies that CAEs do not consider critical for Audit Senior/ Supervisor are presentation skills (15.5%), ability to promote the IAA (10.9%), foreign language skills (8.1%), and change management (7.6%).
The Institute of Internal Auditors Research Foundation
312 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Staff In Table 8-2 the competency commonly indicated as the most important by CAEs for the Audit Staff is analytical (ability to work through an issue) (63.9%). This supports Standard 2320, Analysis and Evaluation, which states that internal auditors “base conclusions and engagement results on appropriate analyses and evaluations.” The CAE respondents indicated the following as the most important competencies for the Audit Staff level: • • • • •
Analytical (63.9%) Communication (51.9%) Writing skills (51.0%) Problem identification and solution (47.0%) Critical thinking (43.9%)
Competencies that CAEs indicate are not as critical for Audit Staff members to possess at this point in their internal auditing career are conflict resolution (7.2%), project planning and management (7.1%), change management (4.1%), and training and developing staff (2.6%).
CAE Respondents by Staff Level for Groups Tables 8-2-1 (CAE), 8-2-2 (Audit Manager), 8-2-3 (Audit Senior/Supervisor), and 8-2-4 (Audit Staff) show CAE respondents’ percentages for the five most important competencies for the 13 groups. Table 8-2-1 highlights the competencies CAEs value for their own job performance. Overwhelmingly, CAEs in all groups find it critically important to be able to promote the IAA within the organization and to have the ability to communicate in general. CAEs indicate variability in importance by group on their competencies in change management, conceptual thinking, foreign language skills, report development, and time management.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 21.0 37.0 64.2 45.7 37.0 32.1 2.5 37.0
22.2 39.5 23.5 23.5 7.4 12.3 27.2 9.9
24.7
21.0 28.1 67.0 37.0 37.5 31.1 2.6 40.4
20.9 44.3 13.7 20.0 8.1 10.4 24.9 8.4
27.0
25.4
9.0
7.5 9.0 26.9
28.4
26.9 39.6 14.9
53.7 60.4 41.0 38.8 26.9 2.2 38.8
20.1
88.8
3
18.6
15.1
24.4 31.4 44.2
38.4
38.4 30.2 36.0
33.7 52.3 24.4 40.7 30.2 31.4 52.3
39.5
80.2
4
27.9
21.2
21.2 33.9 41.2
33.9
50.9 41.8 31.5
26.7 49.1 58.2 53.3 33.9 32.7 41.8
33.9
80.6
5
13.1
5.1
2.2 10.2 25.5
13.1
33.6 19.7 14.6
34.3 48.9 43.8 42.3 24.8 13.9 29.2
19.7
80.3
6
23.7
26.3
26.3 18.4 35.1
36.0
34.2 24.6 27.2
53.5 55.3 32.5 39.5 35.1 38.6 53.5
37.7
80.7
7
19.5
13.9
20.7 22.6 38.7
32.0
46.6 30.5 35.3
44.4 62.0 32.0 51.1 31.2 25.9 45.5
26.3
82.3
8
20.0
20.0
22.5 22.5 35.0
35.0
27.5 40.0 37.5
40.0 45.0 37.5 42.5 37.5 27.5 35.0
20.0
80.0
9
19.0
7.1
4.8 2.4 33.3
11.9
31.0 47.6 26.2
4.8 76.2 16.7 14.3 40.5 11.9 31.0
35.7
64.3
10
27.5
20.3
20.3 20.3 33.3
30.4
31.9 39.1 29.0
53.6 60.9 55.1 47.8 46.4 14.5 46.4
27.5
72.5
11
17.6
18.3
0.0
15.3 16.8 23.7
17.6
26.0 29.0 19.1
28.2 48.9 29.8 36.6 26.0 12.2 38.9
25.2
71.0
N/C**
12.5
25.0 0.0 12.5
0.0
25.0 37.5 12.5
37.5 37.5 25.0 75.0 12.5 0.0 50.0
0.0
75.0
12
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
84.0
75.1
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
2
1
Competencies
Table 8-2-1 Most Important Competencies for CAE by Groups* CAE Respondents in Percentage
______________________________________ Chapter 8: Internal Auditor Competencies 313
314 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 8-2-2 for Audit Manager, CAE respondents selected communication, project planning and management, and training and developing staff as the most important skills for this staff level. While there is generally consistency among the CAE respondents within the groups about the importance of most of the competencies for Audit Manager, there are some outliers that place less weight on certain competencies. In group 10, CAEs’ percentage for training and staff development is only 14.3% while the next lowest value was 25.0% for CAEs in group 12. CAEs in six other groups have values of 40% or higher for training and staff development. CAEs in ten groups had percentages of 30% or more for project planning and management, but CAEs in groups 12 (12.5%) and 6 (21.2%) had far fewer CAEs selecting this competency as being important for Audit Manager. CAEs in group 2 (11.1%) had fewer respondents selecting change management as important than CAEs in groups 4 (50%) and 12 (62.5%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
32.1
30.9 11.1 53.1 32.1 23.5 18.5 2.5 25.9
19.8 21.0 24.7 39.5 28.4 16.0 48.1 14.8
25.9
27.8 14.7 48.5 31.6 23.4 16.2 1.7 26.1
23.3 23.9 18.8 36.1 22.7 13.7 40.2 11.6
29.1
2
23.6
1
26.1
15.7
25.4 11.2 48.5
35.1
26.9 31.3 26.1
20.9 56.7 35.8 29.9 19.4 0.7 35.8
33.6
39.6
3
17.4
18.6
20.9 32.6 47.7
43.0
53.5 30.2 29.1
50.0 58.1 57.0 26.7 24.4 29.1 40.7
45.3
33.7
4
19.4
14.5
23.0 30.3 30.3
40.0
40.6 25.5 26.7
21.8 39.4 38.8 26.1 25.5 20.0 31.5
36.4
23.6
5
12.4
8.8
13.1 10.2 32.1
21.2
24.8 19.0 13.9
14.6 37.2 28.5 25.5 24.1 10.2 25.5
23.4
26.3
6
24.6
28.1
30.7 28.1 41.2
36.8
23.7 26.3 28.1
29.8 41.2 36.8 32.5 25.4 24.6 45.6
39.5
40.4
7
20.7
17.3
28.2 24.8 31.2
38.0
32.3 25.2 33.5
27.1 44.4 39.5 28.2 26.3 24.1 38.0
31.2
31.2
8
15.0
12.5
15.0 22.5 35.0
45.0
32.5 20.0 25.0
25.0 32.5 42.5 30.0 30.0 17.5 32.5
17.5
32.5
9
23.8
9.5
4.8 4.8 14.3
31.0
14.3 23.8 23.8
14.3 50.0 14.3 31.0 4.8 9.5 26.2
38.1
28.6
10
30.4
21.7
26.1 31.9 52.2
33.3
33.3 47.8 33.3
21.7 53.6 47.8 34.8 30.4 15.9 36.2
44.9
29.0
11
20.6
22.1
0.0
19.8 21.4 32.8
31.3
29.0 28.2 25.2
22.1 42.7 36.6 27.5 20.6 16.8 29.8
33.6
29.0
N/C**
25.0
25.0 0.0 25.0
12.5
12.5 0.0 37.5
62.5 50.0 37.5 12.5 37.5 0.0 25.0
37.5
37.5
12
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conflict resolution Critical thinking Conceptual thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Competencies
Table 8-2-2 Most Important Competencies for Audit Manager by Groups* CAE Respondents in Percentages
______________________________________ Chapter 8: Internal Auditor Competencies 315
316 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 8-2-3 highlights the CAE respondents’ group results for Audit Senior/Supervisor. There is relative consistency among the CAEs’ selections of the most important and least important competencies for this staff level. CAEs in group 12 did not support the importance of change management, foreign language skills, presentation skills, or writing skills (00.0%). CAEs in group 4 consider project planning and management to be very important (40.7%), but only 9.1% CAEs in group 5 selected this competency to be one of the top five competencies. CAEs in group 3 believe that writing skills are important (41.0%), but CAEs in group 4 believe they are less significant for the Audit Senior/Supervisor (17.4%). CAEs in group 7 believe that keeping up to date with professional changes in opinions, standards, and regulations is fundamental (42.1%), but CAEs in group 10 believe that this element is not critical for the Audit Senior/Supervisor (14.3%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
8.6
51.9 4.9 43.2 14.8 22.2 11.1 1.2 16.0
18.5 13.6 37.0 29.6 23.5 30.9 24.7 14.8 32.1
46.2 4.8 44.6 17.5 31.5 12.8 1.7 14.5
24.1 10.3 31.4 26.6 25.3 25.3 22.2 11.4 36.5
2
8.1
1
41.0
17.2
35.8 38.8 25.4
31.3
17.9 14.2 42.5
2.2 51.5 20.1 20.9 10.4 1.5 21.6
56.7
16.4
3
17.4
20.9
23.3 40.7 38.4
40.7
29.1 29.1 52.3
25.6 53.5 32.6 25.6 25.6 20.9 36.0
57.0
23.3
4
26.1
18.2
24.2 24.8 13.3
9.1
16.4 15.2 33.3
10.3 40.6 17.0 30.3 13.9 12.1 27.9
43.0
6.7
5
29.2
20.4
14.6 23.4 11.7
24.1
21.9 18.2 27.7
5.8 38.7 21.9 38.0 21.2 11.7 25.5
51.8
5.8
6
31.6
21.1
40.4 28.9 29.8
21.9
23.7 22.8 36.8
15.8 37.7 28.1 36.8 19.3 14.0 42.1
51.8
18.4
7
26.7
21.1
37.6 31.6 13.9
20.3
21.1 20.3 34.2
9.0 32.0 22.9 37.2 22.2 20.7 33.8
44.0
9.0
8
22.5
22.5
27.5 35.0 27.5
20.0
20.0 17.5 37.5
17.5 42.5 25.0 27.5 27.5 17.5 37.5
47.5
22.5
9
23.8
4.8
19.0 9.5 11.9
14.3
9.5 14.3 33.3
7.1 42.9 14.3 33.3 7.1 7.1 14.3
54.8
14.3
10
39.1
23.2
27.5 44.9 24.6
30.4
30.4 30.4 46.4
10.1 59.4 29.0 21.7 21.7 10.1 27.5
49.3
15.9
11
17.6 29.0
0.0
23.7 23.7 18.3
19.8
19.1 16.8 32.1
5.3 45.0 16.8 29.8 18.3 8.4 19.1
39.7
16.0
N/C**
25.0
25.0 12.5 25.0
12.5
12.5 0.0 37.5
0.0 62.5 50.0 12.5 12.5 0.0 37.5
75.0
25.0
12
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conflict resolution Critical thinking Conceptual thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Competencies
Table 8-2-3 Most Important Competencies for Audit Senior/Supervisor by Groups* CAE Respondents in Percentages
______________________________________ Chapter 8: Internal Auditor Competencies 317
318 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 8-2-4 shows that for Audit Staff there are uniformly low percentages for training and developing staff, project planning and management, change management, and conflict resolution. CAE respondents consider analytical ability and communication to be by far the most important competencies for the Audit Staff in all groups. There is variability among the CAE respondents among some groups for some competencies. Foreign language skills vary from a low of 3.2% in group 1 to a high of 29.1% for group 4. Group 6 believes that critical thinking is very important for Audit Staff (58.4 %) while group 4 considers this much less important (19.8%). Keeping up to date with professional changes in opinions, standards, and regulations is considered vital by responding CAEs in group 7 (51.8%) and significantly less important for group 1 (10.4%). While responding CAEs in Group 4 believe that presentation skills are very important (50.0%) for Audit Staff, no CAEs in group 12 selected this competency as important. The range of percentages for responding CAEs for report development is 8.0% for group 6 to 59.3% for group 4.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
7.4
67.9 1.2 53.1 14.8 2.5 38.3 3.7 17.3
16.0 9.9 59.3 11.1 17.3 50.6 0.0 9.9 55.6
68.4 2.6 58.1 13.7 5.9 47.4 3.2 10.4
33.3 7.1 51.5 7.2 13.4 46.2 1.1 9.6 53.7
2
6.6
1
58.2
11.9
17.9 58.2 1.5
11.2
13.4 10.4 52.2
1.5 61.9 9.0 6.7 34.3 5.2 25.4
70.9
16.4
3
47.7
34.9
59.3 50.0 11.6
9.3
18.6 50.0 51.2
10.5 45.3 29.1 11.6 19.8 29.1 38.4
41.9
10.5
4
57.0
20.0
26.7 25.5 3.0
4.8
6.7 16.4 41.8
6.7 61.2 13.9 12.7 39.4 21.8 30.9
66.1
4.8
5
45.3
24.8
8.0 29.9 1.5
5.1
13.9 6.6 44.5
4.4 46.0 19.7 9.5 58.4 23.4 27.7
65.7
8.0
6
54.4
24.6
30.7 29.8 3.5
7.0
15.8 16.7 39.5
8.8 41.2 30.7 7.9 45.6 14.9 51.8
59.6
15.8
7
46.2
19.9
36.5 35.3 4.1
6.0
12.4 15.0 37.6
6.4 30.1 29.3 7.9 49.2 27.8 30.8
57.5
9.0
8
42.5
30.0
37.5 35.0 5.0
5.0
17.5 15.0 47.5
7.5 57.5 25.0 10.0 30.0 22.5 37.5
70.0
27.5
9
38.1
14.3
19.0 11.9 2.4
9.5
2.4 23.8 42.9
2.4 57.1 11.9 2.4 50.0 9.5 23.8
71.4
9.5
10
53.6
18.8
23.2 42.0 5.8
5.8
21.7 15.9 47.8
1.4 58.0 18.8 7.2 33.3 14.5 20.3
59.4
13.0
11
37.5
25.0
37.5 50.0 0.0
0.0
0.0 0.0 25.0
0.0 62.5 25.0 12.5 37.5 12.5 12.5
50.0
25.0
12
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership. Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Competencies
Table 8-2-4 Most Important Competencies for Audit Staff Members by Groups* CAE Respondents in Percentages
37.4
20.6
26.0 29.8 3.1
6.9
9.9 19.8 39.7
2.3 47.3 14.5 4.6 37.4 11.5 26.0
51.1
12.2
N/C**
______________________________________ Chapter 8: Internal Auditor Competencies 319
320 A Global Summary of the Common Body of Knowledge 2006 ______________________
Practitioner Respondents The Practitioners were asked to indicate the importance of each of the eighteen competencies to performing their jobs at their current position in their organization. The scale used to determine the level of importance was 1 (minimally important) to 5 (very important). Table 8-3 shows the mean responses by Practitioners for the eighteen competencies.
Table 8-3 Importance of Competencies to Perform Work Practitioner Respondents in Means* Competencies
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Audit Manager
Audit Senior/ Supervisor
Audit Staff
4.32
4.15
4.11
4.52 4.03 4.61 4.33 4.27 4.48 2.59 4.05
4.53 3.89 4.59 4.29 4.24 4.43 2.54 4.01
4.45 3.72 4.54 4.25 4.13 4.36 2.66 4.02
4.15 4.13 4.50 4.13 4.31 4.26 4.06 3.79 4.49
4.13 4.03 4.48 4.02 4.27 4.25 3.74 3.73 4.47
4.13 4.02 4.44 3.84 4.19 4.21 3.56 3.65 4.39
*The mean is the average response to: 1 = minimally important to 5 = very important. Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and 4,735.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 321
As indicated by only marginal differences in the means, Practitioners consider almost all of the competencies equally important across the positional levels in the IAA. The only categories which show some change between the Audit Staff level and the Audit Manager level are: • • • •
Ability to promote the IAA within the organization (4.11 to 4.32). Project planning and management (3.84 to 4.13). Change management (3.72 to 4.03). Training and developing staff (3.56 to 4.06).
The competency categories for all levels with the most means below 4.0 are: • • • • •
Foreign language skills (the lowest score of all categories analyzed with means between 2.54 and 2.66). Understanding complex information systems (second lowest mean for all levels but still somewhat important with means of 3.65 to 3.79). Training and developing staff (a mean higher than 4.0 only for the Audit Manager category). Change management (a mean higher than 4.0 only for the Audit Manager category). Project planning and management (a mean higher than 4.0 for the Audit Senior /Supervisor and Audit Manager categories).
Table 8-4 shows the ranking of the competency means for Practitioners. The consistent rankings among the Audit Manager, Audit Senior/Supervisor, and Audit Staff levels are striking. Practitioners indicate that many of the competencies are equally important across the hierarchical scale in the IAA with only marginal differences in the ranks. The results highlight some similarities with the responses of the CAE group. Communication is the most important for all professional levels. This is consistent with Standard 2420, Quality of Communication, which states, “Communications should be accurate, objective, clear, concise, constructive, complete, and timely.” This standard applies for all internal auditors. The foreign language skills competency is indicated by respondents as the least important for all Practitioners at all staff levels.
The Institute of Internal Auditors Research Foundation
322 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 8-4 Rankings of the Competencies by Staff Level Practitioner Respondents by Rank Competencies
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing skills
Audit Manager
Audit Senior/ Supervisor
Audit Staff
7
10
11
2 16 1 6 9 5 18 15
2 15 1 6 9 5 18 14
2 15 1 6 9/10 5 18 12/13
11 12/13 3 12/13 8 10 14 17 4
11 12 3 13 7 8 16 17 4
9/10 12/13 3 14 8 7 17 16 4
Note: In some cases the rankings were tied. For example, rankings of conflict resolution and organization skills at the Audit Staff level were tied.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 323
CAEs and Practitioners seem to approach the competencies differently. CAEs appear to be viewing competencies appropriate for a positional level from a department manager’s perspective, while Practitioners appear to view the need for a variety of competencies necessary for their success. For Audit Managers especially, the difference between the CAE and the Audit Manager responses is noticeable for the following competencies: training and development, project planning, writing skills, problem identification and solution, and keeping up to date with professional changes in opinions, standards, and regulations. The differences for the Audit Manager level may be reflective of the transition from more operational duties to managerial duties. (CAEs and Practitioners were asked to rank the same list of competencies but their methods differed. CAEs indicated the five most important competencies for each audit staff level, while Practitioners ranked each competency as it related to the competency’s importance for themselves to do their job.)
Practitioner Rankings by Groups In Appendix 8, Tables 8-3-1-A (Audit Manager), 8-3-2-A (Audit Senior/Supervisor), and 8-3-3-A (Audit Staff) show Practitioner responses for competencies broken out for the 13 groups. Foreign language skills are universally the lowest ranked competency. For all groups, analytical ability, communication, and problem identification and solution are the only abilities to receive means above 4.0 for all three staff levels. For the three staff levels, understanding complex information systems has a mean of more than 4.0 for only seven groups. In general after taking out the very high and very low outliers among the groups, the responses show the perception that many skills are important to the respondents regardless of where they reside. Considering the contents of The IIA’s Code of Ethics and the Standards, the uniformity of this perception among practitioners globally is very important. These tables indicate that the findings are relatively consistent between the groups for the three staff levels.
Areas of Knowledge Standard 1210, Proficiency states, “Internal auditors should possess the knowledge …needed to perform their individual responsibilities.” Practice Advisory 1210-1, Proficiency, states, “Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.” This section looks at 19 areas of knowledge to determine which are important to internal auditors for the satisfactory performance of their job at staff positions in the IAA.
The Institute of Internal Auditors Research Foundation
324 A Global Summary of the Common Body of Knowledge 2006 ______________________
Certain areas of knowledge are emphasized in the Standards and expanded upon in the Practice Advisories: • • • • •
Attribute Standard 1210 – “Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.” Attribute Standard 1210.A1 – “The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge…needed to perform all or part of the engagement.” Practice Advisory 1210-1 – “An appreciation is required of the fundamentals of subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology.” Practice Advisory 1210-1 – “Proficiency in accounting principles and techniques is required of auditors who work extensively with financial records and reports.” Practice Advisory 1210-1 – “An understanding of management principles is required.”
The areas of knowledge for this question were identified by reviewing the Standards and Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK 2006 pilot study. Based on this review, nineteen areas of knowledge were identified as being important for internal auditors. The Practitioner Questionnaire asked respondents to indicate the importance of these nineteen areas of knowledge to perform their work at their current position in their organization on a scale of 1 (minimally important) to 5 (very important). Respondents were unable to amend or add to the list. Table 8-5 shows an analysis of the three professional levels Audit Manager, Audit Senior/Supervisor, and Audit Staff. Tables 8-5-1 (Audit Manager), 8-5-2 (Audit Senior/Supervisor), and 8-5-3 (Audit Staff) list the areas of knowledge in descending order by mean.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 325
Table 8-5 Importance of Areas of Knowledge to Perform Work Practitioner Respondents in Means* Areas of Knowledge
Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness Governance Human resource management Information technology Internal auditing standards Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
Audit Manager
Audit Senior/ Supervisor
Audit Staff
3.83 4.68 3.68 3.75 3.71 3.85 4.21 3.70 4.00 3.95 3.44 3.85 4.19 3.35 2.70 3.91 3.75 3.73 3.97
3.77 4.66 3.70 3.60 3.64 3.74 4.18 3.68 3.93 3.80 3.23 3.84 4.19 3.30 2.60 3.79 3.76 3.61 3.92
3.71 4.61 3.68 3.53 3.68 3.71 4.26 3.64 3.91 3.77 3.15 3.79 4.24 3.27 2.64 3.82 3.78 3.60 3.96
*The mean is the average response to: 1 = minimally important to 5 = very important. NOTE: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and 4,751.
The means in Table 8-5 and the rankings in Table 8-6 indicate that knowledge of auditing is overwhelmingly ranked first for all Practitioner respondents (4.61 to 4.68 for the Audit Staff through Audit Manager). Ethics is ranked second (4.21 to 4.26) by all levels except for Audit Senior/ Supervisor (4.18, ranked 3). Areas of knowledge consistently ranked in the top five for all Practitioner respondents are internal auditing standards, which is ranked second or third by all staff levels, technical knowledge for your industry (3.92 to 3.97), and fraud awareness (3.91 to 4.00), which are ranked either fourth or fifth for all Practitioner respondents.
The Institute of Internal Auditors Research Foundation
326 A Global Summary of the Common Body of Knowledge 2006 ______________________
There is unanimity in the ranking of the least important areas of knowledge for all Practitioner respondents. Marketing at 19 is ranked the lowest (2.60 to 2.70), and human resource management (3.15 to 3.44) and managerial accounting (3.27 to 3.35) are ranked either 18 or 17 for all respondents. For the other areas of knowledge listed, Practitioner rankings vary.
Table 8-6 Importance of Areas of Knowledge to Perform Work Practitioner Respondents by Staff Level Areas of Knowledge
Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness Governance Human resource management Information technology Internal auditing standards Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
Audit Manager
Audit Senior/ Supervisor
Audit Staff
10 1 16 11 14 8 2 15 4 6 17 9 3 18 19 7 12 13 5
9 1 12 16 14 11 3 13 4 7 18 6 2 17 19 8 10 15 5
10 1 12 16 13 11 2 14 5 9 18 7 3 17 19 6 8 15 4
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 327
Audit Manager Looking at Table 8-5-1, the five most important areas of knowledge that Audit Managers indicate they should possess are: 1. 2. 3. 4. 5.
Auditing (4.68). Ethics (4.21). Internal auditing standards (4.19). Fraud awareness (4.00). Technical knowledge for your industry (3.97).
Table 8-5-1 Importance of Areas of Knowledge to Perform Work as Audit Manager Practitioner Respondents in Means* Areas of Knowledge Auditing Ethics Internal auditing standards Fraud awareness Technical knowledge for your industry Governance Organization culture Enterprise risk management Information technology Accounting Business management Organizational systems Strategy and business policy Changes to professional standards Finance Business law and government regulation Human resource management Managerial accounting Marketing
Audit Manager 4.68 4.21 4.19 4.00 3.97 3.95 3.91 3.85 3.85 3.83 3.75 3.75 3.73 3.71 3.70 3.68 3.44 3.35 2.70
*The mean is the average response to: 1 = minimally important to 5 = very important.
Practitioners indicated that progression in hierarchical position in the IAA from Audit Staff to Audit Manager results in no significant change in areas of knowledge that are fundamental to internal The Institute of Internal Auditors Research Foundation
328 A Global Summary of the Common Body of Knowledge 2006 ______________________
auditors’ success. The focus on business management, enterprise risk management, and governance does gain more importance. Marginally less crucial are business law and government regulation, information technology, and organizational systems.
Audit Senior/Supervisor Table 8-5-2 reveals that Audit Seniors/Supervisors indicate that the five most important areas of knowledge fundamental to their job performance are: 1. 2. 3. 4. 5.
Auditing (4.66). Internal auditing standards (4.19). Ethics (4.18). Fraud awareness (3.93). Technical knowledge for your industry (3.92).
Table 8-5-2 Importance of Areas of Knowledge to Perform Work as Audit Senior/Supervisor Practitioner Respondents in Means* Areas of Knowledge Auditing Internal auditing standards Ethics Fraud awareness Technical knowledge for your industry Information technology Governance Organization culture Accounting Organizational systems Enterprise risk management Business law and government regulation Finance Changes to professional standards Strategy and business policy Business management Managerial accounting Human resource management Marketing
Audit Manager/Supervisor 4.66 4.19 4.18 3.93 3.92 3.84 3.80 3.79 3.77 3.76 3.74 3.70 3.68 3.64 3.61 3.60 3.30 3.23 2.60
*The mean is the average response to: 1 = minimally important to 5 = very important.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 329
There is no area of knowledge that becomes more significant for this level than for the Audit Staff.
Audit Staff Table 8-5-3 shows the five most important areas of knowledge that the Audit Staff believes are fundamental for their job performance are: 1. 2. 3. 4. 5.
Auditing (4.61). Ethics (4.26). Internal auditing standards (4.24). Technical knowledge for your industry (3.96). Fraud awareness (3.91).
Table 8-5-3 Importance of Areas of Knowledge to Perform Work as Audit Staff Practitioner Respondents in Means* Areas of Knowledge Auditing Ethics Internal auditing standards Technical knowledge for your industry Fraud awareness Organization culture Information technology Organizational systems Governance Accounting Enterprise risk management Business law and government regulation Changes to professional standards Finance Strategy and business policy Business management Managerial accounting Human resource management Marketing
Audit Staff 4.61 4.26 4.24 3.96 3.91 3.82 3.79 3.78 3.77 3.71 3.71 3.68 3.68 3.64 3.60 3.53 3.27 3.15 2.64
*The mean is the average response to: 1 = minimally important to 5 = very important.
The Institute of Internal Auditors Research Foundation
330 A Global Summary of the Common Body of Knowledge 2006 ______________________
Group Means for Areas of Knowledge Tables 8-5-4-A (Audit Manager), 8-5-5-A (Audit Senior/Supervisor), and 8-5-6-A (Audit Staff) show Practitioner mean responses for areas of knowledge broken out for the 13 groups. When analyzed by groups there is evidence of a wide divergence of opinion for many knowledge areas. There is a high level of consistency once very high and low rated knowledge areas by individual groups are removed. For Audit Managers in Table 8-5-4-A, auditing receives the highest means. Internal auditing standards has means of 4.00 and above for all but one group and ethics is above 4.00 for all but two groups. Group means for the Audit Senior/Supervisor level in Table 8-5-5-A are very similar to those of the Audit Staff for the high and low ranking areas of knowledge. The other areas of knowledge means are relatively close together for most of the groups. For the Audit Staff (Table 8-5-6-A), auditing is critical for all groups with all means above 4.24. Ethics (9 groups) and internal auditing standards (8 groups) receive rankings above 4.0 for the majority of the groups. The low rankings continue to be low for human resource management, managerial accounting, and marketing. Group 12 was the only group whose means for enterprise risk management, ethics, organizational systems, and strategy and business policy are all 5.00, indicating the respondents in this group believe that these knowledge areas are of the highest importance for that group’s respondents.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 331
Summary The results show that the CAEs and Practitioners consider communication as the most important competency for all members of the IAA. The CAE respondents believe that ability to promote the IAA within the organization is overwhelmingly the most important competency that the CAE should possess. The top two competencies deemed most important by the CAE for the Audit Staff and Audit Senior/Supervisor are analytical and communication. The CAEs’ responses indicate a difference among the competencies needed based on staff levels (Audit Staff, Audit Senior/ Supervisor, Audit Manager, CAE) while the Practitioner responses at each staff level generally indicate that for their current position the competencies are equally important. When viewing the importance of competencies across the array of hierarchical positions in the IAA from CAE to the Audit Staff, the ability to promote the IAA within the organization, change management, conflict resolution and training, and developing staff show a trend of increasing importance at higher staff levels. Problem identification, time management, and writing competencies noticeably decline in importance as an internal auditor advances to higher staff levels. Areas of knowledge important to the respondents’ job performance were only ranked by Practitioners and did not include CAEs in the rankings. They indicated that for all Practitioner levels, auditing is the most important knowledge area followed by ethics and internal auditing standards. Fraud awareness and technical knowledge of the respondents’ industry are the only other competencies with rankings in the top five for all Practitioner respondents. There are no noticeable differences based on comparisons of members of the audit staff and those at the Audit Senior/Supervisor level. At the manager level, enterprise risk management marginally increases in importance. There is an overall consistency of rankings of the knowledge areas by Practitioner respondents for all staff levels. When comparing the data for the 13 groups, differences relate to only a few competencies and knowledge areas.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation 4.36
4.60 4.09 4.72 4.19 4.47 4.45 1.62 3.70
4.07 4.17 4.52 4.11 4.50 4.37 3.98 4.09
4.60
4.58 4.06 4.70 4.32 4.57 4.41 1.77 3.91
4.21 4.15 4.52 4.28 4.35 4.33 4.03 3.71
4.56
2
4.20
1
4.59
3.77
4.35 4.43 4.15
4.09
4.14 4.16 4.55
4.22 4.69 4.38 4.50 4.40 2.02 4.16
4.54
4.46
3
3.79
3.54
3.87 3.77 3.86
3.74
3.62 4.00 4.36
3.56 4.28 4.05 3.79 3.77 3.38 3.87
4.28
4.18
4
4.58
3.70
4.36 4.29 4.00
4.06
4.08 4.05 4.45
3.77 4.49 4.29 4.42 4.38 3.65 4.08
4.50
4.41
5
4.36
3.75
3.64 3.82 3.81
3.81
3.93 3.88 4.45
3.77 4.43 3.95 4.41 4.34 3.61 4.02
4.56
4.29
6
4.53
4.25
4.52 4.39 4.44
4.23
4.35 4.16 4.53
4.34 4.62 4.48 4.48 4.35 3.90 4.48
4.66
4.75
7
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conflict resolution Critical thinking Conceptual thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing Skills
Competencies
4.67
4.61
4.31
4.33 4.50 4.39
4.33
4.39 4.50 4.89
4.33 4.53 4.56 4.72 4.72 4.00 4.56
4.72
4.83
9
3.68
4.30 4.17 4.06
3.90
4.20 4.11 4.49
3.94 4.51 4.21 4.39 4.05 3.59 4.15
4.32
4.33
8
4.33
3.75
4.25 3.81 3.60
4.00
3.94 4.25 4.44
3.81 4.50 3.88 4.44 4.38 3.69 4.33
4.50
4.06
10
4.52
3.90
4.38 4.44 4.00
4.13
4.00 4.28 4.42
3.96 4.54 4.21 4.40 4.33 3.00 4.10
4.37
4.14
11
4.92
4.33
4.67 4.83 4.50
4.42
4.33 4.50 4.58
4.42 4.75 4.58 4.92 4.50 3.25 4.50
4.67
4.83
12
Table 8-3-1-A Importance of Competencies to Perform Work for Audit Manager by Groups* Practitioner Respondents in Means**
APPENDIX 8
4.28
3.81
4.33 4.00 4.04
3.92
4.03 4.00 4.45
3.93 4.44 4.11 4.34 4.23 3.14 4.09
4.40
4.27
N/C***
332 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
4.08
4.71 3.89 4.79 4.39 4.16 4.53 1.55 3.71
4.26 3.97 4.66 4.08 4.47 4.37 3.68 3.61 4.55
4.58 3.95 4.67 4.39 4.31 4.53 1.81 3.86
4.23 4.11 4.51 4.17 4.28 4.34 3.65 3.64 4.53
2
4.06
1
4.57
3.98
4.43 4.43 3.82
4.04
4.14 3.93 4.56
4.09 4.72 4.26 4.33 4.45 1.90 4.18
4.57
4.24
3
3.90
3.67
4.02 3.78 3.71
3.76
3.48 3.94 4.24
3.76 4.48 3.80 4.18 3.88 3.36 4.22
4.36
4.28
4
4.59
3.55
4.24 4.19 3.77
3.91
4.10 4.04 4.52
3.70 4.56 4.38 4.36 4.34 3.46 4.06
4.56
4.18
5
4.41
3.71
3.41 3.66 3.28
3.43
3.83 3.76 4.34
3.41 4.32 4.32 3.72 4.43 3.66 4.04
4.57
4.15
6
4.58
4.09
4.56 4.41 4.16
4.07
4.33 4.04 4.50
4.24 4.56 4.31 4.35 4.52 3.61 4.40
4.60
4.48
7
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing Skills
Competencies
4.29
3.65
4.38 4.14 3.79
3.80
4.01 3.99 4.41
3.76 4.36 4.05 4.08 4.27 3.29 4.05
4.29
4.04
8
4.32
3.95
4.50 3.90 3.41
3.86
3.73 3.95 4.14
3.68 4.14 4.05 4.00 4.24 3.36 3.73
4.55
4.36
9
4.36
3.68
4.00 3.80 3.56
4.20
3.71 4.12 4.56
3.36 4.58 4.08 3.76 4.40 3.68 4.17
4.56
4.24
10
4.41
3.79
4.26 4.35 3.79
4.03
3.74 4.03 4.45
3.82 4.52 4.24 4.09 4.35 2.88 3.97
4.50
4.09
11
4.29
3.43
4.83 4.57 4.29
4.00
4.57 4.00 5.00
3.43 4.86 4.71 4.00 4.43 2.43 4.00
5.00
4.71
12
4.33
3.90
4.20 4.14 3.94
3.91
4.11 3.89 4.44
3.79 4.53 4.19 4.23 4.33 3.22 4.16
4.42
4.28
N/C***
8-3-2-A Importance of Competencies to Perform Work for Audit Senior/Supervisor by Groups* Practitioner Respondents in Means**
______________________________________ Chapter 8: Internal Auditor Competencies 333
The Institute of Internal Auditors Research Foundation
4.17
4.17 3.83 4.42 4.25 4.00 4.42 1.50 4.00
4.42 3.92 4.58 3.42 4.33 4.33 3.25 3.33
4.17
4.53 3.75 4.65 4.39 4.20 4.54 1.90 3.82
4.28 4.01 4.45 3.96 4.21 4.39 3.35 3.51
4.49
2
4.01
1
4.46
3.81
4.38 4.45 3.43
3.89
4.22 3.97 4.53
3.85 4.74 4.29 4.26 4.44 2.27 4.30
4.49
4.33
3
3.90
3.81
4.10 4.13 3.99
3.89
3.86 4.13 4.57
3.70 4.56 4.09 4.27 3.93 3.36 4.34
4.53
4.30
4
4.54
3.69
3.99 4.11 3.56
3.81
4.04 4.07 4.45
3.60 4.45 4.27 4.02 4.16 3.60 4.28
4.54
4.11
5
4.24
3.51
3.72 3.69 3.30
3.49
3.84 3.80 4.31
3.20 4.40 4.04 3.76 4.36 3.33 3.89
4.30
3.89
6
4.58
4.06
4.84 4.52 4.10
3.84
4.29 4.19 4.68
4.29 4.77 4.55 4.58 4.68 3.48 4.55
4.77
4.42
7
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
Ability to promote the internal audit activity within the organization Analytical (ability to work through an issue) Change management Communication Conceptual thinking Conflict resolution Critical thinking Foreign language skills Keeping up to date with professional changes in opinions, standards, and regulations Organization skills Presentation skills Problem identification and solution Project planning and management Report development Time management Training and developing staff Understanding complex information systems Writing Skills
Competencies
4.24
3.53
4.17 4.02 3.80
3.75
4.08 4.12 4.41
3.61 4.30 3.96 3.90 4.15 3.21 3.99
4.16
3.99
8
4.23
3.92
4.46 4.54 4.23
4.15
4.31 4.15 4.62
4.00 4.38 4.31 4.23 4.23 4.00 4.38
4.38
4.62
9
4.24
3.56
3.84 3.52 3.16
3.56
3.63 3.84 4.05
3.16 4.28 3.92 3.36 4.48 3.48 3.52
4.29
3.88
10
4.41
3.35
3.88 3.82 3.47
3.59
3.71 3.82 4.18
3.59 4.00 3.82 3.94 3.94 2.29 3.76
4.12
3.82
11
Table 8-3-3-A Importance of Competencies to Perform Work for the Audit Staff by Groups* Practitioner Respondents in Means **
5.00
5.00
5.00 5.00 5.00
3.67
4.67 4.67 4.67
4.00 4.67 5.00 4.00 4.33 3.33 5.00
4.67
5.00
12
4.41
3.90
4.26 4.06 3.76
3.72
4.03 3.96 4.35
3.87 4.50 4.22 4.25 4.27 3.13 4.16
4.48
4.25
N/C***
334 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation 3.84 3.40 4.07 4.04 3.38 3.85 4.26 3.32 3.57 3.68 3.17 2.53 3.89 3.93 3.68 4.02
3.64 3.61 3.54 4.26 3.52 4.01 3.81 3.25 3.79 4.15 3.05 2.45 3.92 3.65 3.63 3.99
4.02
3.80 4.27 3.28 2.86 3.92 3.99 4.02
4.11 4.16 3.70 3.94 4.21 3.52
3.85 3.85
3.67 4.61 3.73
3
3.72
3.64 4.00 3.45 3.16 3.49 3.45 3.64
4.03 4.21 3.69 3.82 3.79 3.21
3.61 3.79
3.95 4.42 3.68
4
3.92
3.83 4.20 3.55 2.95 3.82 3.71 3.65
3.95 3.95 4.00 3.99 3.97 3.57
3.81 3.52
3.81 4.67 3.79
5
3.40
3.88 4.04 3.40 2.58 3.80 3.86 3.69
3.94 3.76 3.58 3.71 3.79 3.28
3.66 3.52
3.65 4.58 3.53
6
4.16
4.36 4.67 4.04 3.30 4.07 3.93 3.99
4.35 4.67 4.25 4.36 4.30 3.96
4.19 4.18
4.20 4.84 4.29
7
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
3.34 4.53 3.70
3.84 4.70 3.48
Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness Governance Human resource management Information technology Internal auditing standards Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
2
1
Areas of Knowledge
4.03
3.74 4.05 3.53 2.61 3.94 3.61 3.57
4.00 4.09 3.71 3.90 3.97 3.59
3.67 3.59
3.67 4.68 3.69
8
4.44
4.44 4.72 4.17 3.67 4.22 4.33 4.33
4.44 4.56 4.44 4.33 4.17 3.94
3.94 4.17
4.44 4.89 4.17
9
3.50
3.94 4.06 3.31 2.40 3.50 3.75 4.06
4.20 4.38 3.63 3.81 4.25 3.63
4.06 3.63
3.44 4.88 4.00
10
4.00
4.06 4.29 3.69 2.92 3.81 3.77 3.83
3.98 4.09 4.11 4.13 4.09 3.55
3.85 4.02
4.17 4.69 4.06
11
4.33
4.42 4.67 4.00 3.58 4.42 4.40 4.50
4.33 4.50 4.08 4.17 4.17 3.75
4.27 4.33
4.25 4.92 4.42
12
Table 8-5-4-A Importance of Areas of Knowledge to Perform Work for Audit Manager by Groups* Practitioner Respondents in Means**
3.90
3.87 4.23 3.69 3.00 3.84 3.90 3.77
4.00 4.33 3.75 4.10 3.84 3.58
3.83 3.83
3.96 4.72 3.86
N/C***
______________________________________ Chapter 8: Internal Auditor Competencies 335
The Institute of Internal Auditors Research Foundation 3.68 3.50 3.79 4.11 3.49 3.82 4.08 3.42 3.71 4.16 3.08 2.37 4.03 4.03 3.84 3.92
3.58 3.60 3.51 4.30 3.58 3.95 3.76 3.08 3.78 4.22 3.13 2.41 3.80 3.70 3.57 3.97
3.99
3.86 4.26 3.22 2.68 3.96 4.15 3.89
3.86 4.10 3.71 3.95 4.16 3.41
3.63 3.76
3.45 4.73 3.77
3
4.20
4.08 4.00 3.69 3.16 3.62 3.63 3.88
4.10 4.06 3.88 3.94 3.63 3.31
3.71 3.92
3.94 4.53 3.79
4
3.73
3.57 4.15 3.41 2.68 3.54 3.68 3.42
3.82 3.95 3.97 3.90 3.61 3.26
3.54 3.52
3.78 4.56 3.79
5
3.50
3.88 3.93 3.16 2.29 3.51 3.67 3.51
3.93 3.78 3.26 3.64 3.57 3.05
3.49 3.46
3.53 4.42 3.51
6
4.08
4.22 4.55 3.92 3.23 4.09 3.90 3.89
4.16 4.62 4.04 4.27 4.06 3.70
3.94 4.06
4.20 4.80 4.16
7
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
3.55 4.76 3.71
3.77 4.67 3.55
Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness Governance Human resource management Information technology Internal auditing standards Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
2
1
Areas of Knowledge
3.97
3.71 3.92 3.28 2.55 3.79 3.66 3.33
3.94 3.85 3.55 3.66 3.65 3.15
3.43 3.48
3.46 4.56 3.62
8
4.17 4.08 3.38 2.64 3.76 3.64 3.76
3.54
3.55
3.92 4.24 3.76 3.64 3.88 3.16
3.67 3.28
3.76 4.60 3.80
10
3.55 3.82 3.23 2.45 3.68 3.64 3.50
3.55 4.09 3.59 3.86 3.55 3.09
3.27 3.41
4.27 4.77 3.77
9
3.76
3.79 4.09 3.18 2.59 3.47 3.59 3.65
3.62 3.82 3.73 3.76 3.85 3.06
3.68 3.62
3.97 4.65 3.53
11
4.43
4.00 4.29 3.57 2.71 4.29 4.43 4.57
4.29 4.29 4.00 4.14 3.57 3.43
3.86 4.00
4.71 4.71 3.57
12
3.83
4.09 4.26 3.61 2.88 3.72 3.79 3.54
3.85 4.16 3.91 4.07 3.87 3.48
3.62 3.76
4.02 4.68 4.02
N/C***
Table 8-5-5-A Importance of Areas of Knowledge to Perform Work for Audit Senior/Supervisor by Groups* Practitioner Respondents in Means**
336 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation 3.25 3.75 3.42 4.42 3.42 3.67 3.92 3.17 3.58 4.00 2.92 2.25 4.08 3.92 3.50 4.00
3.46 3.65 3.42 4.40 3.54 3.95 3.73 2.95 3.69 4.29 3.05 2.44 3.83 3.71 3.51 3.98
4.13
3.88 4.52 3.24 2.66 3.94 4.16 4.10
3.96 4.29 3.89 3.93 4.16 3.18
3.56 4.02
3.56 4.75 3.76
3
4.21
3.97 4.16 3.96 3.24 3.74 3.68 3.91
4.17 4.31 4.09 4.17 3.80 3.46
3.87 4.04
4.06 4.56 4.09
4
3.83
3.96 4.37 3.55 2.86 3.59 3.72 3.43
4.06 4.06 3.93 3.71 3.72 3.38
3.59 3.73
3.85 4.72 3.56
5
3.02
3.42 3.80 3.02 2.16 3.58 3.69 3.41
3.80 3.77 3.18 3.53 3.53 2.80
3.44 3.11
3.36 4.24 3.31
6
4.23
4.35 4.68 3.74 3.27 4.13 4.10 4.32
4.03 4.55 4.03 4.45 4.13 3.65
4.03 4.00
4.10 4.90 4.03
7
*For a list of groups, please see Appendix 1-B. **The mean is the average response to: 1 = minimally important to 5 = very important. ***N/C = Respondents did not indicate affiliate or chapter membership.
3.17 4.75 3.75
3.71 4.62 3.58
Accounting Auditing Business law and government regulation Business management Changes to professional standards Enterprise risk management Ethics Finance Fraud awareness Governance Human resource management Information technology Internal auditing standards Managerial accounting Marketing Organization culture Organizational systems Strategy and business policy Technical knowledge for your industry
2
1
Areas of Knowledge
4.14
3.59 3.94 3.14 2.53 3.71 3.56 3.17
3.71 4.01 3.31 3.60 3.53 3.07
3.29 3.42
3.48 4.57 3.61
8
3.75
4.00 4.67 3.92 3.67 4.08 4.00 4.00
4.17 4.75 4.50 4.33 4.09 4.00
4.25 4.33
4.50 4.92 4.25
9
3.36
3.88 3.80 2.92 2.00 4.13 3.84 3.96
3.56 3.88 2.84 3.28 3.88 2.84
3.48 3.08
3.12 4.40 3.72
10
3.47
3.59 3.59 3.38 2.76 3.59 3.82 3.18
3.35 3.88 3.76 3.76 3.76 3.06
3.53 3.12
3.71 4.29 3.53
11
4.67
4.67 4.33 4.33 2.67 4.67 5.00 5.00
5.00 5.00 4.33 4.67 3.67 4.00
3.33 4.00
4.33 4.33 4.00
12
Table 8-5-6-A Importance of Areas of Knowledge to Perform Work for the Audit Staff by Groups* Practitioner Respondents in Means**
3.96
4.04 4.34 3.53 2.91 3.88 3.91 3.73
3.87 4.26 3.85 4.18 3.85 3.45
3.65 3.82
3.86 4.57 3.87
N/C***
______________________________________ Chapter 8: Internal Auditor Competencies 337
338 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 9
Chapter 9: Emerging Roles of Internal Audit Activities ..................................................... 339 Introduction......................................................................................................................... 339 Years That the IAA and Organizations Have Existed ........................................................ 340 Changing Emphasis on Types of Audits............................................................................. 344 Emerging Roles in Organizations’ Activities ..................................................................... 346 Organizational Environment and Key Activities of the IAA.............................................. 352 Summary ............................................................................................................................. 357
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 339
CHAPTER 9 EMERGING ROLES OF INTERNAL AUDIT ACTIVITIES Introduction To examine the emerging role of the internal audit activity (IAA) in the organization, this chapter starts with a discussion of the length of time organizations have had IAAs and the number of years the organizations have been in existence. The next section reports on the general types of audits being performed currently by IAAs and the expected changes in emphasis over the next three years. Another section examines the range of special audit activities respondents’ IAAs perform now and how that is expected to change in the next three years. The last section looks at the respondents’ organizations and the IAA’s current role in the organization as well as how the organization’s environment and the IIA’s role will evolve over the next three years. The number of respondents answering a specific question will often differ from the 9,366 total respondents in this study. This is due to the following reasons: • •
Not all of those that participated in the survey answered all the questions asked. Results are shown and discussed only for those respondents who answered a particular survey question. Not all questions were asked of all respondents. o Some questions were asked only of CAEs (those in the highest position within the organization responsible for internal audit activities). o Some questions were asked only of Practitioners (all other internal auditors who are not CAEs). o Some questions were asked of both CAEs and Practitioners.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1. For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details. For example, Table 9-4 is the total of all respondents for that question with a related Table 9-4-1 showing the responses by group. A table can have more than one related table, where the second related table would be 9-4-2.
The Institute of Internal Auditors Research Foundation
340 A Global Summary of the Common Body of Knowledge 2006 ______________________
Years That the IAA and Organizations Have Existed Before looking at the roles and expected roles of the IAAs, one needs to gain a perspective of the length of time respondents’ organizations have had IAAs and the years their organizations have been in existence. Figure 9-1 lists the number of years the respondents’ IAAs have been in existence. The largest numbers of respondents work for IAAs that have been in existence for only 0-5 years (28.4%). Another 21% of the respondents work for IAAs that have been in existence for 6-10 years. This shows that many of the respondents’ IAAs (49.4%) are just starting to develop in their organizations. Only 13.8% of the respondents work in IAAs that have been in existence for 31 or more years.
Figure 9-1 Number of Years the IAA Has Existed in the Organization All Respondents (7,747) in Percentages 41+ Years 8.1% 0-5 Years 28.4%
31-40 Years 5.7%
21-30 Years 14.1%
6-10 Years 21.0%
11-20 Years 22.7%
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 341
Table 9-1 provides the number of years respondent organizations have had IAAs by groups. The groups are listed on the inside back cover of this report. In group 5 respondents indicate that 60.5% of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the other groups indicate between 20% - 33.9% of the IAAs are between 0-5 years old and an additional 16.1% - 33.1% indicate their IAAs are between 6-10 years old. A review of the countries in each group and historical events explain some of these differences since in some areas of the world, economies are more developed than others.
Table 9-1 Number of Years the IAA Has Existed by Groups* All Respondents in Percentages
Group
Respondents
More than 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50 Years Years Years Years Years Years Years Years Years Years Years Total
1
3,025
23.8
16.1
10.9
12.6
9.2
8.9
3.1
4.8
.7
4.5
5.4
100.0
2
188
26.1
20.7
17.0
13.3
5.9
6.9
2.7
2.7
1.1
1.1
2.5
100.0
3
636
25.8
26.6
11.9
10.2
5.8
7.1
2.7
1.9
.5
4.2
3.3
100.0
4
347
25.6
33.1
15.9
13.3
3.2
3.5
1.2
2.0
.6
.8
.8
100.0
5
550
60.5
22.5
8.0
2.7
1.5
1.3
.0
1.1
.2
1.3
.9
100.0
6
423
23.6
18.0
10.4
7.6
8.0
11.6
3.1
2.6
.9
5.2
9.0
100.0
7
467
23.1
20.3
13.1
9.9
8.4
11.8
2.8
3.2
.6
2.6
4.2
100.0
8
910
32.7
25.3
14.3
11.1
5.5
3.7
1.9
1.3
.2
1.3
2.7
100.0
9
118
33.9
29.7
15.3
7.6
5.1
.8
.0
.0
.8
3.4
3.4
100.0
10
125
22.4
25.6
11.2
8.0
6.4
4.8
3.2
6.4
.0
3.2
8.8
100.0
11
226
28.8
24.3
11.9
10.2
5.8
8.4
1.3
4.0
.9
2.2
2.2
100.0
12
40
20.0
27.5
10.0
10.0
5.0
12.5
2.5
.0
7.5
2.5
2.5
100.0
N/C**
692
27.6
23.3
11.6
13.0
4.8
7.4
1.4
3.6
.6
3.3
3.4
100.0
Overall 7,747 Respondents in Category Overall Percent in Category
2,194
1,628
914
847
529
566
181
255
48
257
328
28.4
21.0
11.8
10.9
6.8
7.3
2.4
3.3
.6
3.3
4.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
100.0
342 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 9-2 reports on how long respondents’ organizations have been in existence. A correlation test performed by the researchers showed a relationship between how long the organizations have been in existence and how long the organizations have had an IAA. It appears that older companies tend to have established IAAs longer than younger companies.
Figure 9-2 Number of Years Organizations Have Existed All Respondents (8,165) in Percentages
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 343
Table 9-2 lists the length of time respondents’ organizations have been in existence by the 13 groups. Groups 1, 6, and 10 have a large number of respondents (54.5% - 59.2%) working in organizations that are more than 50 years old and only 11.2% - 13.4% with organizations that are 10 or less years old. While for respondents in groups 4, 5, and 11, greater than 24% of their organizations (24.1% - 29.4%) are 10 years old or less.
Table 9-2 Number of Years Organizations Have Existed by Groups* All Respondents in Percentages Group
1 2 3 4 5 6 7 8 9 10 11 12 N/C** Total/ Overall Respondents in Category Overall Percent in Category
Respondents
3,241 189 648 354 552 434 504 954 125 135 228 39 762 8,165
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More Total Years Years Years Years Years Years Years Years Years Years t h a n 50 Years
4.4 8.5 8.3 11.6 12.0 4.8 6.0 11.3 8.0 6.7 11.4 5.1 8.7 590
7.2
6.8 4.7 11.1 3.7 13.1 9.3 17.8 9.9 17.4 24.8 8.5 6.0 14.1 10.3 10.6 7.0 9.6 7.2 6.7 3.7 12.7 10.1 10.3 7.7 14.3 9.4 856 648
10.5
7.9
4.8 3.9 6.3 3.7 5.9 5.4 12.7 3.4 6.7 2.2 2.5 1.8 5.0 4.0 6.2 3.6 13.6 11.2 4.4 3.0 11.0 8.3 10.3 5.1 7.9 3.5 496 321
6.1
3.9
5.0 6.9 5.1 9.0 3.1 4.4 6.7 5.8 3.2 3.7 6.1 15.4 6.2 442
3.7 4.2 3.1 5.9 2.2 2.5 5.0 2.5 7.2 5.2 5.7 10.3 3.1 299
4.8 2.6 5.2 5.1 3.1 3.7 3.4 4.8 1.6 1.5 6.1 10.3 3.3 355
1.7 2.1 1.4 4.0 1.1 .9 3.6 1.5 5.6 3.7 4.8 7.7 1.8 165
5.7 7.4 5.7 3.7 4.3 8.5 6.5 5.6 8.0 2.2 4.8 .0 5.4 461
54.5 43.5 37.5 16.9 23.1 56.4 35.4 41.1 24.8 59.2 18.8 17.8 36.4 3532
5.4
3.7
4.3
2.0
5.6
43.4 100.0
*For a list of affiliate groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
344 A Global Summary of the Common Body of Knowledge 2006 ______________________
Changing Emphasis on Types of Audits This section focuses on the anticipated change in demand for the general types of audits that will be performed by the IAA in the next three years. The definition of internal auditing in The IIA’s 1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing, acknowledges the importance of assurance services and consulting in the areas of risk management, governance, and controls. With this expansion of scope, it was expected that the audits performed by IAAs would include these three areas. In order to assess staffing needs, required competencies, and the skills necessary in the near future, the profession needs to anticipate changes in the demand for their services. Table 9-3 shows the estimates of all respondents to the question about whether they anticipate the general types of audits performed by their IAA will increase, decrease, or stay the same over the next three years.
Table 9-3 Anticipated Changes in Types of Audits to Be Performed Within the Next Three Years All Respondents in Percentages Activity
Risk management Governance Regulatory compliance Operational auditing Review of financial processes
Total Increase Responses 6,728 6,704 6,698 6,715 6,724
79.5 63.2 46.9 46.2 43.5
Decrease
Stay the Same
Total Percent
2.3 4.0 11.7 14.7 14.6
18.2 32.8 41.4 39.1 41.9
100.0 100.0 100.0 100.0 100.0
Respondents predict that the greatest increase in the types of audits performed in the next three years will be in risk management (79.5%) and governance (63.2%) audits. The projected increases for these types of audits will need to be reflected in the IAA’s internal audit plan, the resources allocated to the IAA, and in the audit staff’s competencies. For many of the respondents, regulatory compliance (46.9%), operational auditing (46.2%), and reviews of financial processes (43.5%) show material increases as well. Some respondents do anticipate that less time will be spent on operational audits (14.7%), the review of financial processes (14.6%), and regulatory compliance audits (11.7%).
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 345
As IAAs around the world are evolving at different rates, this study also looked at the expected changes in the types of audits to be performed by IAAs by groups. Table 9-3-1 presents predicted increases in the types of audits for all respondents by group, Table 9-3-2 presents the decreases anticipated by group, and Table 9-3-3 shows predictions of no change by group. The respondents in all groups agreed that the performance of risk management and governance audits should increase the most in the next three years.
Table 9-3-1 Anticipated Changes in Types of Audits to Be Performed Within the Next Three Years - Increased Role All Respondents in Percentages Activity
1
Review of financial processes Risk management Governance Regulatory compliance Operational auditing
2
3
4
5
6
7
8
9
10
11
12 N/C**
45.0 30.0 44.0 41.2 48.0 35.9 44.5 37.2 55.9 40.9 47.2 70.6
46.0
74.5 55.9 46.4 47.9
80.7 63.9 51.1 50.1
75.0 67.0 46.0 48.0
84.0 76.0 50.0 45.0
88.5 72.2 40.8 51.9
83.6 61.0 41.2 44.6
77.2 64.5 44.6 44.7
89.0 75.9 54.7 44.5
82.6 64.6 47.2 38.3
87.9 79.4 52.2 59.1
79.1 52.6 25.0 30.7
83.9 77.2 49.2 45.8
100.0 85.3 64.7 67.7
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Table 9-3-2 Anticipated Changes in Types of Audits to Be Performed Within the Next Three Years - Decreased Role All Respondents in Percentages Activity
1
Review of financial processes Risk management Governance Regulatory compliance Operational auditing
2
3
4
5
6
7
8
9
10
11
10.1 21.0 16.0 21.4 21.0 17.9 17.7 19.1 15.1 20.9 15.7 1.7 5.0 3.0 3.7 2.0 2.0 10.4 13.0 12.0 12.3 14.0 18.0
12 N/C** 8.8
12.1
0.4 6.3 2.2 1.0 1.8 2.2 2.6 3.3 0.0 2.3 12.1 3.7 3.7 2.7 4.4 4.4 2.8 2.9 11.6 23.1 10.2 7.1 11.2 16.3 21.4 14.5 14.7 13.3 24.1 15.4 17.7 14.7 10.8 14.0 17.3 11.8
2.7 4.6 9.6 14.0
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
346 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 9-3-3 Anticipated Changes in Types of Audits to Be Performed Within the Next Three Years - Stay the Same All Respondents in Percentages Activity
1
Review of financial processes Risk management Governance Regulatory compliance Operational auditing
2
3
4
5
6
7
8
9
10
11
12 N/C**
44.9 49.0 40.0 37.5 31.1 46.2 37.8 43.7 29.0 38.7 37.1 20.6
41.9
23.8 40.4 43.2 39.8
16.6 31.6 39.3 35.9
20.0 30.0 41.0 39.0
14.0 22.0 38.0 37.0
11.2 25.6 47.6 34.8
10.2 26.9 35.8 31.3
20.6 31.8 45.2 39.9
10.1 20.4 38.2 37.8
15.7 9.9 18.3 12.8 0.0 32.8 16.3 43.0 20.0 11.8 41.6 31.5 53.6 36.3 20.6 47.0 30.1 55.3 36.9 20.6
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Emerging Roles in Organizations’ Activities To gain an understanding of what roles IAAs have and will have in various types of activities and functions performed within an organization, respondents were provided with a list of important tasks performed by organizations. They were asked to indicate if their IAA currently has a role in the area, if the IAA is likely to have a role in the next three years, or if it is unlikely for the IAA to have a role. Role was defined as being within the IAA’s scope of work. The list was developed from a review of internal auditing literature and the CBOK 2006 pilot survey. An overview of all responses is shown in Table 9-4. The respondents’ IAAs all do some work in the areas listed. The four highest ranked areas where respondents indicate that their IAAs currently perform audits are fraud prevention/detection (69%), risk management (66.6%), regulatory compliance assessment monitoring (64%), and corporate governance (52.2%). Areas where respondents’ IAAs currently have less of a role are emerging markets (11.5%), environmental sustainability (14%), and globalization (15.3%). For most of the audit areas that are not currently being audited, respondents indicated that 17.7% to 38.1% of their IAAs plan to do audit work in those areas over the next three years. Currently 23.6% have a role in corporate social responsibility and an additional 31.6% of the respondents are likely to have a role in the next three years. Areas where more than a third of the respondents indicate they are unlikely to be involved are executive compensation (45.4%), environmental sustainability (39.9%), emerging markets (39.5%), globalization (35.2%), and intellectual property and knowledge assessment (35.1%). The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 347
Table 9-4 Emerging Roles of the IAA - Total Responses in Percentages Roles
Total Currently Likely to Have Unlikely to Not Total Respon- Have a Role a Role Within Have a Role Applicable dents the Next 3 Years
Alignment of strategy and performance measures (e.g., Balanced Scorecard) Benchmarking Corporate governance Corporate social responsibility Develop training and education of organization personnel (e.g., internal controls, risk management, regulatory requirements) Disaster recovery Evidential issues Emerging markets Environmental sustainability Executive compensation Fraud prevention/detection Globalization Intellectual property and knowledge assessment IT management assessment Knowledge management systems development review Mergers and acquisitions Project management Provide training to the audit committee Regulatory compliance assessment monitoring Risk management Strategic frameworks
6,500
23.1
35.2
30.1
11.6
100.0
6,476 6,511 6,415
28.6 52.2 23.6
35.7 31.2 31.6
26.0 11.4 33.8
9.7 5.2 11.0
100.0 100.0 100.0
6,522
46.6
34.4
15.3
3.7
100.0
6,490 6,385 6,426 6,436 6,429 6,530 6,431 6,391
34.0 39.8 11.5 14.0 16.0 69.0 15.3 19.2
26.1 23.9 22.5 24.7 17.7 22.9 21.1 28.4
29.0 23.5 39.5 39.9 45.4 5.7 35.2 35.1
10.9 12.8 26.5 21.4 20.9 2.4 28.4 17.3
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
6,453 6,387
46.1 26.1
32.2 38.1
16.8 26.9
4.9 8.9
100.0 100.0
6,437 6,410 6,436
18.4 39.8 31.2
23.7 27.6 34.4
30.8 25.1 21.7
27.1 7.5 12.7
100.0 100.0 100.0
6,442
64.0
23.0
9.2
3.8
100.0
6,509 6,407
66.6 27.0
25.5 36.8
5.6 27.7
2.3 8.5
100.0 100.0
The Institute of Internal Auditors Research Foundation
348 A Global Summary of the Common Body of Knowledge 2006 ______________________
Tables 9-4-1 and 9-4-2 show the total results by group for the question about roles and work areas that respondent IAAs’ currently have or are likely to have in the next three years. The respondents’ group data shows many variations in the roles the IAAs currently have and are likely to have in three years. Approximately 80% of the groups’ respondents indicate that they are currently involved or will be involved in the next three years in corporate governance, fraud prevention, IT management assessment, regulatory compliance, and risk management. The group data indicates that approximately 50% to 59% of the IAAs have or will have a role in alignment of strategy and performance measures.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 349
Table 9-4-1 Emerging Roles of the IAA - Currently Have a Role by Groups* All Respondents in Percentages Roles
1
Alignment of strategy and performance measures (e.g., Balanced Scorecard) Benchmarking Corporate governance Corporate social responsibility Develop training and education of organization personnel (e.g., internal controls, risk management, regulatory requirements) Disaster recovery Evidential issues Emerging markets Environmental sustainability Executive compensation Fraud prevention/ detection Globalization Intellectual property and knowledge assessment IT management assessment Knowledge management systems development review Mergers and acquisitions Project management Provide training to the audit committee Regulatory compliance assessment monitoring Risk management Strategic frameworks
2
3
4
5
6
7
8
9
10
11
12 N/C**
22.8 19.1 32.6
11.6 17.6 16.6 34.4 22.7 18.9 26.4 28.2 25.7 22.0
30.6 26.6 34.9 56.5 70.7 75.2 26.4 15.5 30.7
16.0 26.6 22.2 26.3 26.8 35.2 29.1 33.0 36.4 25.6 25.7 37.6 47.2 47.4 52.9 40.0 48.2 60.7 62.9 35.7 15.4 15.2 11.1 31.6 22.7 25.3 17.4 20.2 30.3 20.7
48.7 44.6 51.0
40.5 39.8 30.5 52.5 50.8 41.1 31.8 50.6 64.7 42.5
45.2 41.3 47.8 40.8 36.3 41.5 11.9 10.4 15.0 13.1 9.3 20.6
17.7 18.9 21.6 24.6 20.3 29.2 43.6 35.6 55.2 35.3 5.9 8.0 10.1 13.1 11.1 12.9 11.8 7.9 18.6 13.4
19.8 9.8 17.2 75.1 71.7 73.4
8.2 13.1 7.4 18.2 11.6 11.1 19.8 14.5 21.2 14.3 52.7 56.9 64.7 69.2 64.8 72.8 65.8 63.2 82.9 60.7
14.4 7.7 18.1 22.3 18.7 24.7
13.4 12.9 12.5 29.0 12.9 15.6 23.9 19.0 14.7 15.2 10.6 16.6 10.7 23.2 14.9 16.7 24.1 17.5 14.3 14.7
48.7 47.8 48.0 31.4 27.6 34.2
26.0 37.2 45.0 62.7 46.8 42.7 51.8 36.9 48.6 37.9 12.4 18.5 20.6 28.4 16.8 26.7 23.6 23.1 17.6 21.4
20.6 12.7 19.9 44.4 45.3 50.4 40.2 29.4 39.5
8.2 12.1 19.1 23.8 20.0 23.3 14.5 12.7 8.6 13.5 32.0 30.2 40.6 36.2 33.4 28.1 42.2 30.5 41.2 31.7 16.1 15.1 13.2 31.7 26.8 19.1 24.8 23.1 31.4 23.3
63.9 64.8 58.4
61.4 60.8 67.2 70.3 75.7 56.7 54.5 55.2 57.1 57.1
69.5 76.9 79.6 29.2 29.1 39.0
46.4 57.7 62.7 67.7 68.8 56.0 67.9 67.1 76.5 52.9 15.2 20.5 13.5 39.8 19.2 22.4 31.2 22.4 47.1 25.3
26.4 40.0 10.0 12.4
22.7 24.5 15.5 18.2
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
29.3 34.5 11.5 11.5
37.1 56.3 12.5 17.6
21.4 38.5 12.1 17.3
350 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 9-4-2 Emerging Roles of the IAA - Likely to Have a Role in Next Three Years by Groups* All Respondents in Percentages Roles
1
Alignment of strategy and performance measures (e.g., Balanced Scorecard) Benchmarking Corporate governance Corporate social responsibility Develop training and education of organization personnel (e.g., internal controls, risk management, regulatory requirements) Disaster recovery Evidential issues Emerging markets Environmental sustainability Executive compensation Fraud prevention/ detection Globalization Intellectual property and knowledge assessment IT management assessment Knowledge management systems development review Mergers and acquisitions Project management Provide training to the audit committee Regulatory compliance assessment monitoring Risk management Strategic frameworks
2
3
4
5
6
7
8
9
10
11
12 N/C**
31.0 36.1 37.7 41.7 41.9 26.5 43.3 37.3
46.7 20.0 41.8 54.3 39.6
32.2 35.3 36.2 36.7 44.8 33.9 44.3 35.1 25.8 22.8 20.1 49.4 39.8 33.4 39.3 34.0 23.9 36.5 36.5 39.0 30.5 29.7 41.4 39.9
44.3 27.3 42.6 42.4 37.9 50.0 25.5 33.1 28.6 40.9 39.1 31.2 42.2 42.4 38.0
31.8 32.6 31.3 40.5 41.4 35.8 36.9 31.6
44.4 44.5 36.8 32.4 39.5
24.7 22.4 19.1 17.9
46.2 27.8 26.7 33.7
27.2 24.2 18.1 26.2
25.2 26.6 27.4 32.8
24.6 29.2 23.8 28.1
27.7 25.8 24.7 24.5
20.8 20.3 16.3 21.2
37.4 25.8 35.6 37.5
21.9 21.1 20.9 29.3
19.1 19.1 12.7 20.0
39.1 35.1 37.9 38.5
40.0 34.4 43.8 55.9
27.2 25.1 25.2 27.3
14.5 10.4 21.3 17.3 20.6 11.5 30.5 17.3 18.9 19.0 17.5 38.9 32.0 25.1 25.3 23.4
15.6 15.3 30.1 30.3 21.6 21.7 21.6 28.7 8.6 30.1
13.9 19.1 21.2 42.4 24.6 16.6 33.8 21.3 23.3 39.6 32.4 38.4 32.5 20.5 37.6 24.0
22.2 15.6 37.4 35.3 31.4 41.1 16.7 49.1 51.4 33.3
27.5 31.9 32.2 41.5 43.9 31.2 29.2 32.6 31.3 43.1 39.1 45.0 47.8 36.4 45.1 42.0
44.9 24.5 42.0 42.9 39.4 46.7 33.6 46.8 64.7 41.8
21.8 17.7 20.1 23.5 25.8 20.9 28.5 25.0 23.2 26.3 28.4 37.9 37.5 27.4 30.7 25.7 30.0 41.1 36.5 39.2 36.0 31.1 41.9 34.4
32.2 20.0 32.4 42.9 28.1 36.0 25.7 32.2 41.2 33.1 43.8 32.1 48.6 51.4 38.4
20.8 21.4 27.7 28.6 25.7 22.0 22.6 16.4
36.7 19.1 32.0 31.4 29.8
22.2 18.1 15.8 46.8 31.6 28.3 25.5 23.5 33.2 37.4 37.7 44.4 41.4 33.1 40.3 35.4
38.5 22.0 28.9 17.6 37.1 54.1 25.7 48.3 41.2 43.3
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 351
Table 9-4-3 summarizes the areas where respondents think the IAA would not have a role in the next three years. The areas that most groups agree that the IAA will not have a role in the foreseeable future are emerging markets, environmental sustainability, executive compensation, and intellectual property and knowledge assessment.
Table 9-4-3 Emerging Roles of the IAA – Not Likely to Have a Role in Next Three Years by Groups* All Respondents in Percentages Roles
1
Alignment of strategy and performance measures (e.g., Balanced Scorecard) Benchmarking Corporate governance Corporate social responsibility Develop training and education of organization personnel (e.g., internal controls, risk management, regulatory requirements) Disaster recovery Evidential issues Emerging markets Environmental sustainability Executive compensation Fraud prevention/detection Globalization Intellectual property and knowledge assessment IT management assessment Knowledge management systems development review Mergers and acquisitions Project management Provide training to the audit committee Regulatory compliance assessment monitoring Risk management Strategic frameworks
2
3
4
5
6
7
8
9
10
11
12 N/C**
34.7 34.4 24.2 31.3 25.1 41.9 12.2 28.9 18.9 41.8 22.0 11.4 26.3
28.5 31.5 23.4 35.5 17.3 33.3 16.2 26.6 11.4 34.5 18.8 3.0 22.9 12.9 6.0 3.4 20.8 13.8 13.5 6.9 8.3 6.7 12.7 3.9 5.7 15.3 38.7 38.1 26.5 33.6 36.7 46.2 19.0 25.1 26.4 45.9 30.6 21.2 29.2 16.0 19.0 15.0 13.3 14.3 28.5
25.4 25.4 44.0 46.5
29.9 28.6 48.9 49.2
23.2 21.3 33.3 31.7
40.0 26.2 45.7 38.3
28.2 18.4 32.4 33.3
41.8 31.8 43.5 46.8
7.8 13.6 10.0 18.2 10.9
23.6 10.3 30.4 26.5
38.4 22.7 37.5 35.2
19.8 21.1 43.3 38.2
50.0 45.5 41.8 50.9
0.0 14.3
25.9 11.4 29.3 19.5 3.1 21.3 35.1 25.0 31.1 37.4 11.8 30.9
49.1 59.6 44.1 45.5 41.4 50.1 30.0 44.7 47.8 46.8 41.6 30.3 37.1 4.0 7.1 7.0 6.1 7.6 8.4 3.3 7.9 4.3 12.6 4.0 5.7 6.2 37.7 42.6 32.9 29.0 30.0 40.1 24.9 36.9 46.7 37.6 34.5 35.3 29.7 36.7 31.3 30.7 36.5 29.8 44.9 24.5 40.4 28.9 50.0 24.0 14.3 34.0 19.5 17.6 15.9 22.5 11.0 18.8 3.8 15.4 9.0 20.9 17.0 28.4 23.8 22.1 28.7 22.7 34.0 19.6 30.3 22.2 34.5 24.3
2.9 16.8 8.8 25.4
29.6 30.4 30.4 40.8 28.3 36.8 27.2 32.1 28.9 36.4 39.9 25.7 28.6 26.0 22.3 18.7 20.2 21.7 27.9 24.0 31.4 22.5 25.7 30.5 5.9 22.7 20.1 25.0 19.2 27.5 23.0 32.8 13.6 23.7 22.5 25.7 22.0 11.4 22.4 11.0 12.1 11.4
8.9
8.2
7.6
3.8
4.0
4.4 19.1 11.6
6.2 3.3 3.4 4.9 6.6 7.9 2.5 5.5 3.3 10.1 3.5 30.1 25.8 19.0 29.2 25.2 45.2 12.9 33.4 17.6 37.6 20.7
*For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
2.9
8.4
0.0 6.8 2.9 21.5
352 A Global Summary of the Common Body of Knowledge 2006 ______________________
Organizational Environment and Key Activities of the IAA This final section of the chapter captures CAE and Audit Manager respondents’ agreement with statements about their organizations and their IAA’s role in the organization. The survey asked if a statement currently applies, is likely to apply within the next three years, or will not apply in the foreseeable future. As listed in Table 9-5, 61.2% of the respondents indicate that their countries currently have laws or regulations that require organizations to have an IAA and an additional 13.1% anticipate having such requirements in the next three years. Corporate governance codes are complied with in 67.7% of the organizations with 22.7% of the respondents’ organizations likely to comply with a corporate governance code in the next three years. In 70.5% of the respondents’ organizations, there is an internal control framework and 24.3% indicate that their organizations will have a framework in the next three years. Assurance audits receive more emphasis than consulting services in 71.5% of the organizations. The IAAs (64.3% currently, 25.3% more in three years) educate their organizations’ personnel about internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently, 25.6% more in three years) have an important role in the integrity of their organizations’ financial reporting. Internal auditors anticipate having a growing advisory involvement in the development of strategy (28.9% currently, 32.7% in the next three years) while 30.3% noted they would not have an advisory role in strategy development in the foreseeable future. Providing training to audit committee members (34% currently, 32.3% in the next three years) is also anticipated to increase. Implementation of a knowledge management system is expected to escalate (25.6% currently, 43.9% in the next three years) while 20.6% indicate their organizations will not apply a knowledge management system in the foreseeable future.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 353
Table 9-5 How Statements Apply to Your Organization CAEs’ and Audit Managers’ Agreement with Statements in Percentages Statement
Number of Currently Likely to Will Not Not Total Respondents Applies Apply Apply in the Applicable Within the Foreseeable Next 3 Future Years
Internal auditing is required by law or regulation where the organization is based. Internal auditors in the organization have an advisory role in strategy development. The organization complies with a corporate governance code. The organization has implemented an internal control framework. The organization has implemented a knowledge management system. The internal audit activity has provided training to audit committee members. The internal audit activity assumes an important role in the integrity of financial reporting. The internal audit activity educates organization personnel about internal controls, corporate governance, and compliance issues. The internal audit activity places more emphasis on assurance than consulting services.
3,464
61.2
13.1
12.9
12.8
100.0
3,445
28.9
32.7
30.3
8.1
100.0
3,447
67.7
22.7
4.3
5.3
100.0
3,443
70.5
24.3
3.5
1.7
100.0
3,423
25.6
43.9
20.6
9.9
100.0
3,424
34.0
32.3
18.5
15.2
100.0
3,437
55.7
25.6
13.8
4.9
100.0
3,437
64.3
25.3
7.3
3.1
100.0
3,448
71.5
15.2
8.4
4.9
100.0
The Institute of Internal Auditors Research Foundation
354 A Global Summary of the Common Body of Knowledge 2006 ______________________
Tables 9-5-1 and 9-5-2 provide information by groups for CAE and Audit Manager respondents’ current agreement with these statements and the likelihood of application in the next three years. The group tables show that the majority (48.0% up to 84.2%) live in countries that have or likely will have laws and regulations in the next three years requiring organizations to have internal auditors. Most organizations within the groups have (49.1% to 78.8%) or likely will adopt (16.8% to 45.3%) an internal control framework in the next three years projecting coverage of over 90% of the respondents’ IAAs. Most respondents within the groups agree that the IAA does or will assume an important role in the integrity of financial reporting, educates organization personnel about internal controls, corporate governance and compliance issues, and places more emphasis on assurance than internal controls and consulting services. In most groups, the advisory role the IAA has in the organization’s strategy development (currently 17.5% - 39.5% with group 12 at 60%) will likely significantly increase in the next three years.
The Institute of Internal Auditors Research Foundation
1
2
3
4
5
Internal auditing is required 58.0 48.0 67.7 80.0 64.7 by law or regulation where the organization is based. Internal auditors in the 29.7 30.3 33.8 39.5 22.8 organization have an advisory role in strategy development. The organization complies 73.8 72.4 79.6 55.5 60.3 with a corporate governance code. The organization has 70.4 71.3 73.2 78.8 61.2 implemented an internal control framework. The organization has 22.9 27.9 32.4 30.5 25.2 implemented a knowledge management system. The internal audit activity 46.9 35.8 43.4 17.4 14.5 has provided training to audit committee members. The internal audit activity 64.1 62.3 58.4 42.4 39.5 assumes an important role in the integrity of financial reporting. The internal audit activity 73.1 68.0 71.3 47.1 50.2 educates organization personnel about internal controls, corporate governance, and compliance issues. The internal audit activity 75.2 72.4 81.6 65.0 60.9 places more emphasis on assurance than consulting services. *For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Statement 65.7
35.5
55.7
78.4
26.5
34.0
58.1
66.2
71.2
17.5
54.8
59.2
19.3
13.0
45.2
42.7
68.8
7
60.6
6
The Institute of Internal Auditors Research Foundation 67.1
62.9
46.7
24.0
26.2
77.5
66.9
22.9
62.4
8
58.2
45.5
54.7
21.2
46.3
65.5
53.7
37.0
52.7
9
62.3
43.4
39.6
20.8
25.0
49.1
54.7
20.8
54.7
10
69.3
65.8
62.8
21.9
33.9
77.9
71.9
33.9
66.4
11
12
78.9
60.0
50.0
15.0
26.3
63.2
55.0
60.0
84.2
Table 9-5-1 How Statements Currently Apply to Respondents’ Organizations by Groups* CAE and Audit Manager Agreement with Statements in Percentages
66.8
53.2
47.5
23.0
23.9
65.5
56.6
28.4
58.8
N/C**
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 355
1
2
3
4
5
Internal auditing is required by 9.6 16.3 13.1 13.3 15.1 law or regulation where the organization is based. Internal auditors in the 28.6 24.6 32.7 32.8 41.8 organization have an advisory role in strategy development. The organization complies 16.8 22.8 17.3 40.3 28.4 with a corporate governance code. The organization has 23.2 23.8 23.6 18.6 32.8 implemented an internal control framework. The organization has 37.4 49.2 49.6 47.5 49.1 implemented a knowledge management system. The internal audit activity 27.9 34.1 31.3 46.1 32.0 has provided training to audit committee members. The internal audit activity 20.9 19.7 27.4 37.3 29.4 assumes an important role in the integrity of financial reporting. The internal audit activity 20.1 23.8 20.9 35.5 32.3 educates organization personnel about internal controls, corporate governance, and compliance issues. The internal audit activity 11.9 19.5 9.9 28.3 20.6 places more emphasis on assurance than consulting services. *For a list of groups, please see Appendix 1-B. **N/C = Respondents did not indicate affiliate or chapter membership.
Statement 13.0
43.9
33.5
19.7
51.2
39.6
31.2
26.8
18.6
31.6
27.9
32.5
43.5
27.5
27.9
30.6
14.4
7
13.0
6
The Institute of Internal Auditors Research Foundation 12.6
26.6
30.5
30.2
45.3
20.2
22.8
33.8
15.4
8
29.1
43.6
34.0
51.9
44.4
27.3
44.4
44.4
32.7
9
22.6
30.2
18.9
30.2
46.2
45.3
24.5
17.0
11.3
10
21.1
26.3
27.4
48.2
47.0
16.8
21.1
42.6
15.5
11
15.8
35.0
40.0
75.0
63.2
31.6
40.0
35.0
10.5
12
21.8
34.7
26.2
38.7
53.2
29.5
29.2
36.7
20.8
N/C**
Table 9-5-2 How Statements are Likely to Apply to Respondents’ Organizations Within the Next 3 Years by Groups* CAE and Audit Manager Agreement with Statements in Percentages
356 A Global Summary of the Common Body of Knowledge 2006 ______________________
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 357
Summary Internal auditing has evolved significantly from its origins in the early 20th century. The results of CBOK demonstrate that internal auditing will continue to evolve in the future by incorporating new responsibilities and having an impact on more areas of the organization. It is especially interesting to note that respondents indicated their IAA’s responsibilities increasing in all of the major types of audits that are currently being performed, some by large amounts. For example, risk management is expected to increase 79.5% over the next three years. Furthermore, it does not appear that any of the current types of audits performed will decrease in any significant way over the next three years. As the profession evolves, emerging roles to monitor include alignment of strategy and performance measures, benchmarking, knowledge management, systems development review, and strategic frameworks. Each of these was indicated by respondents as having an increase of more than 35% over the next three years. Executive compensation stood out in the CBOK results as clearly showing that IAAs do not currently and most likely will not have a role in the future. Respondents indicate that 16% of IAAs currently have a role and 17.7% are likely to have a role in the next three years. This is compared with 45.4% of respondents who indicate that their IAA is unlikely to have a role in the next three years in this activity.
The Institute of Internal Auditors Research Foundation
358 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS Chapter 10
Chapter 10: Research Method and Literature Review ........................................................ 359 Research Method ................................................................................................................ 359 Project Teams ............................................................................................................... 359 Pilot Test and Literature Review.................................................................................. 361 CBOK 2006 Questionnaires ......................................................................................... 363 Clustering for Groups................................................................................................... 364 Literature Review................................................................................................................ 367 Introduction .................................................................................................................. 367 Prior IIA CBOK Studies............................................................................................... 367 North American Literature Review on Internal Auditing ............................................ 372 Summary ............................................................................................................................. 379 Asia Pacific Literature Review on Internal Auditing.......................................................... 380 European Literature Review on Internal Auditing.............................................................. 390 South African Literature Review on Internal Auditing ...................................................... 398 Appendix 10-A: Pre-scope Questionnaire for CBOK......................................................... 406 Appendix 10-B: Topical Areas That Are Addressed in Past and Current IIA CBOK Studies........................................................................................................ 418 Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire................................... 421
Disclosure Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting research and knowledge resources to enhance the development and effectiveness of the internal auditing profession.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 359
CHAPTER 10 RESEARCH METHOD AND LITERATURE REVIEW This chapter reviews the research method used to gather the data for the Common Body of Knowledge (CBOK) 2006 study and provides a literature review prepared by each of the research teams listed below summarizing the past studies reviewed prior to preparing the CBOK questionnaires.
RESEARCH METHOD Project Teams The research team was comprised of three international teams that were selected from the responses to the CBOK request for proposals. Table 10-1 lists the members of the three CBOK 2006 teams. Based on the location of the selected research teams, the international affiliates and chapters were broken down into three broad geographical areas.
The Institute of Internal Auditors Research Foundation
360 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 10-1 Research Teams Teams
Lead Team • Priscilla A.Burnaby (Bentley College, United States) – Project Coordinator and Team Coordinator • Mohammad J. Abdolmohammadi (Bentley College, United States) • Susan Hass (Simmons College, United States) • Rob Melville (Cass Business School, England) – Team Coordinator • Marco Allegrini and Giuseppe D’Onza (University of Pisa, Italy) • Leen Paape (Erasmus University, Netherlands) • Gerrit Sarens (University of Ghent, Belgium) • Marinda M. Marais (University of South Africa) • Elmarie Sadler (University of South Africa) • Houdini Fourie (Tshwane University of Technology, South Africa) • Barry J. Cooper (Deakin University, Australia) – Team Coordinator • Philomena Leung (Deakin University, Australia)
General Areas of Responsibilities
North, Central, and South America and the Caribbean
Europe and Africa
Asia and Pacific
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 361
Pilot Test and Literature Review1 The pre-scope questionnaire sent to practitioners for their input was developed after reviewing the Professional Practices Framework (The IIA, 2004) and performing a literature review of current internal auditing studies around the world. A summary of the literature review is included in the second part of this chapter. The objective of the pilot survey was to determine what practitioners believed should be included in the CBOK 2006 questionnaires. Based upon discussions with knowledgeable internal auditors, key stakeholders at The IIA, and the literature review, the following topics were selected for inclusion in the pilot survey: • • • • • • • • •
Audit methods, tools, and techniques Auditor skill sets Certification and professional development Emerging trends in internal auditing Evaluation of staff Internal auditing standards from the Professional Practices Framework Percentage of time spent on different types of audits in 2005 Role of the board of directors and audit committee Specific areas of knowledge required of internal auditors
To collect data from a small representative group of experienced internal auditors, the pre-scope questionnaire was sent to a number of internal auditors in various regions of the world by each of the three global teams. The respondents were asked to indicate which items listed on the prescope questionnaire should be included or excluded from the CBOK 2006 study. Each topic on the pilot questionnaire was followed by a request for the respondents to add related areas and questions that they thought should be included in the final questionnaire. Sixty-three responses were received from nine countries. Table 10-2 indicates the number of responses from each country. Appendix 10-A contains the pre-scope questionnaire and a summary of the responses, including the respondents’ suggestions for additional areas to be included in CBOK 2006. A majority of participants agreed with the inclusion in the study of most of the topics in the pre-scope questionnaire and provided insights into other topics that should be included. These areas were priorities for inclusion in the final CBOK questionnaires. 1
The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
The Institute of Internal Auditors Research Foundation
362 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 10-2 Summary of Pilot Test Respondents by Countries Countries Asia Australia New Zealand Malaysia Europe Belgium France Italy South Africa U.K./Ireland USA Total
Respondents 11 5 2 9 2 6 1 13 14 63
To include current practices and explore emerging practices in the profession, CBOK 2006 incorporated several topics that were not included in prior CBOK studies. This was based on the literature review and the results of the pilot survey. Appendix 10-B lists topical areas covered in past CBOK studies and those that were covered in CBOK 2006. CBOK 2006 used The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) as of September 2006, the date of the study, as the basis for the focus of the study. The Standards contain the expanded scope in The IIA’s definition of internal auditing, which includes governance, risk management, and internal control engagements for the internal audit activity (IAA).
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 363
CBOK 2006 Questionnaires Due to the need expressed by The IIA’s CBOK Steering Committee to limit the members’ response time to 40 minutes, it was decided to create three separate CBOK questionnaires as follows: 1. Affiliates: The IIA is fortunate to have numerous Affiliate organizations around the world that provide services to their geographic area in cooperation with IIA headquarters. This questionnaire asked affiliate leaders questions about regulatory and cultural differences affecting the application of ethics and the Standards in their area. One questionnaire was sent to each participating affiliate. 2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest position within the organization responsible for the internal audit activity (IAA). Data on the status of the IAA within the organization, application of the Standards, skills needed at each staff level, and emerging audit roles were collected from CAEs worldwide. 3. Practitioners: For purposes of this study, Practitioners are all other internal auditors that are not CAEs. Data about the application of the Standards, how an audit is performed, skill sets needed, and the emerging roles of IAA were collected from internal auditors worldwide. The three detailed questionnaires developed by the CBOK 2006 teams were subjected to close scrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, the questionnaires were reviewed by a statistical expert and a small group of internal auditors worldwide to ensure completeness and validity. Based on their comments, the final questionnaires were developed and translated from English into 16 languages (Spanish, French, German, Russian, Czech, Turkish, Simplified Chinese, Japanese, Traditional Chinese, Indonesian, Arabic, Polish, Bulgarian, Italian, Portuguese, and Swedish). In September 2006, the CAE and Practitioner questionnaires were distributed electronically to The IIA membership by participating affiliates, chapters, and United States members that allow The IIA to send them e-mails using the survey software Peruses. The Affiliate questionnaire was distributed by The IIA in December 2006. As some of the questions for the CAE and Practitioner questionnaires were the same, the questionnaires were combined for translation. Please see Appendix 10-C for the combined CAE and Practitioner questionnaire. A guide for which questions were asked of all participants or either the CAE or the Practitioner is provided in the first two pages of Appendix 10-C.
The Institute of Internal Auditors Research Foundation
364 A Global Summary of the Common Body of Knowledge 2006 ______________________
Number of Responses As of September 2006, The IIA had approximately 127,700 members. As listed in Table 10-3, the membership was made up of 143 chapters in the United States, 11 chapters in Canada, 9 chapters in the Caribbean, and 94 affiliates. The total number of responses to the CAE and Practitioner questionnaires was 15,028. After the responses that were deemed not usable were deleted from the database, 9,366 usable responses remained resulting in a 7.3% overall response rate. Due to some Affiliates not participating and some members who have opted not to receive e-mails from The IIA, the survey was sent to approximately 99,000 members resulting in an estimated 9.5% response rate. The respondents represent 91 countries as one of the participating countries has two affiliates.
Table 10-3 Number of Participating Chapters and Affiliates Area
U.S.A. Canada Caribbean IIA Affiliates
*Number of Chapters/Affiliates
1 or More Usable Responses from Chapters/Affiliates
143 11 9 94
133 11 7 83
Number of Affiliates that Returned CBOK Affiliate Questionnaire Not Applicable Not Applicable Not Applicable 46
*Tallied from The IIA’s Web site
Responses were determined to not be useable if the reply was empty or the respondent did not answer enough questions to be considered for inclusion. A total of 133 United States’ chapters, all of the Canadian chapters, and 7 of the Caribbean chapters participated in CBOK 2006. Eightythree affiliates had at least one usable CAE or Practitioner response. The number of respondents for the United States, Canada, and the Caribbean and for each participating affiliate is summarized in Appendix 1-B of Chapter 1 in this research report. Forty-six affiliates returned the CBOK Affiliate questionnaire by the January 15, 2007, cutoff date for inclusion (noted by a + sign in Appendix 1-B in Chapter 1).
Clustering for Groups As data was collected from numerous affiliates and chapters, a methodology was needed to combine them into groups for comparison of responses. Clustering literature was reviewed for plausible The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 365
ways to combine affiliates and chapters by cultural classification. Pioneer work for cultural classification was performed by Hofstede (1980), who argued that the four dimensions of Power Distance, Individualism, Masculinity, and Uncertainty Avoidance influence work environments. Based on these dimensions, Hofstede (1983) classified fifty countries into different cultural zones. In 2004, House et al. expanded Hofstede’s dimensions and the number of countries classified into cultural zones. House et al. (2004) used nine dimensions to classify 62 countries into various categories. Table 10-4 defines and lists the dimensions used by Hofstede (1983) and House et al. (2004).
Table 10-4 Cultural Classification Criteria No.
Criterion
1*
Uncertainty Avoidance
2*
3**
4** 5*** 6*** 7@
8@ 9@
Definition +
The extent to which members of an organization or society strive to avoid uncertainty by relying on established social norms, rituals, and bureaucratic practices. Power The degree to which members of an organization or society expect and agree Distance that power should be stratified and concentrated at higher levels of an organization or government. Institutional The degree to which organizational and societal institutional practices Collectivism encourage and reward collective distribution of resources and collective action. In-group The degree to which individuals express pride, loyalty, and cohesiveness in Collectivism their organizations or families. Gender The degree to which an organization or society minimizes gender role Egalitarianism differences while promoting gender equality. Assertiveness The degree to which individuals in organizations or societies are assertive, confrontational, and aggressive in social relationships. Future The degree to which individuals in organizations or societies engage in Orientation future-oriented behaviors such as planning, investing in the future, and delaying individual or collective gratification. Performance The degree to which an organization or society encourages and rewards Orientation group members for performance improvement and excellence. Human The degree to which individuals in organizations or societies encourage and Orientation reward individuals for being fair, altruistic, friendly, generous, caring, and kind to others.
+Definitions are from House and Javidan (2004, 11-13). *These two criteria are the same as those of Hofstede’s (1980). **These two criteria are based on Hofstede’s (1980) Individualism. ***These two criteria are based on Hofstede’s (1980) Masculinity. @ House et al. (2004) added these based on literature other than Hofstede (1980).
The Institute of Internal Auditors Research Foundation
366 A Global Summary of the Common Body of Knowledge 2006 ______________________
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62 societies was insufficient for complete classification of the CBOK 2006 participants. By using additional information from the Central Intelligence Agency World Fact Book (2006), affiliate language, geographical location, and discussions with The IIA staff and leadership, the affiliates and chapters were classified into 12 groups. Respondents who did not indicate membership in a specific affiliate or chapter were clustered into a 13th group that was included in statistical summaries for the aggregate results but not in affiliate or chapter cultural cluster results. Please refer to Appendix 1-B of this report for the groups used for the analysis of responses for CBOK 2006.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 367
LITERATURE REVIEW Introduction The objective of the literature review for CBOK 2006 was to provide a summary of published articles, studies on special topics, and research projects about the practice of internal auditing around the world as determined by the research teams around the world. Each research team prepared a literature review for the countries in their area of the world.
Prior IIA CBOK Studies2 Overview The IIA has sponsored four prior CBOK studies. Appendix 10-C lists the topical areas covered in these studies and identifies topical areas covered in the CBOK 2006 study. The past four CBOK studies are summarized in the following section. Table 10-5 compares the number of participating countries and usable questionnaire responses used in each CBOK study.
Table 10-5 Comparison of CBOK’s Number of Countries and Number of Respondents CBOK Number
Year
Number of Countries
Number of Usable Respondents
I II III IV V
1972 1985 1991 1999 2006
1 2 2 21 91
75 340 1,163 136 9,366
2
The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
The Institute of Internal Auditors Research Foundation
368 A Global Summary of the Common Body of Knowledge 2006 ______________________
CBOK I in 1972 The objective of CBOK I (Gobeil, 1972) was to define the CBOK for the profession of internal auditing. The survey was conducted only in the United States. The report was based on a sample of 100 internal auditors from which there were 75 responses. The questionnaires were distributed to The IIA’s international officers, directors, and the chairs and committee members of all international committees. It attempted to define and interpret three areas. The first area was to establish the knowledge that internal auditors should possess to be considered professionally proficient. The second area of interest was the knowledge required for candidates sitting for the Certified Internal Auditor (CIA) exam. The final area was the type of knowledge that should be the focus of continuing professional development and training. The study outlined three different levels of knowledge required in the three different subject matters (Gobeil, 1972), namely: •
•
•
Appreciation of the broad nature and fundamentals involved in, and an ability to recognize the existence of special features and problems in, various business transactions, and determination of what further study or research must be undertaken under various conditions. A sound appreciation of the broad aspects of practices and procedures and an awareness of the problems related to more detailed aspects thereof. It also included the ability to apply such broad knowledge to situations likely to be encouraged, to recognize the more detailed aspects which must be considered, and to carry out research and studies necessary to come to a reasonable solution. A sound understanding of principles, practices, and procedures and the ability to apply such knowledge to situations likely to be encountered in order to deal with all aspects without extensive recourse to technical research and assistance.
CBOK II in 1985 The objective of CBOK II (Barrett et al., 1985) was to establish the structure of the CBOK for practicing internal auditors. This study included responses from the United States and Canada. The researchers first reviewed how the medical, legal, military, religious, accounting, and auditing professions determined their CBOK. Then they conducted interviews with directors and managers of large international audit departments in Canada and the United States. Based on this background the researchers developed and distributed questionnaires to approximately 900 individuals of whom 340 returned usable responses.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 369
The researchers identified three key areas of CBOK: knowledge of relevant disciplines; skills needed to perform appropriate internal auditing tasks; and experiences necessary to be professionally qualified, proficient, and a competent internal auditor. Barrett et al. (1985) presented three broad conclusions. First, senior internal auditors should have a firm grasp of the core academic disciplines of auditing and computer systems and a working knowledge of communications and accounting. Second, at the bottom of the importance scale of knowledge is marketing. Finally, entry-level internal auditors are expected to possess as much knowledge but fewer skills as senior-level auditors, and senior-level (not entry-level) auditors are expected to become professionally certified.
CBOK III in 1991 Albrecht et al. (1992) sent questionnaires to internal auditors in Canada and the United States. Of the 1,247 returned questionnaires, 1,163 responses were usable. The research method used by the authors was the most elaborate of the CBOK studies to date. It included: • • • • •
Review of current internal audit literature. Interviews with content experts in the subject areas identified by the literature review. Development of the initial questionnaire. One-day meetings with selected groups of internal audit practitioners in various cities. Distribution of the CBOK questionnaire to practicing internal auditors and analysis of the data.
This study contributed to the literature in several significant ways. It identified the competencies and knowledge that was required for internal auditors to practice at varying levels of experience. It also identified the most appropriate setting (formal education, professional development seminars, or on-the-job experience) where the competency should be acquired. The researchers included the following in their findings: • • • •
The knowledge included in the CBOK The levels at which internal auditors should possess various knowledge elements of the CBOK The kind of knowledge that should be included on the CIA examination The kind of knowledge that should be included in professional development and training seminars for internal auditors
The authors found that a major demographic factor causing responses to the CBOK questionnaire to vary was the position level of the respondent. As auditors move from staff auditor to senior, to manager, and finally to director, there are changes in what the respondents perceived should be the required CBOK.
The Institute of Internal Auditors Research Foundation
370 A Global Summary of the Common Body of Knowledge 2006 ______________________
CFIA in 1999 (CBOK IV) The next CBOK project, known as the Competency Framework for Internal Auditing (CFIA), was undertaken by a group of researchers in Australia. The study resulted in the publication of five detailed monographs (see Birkett, et al., 1999). To summarize the large amount of information presented, The IIA published a short executive summary monograph (McIntosh, 1999). These studies surveyed five groups of participants and provided information about the changing nature of internal auditing from compliance to assurance, risk exposures, and control strategies. The scope of Birkett, et al.’s (1999) studies addressed the areas of the future of the internal audit profession, the value proposition of internal auditing, the critical competencies of internal auditors, global practices, and an assessment of these competencies. One of the interesting conclusions from this study was that the future will be driven by global organizational change, which would be accompanied by lower independence for internal auditors. The monographs also concluded that internal auditors must increasingly get involved with the assessment of risk and strategies for control. The authors proved to be correct as both of these issues have been addressed by the U.S. Sarbanes-Oxley Act of 2002.
Internal Auditing: The Global Landscape Birkett, et al. (1999) found that there were major difficulties in discussing the topic of internal auditing at a global level. They found that there was a lack of common meaning for terms like “internal control” and “compliance.” There were also differences in interpretation of “proper governance.” The surveyed countries agreed on the desired skills that an internal auditor should possess, including cognitive, behavioral, technical, analytic, appreciative, personal, interpersonal, and organizational skills. It was also important for internal auditors to have knowledge in specific areas such as information systems, finance, risk analysis, accounting, internal auditing, benchmarking techniques, and legal/regulatory systems. The respondents expressed concern that the certification requirements for the CIA designation were oriented toward North American practice. Major issues and concerns that would affect the profession in the future were identified as globalization, increased competition, rapid technological advancement, and changes in corporate governance.
Internal Auditing Knowledge: Global Perspectives The profession of internal auditing was also discussed at the global level. The internal auditor’s work environment was further analyzed by its context, factors of influence, key roles in the function, critical knowledge/expertise needed, and the evaluation of the auditing function. The key roles in the auditing function included audit management, project leader, internal auditor, management
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 371
development trainee, specialist, and external consultant. A competent internal audit department must have knowledge of the organization, auditing tasks, technical applications, management processes, risk/control framework, and commercial viability. Developing competency within internal auditing was done through an improved recruiting process and implementation of training/development programs. The auditing function was then assessed based on the linkage between their activities and the value they provided. It was suspected that in the future, internal auditing would take on a more anticipatory/proactive role which brought up a discussion on auditors’ independence.
Competency: Best Practices and Competent Practitioners This monograph includes six units, 27 elements, and many sub-elements, which are assessed through best practices. The focus of the monograph was on internal auditor competencies (skills) and capabilities (potential for making judgment). The authors found that competency was the relationship between task performance and individual attributes such as knowledge, skills, and attitudes (McIntosh, 1999, p. 4). The authors argued for common terminology but admitted that this was not an easy task because there is no equivalent for certain terminology (e.g., compliance) in some countries. Competency was defined in terms of best practices that are subject to benchmarks. The authors defined competency standards in terms of units of set tasks needed to meet the fundamental requirements of performing the audit. Elements of competency are subsets of tasks such as understanding organizational objectives/strategies, processes and capabilities, and the contextual dynamics affecting its functioning and sub-elements such as “identify/clarify the organization’s objectives.” The authors listed six units of competency: 1. 2. 3. 4. 5. 6.
U1: Understanding risk U2: Understanding adequacy of control strategies U3: Improve risk management and control U4: Provide ongoing assurance to organizations U5: Manage the IA function U6: Manage the dynamic context that affect the work of the function
The Future of Internal Auditing: A Delphi Study Birkett, et al. (1999) conducted a study that captured the opinions of 136 internal auditing experts representing 21 countries. The study focused on topics of importance to the future of the profession, key tasks performed, drivers of change, skills/knowledge required, and assessment criteria. The results indicated that the profession was gradually moving toward a focus on alignment with
The Institute of Internal Auditors Research Foundation
372 A Global Summary of the Common Body of Knowledge 2006 ______________________
organizational needs and how to create value for the organization. Drivers such as globalization, competition, increasing expectations/demands from stakeholders, legal perspectives, and technology were changing the context of internal auditing work. With the changes that the profession was facing, auditors needed to be knowledgeable and aware of the importance of evaluating risk exposures. The assessment of the auditing function could be assessed internally according to the organization’s value proposition or externally relative to best practices.
Assessing Competency in Internal Auditing: Structures and Methodologies In this study, the authors provided four performance criteria: qualitative outcomes such as accuracy, critical process variables such as holistic review, evidence and performance such as relevant documents, and consulting and timing. The authors stated that the different designations of auditor levels are trainee, team leader, manager, and director. Other designations included junior, senior, manager, and director. Internal auditors can also be called consultant, managing consultant, and vice president of audit.
North American Literature Review on Internal Auditing Overview The literature reviewed indicates that the role of the IAA has grown significantly over the years and given the significant change factors organizations are facing, such as the regulatory environment and new technologies, it is likely to be subjected to more significant changes in the future. The literature is fairly extensive in its investigation of the internal auditor’s role in various corporate governance issues. An extensive literature review by Gramling, et al. (2004) investigated the increasing role of the IAA in corporate governance. Due to the recent review of this topic provided by Gramling, et al. (2004), that literature is not reviewed in detail in this chapter. The focus of this literature review is primarily on the external environment that is causing change in the organization and the resulting expanded scope of audits required of the IAA.
The Professional Practices Framework of 2004 The most recent study undertaken by The IIA to determine the nature of the changes in internal auditing and the need to update the definition and standards of the profession was in 1999. Based on this study The IIA published a report titled, A Vision for the Future: Professional Practices Framework for Internal Auditing (The IIA, 1999). The report had the following objectives:
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 373
• • •
Revise the definition of internal auditing Produce a new framework Improve existing processes of standards-setting and guidance development through better coordination and leveraging of The IIA’s volunteer committees
This report resulted in changes to the definition of internal auditing, The IIA’s Code of Ethics, and The IIA’s Standards. As seen below, the new definition of internal auditing expands the scope of internal auditing into corporate governance and risk management (The IIA, 2004): Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. This is The IIA’s most proactive and comprehensive definition of internal auditing. It acknowledges the changing role of internal auditing in organizations, the need for a comprehensive and adaptable framework, and the ever-increasing value that the IAA contributes to contemporary organizations of differing sizes and types. As late as the beginning of the twenty-first century, the evolutionary practice of internal auditing resulted in developing internal audit best practices and adding value to the organization and its stakeholders by understanding the link between internal audit and organizational goals. Before the enactment of Sarbanes-Oxley, internal audit services were focusing on detection, not prevention. Internal auditors were moving from a confrontational approach to partnering with management and moving from a controls approach to a risk-based approach. They were also focusing on consulting services (Roth, 2002). Chapman and Anderson (2002) argue that the inclusion of assurance and consulting services in the new definition of internal auditing results in internal auditing becoming a proactive, consumerfocused activity concerned with the important issues of control, risk management, and governance. The definition specifically states the internal audit activity (IAA) is designed to add value and improve an organization’s operations (The IIA, 2002). The Standards indicate examples of assurance engagements as financial, performance, compliance, system security, and diligence audits. Examples of consulting activities include conducting internal control training, providing advice to management about the control concerns in new systems, drafting policies, and participating in quality teams. In addition, assurance services include financial auditing, performance auditing, and quick response auditing, and consulting services includes assessment
The Institute of Internal Auditors Research Foundation
374 A Global Summary of the Common Body of Knowledge 2006 ______________________
services, facilitation services, and remediation services (Anderson, 2003). These are all valueadded activities and contribute to organizational success and strategic achievement. This was reflected in the revised Professional Practices Framework which recognized that the IAA needed to support and promote a broad range of value-adding activities (RGTF, 1999). This also allowed for the recognition of the practice of internal auditing as evolutionary in the competitive marketplace (Krogstad, et al., 1999). The next sections include more focused discussion of the factors that significantly impact the future of the IAA.
Regulations Prior to the need for compliance with the requirements of Sarbanes-Oxley in the United States and similar laws in other countries, the emphasis of the IAA in the late 1990s was more a consultative partner with management (Roth and Espersen, 2003). Internal auditors also performed reviews of controls over operational systems. In responding to regulatory and technological change factors, organizations are evolving in their need for different types of internal audit involvement. The Sarbanes-Oxley Act (2002) legislation in the United States resulted in extensive regulatory requirements for a more effective and better documented system of internal controls over financial reporting in publicly listed companies. The IAA is in an advantageous position to help organizations comply with these requirements and is being called upon by companies to do much of the work in documenting and testing key internal controls over financial reporting. The new regulatory requirements have increased the IAA’s participation in the development of control documentation and compliance auditing over financial reporting that was often left in the past to external auditors. Sarbanes-Oxley legislation in the United States required the creation of the Public Accounting Oversight Board in 2004 (PCAOB, 2004). PCAOB was created to reform the auditing of internal control systems and financial reporting systems. The major objectives of the PCAOB are to enhance reliable financial reporting and to restore investor confidence after the business scandals and accounting failures of early 2000s. Faced with the regulatory requirements of Sarbanes-Oxley, many organizations turned to their IAAs for help. Internal auditor involvement was primarily compliance work surrounding the adequacy of key controls to aid in the increased reporting and governance requirements for publicly held companies. Although Sarbanes-Oxley work primarily emphasized control compliance, it also required internal auditors to provide consulting activities such as control system design.
Sarbanes-Oxley Changes Audit Coverage The shift of the IAA to a compliance focus is a result of a regulatory regime imposed by the requirements of Sarbanes-Oxley (2002) and the PCAOB (2004). Also influential were the changes
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 375
in governance requirements that various stock exchanges implemented (Gray, 2004). Although the resulting involvement in responding to regulatory requirements is still deemed value-added work, it is a different trend than was evolving before the business scandals at the beginning of the century in such areas as governance and risk assessment. An outcome of the current regulatory climate in the United States is that many IAA resources are spent on Sarbanes-Oxley compliance assurance work. A survey of audit managers undertaken in the third quarter of 2005 indicated that Sarbanes-Oxley (2002) first-year compliance efforts utilized 50% or more of internal audit (PwC, 2006). In the resource constrained paradigm within which the IAA operates, this emphasis means that resources must be diverted from operational audits and consulting activities to increase Sarbanes-Oxley assurance services. This is a challenging resource allocation problem for the IAA, where strong leadership and analytical skills as well as the ability to manage projects more efficiently and effectively are required. Also needed are effective communication and negotiation skills to interact with various stakeholders. When diverting resources, leaders of the IAA must be certain that they have a thorough understanding of how their work contributes value and links to strategy execution and achievement. The assurance work emphasis necessitated by regulatory requirements could also result in a negative reputation effect. For example, IAA stakeholders may develop a negative perception that is reverting back to the stereotypes of compliance duties in earlier periods. Gray (2004) argues that the image of internal auditors may be regressing to that of “police” as they identify negative findings in their assessment and tests of internal controls. This is a serious reputation issue that the IAA must address. Internal auditors must understand when this is happening and neutralize or eliminate such negative perceptions if they are to be effective in their assurance and consulting activities, relationship with key stakeholders, and in their role as supporter of organizational success. Ignoring such perceptions can result in reduced effectiveness of the IAA in its assurance and consulting activities and with stakeholders. Finally, an outcome of the expanding regulatory requirements is that internal auditors work closely with internal management and external auditors. Critics question whether this might damage the objectivity of the IAA (Krell, 2005). Since independence and objectivity are the cornerstones of the definition of internal auditing, there is a need for development of holistic models in which the IAA can maintain its objectivity and independence despite the close working relationships with internal management and external auditors. To do so may require internal auditors to use effective interpersonal skills such as relationship management and team building, concepts that are widely researched and discussed in management science.
The Institute of Internal Auditors Research Foundation
376 A Global Summary of the Common Body of Knowledge 2006 ______________________
Risk Assessment A recent survey shows that regulatory requirements diverted internal audit resources from other important internal audit activities such as risk-based audits to assurance work (PwC, 2005A). Failure to address key strategic and operational risks as well as compliance risk in an annual audit program undermines the effectiveness of the IAA. It diminishes its strategic value to key stakeholders and exposes the enterprise to greater operational and financial risks in the future. Balancing all risks that an organization faces is imperative to the success of the IAA and the organization as a whole (Krell, 2005). Internal auditors must not only be able to assess risks in their larger organizations, they must also be able to complete complex risk analyses in their own IAA. Being able to self-evaluate is important to the success of the IAA. To accomplish this, internal auditors need to possess increasing levels of critical thinking, analysis, decision making, and logic. These are among the skills included in the CBOK 2006 study.
Increased Demands on the IAA Balancing the complex, competing demands of stakeholder needs with limited IAA resources also requires effective management by the chief audit executive (CAE) (PwC, 2006). To be perceived to add value, the internal audit activity must strategically align with the needs and priorities of all of its key stakeholders, including the audit committee, executive management, and external auditors. Communicating the needs of the audit function, both orally and in writing, to key stakeholders is critical to successfully maximizing resources. Effective risk analysis, time management, and prioritization of tasks are important skills for internal auditors to ensure effective utilization of scarce resources. The increased demand for the IAA services places strain on many departments’ limited time budgets resulting in outsourcing and/or co-sourcing of activities. Rittenberg and Covaleski (1997) argue that outsourcing would be viable for functions that are not unique. For areas with specialized needs or competencies, outsourcing may be a viable alternative. Outsourcing reduces the demand for a scarce resource but requires management of external contract workers and their employers. CAEs must ensure that their management of internal audit staff is a transferable skill that can be used for the management of external co-sourcing relationships.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 377
Information Technology The information technology (IT) used by companies is becoming increasingly more complex. The IAA must embrace technology, understand it, and be able to effectively audit the processes and use it as an audit tool. Internal auditors will have to provide increased assurance by providing IT control assessment within the system of internal controls. If IT controls are selected and implemented properly on the basis of the risks they are designed to manage, then a methodology to continuously monitor IT control effectiveness and validity could provide the assurances needed (Le Grand, 2005). Knowledge of IT controls, IT auditing techniques, and the current trends in IT enhances understanding and efficient utilization of IAA resource. While the complexity of IT makes auditing more challenging, it also provides an opportunity to streamline internal audit activities by designing and utilizing continuous IT controls. This can relieve some of the stress of limited IAA resources that were noted previously. The use of continuous auditing may reduce the need for detailed annual reviews that have been typical in the past. Continuous auditing gives internal auditors the ability to monitor key business systems for both anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging risk. This can also be incorporated into other aspects of the audit process (Coderre, 2005). Under continuous auditing, technology is an enabler, but must be initiated and managed by the IAA (Warren, 2003). Continuous auditing should not be confused with continuous monitoring, which may be management driven (COSO, 2004). Computer-assisted audit tools (CAATs) can also expand audit coverage when there are finite resources. Maintenance of existing resource levels while expanding the scope of continuous monitoring and reporting of organizational effectiveness can be accomplished by utilization of automated testing capabilities. Effectively enhancing the extent of audit coverage would reduce the risks that arise with constrained resource allocation (PwC, 2005B). Training for computer skills for the internal audit staff would ensure IT expertise as an alternative to traditional manual audit techniques.
Risk-based Internal Auditing The IIA’s Standards require the establishment of risk-based plans to determine that the priorities of the IAA are consistent with organizational goals. For example, the risk of noncompliance with the regulatory requirements of Sarbanes-Oxley and other laws is a risk to the organization that should be assessed along with other risks when finalizing audit plans. Sarbanes-Oxley requires management’s development and monitoring of procedures and controls for making their required attestation regarding the adequacy of internal controls over financial reporting.
The Institute of Internal Auditors Research Foundation
378 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Standards require that internal audit activities evaluate and contribute to the improvement of the organization’s risk management, control, and governance processes through consulting and assurance activities. Thus, after the first few years of compliance, the role of internal auditing activity for Sarbanes-Oxley compliance should be one of support through consulting and assurance activities as outlined in the Standards (The IIA, 2004). This should allow the IAA to go back to a broader scope of services and provide more consulting than assurance services. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Enterprise Risk Management - Integrated Framework to help businesses respond to enterprise risk management issues in their own organizations (COSO, 2004). The COSO definition of internal control differs a bit from The IIA’s definition but the two are substantively similar enough that they seek to accomplish the same purpose. Since assessing the effectiveness of risk management is core to the globally accepted definition of internal auditing, the role of internal auditors must be clearly defined by organizations to ensure that they do not set the risk appetite, impose risk management processes, or make decisions about risk responses. These are the duties of management. The IAA must not be accountable for risk management decisions for the organization (The IIA, 2005). The IAA must be objective and independent if it is to perform its value-added duties and continue to contribute efficiently and effectively to corporate success. The current emerging business trend appears to be that the business environment challenges many organizations to simultaneously strengthen their internal controls and sustain compliance with Sarbanes-Oxley while also operating efficiently. After the first year of material compliance costs, organizations are faced with trying to reduce these costs. A top down risk-based approach to cost cutting may help companies cut costs while identifying the most effective and efficient controls needed to both achieve compliance and reduce efforts (Deloitte, 2006). If this impacts the internal audit activity in the future, concern about objectivity, independence, and risk may occur but must instantly be mitigated. By working independently and organizing the audit plan to focus on the needs identified in a risk-based assessment in conjunction with discussion with key stakeholders, the IAA will be able to perform objective and independent audits.
Objectivity Internal audit’s role is critical in assurance audits because it provides objective assurance (PwC, 2005B). The assurance function of internal audit has always been perceived as an independent and continuing appraisal of an organization’s internal control system, providing appropriate assurance that the systems were adequate, effective, and could be relied upon (The IIA, 2002). This is important because the internal control system comprises the entire network of systems established in an organization to provide reasonable assurance that organizational objectives will be achieved with particular reference to risk; effective operations; economical and efficient use of resources;
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 379
compliance with procedures, laws, and regulations; safeguarding against loss, including fraud; and the integrity and reliability of information and data (PwC, 2006). If auditors are to succeed in this environment, they must be comfortable with governance, fraud, and ethical audits as they perform an objective evaluation of the control environment. New regulation has elevated internal auditing and moved it to the forefront of executive consciousness and corporate governance. Internal auditors are now being viewed as the “go-to” group and management is more receptive to changes and recognition of those individuals who help minimize the negative consequences of disruption caused by the new regulations (Gray, 2004). Objectivity and professionalism are necessary for effective internal audit services. A change in the traditional services offered leads to an increase in the risks related to objectivity and independence. Managing these risks requires auditors to be competent, have integrity, and to use due care when performing their duties. Training and education provide the foundation for the objectivity needed for auditor competence and adherence to moral values avoids the perception of deception (Mutchler, 2001).
Strategic Perspective Due to the demands for increased corporate governance by external stakeholders, management has been demanding a more tangible explanation of value-added contributions from various functions (Zoellick, 2005). To be perceived to add value, the IAA must strategically align with the needs and priorities of its key stakeholders, including the audit committee, executive management, and external auditors. Strategic implementation has become increasingly important as organizations must compete with other, often more nimble, entities. Therefore, value for internal auditors may be defined as supporting the execution of strategy and those that lead its implementation (Simons, 2000). To achieve this goal, foundational knowledge for internal auditors includes an understanding of the business, the competitive nature of the industry, and the linkages of all functional and operational areas in the company. The importance of academic training in foundational business subjects and a focus on the functions and skills learned in upper-level management courses appear critical for today’s new auditors. Without such knowledge, misunderstanding the strategic orientation of stakeholders could impact perceived value added by and the success of the IAA.
Summary The main message from this literature review is that understanding how internal audit activities create value in an organization is of critical importance. Also important is the recognition that the contemporary IAA is positioned to strategically align its goals with those of its many stakeholders, and yet must remain independent and objective. Another important message from this review is that the IAA must position itself to be actively involved with risk assessment, control, and governance.
The Institute of Internal Auditors Research Foundation
380 A Global Summary of the Common Body of Knowledge 2006 ______________________
Given the regulatory requirements in the United States that have absorbed approximately 50 percent of the IAA’s limited resources, resource allocation has become a key activity of the IAA. Internal auditors need to take full advantage of new technologies such as continuous auditing and software innovations in IAA department management. The IAA must use its limited resources to support key activities and organizational needs. Strategic alignment requires that the internal audit function posture itself as vital to a rigorous, sustainable organizational vision of responsiveness to both internal and external needs. Enterprise risk assessment, and the subsequent allocation of resources to provide assurance about the adequacy of the control environment to key stakeholders, is a daunting task. Audits for all scope areas require a broad set of specialized skills.
Asia Pacific Literature Review on Internal Auditing3 Overview Most available literature relates to Australia, New Zealand, China, Malaysia, Singapore, and Hong Kong. The approach in this literature review is to review the Asia Pacific developments in approximate chronological order rather than country by country.
Early 1980s The first known empirical study on the role of internal auditing in the Asia Pacific region was that undertaken by Cooper and Craig (1983). This seminal research on internal auditing in Australia found a number of issues that were of concern to the profession. It was found that there were a number of misconceptions about what internal auditors were doing and what their chief executive officers (CEOs) perceived was being done, and in fact there were expectations by the CEOs that internal auditors could do more than the traditional financial auditing work mainly being done at the time. There was nevertheless strong support for internal audit by CEOs and at the time it was seen as offering long-term career prospects. However, the profession in Australia in the early 1980s suffered from an image problem, it did not have a strong professional body to represent its interests as it has now, and there were no generally accepted professional qualifications recognized as necessary to practice as an internal auditor. This study was undertaken before the development of modern internal auditing.
3 The Asia Pacific literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of the following article: Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 822-834.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 381
Early 1990s Cooper’s et al. (1989) Hong Kong study surveyed both CEOs and internal audit managers with respective reasonable response rates of 25.8% and 23.1% in a survey of 485 organizations. At the time, this was a very good response rate from business people as the culture in Hong Kong is not generally conducive to responding to surveys. The Hong Kong study was aimed at determining the (then) current state of internal audit practice in Hong Kong, the level of professionalism evident in internal audit departments, and their training needs. The majority of CEOs (45.6%) saw the main role of internal auditing as being an independent appraisal of the internal control system; 21.6% perceived internal auditing’s main role as an independent review of the efficient operation of the organization; and 19.2% were more concerned with proper safeguarding of assets and preventing and detecting fraud and error. From the perspective of internal audit managers, they saw their main role in financial auditing (including internal control reviews), representing up to 50% of the activity in 94% of the internal audit departments responding to the survey. The other major activity was the audit of operational areas to improve operational efficiency, in line with the expectations of the CEOs as noted above. This study also found that only a minority of internal audit managers were members of The IIA and that on-the-job training was mainly relied upon to develop internal audit skills. During 1992, Cooper, et al. (1994) sent a major survey to the internal audit profession in Australia. He mailed questionnaires to CEOs and internal audit managers of a wide range of organizations in both the private and public sectors. The research aimed to provide a profile of internal auditing in Australia in the 1990s. It also addressed a number of issues, including attitudes and recognition; professionalism; role and scope of internal audit work; career opportunities; education and training; and the future role of internal auditing. A total of 687 organizations were surveyed with separate surveys being sent to CEOs and internal audit managers, with usable response rates of 31.0% and 30.9% respectively. Although the overall view was a positive one in terms of attitudes and recognition, there was some confusion between perceptions by CEOs and the reality as seen by the internal audit managers. Findings included: •
The perceived high profile of internal auditing as reported by the CEOs was not necessarily borne out by their understanding of the audit process; for example, their strong support for the “mechanical” aspects of the process rather than a more management-oriented role for internal auditing.
The Institute of Internal Auditors Research Foundation
382 A Global Summary of the Common Body of Knowledge 2006 ______________________
• • • • • • •
Reporting levels were generally less than ideal and the confusion between perceived status and the reality of the situation was further reinforced by internal audit managers’ views on how their role was seen by clients, particularly with respect to a perceived policing function. The survey did uncover some concerns over the number of internal audit managers who are not members of The IIA and confusion about the value of the existing internal audit qualifications such as the CIA designation. Regarding the role and scope of internal auditing, the CEOs appeared to place the greatest emphasis on the audit of financial areas, and yet most internal auditors were by then concentrating on operational areas. There was general overall support for education and training, but there was apparent confusion among internal audit managers as to whether internal auditing is a training ground or a career position. 85 percent of them agreed that management usually implemented audit recommendations. 80 percent agreed that there was adequate feedback from management on audit recommendations. 85 percent agreed (including 24 percent strongly agreeing) that the internal audit activity would become increasingly important to management in the future.
The Mid-1990s In 1996, the first study on benchmarking internal auditing in the region was published by Cooper, Leung, and Mathews (1996). The three countries compared were Australia, Malaysia, and Hong Kong. The paper was based on the aforementioned studies of Australia in 1992, Hong Kong in 1989, and a study by Mathews, Cooper, and Leung in Malaysia in 1994, which was based on a comparable methodology to the Australian and Hong Kong studies. These comparative studies showed that CEOs in Malaysia were very positive in their perceptions of internal auditing as were CEOs in Australia. The perceptions were less positive with CEOs in Hong Kong. CEOs’ understanding of internal audit activities in Malaysia and Australia appeared to set positive benchmarks, with Malaysian CEOs particularly positive in their view of internal auditing as an independent review of the efficient operation of the organization. However, the CEOs in Hong Kong were more concerned with internal audit resources being devoted to appraisal of internal control, which is reinforced by their views of internal auditing being more exploitative and authoritative than consultative. An important benchmark is ensuring that audit recommendations are well thought through and useful for management and this will normally be evidenced by the extent to which management takes notice of, and implements, internal audit findings. In this comparative study, 79.6% of Australian
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 383
internal audit managers agreed (with 19.1 % strongly agreeing) that CEOs recognize their accomplishments, compared with 80.1% in Malaysia and 83.3% in Hong Kong (although in this case, only 13.6% strongly agreed). With respect to the implementation of internal audit recommendations by management, 85.5% of internal audit managers in Australia were in agreement, compared with 84.4% in Malaysia and 84.9% in Hong Kong. With regard to the adequacy of feedback from management on audit findings and recommendations, more than 75% of internal audit managers in all countries were positive on this issue.
The Late 1990s In 1997, a special edition on internal auditing in China was published by Managerial Auditing Journal, with papers by a number of practitioners and academics. Although none of the papers presented empirical data, they did provide an insight into internal audit practice in China at the time. It is important to understand that the internal audit activity in China is an agent of the State, unlike in Western countries. Tang, Chow, and Cooper (2000) provide a background on how internal auditing operates in China in their book Accounting and Finance in China - A Review of Current Practice. In 1983, the State Council in China established the Audit Administration of the Peoples Republic of China (AAPRC) to supervise all auditing activities in the republic, and in 1988 issued the Regulation on Audit of the People’s Republic of China, the first comprehensive statute on state audit, which dictated that state auditing, internal auditing, and public auditing are all to be guided by the AAPRC. In 1994, the Eighth National People’s Congress adopted the Audit Law of the People’s Republic of China, which provided for an audit organizational framework consisting of government audit institutions (departments), internal audit institutions, and public audit institutions set up at various levels with varying degrees of authority. Under the system in China, the designated scope of work carried out by internal audit institutions includes the audit of financial revenues and expenditures; the audit of economic contracts; the audit of construction projects; and the audit of internal control. An additional audit area is the audit of economic responsibility, which ensures that management assumes its economic responsibilities, including the maintenance of assets, observance of economic laws and regulations, and fulfillment of operational budgets. Cai (1997) agrees with the categorization of internal audit roles as noted by Tang, Chow, and Cooper (2000), but observes that as the socialist economy continues to develop in China, it is the latter role of the audit of economic responsibility that is assuming major importance. As the economy develops, different challenges will face internal auditing, and as management and state ownership separate in formerly State-owned enterprises, the role of internal auditing to help management make the transition and still protect the interests of the State will become more important. Wang
The Institute of Internal Auditors Research Foundation
384 A Global Summary of the Common Body of Knowledge 2006 ______________________
(1997) also points out that with the development of the market economy, enterprises need to improve internal control systems, management and production technology, and reduce production costs; therefore, market competition requires the strengthening of internal auditing. In addition, the Chinese have a practice called “guanxi” in business. In the Chinese language, “guanxi” is the term for a personal relationship. It refers to the networks of informal relationships and exchanges of favors that dominate all business and social activities that occur throughout China (Lovett, et al., 1999; Lou, 1997). Guanxi works on the basic, unspoken word. Individuals seek to meet their guanxi responsibilities, and failure to do so results in damaged prestige. In China, business people first strive to build personal relationships with a potential customer and, once admitted to the clan/guanxi family, business follows. Thus, trust must be established before business may be conducted. Guanxi is nurtured by the exchange of gifts and favors. However, such gifts strike ethical nerves in Western society as gifts are contrary to at least the spirit if not the letter of the laws such as Sarbanes-Oxley and make it hard to follow internal auditing standards.
2000 Onward A major study has been undertaken in New Zealand by Van Peursem (2004) on internal auditors’ role and authority. In this study, internal auditors were asked to come to a view on whether functions they perform in connection with internal audit engagements are essential, and to what degree they feel they enjoy the authority over, and independence from, management that we might expect of a professional. The research constituted a survey of New Zealand auditors, all of whom were members of the New Zealand affiliate of The IIA. A very high response rate of 73% was achieved over the original and follow-up survey. The study found that characteristics of a “true” profession exist but did not dominate. Significantly, and as subgroups, Van Peursem (2004) also observed that public practice and experienced auditors may enjoy greater influence over management, and accountancytrained auditors may enjoy greater status owing to the “mystique” of their activities emanating from their membership of well-known accountancy professional bodies. Van Peursem (2004) also notes that Cooper et al. (1996) identified a potential issue in confusion between expectations that internal auditors will both independently evaluate management’s effectiveness, and also aid management. More recent observations by Glascock (2002) and McCall (2002) have expressed similar concerns. Van Peursem (2004) also concludes that a key issue is that internal auditors will assume whatever position is in the best interests of their employer and be reluctant to counter management, irrespective of the consequences, which is potentially damaging in terms of image for the internal audit profession.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 385
In a follow-up study in New Zealand, Van Peursem (2005) examined the role of the New Zealand internal auditor and conceptualized on the auditor’s influence over that role. The fundamental question is how an effective internal auditor can overcome the tension of working with management to improve performance, while also remaining sufficiently distant from management in order to report on their performance. The research found that there are three concepts characteristic of those who best balanced their role: the internal auditor’s external professional status; the presence of a formal and informal communication network; and the internal auditors’ place in determining their own role. Informing these concepts is the auditor’s ability to manage ambiguity. This was a qualitative study using a multiple case-based approach in which the researcher made observations, examined documents, and interviewed senior internal auditors in six New Zealand organizations. In a Singaporean study reported by Goodwin and Yeo (2001), factors that may impact on the independence and objectivity of internal auditing were investigated. In particular, the researchers considered the relationship of internal auditors and the audit committee and the use of the internal audit activity as a management training ground, in terms of the potential effect on the independence and objectivity of internal auditing. A survey of chief internal auditors found a strong relationship between internal auditing and the audit committee, particularly where the committee was comprised solely of independent directors. Chief internal auditors were generally found to have regular and private access to the audit committee and this was supported by the regulatory framework in Singapore, which provided support for the independence and objectivity of internal auditors. The use of internal auditing as a management training ground was also found to be widespread. It was also more common where an audit committee existed and where the organization was a larger entity. This existence of an audit committee minimized any negative impact on independence and objectivity of the internal audit activity in situations where internal auditing was used as a management training ground. A study undertaken by Goodwin (2004) explored similarities and differences between public sector internal auditing and its counterpart in the private sector. Features examined include organizational status, outsourcing, using internal auditing as a “tour of duty” function, audit activities, and relationships with the external auditor. The study is based on a survey of chief internal auditors in organizations in Australia and New Zealand. Results suggest that there are differences in status between the internal audit activity in the two sectors, with public sector internal auditors generally reporting to a higher level in the organization. While a similar amount of work is outsourced, public sector organizations are more likely than those in the private sector to outsource to the external auditor. There is little difference between internal audit activities and interactions with external audit in the two sectors. However, private sector internal auditing is perceived to lead to a greater reduction in external audit fees compared to that in the public sector.
The Institute of Internal Auditors Research Foundation
386 A Global Summary of the Common Body of Knowledge 2006 ______________________
Goodwin-Stewart and Kent (2006) explored the voluntary use of internal auditing by Australian publicly listed companies and sought to identify factors that lead listed companies to have an internal audit activity. The study predicted that internal audit use is associated with factors related to risk management, strong internal controls, and strong corporate governance. To test the predictions, the study combined data from a survey of listed companies with information from corporate annual reports. The results indicate that only one-third of the sample companies use internal auditing. While size appears to be the dominant driver, there was also a strong association between internal auditing and the level of commitment to risk management. However, the study found only weak support for an association between the use of internal auditing and strong corporate governance. The study indicates that a large proportion of Australian listed companies do not use internal auditing and many of those firms that do have only one or two internal audit staff, a finding supported by research by Leung, Cooper, and Robertson (2004). The implications of these findings for sound corporate governance are serious, as it has been suggested that it is difficult for audit committees to be effective without the support of internal auditing. It would appear that there is considerable scope for strengthening the relationship between internal auditing, audit committees, and external auditors. Leung et al. (2004) researched the role of internal auditing in corporate governance and management in Australia. The specific objectives of the research were to identify the accountability structures and internal audit objectives of organizations; determine the nature and extent of internal audit practice; determine the management and governance relationships of chief audit executives (CAEs) within organizations; assess the application of the redefined internal audit activity; identify financial reporting risks and governance issues encountered by internal auditors; assess the effectiveness of internal auditing’s role in management accountability in a world actively concerned with corporate governance issues; and recommend improvements in internal auditing. The researchers used a two-pronged approach to ascertain information pertinent to the objectives. First, the total population of CAEs in Australia was surveyed using an e-mail survey. The population total, based mainly on membership of The Institute of Internal Auditors – Australia, was 397 and a 21.4% response rate yielded 85 usable responses. Second, eighteen CAEs were interviewed to gain a deeper insight into issues that internal audit faces in Australia. To minimize any selection bias, an additional seven senior business representatives from listed companies and the governmental sectors, including regulatory bodies, were also interviewed. This Australian study found that CAEs were generally very positive about the performance of the internal audit activity. They see themselves as a key part of the management team, and that they can influence decisions, maintain a sufficient level of objectivity, integrity, and competence in their jobs, and are able to provide good support for their own staff. They view the culture and support of management as a key factor in ensuring the effectiveness of their role.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 387
A high percentage of respondents indicated that they perceived management recognized their role in enhancing good corporate governance and that management appeared to take an interest in their work. On the other hand, there were views expressed that they should have a greater role in the organization’s governance processes, although some were concerned that they did not have sufficient resources to discharge such additional work effectively. Many were also unsure about how they should actually go about making an effective contribution to the improvement of corporate governance in their organizations. What this Australian study indicates is that despite the universal concerns about the need to enhance good corporate governance and the contribution that the internal auditing profession can make, the internal auditor’s role in contributing to the process cannot be taken for granted. Ernst & Young et al. (2005) undertook a benchmarking study of internal audit services in the communications and entertainment sectors in both Australia and New Zealand. The study found that 63% of respondents indicated they had entered into a co-sourcing relationship with an external party and 13% had completely outsourced their internal audit function. With regard to reporting relationships, 72% report primarily to the chair of the audit committee and 62% have increased the size of their internal audit activities in the prior 12 months. With respect to corporate governance, 63% of respondents are involved in providing assurance or monitoring compliance with the Australian Stock Exchange (ASX) Corporate Governance Principles. Fadzil et al. (2005) undertook a study in Malaysia to determine whether the internal audit department of the companies listed on the Bursa Malaysia (Malaysian Stock Exchange) comply with the Standards and whether compliance with the Standards affects the quality of the internal control system of the company. It was found that management of the internal audit department, professional proficiency, objectivity, and review processes significantly influence the monitoring aspect of the internal control system. The scope and performance of audit work significantly influences the information and communication aspects of the internal control system, while performance of audit work, professional proficiency, and objectivity significantly influence the control environment aspect of the internal control system. The study also shows that management of the internal audit department, performance of audit work, the audit program, and audit reporting significantly influence the risk assessment aspect of the internal control system. Lastly, performance of audit work and audit reporting significantly influences the control activities aspect of the internal control system. A study in Malaysia by Ali, et al. (2004) looked at internal auditing in the state and local governments of Malaysia. Based on a series of semi-structured interviews, the authors found that only a minority of local governments in Malaysia have an internal audit activity. The presence of quite a small
The Institute of Internal Auditors Research Foundation
388 A Global Summary of the Common Body of Knowledge 2006 ______________________
number of local governments with internal auditing may be due to the fact that in at least two states, the internal audit activity of their local government departments is conducted by the internal audit departments or units attached to the two state governments. There is no comfort, however, for such an arrangement – though it is certainly better than having no internal audit done at all at the local government level. This is because internal auditing in so many of the state governments and their statutory bodies is operating with numerous limitations. The severest problems are concerned with a shortage of audit staff and staff lacking in audit competencies. In many organizations, the non-audit personnel and top management are generally unsupportive of internal auditing. Another study in Malaysia by Ernst & Young (2004) was undertaken to develop an understanding of the practice of internal auditing following the tightening of regulations and the increasing importance of risk management and corporate governance practices in Malaysia. The survey was given to participants of The IIA Malaysia’s National Conference held in September 2004 in Kuala Lumpur. Responses were received from 292 out of more than 600 participants. A total of 87% of the respondents stated that the primary function of internal auditing is to provide assurance of internal control and risk management processes and systems. The secondary role of the internal audit activity is focused on three areas, namely, operational reviews (32%), efficiency of operations/ cost savings (20%), and risk management (11%). The majority of respondents indicated having staff levels ranging from less than 5 to 25, although 50% of the respondents indicated that the size of internal auditing has increased in the past 12 months. The increase in the number of internal audit staff could be the result of the rising importance of corporate governance in Malaysia. Respondents reported that more than half of the internal audit staff are qualified auditors (53%), complemented by staff with a commercial background (26%) and information technology specialists (12%). Most of the respondents (in excess of 70%) indicated that their methodology commonly included risk assessment, control evaluation, and process analysis. However, about 13% and 15% of the respondents respectively reported not having a risk assessment and control evaluation process. Only 30% of respondents reported internal auditing having commissioned an independent review. Of the 30% of respondents who indicated that a review had been conducted, 46% indicated that the review was conducted by peer companies while 44% engaged a professional services firm. Ernst & Young (2005) also conducted a survey of internal auditing in Australia and New Zealand of the Australian Stock Exchange’s (ASX) top 200 companies in Australia and the top 100 listed companies in New Zealand and received 173 responses. The aim of the survey was to further the understanding of how internal audit activities in both the public and private sectors are continuing to evolve to meet ever-increasing demands and expectations. In total, 39% of respondents increased the size of their internal audit activities over the previous 12 months and 78% of internal audit activities now report to either the audit committee chair or the CEO. Just 54% of internal audit
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 389
staff have a financial background, suggesting that internal audit teams are increasingly undertaking non-financial reviews and recruiting more commercial and other specialist skills; 77% of respondents have at least part of their internal audit conducted by an external party, mostly due to the need for specialist skills. Over half the organizations surveyed have changed the coverage of internal auditing to help support the ASX Principles of Good Corporate Governance. These internal audit teams are undertaking more detailed controls testing and increasing their focus on providing assurance around risk management frameworks to underpin compliance with the principles. In New Zealand, 76% of private sector respondents have audit committees that satisfy the requirements of the updated New Zealand Stock Exchange Listing Rules. In both countries, 84% of internal audit activities are basing their annual audit plan on generally accepted risk management principles. Carey et al. (2006) undertook a study to investigate the determinants of internal audit outsourcing using survey data on 99 companies listed on the Australian Stock Exchange. It was noted that 54.5% of companies fully rely on an in-house internal audit activity, with the others outsourcing all or some of their internal audit activities. Outsourcing is associated with perceived cost savings and the technical competence of the provider. However, it was also observed that 75% of those companies outsourcing did so to their external auditor, which may have implications for perceptions about the independence of the external auditor.
Summary The above provides a summary of the trend and literature covering internal auditing in the Asia Pacific region from the seminal work by Cooper and Craig in 1983 until the most recently reported studies in the academic and professional literature. In reviewing the above literature, a few observations can be noted: • •
•
While internal auditing has been strongly supported by management, including the CEOs, conclusive consensus as to the role of internal auditors has not yet emerged. The function of internal auditors has changed from a more financially oriented role into one that focuses on internal controls and risk assessment through the last two decades. CEOs have generally perceived internal auditing as having a financial function, while internal auditors moved their emphasis into systems and risks. There was, and still is, confusion regarding the independence of internal auditors. This is made more complex by the definition of internal auditing which encompasses both the expectations of the consulting role and the assurance role. Internal auditors are uncertain as to how to balance independence in both roles.
The Institute of Internal Auditors Research Foundation
390 A Global Summary of the Common Body of Knowledge 2006 ______________________
• • •
•
During the 1990s, the increasing use of international accounting firms in consulting and assurance engagements overshadowed the internal audit function. The U.S. Sarbanes-Oxley Act of 2002 added the dimension of internal financial reporting assurance expected of internal auditors and audit committees. With the apparent lack of a structured approach to the body of knowledge, a clearly defined role, and an apparent lack of status underpinned by a rigorous generally accepted professional program (the CIA program has had limited uptake in Asia Pacific), internal auditing has suffered from lack of prominence in Asia Pacific. The Common Body of Knowledge 2006 study is timely and highly significant in shaping the internal auditing profession in Asia Pacific in the years to come.
European Literature Review on Internal Auditing4 Overview This section summarizes the major studies addressing internal auditing and related corporate governance issues in Europe and is drawn from work carried out by authors from Belgium, Italy, the Netherlands, and the United Kingdom. Physically, Europe can be described as a continent that contains approximately 45 separate nations ranging in size from the smallest states in the world to among the largest. Politically and economically, there is a diversity that includes former centralized economies (former USSR states such as Russia and Ukraine), economies where state intervention is active (France), and free market capitalist economies (such as the U.K.). There is also a range of developmental status from post-industrial through to agrarian-based. Culturally, Europeans speak more than 200 different languages (with many states being as a minimum bilingual and trilingual). Given that each state also has its own legal system and business traditions it is not surprising that there can be no “one size fits all” code of corporate governance. The following is a summary of the major European studies on internal auditing.
4
The European literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of the following article: Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literature review on internal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 391
Institut Français de l’Audit et du Contrôle Internes (2005) This French study followed up a previous version in 2002 that was conducted in conjunction with Ernst & Young. The survey was sent to 508 chief audit executives (CAEs), with a response rate of 37%. Both the private and public sectors were included. Statistics include detailed descriptive results illustrated with charts and tables completed with results from interviews with the six major CAEs. By conducting this survey, Institut Français de l’Audit et du Contrôle Internes (IFACI) wanted to assess the recent evolution in internal auditing in France, investigate the impact of new laws and regulations, and assess the future of internal auditing. Major findings are discussed below.
Internal Audit Role in Corporate Governance The independence and objectivity of internal auditors are guaranteed by their double reporting lines to top management and the audit committee. About 50% of the internal audit departments in this study have a formal meeting with their top management every quarter, whereas 40% of the CAEs have private meetings with the head of the audit committee. The audit committee is primarily interested in the internal audit activities and mainly the implementation of their recommendations. More than half of the internal audit departments are involved with activities related to corporate governance.
Internal Audit: Still Strongly Focused on Assurance Assurance engagements are still dominant, representing 73% of the working agenda of internal auditors. These engagements mainly deal with the evaluation of internal controls, as well as compliance audits. With respect to consulting engagements, internal auditors give advice and participate in specific projects or working teams.
Internal Audit’s Role in the Implementation of New Laws and Regulations It is interesting to see that internal auditors play a key role in implementing laws such as the “Loi de Sécurité Financière” and Sarbanes-Oxley. More than two-thirds of the internal audit departments have developed a project on internal control reporting and 74% have dedicated a part of their working time on the implementation of Sarbanes-Oxley. These two laws have slightly changed internal audit’s work in that it has become more risk-based. In those companies that have to comply with Sarbanes-Oxley, internal auditors currently spend more time on the evaluation of financial controls and regularly conduct financial audits.
The Institute of Internal Auditors Research Foundation
392 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Auditors as Credible, Objective, and Professional Partners A large majority (82%) of the internal audit departments have an internal audit charter, formally approved by top management and the audit committee. In order to guarantee their objectivity, most of the internal auditors adhere to the Code of Ethics defined by the profession. Even when the internal audit plan is strongly influenced by specific requests from top management and the audit committee, the internal audit plan is, in a majority of the cases, also based on a risk assessment. It was observed that a significant number of CAEs have difficulty finding people with the right competencies. This is one of the main reasons why internal audit is calling more and more for expertise coming from other internal departments or from external providers.
Internal Audit has Sufficient Financial and Human Resources On average, companies have 2.85 internal auditors for every 1,000 employees, with large differences between sectors. In a majority of the companies, the internal audit budget remains stable, whereas in 42% of the companies, the internal audit budget increased. About 25% of the internal audit departments have existed for less than five years and 74% of the departments have less than 10 internal auditors. The profile of an internal auditor did not change during the last three years.
IIA Belgium (2006) IIA Belgium carried out a survey of its members from November 2005 until March 2006. This survey was strongly inspired by the IFACI study in France. Internal audit departments in 260 Belgian private companies were contacted. The response rate was 31%, which is quite good for a first general survey about internal auditing in Belgium. The survey addressed issues with respect to the internal audit department, the internal audit activities, risk management and the role of internal auditing, the relationship with stakeholders, and the future evolution of internal auditing. The survey illustrates that, in Belgium, internal auditing is still a relatively young profession. The main findings are illustrated below.
Internal Audit Department Review In terms of age of the internal audit department, more than 50% were created less than 5 years ago. Most internal auditors have working experience in finance, operations, or external audit. Internal auditors’ education level is at least at the bachelor’s degree level. On average, internal auditors remain in internal auditing for less than four years (53% of the respondents). The recruitment channel for internal auditors is equally spread between internal and external sources. CAEs have
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 393
a relatively short experience in audit, with 64% of the CAEs having less than 10 years experience in audit. Only 37% of the internal audit departments observed are conducting satisfaction surveys with their auditees. Networking is important for internal auditors as more than 80% have regular contacts with colleagues from other companies.
Internal Audit Activities Integrated and operational audit represent globally more than 50% of the activities of the responding internal audit departments. Consulting activities remain low (on average 12% of the annual working time), but a majority of the responding internal audit departments expected an increase in consulting activities in the next two years. An internal audit charter is used in more than 90% of the cases. On average, 65% of the internal audit plan is based on a risk analysis, but discrepancies have been observed by sector. In 42% of the cases, the yearly internal audit plan is adapted more than twice a year to take new requirements and priorities into consideration. On average, 65% of the recommendations are implemented within one year after the audit. In general, 61% of the responding internal audit departments do not use outsourcing or co-sourcing today, but they expect to use, to some extent, more external service providers in the future.
Role of Internal Auditing in Risk Management Seventy percent of the respondents’ organizations have set up a risk measurement process. It is also remarkable to notice that in a lot of companies, not everyone knows the policies and procedures he or she has to follow. Gaps are observed by sector in terms of risk management practices. On average, 29% of the respondents’ IAAs are responsible for the risk management process for their organizations.
Relationship with Stakeholders Seventy-four percent of the CAEs report functionally to the audit committee. In 74% of the internal audit departments reviewed the audit committee is in charge of dismissing the CAE, and in 51% of the cases the audit committee approves the internal audit budget. In second position, it is the CEO who dismisses the CAE (44%) or approves the budget (49%). Some deviations have been observed by sector. It is interesting to see that the relationship with the audit committee is positively perceived by most responding internal audit departments. Furthermore, there are exchanges between internal audit and external audit (audit reports and audit planning). However, the relationship is less intensive in the other direction. Overall, the responding internal audit departments are satisfied with their
The Institute of Internal Auditors Research Foundation
394 A Global Summary of the Common Body of Knowledge 2006 ______________________
interaction with the CEO. Although CAEs are generally satisfied about their interaction with the CFO, this relationship is less intensive than the one with the CEO.
Challenges for Internal Auditing The relationship with the audit committee and the board of directors needs to be reinforced and the assurance provided by internal auditing should become the best independent and objective assessment in terms of risk management, internal controls, and corporate governance. The activities of internal auditors will be adapted to the new requirements and evolve with the new legislation and the new challenges of the organization. The profile of the internal auditor is evolving in order to meet the broader scope of activities. The profession still needs to become more recognized within the companies. Moreover, internal auditors need to aspire to a longer career in internal auditing.
Sarens and De Beelde (2006) This study addressed internal auditors’ perception about their role in risk management, and compared United States (US) and Belgian companies. The purpose of the study was to describe and compare in a qualitative way how internal auditors perceive their current role in risk management within U.S. and Belgian companies, and was based on ten case studies (interviews with CAEs and analysis of relevant documents). In the Belgian cases, internal auditors’ focus on acute shortcomings in the risk management system creates opportunities to demonstrate their value. Internal auditors are playing a pioneering role in the creation of a higher level of risk and control awareness and a more formalized risk management system. In the U.S. cases, internal auditors’ objective evaluations and opinions are a valuable input for the new internal control review and disclosure requirements of Sarbanes-Oxley. In Belgium, the internal auditing profession is actually in a kind of “transition phase.” In order to survive this phase, internal auditors need to assume a “teaching role” vis-à-vis the different management levels to make them aware of their responsibilities in risk management. After this transition period, internal auditors will be able to focus more on their core activities.
Arena and Azzone (2006) This study explores the relationship between enterprise risk management (ERM) and internal auditing. Particularly, this study analyzed internal auditing’s role with respect to ERM systems and the integration of ERM and internal audit activities. The results are based on multiple case studies applying semi-structured interviews.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 395
The results show a high diversity in risk management systems with respect to the actual adoption of an integrated risk management system, the techniques that companies apply to identify risks, and the methodologies applied for risk assessment. Internal auditors mainly provide assurance on the ERM process, and in some cases they support the implementation and management of the process. In half the cases, they found a partial integration between ERM and internal audit activities. More specifically, this integration concerns the comparison of risk maps made by managers and those made by internal auditors, the integration of evidence that arises from self-assessment to support the internal audit plan, and the incorporation of the ERM process in the internal audit reports.
Allegrini and D’Onza (2003) Based on a survey of the top 100 companies listed on the Italian stock exchange, this study investigates internal auditing and risk assessment practices in large Italian companies. The analysis of the survey answers indicates the existence of three different approaches to internal auditing in the Italian context. Some companies (25%) have a small internal audit department that carries out traditional assurance activities. The internal auditor is still perceived as an inspector. These companies do not integrate the COSO methodology into their audit process, and have a control system entirely based on hard variables. The annual audit planning generally follows an audit-cycle approach. This model is often found in smaller companies. In most companies (67%) internal auditors are providing some contributions to the risk management process and are trying to incorporate the COSO model in the internal control policies and procedures as well as in the audit process. In this context, internal auditors perform mainly operational audits and make use of risk assessment findings in planning the annual schedule of audits (macro level). In planning the individual audits, they generally start from the recognition of significant risks inherent to the activity in order to limit or expand the test of controls. The internal audit department of financial institutions generally follows this model. Moreover, it is possible to identify a few large companies (8%) in which the internal audit unit is also focused on consulting activities. Internal auditors attempt to add value through a more active support to risk management at different levels and to align internal audit objectives with the strategic goals of the organization. This group includes the “early pioneers” in control and risk self-assessment (CRSA) projects, insofar as they try to strengthen the accountability at all levels of management for risk and control. They focus their work on significant risks, and they are trying to adopt a collaborative approach with line management. A risk-based approach is applied both at the macro and the micro levels so that we can assume they are embracing the risk paradigm as suggested by Selim and McNamee (1998). Furthermore, internal auditors focus on monitoring activities and soft controls.
The Institute of Internal Auditors Research Foundation
396 A Global Summary of the Common Body of Knowledge 2006 ______________________
The survey results also show that, in Italy, control and risk self-assessment may be considered in a “start-up phase,” since it is possible to identify a few “early pioneers” implementing self-assessment throughout their entire organization. Some other companies claim to have started applying CRSA only in a few business areas while others reveal their willingness to introduce it within the next few years.
Tettamanzi (2003) This study, based on a questionnaire sent to 150 private companies, describes the historical evolution, current state, and prospects for future developments of internal audit practices in Italy and the United Kingdom. Tettamanzi found that the percentage of time spent on financial auditing is lower than the other types of activities (like compliance or operational reviews). In Italy, as well as the U.K., it was found that if internal auditing has existed for a period of time, its activities mainly focus on operational and management auditing. If the internal audit unit has been recently set up, they mainly focus on financial auditing. Nevertheless, the relevance of financial auditing was higher in the past. Currently, more resources have been devoted to operational and management audit and this will increase in the future. The study also reveals that in the U.K., many companies have introduced an internal audit department to comply with the Cadbury Code. Similarly, in Italy, the Preda Code has determined the introduction and improvement of internal auditing in listed companies.
Arena, Azzone, Casati, and Mello (2004) This study is based on a survey within 365 private Italian companies and investigates the existence and characteristics of an internal audit activity and the activities performed. It was found that 74% of the responding companies have introduced an internal audit activity. The existence of an internal audit activity differs between industries and can be linked with the company size. For those companies that did not have an internal audit activity at that time, 30% had intentions to introduce one in the future. However, 50% are not willing to introduce an internal audit activity in the future, whereas 20% have removed their internal audit activity. More than 50% of the internal audit departments in this study have less than five internal auditors. With respect to the internal audit agenda, they found that operational audits, compliance audits, and the monitoring of the internal control system are the most prevalent activities.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 397
Allegrini and Bandettini (2006) This study replicated an earlier study by Selim and Woodward (2004) in the U.K. and Ireland and focuses on internal audit and consulting assignments. The questionnaire was adapted to the Italian context and sent to the members of the Italian Institute of Internal Auditors. The results reveal that the new definition of internal auditing changed consistently the percentage of time allocated to consulting assignments, which moved from 7% to 26%. The perceptions regarding internal auditors’ involvement in consulting activities are positive or very positive in 73% of the responding companies. It is interesting to see that 69% of the respondents indicate that they perform consulting assignment regarding the Law number 231 (issued in 2001), which requires companies to set up a structured internal control system. More than half of the respondents (53%) declared to work on consulting assignments regarding corporate governance and risk management.
Other Studies on Internal Auditing that Address European Issues Rittenberg and Covaleski (1999) addressed outsourcing of internal auditing services in a government environment and provided insight into the methods and reasons for outsourcing. Melville (1999) addressed the current state of the art of control self-assessment (CSA) practice in the U.K. The overview was based on a survey of the top 50 companies listed on the FTSE, while the other two elements were based on structured interviews. The conclusions drawn were that CSA is widely seen as a beneficial practice, although it may not be repeated after the first exercise. Hopkins (1997) discussed the fundamental differences in perceptions of internal audit quality between providers of internal audit services and their prospective clients. The study was based on the U.K. public sector. Selim and Yiannakis (2001) addressed the various levels and methods of outsourcing in private and public sector organizations and discussed the various levels of success. Melville (2003) undertook a study based on an international survey of internal auditors, of which European responses were approximately 12% of the sample. The results showed that internal auditors were highly geared toward making a contribution to strategic management, especially where a balanced scorecard type of system was used. Selim, et al. (2003) found that based on a survey of six countries, internal auditors already play a key role in the mergers and acquisitions process, though it was also found that they would prefer this role to be further developed. Paape, Scheffe, and Snoep (2003) reviewed a survey carried out by the European Confederation of Institutes of Internal Auditing (ECIIA). While the authors were
The Institute of Internal Auditors Research Foundation
398 A Global Summary of the Common Body of Knowledge 2006 ______________________
unsure about the rigor of their research (due to problems with distribution of the questionnaires rather than a fundamental flaw in methodology), it is clear that there is a wide variety of internal audit responses to corporate governance issues.
South African Literature Review on Internal Auditing5 Twenty years ago internal auditing in South Africa was not well known as a profession. In South Africa, a number of factors contributed to the changes, development, and growth of the country’s internal auditing profession. During the past five years, there were three major contributors to the large unexpected growth of the profession in South Africa. The first was the reports of the King commission on corporate governance (King I: 1994 and King II: 2002). The second was the Public Finance Management Act (SA 1999. Section 38), which made it a legal requirement for all forms of public organizations to have an internal audit activity in line with the Standards. As internal auditing is a relative new profession in South Africa, limited formal research publications were found on internal auditing within the country. The following briefly discusses the various research publications found about internal auditing in South Africa.
Communication Skills During his research, Fourie (2006) attempted to find answers to two research questions. The first was whether tertiary institutions (universities) in South Africa teach sufficient communication skills to enable aspiring internal auditors to perform their internal audit assignments professionally. The second question was whether internal auditors in practice regard themselves as having sufficient communication skills in order to conduct their internal audit assignments professionally. The results of the study revealed that universities in South Africa do not teach adequate communication skills to aspiring internal auditors. The respondents indicated that they do not possess adequate communication skills to professionally conduct their internal audit engagements.
New Standards Address Challenges Faced by the Profession Coetzee & du Bruyn (2001) investigated the limitations of the previous Standards and the changes in the new Standards. They found that change in auditing required by the new Standards was
5
South Africa’s literature review was written by Houdini Fourie of the Tshwane University of Technology, South Africa and Elmarie Sadler of University of South Africa.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 399
difficult to analyze because the new Standards were to be used in conjunction with the previous Standards at the time of the paper’s publication. Coetzee & Du Bruyn are of the opinion that the new Standards successfully address the challenges faced by internal auditors in the profession.
Effectiveness of Public Service Audit Committees The question for this research was the effectiveness of public service audit committees in improving accountability in the South African public service as perceived by the independent external auditors of government (Van der Nest, 2007). Van der Nest stated that “the audit committee is a key accountability instrument, playing a crucial role in the financial management and control environments of public corporations.” Audit committees are increasingly regarded as integral to modern control structures and governance practices in both the private sector and public service. The establishment of audit committees is recognized as best practice with respect to good corporate governance. The establishment of audit committees is legislated in the financial management legislation in South Africa.
Importance of Quality Control In her study, Marais (2003) investigated the importance of quality control within internal audit activities as prescribed by the Standards and guidelines of The IIA. The study also attempted to determine to what extent these Standards and guidelines are applied in internal audit activities in South Africa. The study concluded that quality control is not adequately applied within all IAAs in South Africa. Compliance with the Standards that were implemented during January 2002 should help to improve the situation. Marais further concluded that The IIA should take action to motivate IAAs to exercise quality control according to the Standards.
Compliance with Good Practice and Legal Requirements by Audit Committees In his paper, Van der Nest (2005) evaluated the compliance with good practice and legal requirements by audit committees in South Africa’s government departments. The performance in four of the audit committees’ important areas of responsibility was also measured. The initial general observation by Van der Nest was that there is sufficient compliance with the legal framework within which the South African public sector audit committees function. A further observation was that there is general compliance with good practice for audit committees in the South African public sector. According to Van der Nest, evidence shows that “…there is a preoccupation with control issues and internal audit reports.” Van der Nest is concerned about the
The Institute of Internal Auditors Research Foundation
400 A Global Summary of the Common Body of Knowledge 2006 ______________________
absence or lack of other critical issues that should be addressed by audit committees, including risk management, processes, financial reporting, and corporate governance.
Summary The literature indicates many changes in the activities performed by internal auditors over the past 30 years. The increasing complexity of business transactions, a more dynamic regulatory environment, and significant advances in information technology are developments that have resulted in opportunities and challenges for internal auditors. One of the objectives of CBOK 2006 was to gather information on the current state of internal auditing around the world to determine the current state of the art for the practice of internal auditing to add to the growing literature and study of the internal auditing profession.
References 1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. 2. Albrecht, W.S, J.D. Stice, and K.D. Stocks, A Common Body of Knowledge for the Practice of Internal Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation), 1992. 3. Ali, A.M., S.Z. Saidin, M.Z. Ghazali, M.S. Rahim, M.H. Sahdan, A. Ali, and A. Ahmi, Internal Audit in the State and Local governments of Malaysia, Working Paper, Universiti Utara Malaysia, 2004. 4. Allegrini, M., and E. Bandettini, Internal Auditing And Consulting Assignments In Italy: An Empirical Research, Fourth European Conference on Internal Audit and Corporate Governance, 2006b. 5. Allegrini, M., and G. D’Onza, “Internal Auditing and Risk Assessment in Large Italian Companies: an Empirical Survey,” International Journal of Auditing 7 (3), 2003, pp. 191-208. 6. Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literature review on internal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853. 7. Anderson, U., “Assurance and Consulting Services,” In Research Opportunities in Internal Auditing, Ch. 4, Bailey, A.D., A.A. Gramling, and S. Ramamoori (eds.) (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2003. 8. Arena, M., and G. Azzone, “Internal Audit in Large Italian Companies: adoption, development and evolution,” Fourth European Academic Conference on Internal Audit and Corporate Governance, 2006. 9. Arena, M., G. Azzone, P. Casati, and F. Mello, Rapporto di ricerca, Italian Institute of Internal Auditors, 2004. The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 401
10. Barrett, M.J., G.W. Lee, S.P. Roy, and L. Verastigu, A Common Body of Knowledge for Internal Auditors: A Research Study (Altamonte Springs, FL: The Institute of Internal Auditors), 1985. 11. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal Auditing: The Global Landscape (Altamonte Springs, FL: The Institute of Internal Auditors), 1999a. 12. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal Auditing Knowledge: Global Perspectives (Altamonte Springs, FL: The Institute of Internal Auditors), 1999b. 13. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P. J. Roebuck, Competency: Best Practices and Competent Practitioners (Altamonte Springs, FL: The Institute of Internal Auditors), 1999c. 14. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, The Future of Internal Auditing: A Delphi Study (Altamonte Springs, FL: The Institute of Internal Auditors), 1999d. 15. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Assessing Competency in Internal Auditing: Structures and Methodologies (Altamonte Springs, FL: The Institute of Internal Auditors), 1999e. 16. Burnaby, P.A., S. Hass and M.J. Abdolmohammadi, “A survey of internal auditors to establish the scope of the common body of knowledge study in 2006,” Managerial Auditing Journal 21 8, 2006, pp. 854-868. 17. Cai, C., “Internal audit under the socialist market economy system,” Managerial Auditing Journal 12 (4/5), 1997, pp. 210-213. 18. Carey, P., N. Subramanaim, and K. Ching, “Internal audit outsourcing in Australia,” Accounting and Finance 46 (1), 2006, pp. 11-30. 19. CIA World FactBook, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006. 20. Chapman, C., and U. Anderson, Implementing the Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation) 2002. 21. Coderre, D., Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2005. 22. Coetzee, G.P., and Du Bruyn, “The relationship between the new IIA standards and the internal auditing profession,” Meditari 9(6), 2001, pp. 1-79. 23. Cooper, B.J., and J. Craig, A Profile of Internal Audit in Australia (Melbourne: Royal Melbourne Institute of Technology), 1983. 24. Cooper, B.J., P. Leung, and C. Mathews, “Benchmarking – a comparison of internal audit in Australia, Malaysia and Hong Kong,” Managerial Auditing Journal 11 (1), 1996, pp. 23-19. 25. Cooper, B.J., P. Leung, and C. Mathews, “Internal Audit: An Australian Profile,” Managerial Auditing Journal 9 (3), 1994, pp. 13-19.
The Institute of Internal Auditors Research Foundation
402 A Global Summary of the Common Body of Knowledge 2006 ______________________
26. Cooper, B.J., P. Leung, and G. Chau, A Survey of Internal Auditing in Hong Kong (Hong Kong: Department of Accountancy, Hong Kong Polytechnic), 1989. 27. Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 822-834. 28. COSO, Enterprise Risk Management – Integrated Framework Executive Summary (The Committee of Sponsoring Organizations of the Treadway Commission), 2004. 29. Deloitte & Touche, Lean and Balanced – How to Cut Costs Without Compromising Compliance, Deloitte & Touche, 2006. 30. Ernst & Young, Internal Audit in Malaysia, Kuala Lumpur, (Malaysia), Ernst & Young, 2004. 31. Ernst & Young and IIA New Zealand and Australia, Trends in Australian and New Zealand Auditing Second Annual Benchmarking Survey 2005, Ernst & Young and IIA New Zealand and Australia, 2005. 32. Fadzil, F.H., H. Haron, and M. Jantan, “Internal auditing practices and internal control system,” Managerial Auditing Journal 20 (8), 2005, pp. 844-866. 33. Fourie, H., Internal auditing and communication: a South African perspective, M. Tech dissertation, Pretoria, Tshwane University of Technology, 2006. 34. Glascock, K.L., “Auditees or clients?” Internal Auditor, 59 (4), 2002, pp. 84-85. 35. Gobeil, R.E., “The Common Body of Knowledge of Internal Auditors,” The Internal Auditor, November/December 1972, pp. 20-29. 36. Goodwin, J., “A comparison of internal audit in the private and public sectors,” Managerial Auditing Journal 19 (5), 2004, pp. 640-650. 37. Goodwin, J., and Y.T. Yeo, “Two factors affecting internal audit independence and objectivity: evidence from Singapore,” International Journal of Auditing 5, 2001, pp.107-125. 38. Goodwin-Stewart, J., and P. Kent, “The use of internal audit by Australian companies,” Managerial Auditing Journal 21 (1), 2006, pp. 81-101. 39. Gramling, A.A., M.J. Maletta, A. Schneider, and B.K. Church, “The Role of the Internal Audit Activity in Corporate Governance: A Synthesis of the Extant Internal Auditing Literature and Directions for Future Research,” Journal of Accounting Literature 23, 2004, pp. 194-244. 40. Gray, G., Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment (Altamonte Springs, FL: The Institute of Internal Auditors), 2004. 41. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844. 42. Hofstede, G., Culture’s consequences: International differences in work-related values (London, UK: Sage), 1980. 43. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B. Deregowski, S. Dziurawiec, and R.C. Annis (Eds.), Explications in Cross-Cultural Psychology, Swets and Zeitling, 1983.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 403
44. Hopkins, R., “The nature of audit quality - a conflict of paradigms? An empirical study of internal audit quality throughout the United Kingdom Public Sector,” International Journal of Auditing 1 (2), 1997, pp. 117-133. 45. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004. 46. IFACI (Institute de L’Audit Interne), Resultat de l’enquete sur la pratique de l’audit interne en France en 2005 (The Institute of Internal Auditors France), 2005. 47. IIABEL (The Institute of Internal Auditors Belgium), Internal audit in Belgium: the shaping of internal audit today and the future expectations – survey results (The Institute of Internal Auditors Belgium), www.iiabel.be. 48. King Committee on Corporate Governance, King report on corporate governance for South Africa, Institute of Directors, 1994. 49. King Committee on Corporate Governance, King report on corporate governance for South Africa, Institute of Directors, 2002. 50. Krell, E., “Is Sarbanes-Oxley Compromising Internal Audit?” Business Finance, August, 2005. 51. Krogstad, J., A.J. Ridley, and L.E. Rittenberg, “Where We’re Going,” Internal Auditor. October 1999. 52. Le Grand, C.H., Information Technology Controls (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2005. 53. Leung, P., B.J. Cooper, and P. Robertson, The Role of Internal Audit in Corporate Governance and Management (Melbourne: RMIT Publishing), 2004. 54. Lou, Y., “Guanxi: principles, philosophies, and implications,” Human Systems Management 16 (1), 1997, pp. 43-51. 55. Lovett, S., L.C. Simmons, and R. Kali, “Guanxi versus the market: ethics and efficiency,” Journal of International Business Studies 30 (2), 1999, pp. 231-47. 56. Marais, M., Quality control within internal audit functions and the application thereof in South Africa, M. Comm. Dissertation, Pretoria, University of South Africa, 2003. 57. McCall, S.M., “The auditor as consultant,” Internal Auditor 59 (6), 2002, pp. 35-39. 58. McIntosh, E.R., Competency Framework for Internal Auditing: An Overview (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1999. 59. Melville, R., “Control self assessment in the 1990s: the UK perspective,” International Journal of Auditing 3 (3), 1999, pp. 191-206. 60. Melville, R., “The Contribution Internal Auditors Make to Strategic Management,” International Journal of Auditing 7 (3), 2003, pp. 209-222. 61. Mutchler, J., Independence and Objectivity: A Framework for Internal Auditors (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2001.
The Institute of Internal Auditors Research Foundation
404 A Global Summary of the Common Body of Knowledge 2006 ______________________
62. Paape, L., J. Scheffe, and P. Snoep, “The Relationship between the Internal Audit Activity and Corporate Governance in the EU - a Survey,” International Journal of Auditing 7 (3), 2003, pp. 247-262. 63. PCAOB (Public Company Accounting Oversight Board), Auditing Standard No. 2: An Audit of Internal Controls over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, (Washington, DC: Public Company Accounting Oversight Board), 2004. 64. PricewaterhouseCoopers LLP, “Internal Audit Global Best Practices: #2 in a series,” The Internal Audit Newsletter, 2005A, pp.5-6. 65. PricewaterhouseCoopers LLP, “How Computer Assisted Audit Tools Can Be Used in a Fiduciary Audit Environment,” The Internal Audit Newsletter, 2005B, pp. 2-3. 66. PricewaterhouseCoopers LLP, PricewaterhouseCoopers’ State of the Internal Audit Profession: Internal Audit Post Sarbanes-Oxley (New York), 2006. 67. RGTF (Report of the Guidance Task Force to The IIA’s Board of Directors), A Vision for the Future: Professional Practices Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1999. 68. Rittenberg, L., and M. Covaleski, “Outsourcing the internal audit activity: the British government experience with market testing,” International Journal of Auditing 3 (3), 1999, pp. 225-235. 69. Rittenberg, L.E., and B.J.Covaleski, The Outsourcing Dilemma: What’s Best for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1997. 70. Roth, J., Adding Value: Seven Roads to Success (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2002. 71. Roth, J., and D. Espersen, Internal Audit’s Role in Corporate Governance: SarbanesOxley Compliance (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2003. 72. Sarens, G., and I. De Beelde, “Internal Auditors’ Perception about Their Role in Risk Management: A Comparison Between US and Belgian Companies,” Managerial Auditing Journal 21 (1), 2006, pp. 63-80. 73. Selim, G., and A. Yiannakas, “Outsourcing the Internal Audit Activity: A Survey of the UK Public and Private Sectors,” International Journal of Auditing 5 (1), 2001, pp. 213-226. 74. Selim, G., and D. McNamee, Risk Management: Changing the Internal Auditor’s Paradigm, (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1998. 75. Selim, G., and S. Woodward, “Internal Auditing and Consulting Practice: UK and Ireland Survey,” British Academy of Management Annual Conference (UK: University of St. Andrews), 2004. 76. Selim, G., S. Sudarsanam, and M. Lavine, “The Role of Internal Auditors in Mergers, Acquisitions and Divestitures: An International Study,” International Journal of Auditing 7 (3), 2003, pp. 223-246.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 405
77. Simons, R., Performance Measurement & Control Systems for Implementing Strategy (Upper Saddle River, NJ: Prentice Hall), 2000. 78. South Africa, The Public Finance Management Act, Act 1 of 1999, Pretoria, Government Printers, 1999. 79. U.S. Sarbanes Oxley Act of 2002 (One Hundred Seventh Congress of the United States of America, HR 3763), 2002. 80. Tang, Y.W., L. Chow, and B.J. Cooper, Accounting and Finance in China – A Review of Current Practice, 4th, Sweet and Maxwell Asia, (Hong Kong), 2000. 81. Tettamanzi, P., “Internal auditing: evoluzione storica, stato dell’arte e tendenze di sviluppo: Italia e Regno unito a confronto,” Egea, 2003. 82. The Institute of Internal Auditors, A Vision for the Future: The Professional Practices Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1999. 83. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2002. 84. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2005. 85. The Institute of Internal Auditors, The IIA Research Foundation Request for Proposal (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 2005. 86. Van der Nest, D.P., Audit committees in government departments: an internal audit perspective, The South African Journal of Accountability and Audit Research 6, 2005, pp. 75-83. 87. Van der Nest, D.P., Audit committees and accountability in the South African public service, D. Tech dissertation, Pretoria, Tshwane University of Technology, 2007. 88. Van Peursem, K.A., “Conversations with internal auditors - The power of ambiguity,” Managerial Auditing Journal 20 (5), 2005, pp. 489-512. 89. Van Peursem, K.A., “Internal auditors’ role and authority - New Zealand evidence,” Managerial Auditing Journal 19 (3), 2004, pp. 378-393. 90. Wang, X., “Development trends and future prospects of internal audit,” Managerial Auditing Journal 12 (4/5),1997, pp. 200-204. 91. Warren, J.D., and X.L. Parker, Continuous Auditing: Potential for Internal Auditors (Altamonte Springs, FL: The Institute of Internal Auditors), 2003. 92. Zoellick, B., and T. Frank, Governance, Risk Management, and Compliance: An Operational Approach (The Compliance Consortium), 2005.
The Institute of Internal Auditors Research Foundation
406 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 10-A
Pre-scope Questionnaire for CBOK Do you agree that the global CBOK scope should include the following: Demographics for respondents and companies. Percentage of time spent on different types of audit (scope) in 2005: • Operational • Financial (include work with external auditor) • Governance (ethics, control framework, Sarbanes-Oxley, linkage of strategy, and company performance) o The role of internal auditing in organizational governance • Consulting • Enterprise risk management (ERM) Need more specification • Fraud investigations (forensic accounting/auditing) • Work done by consultants (outsourcing) • Other: • Belgium o Procedures development o Benchmark analyses (meant to steer company decisions and action plans for performance improvement) o Role of internal audit in project management o IT audit (!) o Direct operational responsibilities (even limited) • U.K. Ireland o Work done by consultants (co-sourcing) o Assurance work • U.S. o I think the work spent with the external auditor should be its own classification o With respect to Sarbanes Oxley, the governance component should be separate from the work done in an advisory capacity (i.e., monitoring separate from management documentation, testing, and assessment) o Outsourced work may be better defined as subject matter expertise required versus outsourced internal auditing (i.e., is the internal audit activity outsourced or complemented?) o Compliance (non-Sarbanes-Oxley)
The Institute of Internal Auditors Research Foundation
Yes 53
No 7
60 58 61
2 2 1
60 59 59 57
3 3 3 5
_____________________________ Chapter 10: Research Method and Literature Review 407
Percentage of time spent on different types of audit (scope) in 2005: (Cont.) o Regulatory o Technology o Audit of IT function • Asia o IT audit o Probity auditing o Information technology audit o Ad hoc/special audit • Italy o Compliance programs for the prevention of corporate crime: risk assessment, compliance audit, monitoring, compliance programs updating. • South Africa o Integrated assurance services (audits that combine financial, operational, ICT, and governance).
Yes
No
Adherence to the International Standards for the Professional Practice of Internal Auditing (Standards) (The IIA, 2004): • 1000 Purpose, Authority, and Responsibility o Charter outlining nature of assurance and consulting services • 1100 Independence and Objectivity o Reporting structure administratively and functionally o Support of upper management o Support of the audit committee • 1200 Proficiency and Due Professional Care o Level of education required of entry-level auditors o Certifications o Skills required of each audit position • 1230 Continuing Professional Development - number of hours required • 1300 Quality Assurance and Improvement Program o How often internal quality review is performed o How often external quality review is performed • 2000 Managing the Internal Audit Department o CAE - rotating or permanent position o Written policies and procedures o Staff rotation policy
Yes
No
62
1
61
1
62
0
53 59
5 4
58
5
The Institute of Internal Auditors Research Foundation
408 A Global Summary of the Common Body of Knowledge 2006 ______________________
Adherence to the International Standards for the Professional Practice of Internal Auditing (Standards) (The IIA, 2004): • 2010 Planning o Percentage of audit budget spent on planning activities • 2210 Engagement Objectives o Set audit objectives during the planning stages of the audit • 2240 Engagement Work Program o % of audit programs written specifically for each engagement o % of audit programs from prior audits o % of purchased audit programs • 2400 Communicating Results o A written audit report is prepared for what percent of engagements o Audit report includes a grade or score for the audit process • 2500 Monitoring Progress o Follow-up procedures are performed on what % of audits o Audit department has the support of upper management to ensure improvements are made by auditee • Other: Belgium o Follow-up on implementation of critical recommendations o Calculation/estimation of “return” of audit work (through implementation of audit recommendations or through audit review as such on e.g., double payments: savings achieved; double disbursements prevented or corrected; etc.) • U.K. Ireland o Adherence to the International Standards for the Professional Practice of Internal Auditing (Standards) (The IIA) o Adherence to national or sectoral standards, based on the standards o Adherence to national or sectoral standards, not based on the standards • U.S. o Determination of IA as either a cost center or profit center o Calculation of cost savings and/or opportunity income gained arising from internal audit recommendations as part of reporting (estimation) and monitoring (actual).
The Institute of Internal Auditors Research Foundation
Yes
No
56
7
58
5
56
7
62
1
62
1
_____________________________ Chapter 10: Research Method and Literature Review 409
Specific areas of knowledge required of internal auditors: • Traditional business school topics (finance, operations, accounting, marketing) • Business terminology • Technology • Financial reporting • Costing methods/managerial accounting • Economic theories • Accounting standards • Auditing standards • Other: • Belgium o Language skills (2 x mentioned) o IT knowledge and skills (company ERP package) (2 x mentioned) • U.K. Ireland o Internal auditing standards o Statistics and analytical techniques o General management • U.S. o Should there be more in the way of operational and compliance auditing? The above categories seem traditional and exclusive to the operational and compliance COSO components o Should technology be more specific as to systems etc- should there be some additional requirements as to ERM, ERP, etc.? o Should there be more in the “Other” areas such as forensics, fraud, money laundering, etc. o Statistical analyses, Six-sigma, etc. o Regulatory o Various industries o Fraud o Regulation relevant to the industry • Asia o Record keeping electronic o Risk management practices • Italy o Statistics o New legislation (SOX, D.Lgs 231/01) • South Africa o Legislation The Institute of Internal Auditors Research Foundation
Yes 52
No 11
45 57 50 45 25 49 54
16 6 12 17 35 14 8
410 A Global Summary of the Common Body of Knowledge 2006 ______________________
Role of the board of directors and audit committee: • How often the CAE reports to the audit committee • Board’s role in governance issues • Audit committee/board role in review of annual audit plan • Other: • Belgium o Board’s role in the definition of “risk” as used by the internal auditor in his risk assessment o Audit committee support for internal audit activity, internal audit recommendations • U.S. o Directors Loan Committee & Trust Committee interaction o Board appointment of CAE, salary determination, etc. o Administrative chain of command o AC structure and experience o Reporting relationships, agendas • Asia o Induction program for AC members o Board review of IA performance • Italy o Audit committee/board role in budget definition
Yes 60 57 59
Evaluation of staff: • Questionnaire at end of audit by client • Staff evaluated at end of each audit • Other: • Belgium o Staff evaluations mid-year and year-end: rotation/career opportunities inside the company or audit staff o Evaluation of the overall internal audit activity • U.S. o Staff evaluation at certain minimum hours if audit is long term? o Other internal audit quality metrics and measurements o Core competency development o Goal achievement (results) o Performance evaluation (annual or more frequent). • Asia o Preference for annual survey of branch performance • South Africa o Ethics
Yes No 53 10 55 8
The Institute of Internal Auditors Research Foundation
No 2 5 3
_____________________________ Chapter 10: Research Method and Literature Review 411
Emerging trends in internal auditing: • Laws requiring companies to have an internal audit activity • Internal auditors in advisory role for strategy development • Implemented an internal control framework (COSO, COSO-ERM, Cadbury, or CoCo) • Utilize self-directed, integrated work teams. • Involved in corporate directives to introduce ERP - Enterprise Resource Planning software such as SAP, Oracle, Peoplesoft, BAAN, and JD Edwards • Implement computer library (Web or CD-ROM) for audit reports, workpapers, and reference materials • Implement knowledge management systems • Work with management to develop ERM system • Provide training to audit committee • Share audit programs with “Other” companies’ internal audit departments • Introduce improvements in cycle time • Utilize groupware such as Lotus Notes • Review electronic commerce applications • Utilize CAATs • Develop intranet site to educate company personnel about internal controls, risk management, Sarbanes-Oxley requirements, etc. • Other: • Belgium o Provide control awareness trainings to managers (new recruited managers: as part of company introduction program; newly promoted managers - individually; newly acquired company management team; etc.) o Implementing total quality related frameworks (e.g., EFQM) • U.K. Ireland o Refocused internal audit on role of providing objective assurance in context of organization's overall assurance framework o Introducing full risk-based internal auditing • U.S. o Analytical (audit) reviews o Is there a need to address independence if internal audit is used to “introduce erp,” implement knowledge systems and develop ermhow to audit? o Regulatory o Attorney client privilege work
The Institute of Internal Auditors Research Foundation
Yes No 56 7 50 11 57 4 48 45
14 16
55
7
49 52 47 53 44 36 43 56 55
13 11 14 8 19 26 19 6 7
412 A Global Summary of the Common Body of Knowledge 2006 ______________________
Emerging trends in internal auditing: (Cont.) • Asia o Audit time recording system of allocation of audit hours • Italy o Supporting internal control system definition in BPR projects o Web-based training for personnel according to D.Lgs 231/01 requirements
Yes
No
Certification: • Need for certification exams for audit managers and CAEs above CIA certificate. Already part of the “adherence to Standards”? • Other: • Belgium o Need for a CIA more oriented toward non-profit organizations • U.K. Ireland o Need for specific qualification or certification for internal auditors o Need for certification for practicing internal auditors • U.S. o Certifications for seniors (level below mgrs) o Skills needed - CISA, CFE, etc. • Asia o Specialized internal auditing certifications CGAP for public sector, CFSA for financial services auditor • Italy o CPA, ACFE, CSA
Yes 45
No 17
Salaries: • Entry-level salary at each audit position • How internal audit salaries compare with managers at similar levels in the organization • Other: • U.K. Ireland o How internal audit salaries for those with internal audit qualifications compare • U.S. o Does IA have possibility to rotate to another position within the company? How often does it happen? What is the average time IA stays within the IA function? o Staff levels to include bonus and option programs
Yes 42 45
No 18 16
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 413
Salaries: (Cont.) o Mobility within the organization - how many transfers to the departments, functions? o Changes too often and varies globally o Incentive compensation - bonuses, stock options • Asia o Essential criteria for CAEs and staff, i.e., degree • Italy o Other benefits
Yes
No
Audit Methods, Tools, and Techniques: • ACL, Idea, SAS • Control self-assessment • Continuous auditing • Electronic workpapers • Sampling • Data mining • Whistle-blowing hot line • Comparisons of performance measures to targets in entity’s objectives • Flowchart software • Other: • Belgium o Generic office IT tools/groupware • U.S. o Outsourcing of highly technical/specialized reviews o Lotus Notes o Issue tracking repositories o Intranet portals o Knowledge management • Asia o PowerPoint presentations for audit • Italy o Process Modeling Software o Risk assessment (No: control risk self-assessment) • South Africa o Include ERM, benchmarking, QAR, the IA process - procedures, e.g., compliance, substantive and analytical - Refer PA 2320
Yes 59 57 52 58 59 54 49 52 46
No 3 6 11 3 4 8 13 9 15
The Institute of Internal Auditors Research Foundation
414 A Global Summary of the Common Body of Knowledge 2006 ______________________
Auditee Skill Set (at each level): • Organization • Interpersonal • Writing • Critical thinking • Ability to do root cause analysis • Negotiation • Conflict resolution • Interview • Other: • Belgium o IT skills (knowledge of company ERP capabilities and control features + use of system to prepare projects and substantiate findings) o Synthesis: know how to extract just that information that is necessary to put context around a finding and recommendation • U.K. Ireland o Influencing o Presentation of complex results • U.S. o Computer skills o Foreign languages o Strategic agility o Facilitation o Consensus building o Teamwork • Asia o Communication o Time management o Judgment o Business acumen • Italy o Corporate crime, fraud • France o Courage
The Institute of Internal Auditors Research Foundation
Yes 56 57 57 56 53 56 57 57
No 7 6 5 7 9 7 6 5
_____________________________ Chapter 10: Research Method and Literature Review 415
Other: Please list “Other” topics that you would like to include in the survey: Yes • Belgium o Interaction between internal and external audit o Co-sourcing/outsourcing o Auditor’s career: recruitment into internal audit and/or internal move “in”/career path with internal audit and/or internal move “out”/external move “out” • U.K. Ireland o Knowledge areas are too narrow: should include governance, ethics, ethnographic methods o Involvement in corporate social responsibility o Benchmarking regarding I.A. size (i.e., no. of employees, mixture of qualified and non-qualified staff, types of qualification of I.A. staff, etc.) • U.S. o How is the internal audit plan developed, on the basis of what information (scoping using risk assessment, particular needs of BU, fraud investigation, what is the % of each component)? o What is the duration of the audit plan (1 year, 3 years, etc.)? How often is it revised? o Whom does the IA report to (audit committee, CEO, CFO, etc…are they independent? o How is the IA founded: special budget, re-invoiced to BU, etc…? What is the budget? o What are the yearly training expenses? o Does IA use any indicator to measure its performance? If yes, what are they? o The views expressed are solely my own and do not necessarily reflect to the position of Fidelity Investments or its associates o Trend toward outsourcing/partnering o Resource management and planning o Internal audit department structure and geographic locations o Global focus o Reporting relationship of CAE to board/audit committee, CEO, CFO, “Other” o Frequency of private meeting of CAE and board/audit committee chair/committee - never, once per year, etc. o Asset size of company/annual sales o Number of internal auditors
The Institute of Internal Auditors Research Foundation
No
416 A Global Summary of the Common Body of Knowledge 2006 ______________________
Other: Please list “Other” topics that you would like to include in the survey: (Cont.) o Annual audit department salaries & benefits o Public/private/other org. o Core competency framework o Soft skill development o Training and development o Career pathing o Knowledge management • Asia o Will 1312 review be completed by Jan 1, 2007 o Probity auditing o Project management o Standardization of audit reports o Freedom of information/privacy concerns o Performance indicators for internal audit o Standardization of ranking audit o Balanced scorecards for internal audit o Disclosure and confidentiality principles for internal audit o International auditing standards (Global) o Globalization of auditing profession o Academic qualifications for internal audit in tertiary institutions o Career planning for internal audit o Marketing of the internal audit activity o “Recognized Professional Association” o Benchmarking of internal audit o Introduce CAE within organization for signoff on internal controls o Ratio of internal audit cost vs. external audit cost o Boardroom skills o Personnel management skills o Managerial skills o Split information required for financial audit between financial control work and supporting/interacting on external audit work o Emerging new technology and trends in business that impact audit o New business organizational formations that affect audit capability
The Institute of Internal Auditors Research Foundation
Yes
No
_____________________________ Chapter 10: Research Method and Literature Review 417
Other: Please list “Other” topics that you would like to include in the survey: (Cont.) • Italy o Information about staff and outsourcing o Role of the Collegio sindacale − The relationship between the collegio sindacale and the internal audit unit (collegio sindacale is a specific body of the Italian corporate governance system). The features involves in this relationship could concern: ∗ The support of the collegio sindacale to the internal audit independence. ∗ The review of the audit plan. ∗ The communication of audit results to the collegio sindacale. ∗ Other. o Planning and priority setting o Role of the collegio sindacale in the Italian corporate governance system and the relationship with the internal audit department. • France o How do IA, MA, compliance, quality control, and “Other” control functions fit together? o What are the job positions in internal auditing? o How can we go from one position to another? o How to be prepared to get out of the audit department to disseminate the control culture. • South Africa o Environmental auditing o QAR o ISO standards relating to internal auditing, e.g., ISO 14000, etc.
The Institute of Internal Auditors Research Foundation
Yes
No
418 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 10-B Topical Areas That Are Addressed in Past and Current IIA CBOK Studies Gabeil (1972) Accounting Auditing
Barrett et al. (1985) Accounting* Auditing
Albrecht et al. (1991) Accounting** Auditing
Birkett et al. (1999) Accounting Auditing
Communications
Communications
Communications Competency Assessment, Benchmark, Competency Standards Compliance/ Government Corporate Governance
Behavioral Sciences Communications
Government
Computers Basis Computers & Systems
Computer & Information Systems
Computers & Information Systems
Data Gathering & Delivery
Computers & Information Systems
Data Warehousing
CBOK (2006) Accounting*** Auditing@ Audit Committee/ Oversight Committee Audit Plan Behavioral Skills/ Technical Skills/Competencies Communications Benchmarks/Quality Assessment
Compliance/ Regulations Corporate Governance Computer Software Used in the Audit Information Technology Consulting/Advisory Services Data Mining
*Specifies as financial, management, and government accounting **Specifies as financial and managerial accounting ***Financial and managerial accounting as well as specialized accounting appropriate for the type of organization
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 419
Topical Areas That Are Addressed in Past and Current IIA CBOK Studies (Cont.) Gabeil (1972) Economics
External Relations Finance & Control
Barrett et al. (1985)
Finance
Albrecht et al. (1991) Economics Ethics
Birkett et al. (1999) Economics Ethics Expertise (Experience, Knowledge, Skills)
Finance
Finance
Finance
Forensic Accounting/ Auditing
Forensic Accounting/ Auditing Fraud Emerging Issues
Fraud
International Legal Aspects of Business Secretarial & Legal Management and the Management Functions
Legal Aspects of Business
Management
Future of the Profession and Influencing Factors IA Staff Position in Organizations Internal Auditor’s Work Environment, Context, Population, and Scope of Work International/culture Legal Aspects (Commercial and Regulatory Law)
Management
The Institute of Internal Auditors Research Foundation
CBOK (2006) Ethics/Ethics Audits Expertise (Experience, Knowledge, Skills)
IAA Position in the Organization Internal Auditor’s Work Environment, Context, Population, and Scope of Work International/ Globalization/Culture Legal Regulations
Management
420 A Global Summary of the Common Body of Knowledge 2006 ______________________
Topical Areas That Are Addressed in Past and Current IIA CBOK Studies (Cont.) Gabeil (1972) Marketing
Barrett et al. (1985) Marketing & Distribution Organizations
Albrecht et al. (1991) Marketing
Organizational Behavior
Birkett et al. (1999) Marketing
Organizational Behavior
CBOK (2006) Marketing Organizations/ Industries Organizational Behavior Outsourcing/ Co-sourcing the Audit/Audit Function
Personnel Administration Professional Qualification, Education, Development, Training
Professional Qualifications, Education, Development, Training
Need for a Global Validated Framework (Common Language, Global Profession of Internal Auditing) Quantitative Methods & Statistics R&D Audit
Professional Practices Framework
Reasoning Risk Management and Control/Internal Control Role of the CAE Taxes
Production
Quantitative Methods
Statistics
Quantitative Methods & Statistics
Reasoning
Reasoning
Reasoning Risk Control/ Internal Control
Taxes
Taxes
Research & Development
The Institute of Internal Auditors Research Foundation
Statistics
_____________________________ Chapter 10: Research Method and Literature Review 421
APPENDIX 10-C CBOK 2006 CAE AND PRACTITIONER QUESTIONNAIRE
Note: This is the final English questionnaire. On the next two pages is a summary of which questions were on just the CAE questionnaire, just the Practitioner questionnaire, or on both. The IIA combined the two questionnaires as some of the questions appeared on both questionnaires. The Institute of Internal Auditors Research Foundation COMMON BODY OF KNOWLEDGE (CBOK) 2006 Chief Audit Executive (CAE) or Service Provider Equivalent, Head of Internal Audit Activity, Engagement Leader, or Service Provider Principal
Welcome to the Common Body of Knowledge (CBOK) 2006! You are about to participate in one of the most important projects ever undertaken by The IIA Research Foundation. CBOK will help Understand, Guide, and Shape the future of Internal Auditing! Your participation will ensure this project is a success. We anticipate that this survey will take approximately 40 minutes of your valuable time. All of your answers will be strictly confidential and will not be associated with your personal information or organization information. Please answer the questions honestly. Please complete the survey in one session. If you have any technical problems or questions, please send an e-mail to
[email protected]. At the end of the survey you will be given the opportunity to enter an optional drawing for twentyfive US$200 VISA Gift Cards.
The Institute of Internal Auditors Research Foundation
422 A Global Summary of the Common Body of Knowledge 2006 ______________________
Questions for CAE and Practitioner (Per Word file version) Question Number Part I 1a 1b 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17a 17b 18 19 20 21 22a 22b 22c 22d 23 24
Question Description Personal/Background Information How long member Affiliate/Chapter Age Level of Education Academic Major Organization Position Professional Qualification Total Professional Experience Total Years as CAE, GA, TAP, VP Reporting Status Training hours over last 36 months Training hours over last 12 months Type of organization you work in Classification of the industry you offer internal audit services Organization Size - (total employees, assets, revenue) Area Served How long has your organization existed? Does organization have an Internal Audit Activity (IAA)? How long has the IAA existed? Organization Documents Who is involved in appointing the CAE? Who evaluates CAE’s performance Is there an Audit Committee? Number of Audit Committee meetings Number of Audit Committee meeting invitations Number of Audit Committee meetings attended Meet Audit Committee in addition to regular meetings? Have appropriate access to Audit Committee? How is value added by IAA measured?
Both CAE Practitioner
* * * * * * * * * * * * * * * * * * * *
The Institute of Internal Auditors Research Foundation
* * * * * * * * *
_____________________________ Chapter 10: Research Method and Literature Review 423
Question Number 25a 25b 26a 26b 26c 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Question Description How many times is the audit plan updated? How do you establish audit plan Provide IA services to external organizations? External Organizations that receive IA services Do you agree with the statements below? Number of Staff in IAA Incentives to hire IA professionals Methods to fill staff vacancies Methods to compensate for missing skills Percentage of activities out or co-sourced Will budget for out/co-sourced activities change? Number of Members who have Certifications Need additional certification beyond CIA? Method of staff evaluation Frequency of training Use IIA’s Int’l Standards in whole or part? Guidance from International standard Adequate? Standard of Professional Practices Framework adequate? Reasons for not using The IIA’s Int’l Standards IAs have quality assessment and improvement program? When was last formal internal quality assessment? When was last formal internal quality assessment? Activities performed as part of IAA quality assessment Who performs following activities/audits? Percentage time spent on the following activities Resolution of major differences Who reports auditing findings to management Who monitors corrective actions? How much is IA going to use the following audit tools?
Both CAE Practitioner * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
The Institute of Internal Auditors Research Foundation
424 A Global Summary of the Common Body of Knowledge 2006 ______________________
Question Number 51 52 53 51a 52a 53a 53b 54 55 56
Question Description Behavioral skills for staff Technical skills for staff Competencies for staff Important behavioral skills Important technical skills Important competencies Importance of certain knowledge Will changes in the IAA scope occur? Roles of IAA Indicate whether statements apply to organization
Both CAE Practitioner * * * * * * * * * *
I. Personal/Background Information Note: Background information will be used anonymously for aggregate data analysis. No individual information will be revealed in research reports. 1a. How long have you been a member of The IIA? 1-5 years 6-10 years 11 years or more I am not a member of The IIA (Skip to question 2.) 1b. Please select your IIA Affiliate or if you are located in North America or the Caribbean, please select your Chapter. Affiliate: _______________ Chapter: ________________ 2. Your age: _________ 3. Your highest level of formal education (not certification) completed: Secondary/High School Education Bachelors/Diploma in Business Bachelors/Diploma in fields other than Business Masters/Graduate Degree/Diploma in Business Masters/Graduate Diploma in fields other than Business Doctoral Degree Other The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 425
4. Your academic major(s): (Please mark all that apply.) Accounting Arts or Humanities Auditing Computer Science Economics Engineering Finance General Business/Management Information Systems Internal Auditing Law Mathematics/Statistics Science or Technical Field Other No degree 5. Your position in the organization: Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/ Service Provider Equivalent Internal Audit Management/Service Provider Management Internal Audit Senior or Supervisor/Service Provider Senior or Supervisor Internal Audit Staff/Service Provider Staff Support Staff (administration, secretarial, and clerical) Other 6. Your professional qualification(s): (Please mark all that apply.) Internal Auditing (such as CIA/MIIA/PIIA) Information Systems Auditing (such as CISA/QiCA/CISM) Government Auditing/Finance (such as CIPFA/CGAP/CGFM) Control Self-Assessment (such as CCSA) Public Accounting/Chartered Accountancy (such as CA/CPA /ACCA/ACA) Management/General Accounting (such as CMA/CIMA/CGA) Accounting - technician level (such as CAT/AAT) Fraud Examination (such as CFE) Financial Services Auditing (such as CFSA/CIDA/CBA) Fellowship (such as FCA/FCCA/FCMA) Certified Financial Analyst (such as CFA) Other
The Institute of Internal Auditors Research Foundation
426 A Global Summary of the Common Body of Knowledge 2006 ______________________
7. Specify your total years of professional experience using the following categories: (Use whole numbers.) Service Years in Years in Years in Years in Provider Private Publicly/ Govern- Not-forCompany Listed mental Profit Company a. Accounting b. Engineering c. External (Independent) Auditing d. Finance e. Information Technology f. Internal Auditing g. Management h. Other Professional Experience
_____
_____
_____
_____
______
_____
_____
_____
_____
______
_____ _____ _____
_____ _____ _____
_____ _____ _____
_____ _____ _____
______ ______ ______
_____
_____
_____
_____
______
Total Professional Experience _____
_____
_____
_____
______
8. How many total years have you been the Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service Provider equivalent at your current organization and previous organizations you have worked for? Years: __________ 9. Your reporting status in your organization is: Staff position reporting to a manager Managerial position reporting to executive management/high-level government official Officer position reporting to the executive management/high-level government official Independent position reporting to the audit committee of the board/oversight board Other 10. On average, how many hours of formal training have you received over the last 36 month period or while you have been in the Internal Audit Activity if less than three years? Training includes, but is not limited to seminars, conferences, workshops, and in-house information sessions provided by either your organization or another organization. Hours: ____________ 11. How many hours of training over a 12-month period are required by law/statute where you work? Hours: ____________ The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 427
II. Your Organization Note: Organization information will be used anonymously for aggregate data analysis. No individual organization information will be revealed. 12. The type of organization for which you currently work: Service Provider/Consultant Publicly Traded (Listed) Company Privately Held (Non-listed) Company Public Sector/Government Not-for-Profit Organization Other 13. The broad industry classification(s) of the organization for which you work or provide internal audit services: (Please mark all that apply.) Agricultural/Forestry Banking/Financial Services/Credit Union Building and Construction Communication/Telecommunication Consumer Goods Education Financial, Accounting, and/or Business Services Healthcare Hospitality/Leisure/Tourism Insurance Manufacturing Mining and Oil Non-Professional Services Pharmaceutical/Chemical Professional Services Real Estate Retail/Wholesale Technology Trade Services Transport and Logistics Utilities Other
The Institute of Internal Auditors Research Foundation
428 A Global Summary of the Common Body of Knowledge 2006 ______________________
14. Size of the entire organization for which you work as of December 31, 2005 or the end of the last fiscal year: (Please use whole numbers and no abbreviations: use 1,000,000 not 1M.) Total Employees (Full-time Equivalent): Employees: ___________________ Total Assets (U.S. Dollar Equivalent): Assets: _______________________ Total Revenue or Budget if Government or Not-for-Profit (U.S. Dollar Equivalent) Revenue: _____________________ 15. Is your organization: Local State/Provincial Regional National International/Multinational 16. How long has your organization been in existence? Years: _________________ III. Internal Audit Activity 17a. Does your organization have an Internal Audit Activity or provide Internal Audit services? Yes No (Skip to question 18.) 17b. If yes, for how long? (Please use whole numbers only.) Years: 18. Which of the following documents exist in your organization? (Please mark all that apply.) Corporate Governance Code Long-term Strategic Plan for the Organization Audit Oversight/Committee Charter Internal Audit Charter Mission Statement for the Internal Audit Activity Internal Audit Operating Manual/Policy Statement
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 429
Corporate Ethics Policy/Code of Ethics/Code of Conduct Annual Internal Audit Plan/Rolling Audit Plan/Quarterly Audit Plan Long-term Audit Plan (longer than 1 year) Internal Audit Risk Assessment (to determine what areas to audit)
19. Who is involved in appointing the Chief Audit Executive/General Auditor/Top Audit Position/ Vice President - Audit/Service Provider equivalent? (Please mark all that apply.) Chairperson of the Board Chief Executive Officer Audit Committee/Oversight Committee/Committee Chairperson Chief Financial Officer Another person reporting to CFO Other 20. Who evaluates your performance? (Please mark all that apply.) Board of Directors Chairperson of the Board Chief Executive Officer Audit Committee/Oversight Committee/Committee Chairperson Senior Management Auditee/Client at the end of audit Supervisor periodically Peers/Subordinates periodically Not evaluated 21. Is there an Audit Committee/Oversight Committee or equivalent in your organization? Yes No (Skip to question 24.) 22a. Number of Audit Committee/Oversight Committee meetings held in the last fiscal year: Number: _______________ 22b. Number of Audit Committee/Oversight Committee meetings you were invited to attend (entirely or in part) during the last fiscal year: Number: ______________ 22c. Number of Audit Committee/Oversight Committee meetings you attended (entirely or in part) during the last fiscal year: Number: ______________
The Institute of Internal Auditors Research Foundation
430 A Global Summary of the Common Body of Knowledge 2006 ______________________
22d. Do you meet with the Audit Committee/Oversight Committee/Chairperson in addition to the regularly scheduled meetings? Yes No 23. Do you believe that you have appropriate access to the Audit Committee/Oversight Committee? Yes No 24. How does your organization measure the value added by the Internal Audit Activity? (Please mark all that apply.) Customer/Auditee surveys from audited departments Recommendations accepted/implemented Cost savings and improvements from recommendations implemented Number of management requests for internal audit assurance or consulting projects Reliance by external auditors on the Internal Audit Activity Budget to actual audit hours Cycle time from entrance conference to draft report Number of major audit findings Other No formal measurement of value added 25a. How frequently do you update the audit plan? Multiple times per year Every year Every two years More than every two years No audit plan (Skip to question 26.) 25b. How do you establish your audit plan? (Please mark all that apply.) Use of a risk-based methodology Consult previous years audit plan Consultation with divisional or business heads Requests from management Audit Committee/Oversight Committee requests Compliance/regulatory requirements Requests from or consultation with external auditors Other 26a. Are you currently a service provider of internal audit services to external organizations? Yes No (Skip to question 27.) The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 431
26b. What is the number of external organizations to which you provide internal audit services? Number: ________________ Note: If you have identified yourself as a provider of internal audit services to external organizations, whenever you see the phrase “Internal Audit Activity” please answer the question based on your experiences as a service provider, not as an internal auditor for your organization. 26c. Please indicate your agreement with the following statements as they relate to your current organization or organizations that you audit. 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree ____ a. Your Internal Audit Activity is an independent objective assurance and consulting activity. ____ b. Your Internal Audit Activity adds value. ____ c. Internal Audit brings a systematic approach to evaluate the effectiveness of risk management. ____ d. Your Internal Audit Activity brings a systematic approach to evaluate the effectiveness of internal controls. ____ e. Your Internal Audit Activity brings a systematic approach to evaluate the effectiveness of governance processes. ____ f. Your Internal Audit Activity proactively examines important financial matters, risks, and internal controls. ____ g. Your Internal Audit Activity is an integral part of the governance process by providing reliable information to management. ____ h. The way our Internal Audit Activity adds value to the governance process is through direct access to the Audit Committee. ____ i. Your Internal Audit Activity has sufficient status in the organization to be effective. ____ j. Independence is a key factor for your Internal Audit Activity to add value. ____ k. Objectivity is a key factor for your Internal Audit Activity to add value. ____ l. Your Internal Audit Activity is credible within your organization. ____ m. Compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing is a key factor for your Internal Audit Activity to add value to the governance process. ____ n. Compliance with The IIA’s Code of Ethics is a key factor for your Internal Audit Activity to add value to the governance process.
The Institute of Internal Auditors Research Foundation
432 A Global Summary of the Common Body of Knowledge 2006 ______________________
IV. Staffing 27. How many staff are in your Internal Audit Activity? Temporary or co-sourced staff should be included to the nearest full-time equivalent. Full-time
Part-time
CAE/General Auditor/Top Audit Position/Service Provider Equivalent/Vice President - Audit
______
____
Internal Audit Managers
______
____
Internal Audit Supervisors
______
____
Internal Audit Staff
______
____
External Auditors (co-sourced)
______
____
Contract Audit Staff (co-sourced)
______
____
Support Staff (Administrative, Secretarial, and Clerical)
______
____
Other
______
____
28. Is your organization currently offering any special incentives to hire internal audit professionals? (Please mark all that apply.) Relocation expenses Signing bonus Stock options Accelerated raises Vehicle provided by the organization Transportation allowance Other 29. What methods do you use to make up for staff vacancies? (Please mark all that apply.) Facilitate Control Self-assessments in place of audits Reduce areas of coverage Increased use of audit software
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 433
Borrowing staff from other departments Co-sourcing from internal audit service providers
No vacancies Other
30. What methods is your organization employing to compensate for missing skill sets (e.g., IT audit, statistical analysis)? (Please mark all that apply.) Reduce areas of coverage More reliance on audit software Borrowing staff from other departments Co-sourcing/outsourcing No missing skill sets Other 31. What percentage of your Internal Audit Activity activities are currently outsourced / cosourced? No outsourcing/co-sourcing 0-10 % 11-20% 21-30% 31-40% 41-50% 51-60% 61-70% 71-80% 81-90% 91-100% 32. Do you anticipate that your budget for outsourced/co-sourced activities will change in the next three years? Increase Decrease Remain the same
The Institute of Internal Auditors Research Foundation
434 A Global Summary of the Common Body of Knowledge 2006 ______________________
33. How many members of the Internal Audit Activity hold the following certifications? If a staff member has more than one certification, include them in all applicable categories. Number Internal Auditing (such as CIA/MIIA/PIIA) Information Systems Auditing (such as CISA/QiCA/CISM) Government Auditing/Finance (such as CIPFA/CGAP/CGFM) Control Self-Assessment (such as CCSA) Public Accounting/Chartered Accountancy (such as CA/CPA/ACCA/ACA) Management/General Accounting (such as CMA/CIMA/CGA) Accounting - technician level (such as CAT/AAT) Fraud Examination (such as CFE) Financial Services Auditing (such as CFSA/CIDA/CBA) Fellowship (such as FCA/FCCA/FCMA) Certified Financial Analyst (such as CFA) Other 34. Do you see a need for additional certification beyond the CIA for audit managers and CAEs? a. Need for additional certification exams for audit managers Yes b. Need for additional certification exams for CAEs No 35. What method of staff evaluation do you use? (Please mark all that apply.) By supervisor periodically Customer/auditee feedback Peers/subordinates periodically Other
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 435
36. How frequently do you and your staff receive the following types of training? More frequently than annually Annually Less frequently than annually As needed Never a. Standards and professional practices
___________________________________
b. Basic/advanced technology
___________________________________
c. Anti-fraud techniques
___________________________________
d. Ethics training
___________________________________
e. Communication skills
___________________________________
f.
___________________________________
Team-building skills
V. Internal Auditing Standards 37. Does your organization use The IIA’s International Standards for the Professional Practice of Internal Auditing in whole or in part? If you are a service provider do you use The IIA's International Standards for the Professional Practice of Internal Auditing in whole or in part for your audits of your clients? Yes No (Skip to question 40.)
The Institute of Internal Auditors Research Foundation
436 A Global Summary of the Common Body of Knowledge 2006 ______________________
38. If your Internal Audit Activity follows any of The IIA’s International Standards for the Professional Practice of Internal Auditing, please indicate if the guidance provided by these standards is adequate for your Internal Audit Activity and if you believe your organization complies with the Standards. [provide links to all below]
Guidance is Adequate
Your Organization is in Compliance
Yes No Do not use I do not know
AS 1000 - Purpose, Authority, and Responsibility AS 1100 - Independence and Objectivity AS 1200 - Proficiency and Due Professional Care AS 1300 - Quality Assurance and Improvement PS 2000 - Managing the Internal Audit Activity PS 2100 - Nature of Work PS 2200 - Engagement Planning PS 2300 - Performing the Engagement PS 2400 - Communicating Results PS 2500 - Monitoring Progress PS 2600 - Resolution of Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
Yes, full compliance Yes, partial compliance No, not in compliance I do not know
_____________________________ Chapter 10: Research Method and Literature Review 437
39. If your Internal Audit Activity uses any of the Practice Advisories provided by The IIA in the International Professional Practices Framework, indicate if they are adequate for your Internal Audit Activity. If your organization does not use any of the Practice Advisories, skip to question 40. [provide links to all below]
Guidance is Adequate Yes No Do Not Use
AS 1000 - Purpose, Authority, and Responsibility AS 1100 - Independence and Objectivity AS 1200 - Proficiency and Due Professional Care AS 1300 - Quality Assurance and Improvement PS 2000 - Managing the Internal Audit Activity PS 2100 - Nature of Work PS 2200 - Engagement Planning PS 2300 - Performing the Engagement PS 2400 - Communicating Results PS 2500 - Monitoring Progress PS 2600 - Resolution of Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
438 A Global Summary of the Common Body of Knowledge 2006 ______________________
40. What are the reasons for not using The IIA’s International Standards for the Professional Practice of Internal Auditing, in whole or in part? (Please mark all that apply.) Skip to question 41 if your organization is in full compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing. Standards or Practice Advisories are too complex Not appropriate for small organizations Too costly to comply Too time consuming Superseded by local/government regulations or standards Not appropriate for my industry Compliance not supported by management/board Not perceived as adding value by management/board Inadequate Internal Audit Activity staff Compliance not expected in my country Other Please explain: _______________________________________________________ 41. Does your Internal Audit Activity have a quality assessment and improvement program in place in accordance with The IIA’s International Standards for the Professional Practice of Internal Auditing Standard 1300? Yes, currently in place To be put in place within the next twelve months No plans to put in place in the next twelve months Your quality assurance program is not in accordance with Standard 1300 I do not know 42. When was your Internal Audit Activity last subject to a formal internal quality assessment, periodic or ongoing, in accordance with The IIA’s International Standards for the Professional Practice of Internal Auditing Standard 1311 on internal assessments? Scheduled to be completed prior to January 1, 2007, but not yet completed Within the last 12 months 1-3 years ago 4-5 years ago More than 5 years ago Never The internal review was not done in accordance with Standard 1311 I do not know
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 439
43. When was your Internal Audit Activity last subject to a formal external quality assessment in accordance with The IIA International Standards for the Professional Practice of Internal Auditing Standard 1312 on external assessments? Scheduled to be completed prior to January 1, 2007, but not yet completed Within the last 12 months 1-3 years ago 4-5 years ago More than 5 years ago Never The external review was not done in accordance with Standard 1312 I do not know 44. For your Internal Audit Activity, which of the following activities are performed as part of your internal audit quality assessment and improvement program? (Please mark all that apply.) Verification that the Internal Audit Activity is in compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing Compliance with non-IIA standards or codes Internal audit professionals are in compliance with The IIA’s Code of Ethics Checklists/manuals to provide assurance that proper audit processes are followed Engagement supervision Feedback from audit customers at the end of an audit Reviews by other members of the Internal Audit Activity Review by external party I do not know Not applicable
The Institute of Internal Auditors Research Foundation
440 A Global Summary of the Common Body of Knowledge 2006 ______________________
VI. Audit Activities 45. Please indicate who performs the following activities and/or audits: (Please mark all that apply.) Internal Audit Activity Other department in the organization Co-sourced Outsourced Not Performed a. Administrative (audit plan, assign tasks) b. Business viability assessments c. Compliance with company privacy policies d. Compliance with corporate governance and regulatory code requirements e. Control framework monitoring and development f.
Corporate takeovers/mergers
g. Enterprise risk management h. Ethics audits i.
External audit assistance
j.
Health, safety, and environment
k. Financial auditing l.
Information risk assessment
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 441
m. Information technology department assessment n. Internal auditing o. Internal control testing/systems evaluation p. Investigations of fraud and irregularities q. Linkage of strategy and company performance r.
Management effectiveness review/audit
s. Operational audits t.
Project management
u. Quality assessment of internal audit activity v. Quality/ISO audits w. Resource management and controls x. Security issues y. Social and sustainability audits z. Special projects aa. Technical competency training for auditors
The Institute of Internal Auditors Research Foundation
442 A Global Summary of the Common Body of Knowledge 2006 ______________________
46. Please estimate the percentage of time spent by the Internal Audit Activity on each of the following activities for the most recent fiscal year: 3 Years Ago
Currently
3 Years From Now
a. Compliance audits (laws, regulations, and policy
______
______
______
b. Consulting/Advisory
______
______
______
c. Financial process audits (including assistance to the external auditor)
______
______
______
d. Fraud investigations (forensic accounting/auditing)
______
______
______
e. Governance (ethics, control framework, regulatory, linkage of strategy and company performance)
______
______
______
f.
______
______
______
g. Operational
______
______
______
h. Management audits
______
______
______
i.
______
______
______
______
______
______
Information technology audits
Other
Total should add to 100% in each column
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 443
47. If major differences arise around audit issues (audit results versus policy or between auditor and auditee/client), when are they resolved?
Never Rarely Sometimes Usually Always
During planning During audit fieldwork During audit reporting After audit report is issued Never 48. After the release of an audit report in the organization, who has the primary responsibility for reporting findings to senior management? Auditee/client Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service Provider equivalent Internal auditor manager Both internal audit manager and auditee/client Both Chief Audit Executive and auditee/client Other No formal reporting of results 49. After the release of an audit report with findings that need corrective action, who has the primary responsibility to monitor that corrective action has been taken? Auditee/client Internal auditor Both internal audit and auditee/client No formal follow-up Other
The Institute of Internal Auditors Research Foundation
444 A Global Summary of the Common Body of Knowledge 2006 ______________________
VII. Tools, Skills, and Competencies 50. Indicate the extent the Internal Audit Activity uses or plans to use the following audit tools / techniques on an audit engagement: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used
Currently Used
1 2 3 4 5
a. Analytical review b. Balanced scorecard or similar framework c. Benchmarking d. Computer Assisted Audit Techniques e. Continuous/real-time auditing f.
Control Self-assessment
g. Data mining h. Electronic workpapers i.
Flowchart software
j.
Other electronic communication (e.g., Internet, e-mail)
k. Process mapping application l.
Process modeling software
The Institute of Internal Auditors Research Foundation
Plan to use in the next 3 years 1 2 3 4 5
_____________________________ Chapter 10: Research Method and Literature Review 445
m. Risk-based audit planning n. Statistical sampling o. The IIA’s Quality Assessment Review tools p. Total quality management techniques 51. Please mark the five most important of the following behavioral skills for each professional staff level to perform their work. (Behavioral skills are actions towards others measured by commonly accepted standards and management of one’s own actions). Staff
Supervisor Management
Head of Audit Activity
a.
Confidentiality
b.
Facilitating
c.
Governance and ethics sensitivity
d.
Interpersonal skills
e.
Leadership
f.
Objectivity
g.
Relationship building
h.
Staff management
i.
Team building
j.
Team player
k.
Working independently
l.
Work well with all levels of management
The Institute of Internal Auditors Research Foundation
446 A Global Summary of the Common Body of Knowledge 2006 ______________________
52. Please mark the five most important of the following technical skills for each level of professional staff to perform their work. (Technical skills are using terminology or subject matter in a particular field) Staff
Supervisor Management
Head of Audit Activity
a.
Data collection and analysis
b.
Financial analysis
c.
Forensic skills/Fraud awareness
d.
Identifying types of controls (e.g., preventative, detective)
e.
Interviewing
f.
ISO/quality knowledge
g.
Negotiating
h.
Research skills
i.
Risk analysis
j.
Statistical sampling
k.
Total Quality Management
l.
Understanding business
m.
Use of information technology
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 447
53. Please mark the five most important of the following competencies for each level of professional rank to perform their work. (Competencies are skills essential to perform certain tasks). Staff
Supervisor Management
Head of Audit Activity
a. Ability to promote the Internal Audit Activity within the organization
b. Analytical (ability to work through an issue)
c. Change management
d. Communication
e. Conflict resolution
f.
Critical thinking
g. Conceptual thinking
h. Foreign language skills
i.
Keeping up to date with professional changes in opinions, standards and regulations
j.
Organization skills
k. Presentation skills
l.
Problem identification and solution
The Institute of Internal Auditors Research Foundation
448 A Global Summary of the Common Body of Knowledge 2006 ______________________
Staff
Supervisor Management
Head of Audit Activity
m. Project planning and management
n. Report development
o. Time management
p. Training and developing staff
q. Understanding complex information systems
r.
Writing skills
51a. Please indicate the importance of the following behavioral skills for you to perform your work at your position in the organization. (Behavioral skills are actions towards others measured by commonly accepted standards and management of one's own actions). Rank from 1 (minimally important) to 5 (very important) ___ a. Confidentiality ___ b. Facilitating ___ c. Governance and ethics sensitivity ___ d. Interpersonal skills ___ e. Leadership ___ f.
Objectivity
___ g. Relationship building ___ h. Staff management
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 449
___ i.
Team building
___ j.
Team player
___ k. Working independently ___ l.
Work well with all levels of management
52a. Please indicate the importance of the following technical skills for you to perform your work at your position in the organization (Technical skills means using terminology or subject matter in a particular field). Rank from 1 (minimally important) to 5 (very important) ___ a. Data collection and analysis ___ b. Financial analysis ___ c. Forensic skills/Fraud awareness ___ d. Identifying types of controls (e.g., preventative, detective) ___ e. Interviewing ___ f.
ISO/quality knowledge
___ g. Negotiating ___ h. Research skills ___ i.
Risk analysis
___ j.
Statistical sampling
___ k. Total Quality Management ___ l.
Understanding business
___ m. Use of information technology
The Institute of Internal Auditors Research Foundation
450 A Global Summary of the Common Body of Knowledge 2006 ______________________
53a. Please indicate the importance of the following competencies for you to perform your work at your position in the organization (Competencies are skills essential to perform certain tasks). Rank from 1 (minimally important) to 5 (very important) ___ a. Ability to promote the Internal Audit Activity within the organization ___ b. Analytical (ability to work through an issue) ___ c. Change management ___ d. Communication ___ e. Conflict resolution ___ f.
Critical thinking
___ g. Conceptual thinking ___ h. Foreign language skills ___ i.
Keeping up to date with professional changes in opinions, standards, and regulations
___ j.
Organization skills
___ k. Presentation skills ___ l.
Problem identification and solution
___ m. Project planning and management ___ n. Report development ___ o. Time management ___ p. Training and developing staff ___ q. Understanding complex information systems ___ r.
Writing skills The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 451
53b. How important are the following areas of knowledge for satisfactory performance of your job at your position in the organization? Rank from 1 (minimally important) to 5 (very important) ___ a. Accounting ___ b. Auditing ___ c. Business law and government regulation ___ d. Business management ___ e. Changes to professional standards ___ f.
Enterprise risk management
___ g. Ethics ___ h. Finance ___ i.
Fraud awareness
___ j.
Governance
___ k. Human resource management ___ l.
Internal auditing standards
___ m. Information technology ___ n. Managerial accounting ___ o. Marketing ___ p. Organization culture ___ q. Organizational systems
The Institute of Internal Auditors Research Foundation
452 A Global Summary of the Common Body of Knowledge 2006 ______________________
___ r.
Strategy and business policy
___ s. Technical knowledge for your industry VIII. Emerging Issues 54. Do you perceive likely changes in the role of the Internal Audit Activity in the organization over the next 3 years? Increase Decrease Stay the same a. Review of financial processes b. Risk management c. Governance d. Regulatory compliance e. Operational auditing 55. Please identify the roles that the Internal Audit Activity currently has in your organization or will have in the next 3 years. Role means that it is within the scope of your work. Currently have a role Likely to have a role within the next 3 years Unlikely to have a role Not applicable a. Alignment of strategy and performance measures (e.g., Balanced Scorecard) b. Benchmarking c. Corporate governance d. Corporate social responsibility The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 453
e. Develop training and education of organization personnel (e.g., internal controls, risk management, regulatory requirements) f.
Disaster recovery
g. Evidential issues h. Emerging markets i.
Environmental sustainability
j.
Executive compensation
k. Fraud prevention/detection l.
Globalization
m. Intellectual property and knowledge assessment n. IT management assessment o. Knowledge management systems development review p. Mergers and acquisitions q. Project management r.
Provide training to the audit committee
s. Regulatory compliance assessment monitoring t.
Risk management
u. Strategic frameworks
The Institute of Internal Auditors Research Foundation
454 A Global Summary of the Common Body of Knowledge 2006 ______________________
56. Please indicate if the following statements apply to your organization now, in the next 3 years or will not apply in the foreseeable future. Currently Apply Likely to Apply Within the Next 3 Years Will Not Apply in the Foreseeable Future Not Applicable a. Internal auditing is required by law or regulation where the organization is based. b. Internal auditors in the organization have an advisory role in strategy development. c. The organization complies with a corporate governance code. d. The organization has implemented an internal control framework. e. The organization has implemented a knowledge management system. f.
The Internal Audit Activity has provided training to audit committee members.
g. The Internal Audit Activity assumes an important role in the integrity of financial reporting. h. The Internal Audit Activity educates organization personnel about internal controls, corporate governance, and compliance issues. i.
The Internal Audit Activity places more emphasis on assurance than consulting services.
The Institute of Internal Auditors Research Foundation
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 455
THE WILLIAM G. BISHOP III, CIA, MEMORIAL FUND CONTRIBUTORS DIAMOND LEVEL Association of Certified Fraud Examiners The Institute of Internal Auditors (IIA) IIA Baltimore IIA Dallas IIA New York IIA Washington, DC EMERALD LEVEL The Bishop Family Jane Lee and William L. Taylor Thomas J. Warga, CIA JCPenney Company Inc. Jefferson Wells International Inc. Protiviti Inc IIA Central Illinois IIA Central Penn IIA Houston RUBY LEVEL Robert Antoine, CIA Dennis K. Beran, CIA, CCSA John J. Fernandes, CIA, CCSA John J. Flaherty, CIA Jean-Pierre Garitte, CIA, CCSA Eric Hespenheide Al Holzinger Bruce Meikle Patricia K. Miller, CIA Sandra L. Pundmann
Sridhar Ramamoorti, Ph.D., CIA, CPA, CFE, CFSA, CGAP Anthony J. Ridley, CIA C. Wayne Rose, CIA Richard M. Serafini, CIA, CFSA American Institute of Certified Public Accountants (AICPA) Asian Confederation of Institute of Internal Auditors (ACIIA) Association of Healthcare Internal Auditors Fannie Mae Microsoft Corporation IIA Ak-Sar-Ben IIA Albany IIA Austin IIA Australia IIA Birmingham (AL) IIA Green Mountain (VT) IIA Los Angeles IIA Milwaukee IIA Montreal IIA Nashville IIA New Zealand IIA North Jersey IIA Norway IIA Orange County (CA) IIA Phoenix IIA Southern New England IIA United Kingdom and Ireland IIA Vancouver IIA Wichita
The Institute of Internal Auditors Research Foundation
456 A Global Summary of the Common Body of Knowledge 2006 ______________________
FRIEND LEVEL Urton L. Anderson, Ph.D., CIA, CCSA Audley L. Bell, CIA Andrew J. Dahle, CIA Stephen D. Goepfert, CIA Timothy R. Holmes Howard J. Johnson, CIA Carman Lapointe-Young, CIA, CCSA John M. Polarinakis, CIA Ralph E. Purpur Larry E. Rittenberg, Ph.D., CIA Roderick M. Winters, CIA Association of Credit Union Internal Auditors (ACUIA) MIS Training Institute Salt River Project IIA Baltimore IIA Central Florida IIA Central Iowa IIA Central Kentucky IIA Detroit IIA Greater Boston IIA Indianapolis IIA Kansas City IIA Long Island IIA Madison IIA Malaysia IIA Miami IIA Ocean State (RI) IIA Salem (OR) IIA Saskatchewan IIA St. Louis IIA Sweden IIA Tallahassee IIA Tidewater IIA Tulsa IIA Twin Cities IIA Westchester Fairfield IIA Winnipeg
DONOR LEVEL Ronald W. Acker, CIA Bruce Alan Adamec, CIA Augusto Baeta Thomas J. Beirne Joanna Berens Lucia B. Bishop Sten Bjelke, CIA LeRoy E. Bookal, CIA Katy Brown Robert Bullen Judith K. Burke, CCSA Richard F. Chambers, CIA, CCSA, CGAP Nicolette Creatore Prof. Mortimer Dittenhofer, CIA William J. Duane, CIA, CFSA Edward M. Dudley, CIA Charles B. Eldridge Ivy N. Estes Robert A. Ferst, CIA Robert B. Foster Hal A. Garyn, CIA Kimberly Parker Gavaletz, CIA Gaston L. Gianni, Jr., CGAP Audrey A. Gramling, CIA Trish Harris Rudy Hernandez, Jr., CIA Glenn P. Hoffman, CIA, CFSA John Gregory Hutsell Cynthia Huysman Steven Earl Jameson, CIA, CCSA, CFSA Thomas A. Johnson, CIA Wendy W. Kerins, CIA Donald E. Kirkendall, CIA Joel F. Kramer Kevin Kuntz Daniel B. Langer, CIA, CCSA Susan B. Lione, CIA, CCSA, CFSA, CGAP Philip B. Livingston
The Institute of Internal Auditors Research Foundation
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 457
Melani P. Lovik, CIA Marjorie A. Maguire-Krupp, CFSA Stacy M. Mantzaris, CIA, CCSA, CGAP Carlo L. Mastropaolo Dorick V. Mauro Jill E. Mayhew, CIA Sam Michael McCall, CIA Robert N. McDonald, CIA Betty L. McPhilimy, CIA Guenther Meggeneder T. Fred Miller James A. Molzahn Perry Glen Moore, CIA Wayne G. Moore, CIA Kevin M. Morrissey D. Richard Moyer, CIA Jane F. Mutchler Donald J. Nelson, CIA Frank M. O’Brien, CIA Amy B. Owen Paula W. Parker, CIA Dolores C. Pasto-Ziobro, CIA Basil H. Pflumm, CIA Jarred and Shannon Pittman David Polansky Robert B. Powell Charity A. Prentice, CIA, CCSA, CGAP Walter D. Pugh Michael S. Raphael, CIA Richard K. Robinson Anastasia Rodriguez Ford, CIA H. David Rosenstein James P. Roth, Ph.D., CIA, CCSA Charles T. Saunders, Jr., CIA, CCSA Mitchell James Smith Paul J. Sobel, CIA Donald E. Sparks Peteris Strazdins, CIA Margaret G. Summers
Johanna S. Swauger, CIA, CCSA, CFSA Deborah L. Sword Deborah Wheless Tanju, CIA David A. Tenney, CIA Archie R. Thomas, CIA Bena G. Tinsley, CIA Bonnie L. Ulmer Dallal Helen Van Hoeck, CIA Curtis C. Verschoor, CIA Dominique Vincenti, CIA H.C. Warner, CIA John K. Watsen, CIA Billy G. Weathers Scott D. White, CIA, CFSA Douglas E. Ziegenfuss, Ph.D., CIA, CCSA Michael A. Zowine American International Group Association of College and University Auditors (ACUA) Board of Environmental, Health & Safety Auditor Certifications (BEAC) JPA International Inc. Junior Achievement of Central Florida Kraus-Manning Inc. Majestic Star Casino Memphis Blues Rugby Club Office Depot Inc. Omni Hotels Corporation Paisley Consultants/CARDdecisions Inc. PBD Worldwide Fulfillment Services Inc. Shenandoah Group Simon Operation Services Inc. IIA Atlanta IIA Calgary IIA Central Virginia IIA Chattanooga Area IIA Chicago IIA Chinese Taiwán IIA Coastal Georgia
The Institute of Internal Auditors Research Foundation
458 A Global Summary of the Common Body of Knowledge 2006 ______________________
IIA Downeast Maine IIA Edmonton IIA El Paso IIA Granite State (NH) IIA Lansing (MI) IIA Las Vegas IIA Monroe
IIA Ozarks IIA Rochester IIA Santa Fe IIA Sioux Falls IIA Spokane IIA Tucson IIA U.S. Pacific
THE IIA RESEARCH FOUNDATION CHAIRMAN’S CIRCLE Cargill Inc. Chevron Deloitte & Touche LLP Ernst & Young LLP ExxonMobil Corporation JCPenney Company Lockheed Martin Corporation Microsoft Corporation PricewaterhouseCoopers LLP Protiviti Inc. Raytheon Company David A. Richards, CIA Paul J. Sobel, CIA Rod and Donna Winters
The Institute of Internal Auditors Research Foundation
_________________________________ The IIA Research Foundation Board of Trustees 459
The IIA Research Foundation Board of Trustees President Roderick M. Winters, CIA, CPA Microsoft Corporation Vice President - Strategy Eric J. Hespenheide, CPA Deloitte & Touche LLP
Treasurer Stephen W. Minder, CIA Archer Daniels Midland Company
Vice President - Research Robert B. Foster, CFE Fidelity Investments
Secretary Oliver Ray Whittington, Ph.D., CIA DePaul University
Vice President - Development Dennis K. Beran, CIA, CCSA, CPA, CFE JCPenney Company, Inc. Members Mark Hamill Protiviti Inc.
Gregory C. Redmond Chevron Corporation
Michael A. Herzog Ernst & Young LLP
Paul J. Sobel, CIA, CPA Mirant Corporation
Robert B. Hirth, CPA, CA Protiviti Inc.
Jay R. Taylor, CIA General Motors Corporation
Howard J. Johnson, CIA, CPA.
William L. Taylor, CPA, CGFM
Michael Lickteig, CIA, CCSA Susan J. Komen Breast Cancer Foundation
Donald E. Tidrick, Ph.D., CIA Northern Illinois University
Marjorie A. Maguire-Krupp American International Group
Susan D. Ulrey KPMG LLP
Wayne G. Moore, CIA, CPA
Anton B. van Wyk, CIA, CFA PricewaterhouseCoopers LLP
Johannes (Hans) Nieuwlands NUON Sridhar Ramamoorti, Ph.D., CIA, CPA, CFE, CFSA, CGAP Grant Thornton Chicago
Shi Xian Nanjing Audit University Douglas Ziegenfuss, Ph.D., CIA, CCSA Old Dominion University
The Institute of Internal Auditors Research Foundation
460 A Global Summary of the Common Body of Knowledge 2006 ______________________
The IIA Research Foundation Board of Research and Education Advisors
Chairman Robert B. Foster, CFE, Fidelity Investments
Vice Chairman Susan D. Ulrey, KPMG LLP
Members George R. Aldhizer III, Ph.D., CIA, Wake Forest University Lalbahadur Balkaran, CIA, FCMA, KPMG LLP Kevin W. Barthold, CPA, CISA, San Antonio Credit Union Edmund Beemer, Hudson Thomas J. Beirne, CFSA, CPA, CBA, Protiviti Inc. Audley L. Bell, CIA, CPA, CFE, CISA, Habitat for Humanity International Iva Cerna, CIA, Zentiva a.s. Thomas J. Clooney, CCSA, CPA, CBA, CSP, KPMG LLP Kathryn Constantopoulos, Deloitte & Touche LLP Jean Coroller, Ernst & Young LLP Mary Christine Dobrovich, Jeffersonwells International Helen Dozois, CIA, Burger King Corporation Susan Page Driver, CIA, CPA, CISA, Comptroller of Public Accounts Donald A. Espersen, CIA, CBA, despersen & associates Gareth Evans, MIIA, United Kingdom Philip E. Flora, CIA, CCSA, CFE, CISA, Texas Guaranteed Student Loan John M. Furka, CPA, Brown Brothers Harriman & Co. John C. Gazlay, CPA, CCP, Freddie Mac Dan B. Gould, CIA, JCPenney Company, Inc. Peter M. Hughes, Ph.D., CIA, CPA, CFE, Orange County
Ronald W. Lackland, University of Central England Richard B. Lanza, CPA, Cash Recovery Partners LLC David J. MacCabe, CIA, CGAP, Teacher Retirement System of Texas Gary J. Mann, Ph.D., CPA, University of Texas at El Paso Trevor B. Martin, National Oilwell Varco Gary R. McGuire, CIA, CPA, Lennox International Inc. John D. McLaughlin, Smart and Associates LLP Steven S. Mezzio, CIA, CCSA, CFSA, CPA, CISSP, CBA, Resource Connection Anna Rebecca Nicodemus, CIA, CPA, CFE, Belo Corporation Claire Beth Nilsen, CFSA, CRCM, CFE, CRP, Yardville National Bank Jacob Nuss, Israel Aircraft Industries Ltd. Daniel Pantera, The Methodist Hospital Mark R. Radde, CIA, CPA, Buffets Inc. M. Rajeshwaran, EID Parry India Ltd. Alan Reinstein, Ph.D., CPA, PBA, Wayne State University David G. Royal, Texas Department of Insurance Mark L. Salamasick, CIA, CISA, CDP, CSP, University of Texas at Dallas Jesus Antonio Serrano Nava, CIA, Banco Azteca Katherine E. Sidway, Ernst & Young LLP James G. Swearingen, CPA, Weber State University
The Institute of Internal Auditors Research Foundation