2011 Emerging Trends and Leading Practices...51.3% 362 More than usual 31.3% 221 Extensive 8.2% 58 Not Answered 1 Mean 3.361 Valid Responses 706 Total Responses 707 9: Which of the

2011 Emerging Trends and Leading Practices

1 Copyright © 2011 The Institute of Internal Auditors

Emerging Trends and Leading Practices 2011

North American Respondents

Executive Summary Report

Number of Responses Analyzed: 707

Total number of responses collected Globally: 1,377

1: From 2010 to 2011, the staffing levels of my internal audit function:

Response Chart Frequency Count

Increased, by what % (below) 18.2% 129

Decreased, by what % (below) 12.6% 89

Stayed the same 69.2% 489

Valid Responses 707

Total Responses 707

Increased by: Count Decreased by: Count

1–5% 22 1–5% 12

6–10% 26 6–10% 19

11–15% 11 11–15% 10

16–20% 17 16–20% 12

21–30% 18 21–30% 12

31–40% 12 31–40% 8

41–50% 12 41–50% 15

More than 50% 7 More than 50% 1


2: From 2010 to 2011, the budget of my internal audit function:


Increased, by what percentage (see below)

31.3% 221

Decreased, by what percentage (see below)

19.0% 134

Stayed the same 49.7% 351

Not Answered 1

Valid Responses 706

Total Responses 707

Increased by: Count Decreased by: Count

1–5% 95 1–5% 31

6–10% 50 6–10% 38

11–15% 15 11–15% 13

16–20% 19 16–20% 12

21–30% 13 21–30% 10

31–40% 10 31–40% 4

41–50% 3 41–50% 11

More than 50% 7 More than 50% 2


3: How would you rate the collective knowledge of your organization’s business by your internal audit staff: (Respondents could only choose a single response)


Inadequate 0.4% 3

Limited/developing 15.6% 110

Adequate 36.8% 260

Above average 35.7% 252

Extensive 11.5% 81

Not Answered 1

Mean 3.422

Valid Responses 706

Total Responses 707

4: Which of the following staffing strategies do you employ to acquire and maintain knowledge of the business by your staff: (Choose all that apply)


Rotational program in which

experienced professionals from the business rotate into

internal auditing on an

ongoing basis

15.6% 110

Active recruitment of

experienced professionals with industry experience or

knowledge

42.4% 300

Co-sourcing relationship with a third-party provider to

leverage industry experience

33.5% 237

Internal development of

existing personnel 85.1% 602

Other, please explain (see

Appendix A): 11.6% 82

I do not consider acquisition of business/industry

knowledge to be a priority

0.8% 6

Valid Responses 707

Total Responses 707


5: Which of the following strategies do you employ to enhance and maintain knowledge of the business within your staff: (Choose all that apply)


Partnering inexperienced staff with more experienced or seasoned staff on

engagements warranting knowledge of

the business

66.5% 470

Hosting regular all-staff training events

to learn from company executives, business unit leaders, and others

31.0% 219

The CAE participates in one or more

industry focused CAE groups, roundtables, or events

53.5% 378

The CAE frequently, but informally,

benchmarks and networks with CAEs of peer companies in the industry

46.5% 329

Staff receive training focused on

industry risks or issues that may warrant internal audit coverage

66.6% 471

Internal audit staff subscribe to

industry periodicals or other

literature to stay current on risks or issues that may warrant internal

audit coverage

73.8% 522

Internal auditing or the company has

deployed an extensive knowledge

management framework that is drawn upon to acquire, enhance, and maintain

knowledge of the business

20.5% 145

Other, please explain (see Appendix B) 6.2% 44

Valid Responses 707

Total Responses 707


6: If surveyed today on how well internal auditing is meeting their needs and expectations, executive management in my company would probably rate their overall satisfaction as: (Respondents could only choose a single response)


Unacceptable 0.4% 3

Poor 2.3% 16

Acceptable 27.4% 194

Good 57.0% 403

Outstanding 12.9% 91

Mean 3.796

Valid Responses 707

Total Responses 707

7: If surveyed today on how well internal auditing is meeting its needs and expectations, my audit committee would probably rate its overall satisfaction as: (Respondents could only choose a single response)


Unacceptable 0.1% 1

Poor 0.7% 5

Acceptable 18.1% 127

Good 56.3% 395

Outstanding 24.8% 174

Not Answered 5

Mean 4.048

Valid Responses 702

Total Responses 707


8: Over the past year, how much have the needs and expectations of management and the audit committee driven change in the focus or coverage of your internal audit function? (Respondents could only choose a single response)


No influence 2.4% 17

Minimal 6.8% 48

There has been some influence, but no more than usual

51.3% 362

More than usual 31.3% 221

Extensive 8.2% 58

Not Answered 1

Mean 3.361

Valid Responses 706

Total Responses 707

9: Which of the following strategies do you employ in assessing the needs and expectations of your stakeholders? (Choose all that apply)


Formal surveys of key stakeholders to assess expectations and internal

auditing’s performance against them

40.3% 285

Regular formal meetings with key

stakeholders to assess their expectations

and internal auditing’s performance against them

59.5% 421

Discussions with the full executive leadership/management team of my

company in the same room to assess their collective expectations and internal

auditing’s performance against them.

28.6% 202

Ongoing informal discussions with the chairman of the audit committee

to assess his/her expectations and internal auditing’s performance

against them

69.3% 490

Discussions with the full audit committee to assess their collective expectations and

internal auditing’s performance against them

56.0% 396

Other, please explain (See Appendix C): 14.1% 100

Valid Responses 707

Total Responses 707


10: In what areas is technology leveraged for ongoing internal audit activities and what tools are used? (Technology used)

Yes No Total Mean

Risk assessment activities

Count 419 259 678 1.382

% by Row 61.8% 38.2% 100.0%

Audit planning Count 425 253 678 1.373

% by Row 62.7% 37.3% 100.0%

Control analysis Count 329 329 658 1.500

% by Row 50.0% 50.0% 100.0%

Data analysis Count 528 133 661 1.201

% by Row 79.9% 20.1% 100.0%

Substantive

testing Count 446 213 659 1.323

% by Row 67.7% 32.3% 100.0%

Workpaper management

Count 485 190 675 1.281

% by Row 71.9% 28.1% 100.0%

Reporting Count 410 255 665 1.383

% by Row 61.7% 38.3% 100.0%

Managing findings

and issues Count 469 199 668 1.298

% by Row 70.2% 29.8% 100.0%

Performance

management for

internal auditing

Count 273 396 669 1.592

% by Row 40.8% 59.2% 100.0%

Communication Count 371 295 666 1.443

% by Row 55.7% 44.3% 100.0%

Continuous audit

activities Count 280 382 662 1.577

% by Row 42.3% 57.7% 100.0%

Total Count 4435 2904 7339 N/A

% by Row 60.4% 39.6% 100.0%


10: In what areas is technology leveraged for ongoing internal audit activities and what tools are used? (Type of tool used, if applicable)

Data analysis

GRC system

Security monitoring

Audit management

Other Total

Risk assessment

activities Count 227 67 40 203 113 707

% by

Row 32.1% 9.5% 5.7% 28.7% 16.0% 100.0%

Audit planning Count 211 44 23 280 107 707

% by

Row 29.8% 6.2% 3.3% 39.6% 15.1% 100.0%

Control analysis Count 174 70 59 160 91 707

% by

Row 24.6% 9.9% 8.3% 22.6% 12.9% 100.0%

Data analysis Count 457 24 39 88 87 707

% by

Row 64.6% 3.4% 5.5% 12.4% 12.3% 100.0%

Substantive testing Count 303 38 48 159 105 707

% by

Row 42.9% 5.4% 6.8% 22.5% 14.9% 100.0%

Workpaper management

Count 61 56 14 329 150 707

% by Row

8.6% 7.9% 2.0% 46.5% 21.2% 100.0%

Reporting Count 53 36 15 253 179 707

% by

Row 7.5% 5.1% 2.1% 35.8% 25.3% 100.0%

Managing findings

and issues Count 73 52 15 278 192 707

% by Row

10.3% 7.4% 2.1% 39.3% 27.2% 100.0%

Performance management for

internal auditing

Count 66 17 9 149 155 707

% by Row

9.3% 2.4% 1.3% 21.1% 21.9% 100.0%

Communication Count 39 26 15 162 225 707

% by

Row 5.5% 3.7% 2.1% 22.9% 31.8% 100.0%

Continuous audit

activities Count 217 23 32 86 85 707

% by

Row 30.7% 3.3% 4.5% 12.2% 12.0% 100.0%


11: For the following tools that you use, please identify whether these tools are commercially available, internally developed, a combination of the two, or not used, and rank your satisfaction with each of them.

(Source)

Commercially available

Internally developed

Combination of commercially available and internally developed

Not used Total

Data analysis tools

Count 388 76 112 70 646

% by Row 60.1% 11.8% 17.3% 10.8% 100.0%

GRC systems Count 122 47 21 350 540

% by Row 22.6% 8.7% 3.9% 64.8% 100.0%

Security

monitoring tools

Count 134 59 53 287 533

% by Row 25.1% 11.1% 9.9% 53.8% 100.0%

Audit

management tools

Count 274 129 68 132 603

% by Row 45.4% 21.4% 11.3% 21.9% 100.0%

Other tools Count 183 103 73 153 512

% by Row 35.7% 20.1% 14.3% 29.9% 100.0%

Total Count 1101 414 327 992 2834

% by Row 38.8% 14.6% 11.5% 35.0% 100.0%

(Level of Satisfaction)

Not satisfied at all

Needs improvement

Satisfied Extremely satisfied

Total Mean

Data analysis

tools

Count 4 127 375 53 559 2.853

% by Row 0.7% 22.7% 67.1% 9.5% 100.0%

GRC systems Count 20 66 111 15 212 2.571

% by Row 9.4% 31.1% 52.4% 7.1% 100.0%

Security monitoring tools

Count 19 61 160 15 255 2.671

% by Row 7.5% 23.9% 62.7% 5.9% 100.0%

Audit

management

tools

Count 16 126 264 52 458 2.769

% by Row 3.5% 27.5% 57.6% 11.4% 100.0%

Other tools Count 9 87 238 23 357 2.770

% by Row 2.5% 24.4% 66.7% 6.4% 100.0%

Total Count 68 467 1148 158 1841 N/A

% by Row 3.7% 25.4% 62.4% 8.6% 100.0%


12: For 2011 audit activities, please indicate whether the focus of your internal audit plan has changed for the following since 2010:

Increased No change Decreased Total

Financial risks Count 196 437 31 664

% by Row 29.5% 65.8% 4.7% 100.0%

Financial reporting controls testing

Count 87 480 113 680

% by Row 12.8% 70.6% 16.6% 100.0%

Operational risks Count 395 286 17 698

% by Row 56.6% 41.0% 2.4% 100.0%

Compliance risks Count 395 289 15 699

% by Row 56.5% 41.3% 2.1% 100.0%

Credit risks Count 106 539 48 693

% by Row 15.3% 77.8% 6.9% 100.0%

Fraud risks Count 308 382 8 698

% by Row 44.1% 54.7% 1.1% 100.0%

Catastrophic/disaster

recovery risks

Count 125 539 33 697

% by Row 17.9% 77.3% 4.7% 100.0%

Crisis management Count 84 578 34 696

% by Row 12.1% 83.0% 4.9% 100.0%

Effectiveness of risk management

Count 291 389 19 699

% by Row 41.6% 55.7% 2.7% 100.0%

Cost/expense reduction or

containment

Count 212 452 36 700

% by Row 30.3% 64.6% 5.1% 100.0%

Reputational risks Count 177 507 18 702

% by Row 25.2% 72.2% 2.6% 100.0%

Mergers and acquisitions Count 120 503 59 682

% by Row 17.6% 73.8% 8.7% 100.0%

Total Count 2496 5381 431 8308

% by Row 30.0% 64.8% 5.2% 100.0%

12a: If there is a notable area not listed in question 12, please list it here and indicate whether it has increased or decreased in focus, or stayed the same. SEE APPENDIX D


13: Rate the following attributes in terms of importance and level of performance for your internal audit function: (Importance)

Not important at all

Somewhat important

Important Very important

Extremely important

Total Mean

Effectively managing stakeholder

relationships

Count 5 44 161 264 224 698 3.943

% by

Row 0.7% 6.3% 23.1% 37.8% 32.1% 100.0%

Effectively meeting stakeholder

expectations

Count 5 22 166 296 208 697 3.976

% by

Row 0.7% 3.2% 23.8% 42.5% 29.8% 100.0%

Effectively leveraging

technology

Count 24 138 253 210 66 691 3.226

% by Row

3.5% 20.0% 36.6% 30.4% 9.6% 100.0%

Promoting customer service focus

Count 17 123 221 235 95 691 3.388

% by Row

2.5% 17.8% 32.0% 34.0% 13.7% 100.0%

Conformance with The

IIA's Standards

Count 24 106 204 195 148 677 3.498

% by

Row 3.5% 15.7% 30.1% 28.8% 21.9% 100.0%

Risk methodology that

focuses on critical risks

Count 3 30 131 313 208 685 4.012

% by

Row 0.4% 4.4% 19.1% 45.7% 30.4% 100.0%

Value proposition of

internal auditing that

is well documented and communicated

Count 33 139 230 204 81 687 3.234

% by

Row 4.8% 20.2% 33.5% 29.7% 11.8% 100.0%

Internal audit plan that is aligned with the

organization’s strategic

plan

Count 13 48 172 279 181 693 3.818

% by

Row 1.9% 6.9% 24.8% 40.3% 26.1% 100.0%

Continuous improvement and

innovation

Count 12 96 240 253 90 691 3.453

% by

Row 1.7% 13.9% 34.7% 36.6% 13.0% 100.0%

Appropriate talent pool

Count 9 44 170 294 168 685 3.829

% by

Row 1.3% 6.4% 24.8% 42.9% 24.5% 100.0%

Cost-effective and efficient operations

Count 8 79 278 252 76 693 3.446

% by Row

1.2% 11.4% 40.1% 36.4% 11.0% 100.0%

Alignment of risk, control, and

compliance functions

Count 14 81 218 272 109 694 3.549

% by

Row 2.0% 11.7% 31.4% 39.2% 15.7% 100.0%

Total Count 167 950 2444 3067 1654 8282 N/A

% by Row

2.0% 11.5% 29.5% 37.0% 20.0% 100.0%


(See Appendix E for alternative analysis of the data in question 13)

13: Rate the following attributes in terms of importance and level of performance for your internal audit function: (Level of Performance)

Inadequate Limited/ developing

Adequate Above average

Exceptional Total Mean

Effectively managing

stakeholder relationships

Count 8 50 302 289 37 686 3.433

% by Row

1.2% 7.3% 44.0% 42.1% 5.4% 100.0%


expectations

Count 9 58 296 293 29 685 3.401

% by Row

1.3% 8.5% 43.2% 42.8% 4.2% 100.0%

Effectively leveraging technology

Count 58 255 270 80 15 678 2.615

% by

Row 8.6% 37.6% 39.8% 11.8% 2.2% 100.0%


Count 5 98 335 199 40 677 3.253

% by

Row 0.7% 14.5% 49.5% 29.4% 5.9% 100.0%

Conformance with The IIA's Standards

Count 14 89 327 191 53 674 3.267

% by

Row 2.1% 13.2% 48.5% 28.3% 7.9% 100.0%



Count 12 120 271 237 38 678 3.249

% by

Row 1.8% 17.7% 40.0% 35.0% 5.6% 100.0%

Value proposition of internal auditing that is

well documented and communicated

Count 40 186 308 124 18 676 2.843

% by

Row 5.9% 27.5% 45.6% 18.3% 2.7% 100.0%

Internal audit plan that

is aligned with the organization’s strategic

plan

Count 14 113 293 218 44 682 3.242

% by Row

2.1% 16.6% 43.0% 32.0% 6.5% 100.0%

Continuous

improvement and innovation

Count 21 173 306 153 29 682 2.994

% by

Row 3.1% 25.4% 44.9% 22.4% 4.3% 100.0%

Appropriate talent pool Count 36 132 312 178 19 677 3.018

% by Row

5.3% 19.5% 46.1% 26.3% 2.8% 100.0%

Cost-effective and

efficient operations

Count 13 77 366 186 41 683 3.242

% by

Row 1.9% 11.3% 53.6% 27.2% 6.0% 100.0%

Alignment of risk, control, and

compliance functions

Count 28 155 316 154 27 680 2.996

% by

Row 4.1% 22.8% 46.5% 22.6% 4.0% 100.0%

Total Count 258 1506 3702 2302 390 8158 N/A

% by Row

3.2% 18.5% 45.4% 28.2% 4.8% 100.0%


14: What do you feel are the top three risks that are or will impact your organization in 2011, and how is internal auditing positioned to assess and help the organization mitigate these risks? (Positioning)

Not positioned at all

Somewhat positioned

Well positioned Total Mean

Risk 1 Count 79 331 217 627 2.220

% by Row

12.6% 52.8% 34.6% 100.0%

Risk 2 Count 58 342 207 607 2.245

% by

Row 9.6% 56.3% 34.1% 100.0%

Risk 3 Count 88 327 155 570 2.118

% by Row

15.4% 57.4% 27.2% 100.0%

Total Count 225 1000 579 1804 N/A

% by Row

12.5% 55.4% 32.1% 100.0%

14-1: List of top risks, and how internal auditing is positioned to assess and help the organization mitigate these risks: (Respondents were limited to brief text responses)

RISK Not positioned at all Somewhat positioned Well positioned Total

Specific risks yet to be analyzed

Responses


15: For each of the following, indicate the extent to which your internal audit staff collectively possesses the required skills to address needed coverage: (Extent of Skills)

Significantly lacking

Inadequate Adequate Expert level

Not required

Total Mean

Business and industry-

specific knowledge

Count 2 36 428 228 1 695 3.273

% by

Row 0.3% 5.2% 61.6% 32.8% 0.1% 100.0%

IT (general) Count 20 137 361 164 14 696 3.022

% by Row

2.9% 19.7% 51.9% 23.6% 2.0% 100.0%

Data mining and analytics

Count 34 241 322 86 10 693 2.707

% by

Row 4.9% 34.8% 46.5% 12.4% 1.4% 100.0%

Cybersecurity

and privacy Count 48 221 317 70 40 696 2.760

% by

Row 6.9% 31.8% 45.5% 10.1% 5.7% 100.0%

Risk

management Count 1 50 458 181 5 695 3.200

% by Row

0.1% 7.2% 65.9% 26.0% 0.7% 100.0%

Fraud auditing Count 8 107 423 153 6 697 3.060

% by

Row 1.1% 15.4% 60.7% 22.0% 0.9% 100.0%

Forensics and

investigations Count 33 179 317 111 54 694 2.963

% by

Row 4.8% 25.8% 45.7% 16.0% 7.8% 100.0%

Quality control (e.g., Six

Sigma, ISO)

Count 49 215 265 37 129 695 2.974

% by

Row 7.1% 30.9% 38.1% 5.3% 18.6% 100.0%

Strategic initiatives and

programs

Count 8 127 451 76 29 691 2.987

% by

Row 1.2% 18.4% 65.3% 11.0% 4.2% 100.0%

Interviewing Count 3 47 478 157 8 693 3.173

% by Row

0.4% 6.8% 69.0% 22.7% 1.2% 100.0%

Total Count 206 1360 3820 1263 296 6945 N/A

% by Row

3.0% 19.6% 55.0% 18.2% 4.3% 100.0%


15a: If there is any other area not mentioned above, please list it and indicate the extent to which your internal audit staff collectively possesses the required skills to address needed coverage: (Extent of Skills)


Inadequate Adequate Expert level Total Mean

Area 1: Count 2 17 26 16 61 2.918

% by Row

3.3% 27.9% 42.6% 26.2% 100.0%

Area 2: Count 2 9 18 9 38 2.895

% by

Row 5.3% 23.7% 47.4% 23.7% 100.0%

Area 3: Count 2 6 4 4 16 2.625

% by Row

12.5% 37.5% 25.0% 25.0% 100.0%

Total Count 6 32 48 29 115 N/A

% by Row

5.2% 27.8% 41.7% 25.2% 100.0%

15a-1: For areas not mentioned above, please list them and indicate the extent to which your internal audit staff collectively possesses the required skills to address needed coverage: (Respondents were limited to brief text responses)


Inadequate Adequate Expert level Total

Specific areas yet to be analyzed

Total Responses


16: What skill sets are you actively recruiting for, or anticipating recruiting for, in your internal audit function this year? (Choose all that apply)


Business and industry-specific knowledge 44.0% 311

IT (general) 44.6% 315

Data mining and analytics 37.9% 268

Cybersecurity and privacy 11.7% 83

Risk management 20.2% 143

Risk assessment activities 20.5% 145

Report writing 19.4% 137

Fraud auditing 16.3% 115

Forensics and investigations 11.7% 83

Quality control (e.g., Six Sigma, ISO) 10.5% 74

Strategic initiatives and programs 9.9% 70

Interviewing 8.9% 63

Other, please specify (See Appendix F): 17.4% 123

Valid Responses 707

Total Responses 707

17: In addition to traditional roles and responsibilities, internal auditing is also primarily responsible for: (Choose all that apply) Response Chart Frequency Count

Risk management 33.1% 234

Ethics investigations 37.5% 265

Managing corporate hotline 28.6% 202

Financial reporting controls compliance (e.g., the U.S. Sarbanes-Oxley Act)

39.9% 282

Regulatory compliance (general) 28.6% 202

IT security 11.3% 80

Fraud investigations 57.1% 404

Compliance with anti-bribery legislation 12.9% 91

None of the above 14.6% 103

Other, please specify (see Appendix G): 8.8% 62

Valid Responses 707

Total Responses 707


18: What is the size of your internal audit function (calculated in total full-time equivalents)? (Respondents could only choose a single response)


1–2 16.4% 116

3–6 34.3% 242

7–15 22.7% 160

16–20 7.6% 54

21–30 6.9% 49

More than 30 12.0% 85

Not Answered 1

Valid Responses 706

Total Responses 707

19: Select the annual revenue range that best fits your organization: (Respondents could only choose a single response)


Less than USD 10 million 6.0% 42

USD 10 million to less than

USD 50 million 6.6% 46

USD 50 million to less than USD 100 million

4.4% 31

USD 100 million to less than USD 500 million

18.5% 130

USD 500 million to less than USD 1 billion

17.7% 124

USD 1 billion to less than

USD 10 billion 33.7% 236

USD 10 billion or more 13.1% 92

Not Answered 6

Valid Responses 701

Total Responses 707


20: What best describes your title or is equivalent to your current position or role within your organization? (Respondents could only choose a single response)


Chief audit executive

(CAE) 64.2% 453

Internal audit director or

manager who is direct report

to CAE

22.2% 157

Other internal audit manager

or supervisor 7.2% 51

Internal audit staff with 3 or

more years of internal audit experience

2.8% 20

Internal audit staff with less

than 3 years of internal audit experience

1.3% 9

Other, please specify: 2.3% 16

Not Answered 1

Valid Responses 706

Total Responses 707

20-1: If not listed above, what best describes your title or is equivalent to your current position or role within your organization?

Response

Owner

business consultant and trainer of auditors

Security Manager

All staff are senior auditors. I have over 25 years experience.

Consultant (4 responses)

Staff/Consultant

VP operations

Audit Committee Chair

Director of KM

Audit Manager

Director of KM

Chief Risk Officer

past CEA of 9+ years

VP Internal Audit - Direct Report to CAE

Responses 16


21: Which category best describes your organization's primary industry?


Aerospace and defense 0.7% 5

Agriculture/forestry/fisheries 0.4% 3

Communication/telecommunication

services 1.4% 10

Construction/engineering/architecture 1.4% 10

Consulting services 1.4% 10

Consumer packaged goods 1.9% 13

Distribution 1.0% 7

Educational services 5.6% 39

Energy/oil and gas 3.0% 21

Financial services/banking/real

estate 19.4% 136

Gaming/lotteries 1.4% 10

Health services 6.8% 48

Hospitality/entertainment/restaurant 2.1% 15

Insurance carriers/agents 6.7% 47

Local government 5.0% 35

National/federal government 2.1% 15

Manufacturing 10.5% 74

Mining 0.6% 4

Nonprofit sector 3.1% 22

Pharmaceuticals 1.6% 11

Public accounting/accounting services 0.6% 4

State/provincial government 3.6% 25

Technology 4.0% 28

Transportation 1.7% 12

Utilities 4.3% 30

Wholesale/retail 5.4% 38

Other 4.3% 30

Not Answered 5

Valid Responses 702

Total Responses 707


22: Is your organization listed as: (Respondents could only choose a single response)


Fortune 100 5.6% 39

Fortune 250 3.9% 27

Fortune 500 10.8% 75

Fortune 1000 6.5% 45

Global 2000 2.7% 19

None of the above 70.5% 491

Not Answered 11

Valid Responses 696

Total Responses 707

23: Please select the geographic region in which you work. (For a list of countries in each region, click here.) (Respondents could only choose a single response)


Africa 0.0% 0

Asia 0.0% 0

Europe 0.0% 0

Latin America and the Caribbean

0.0% 0

North America 100.0% 707

Oceania (includes Australia,

New Zealand, Micronesia, Melanesia, and Polynesia)

0.0% 0

Valid Responses 707

Total Responses 707

http://www.theiia.org/download.cfm?file=27442

http://www.theiia.org/download.cfm?file=27442


(The following 202 respondents are from the non-North American versions of the survey, which was made available globally; the North American version of the survey did not present these next 3 questions)

24: In which country or territory do you work? (Respondents could only choose a single response)


United States 90.0% 180

Canada 7.5% 15

Mexico 1.0% 2

South Korea 0.5% 1

Venezuela 0.5% 1

Valid Responses 200

Total Responses 202

24a: Other country: Respondents to this question had also selected a country in question 24, indicating these are additional

countries in which they work. (Respondents were limited to brief text responses)


Other Responses 100.0% 9

Valid Responses 9

Total Responses 9

25: Please select your Institute: (Respondents could only choose a single response)


North American chapter in

the U.S., Canada, or

Caribbean

97.4% 187

IIA MEXICO (204) 0.5% 1

IIA UNITED KINGDOM & IRELAND (21)

0.5% 1

IIA VENEZUELA (290) 0.5% 1

None 1.0% 2

Not Answered 10

Valid Responses 192

Total Responses 202


Appendix A 4-1: What other staffing strategies do you employ to acquire and maintain knowledge of the business by your staff: Response

Active Knowledge Management program in IA

Active liaison program where auditor interacts with management. They stay abreast of what is happening in the industry, competitors, and detailed knowledge of our business.

Active recuritement with Co-sourcing

Active roles in North American lottery-related organizations

Broad and deep relationships with business partners

Brown Bag Lunches with Company subject matter experts, participation in industry groups (COPAS)

Close SOX testing with Business Unit people

Student/recent graduate pipeline (4 responses)

college recruiting - internal audit specialization programs

internship through local university

New college grads hired and trained and then placed into operations

student interns

consulting, sitting on committees, participating in planning, etc.

Continuing Education support

Daily briefings by me from Executive level meetings that I attend

Entrenamientos privado afueara de la oficina.

Exposure over time via audits

Extensive Training

External development (offsite training) (7 responses)

e.g., seminars, workshops, conferences

Fully outsourcing certain audit projects to bring in expertise that I cannot afford nor do I need on staff on a consistent basis.

gain knowledge through interaction with company personnel, brown bag session, and industry related educational opportunities

guest auditor program (4 responses); comments include:

functional area guest auditors

guest auditors from within the business and IA participation in business initiatives

Hire a potential candidate and train him or her internally

Hire external if internal not available, when, hiring.

Hiring qualified candidates from within the business (3 responses); comments include:

Recruitment from the business

I keep the staff informed of district level initiatives, objectives, and changes in the strategic plans through training and having them review documents

I would employ all 4 of the options listed in the survey (a staffing plan was developed in 2007); unfortunately it is currently being blocked by the CFO and the audit committee is not "actively" aware of the situation and, more importantly, the impact.

In house training and interviews with business personnel

industry specific certifications

internal availability of existing staff


Internal Orientation/Training

Internship from the business, but not a regular rotation

learn it thru industry groups etc

learning from other more experienced people in the organization

Low Turnover in audit staff (4 responses); comments include:

Retaining experienced internal audit staff - about half currently have over tens years of experience

lucky to have tenured staff

meet with inhouse subject matter experts as needed

networking and knowledge sharing

Specific training of new hires (2 responses) comments include:

New staff members work two to four weeks with the different levels of personnel and management to learn the industry, processes, roles, etc.

One man shop (3 responses)

ongoing visits with operating depts

participate on ISO Audits and audit of operating metrics

Participating on project teams for key strategic initiatives (i.e. new markets, new products, etc)

Performance of audits in many areas of business.

practice area relationships at many levels (IA interaction with business leaders)

professional development,pursue other professional designations;board service w/other professionals;professional periodicals;regularly attend staff meetings

Project-specific rotation from outside the IA staff

Quarterly lunch and learn by leaders in different business areas

Read literature on various business and operational aspects; not just auditing

regular speakers from the businesses at our training sessions

Review of internal product and financial presentations

Ride-along programs

rotating audit assignments in different operational areas

Rotational program for IT audit only

secondment of operational staff for specific short term audits

small size of company (less than 200 employees) helps; regular attendance in select core business status monitoring meetings helps.

Some auditors have industry knowledge

Subject Matter Expert Program (3 response); comments include:

Subject Matter Expert Program internal to IA

subject matter expert designation within dept and coordination with Corporate leaders.

Toda la plantilla, de manera ordinaria es considerada para evaluar todos los procesos sujetos a nuestro alcance.

trainings

walk throughs of business units prior to audits

We are in the process of restructuring to bring in a more technology focused staff.

We do a top-down operational risk assessment of each major business, meaning we document processes, risks, and controls that are operational/non-financial reporting. We acquire knowledge through the audit of key processes.

We have our internal audit staff actively participate in both our annual and quarterly enterprise risk assessment


activities, which helps them not only assess risks but also gain/maintain knowledge of our business.

working on a formal rotation plan now, but to date it has been very informal.

Responses 82

Back Appendix B

5-1: What other strategies do you employ to enhance and maintain knowledge of the business within your staff:

A knowledge warehouse has been established to share information.

Actively explore opportunities to work with Business Units on Continuous Improvement projects

Aggressive meeting schedule with key business leaders.

All directors (5) speak and are involved in national committees

Attendance at conferences by staff

Audit managers, directors and executives participate in each business/function's operational reviews and leadership meetings

audit staff participation in cross-functional committee projects.

Interaction with business management:

continuous interaction with management. Formal quarterly discussions with executive.

IA interaction with internal business leaders and groups

Staff networking with business unit leaders

COSOURCING ARRANGEMENT

exposure through projects

extensive interaction w/Management on operational audits

external training (3 responses); comments include:

such as IIA programs

professional seminars - webinars

GRC Requirements Management practice discipline from our vendor RuleSphere International

Having staff assist external auditors/consultants in financial, SAS 70, IT, fraud, and physical and IT security audits and consulting projects.

IA participating in company sponsored training, coordinating with senior leadership, and performing a variety of audits.

IA Staff engage in Job shadowing/Ride-along experiences within the business

Internal Audit is developing an extensive knowledge management framework of the business

Internal Training Programs (2 responses); comments include:

internal training available to all staff at the company

Learnin while on assignments

Membership in Professional Organization and CPE

Ninguno, la función de auditoría interna tiene un presupuesto muy limitado.

Not sure what you mean by industry standards - does that mean internal audit or the sector that we are in?

Obtaining certifications


OTJ training with engineers filling the rotational positions to learn the project execution side of the business & associated risks

Providing inexperienced staff the opportunity to sit with various business units to gain an understanding of their function and their processes and controls.

Quarterly training

Rotation through different staff assignments to expand business exposure.

Se desarrollo un programa interno de actualización para la plantilla de auditores

SME Program

special Community of Practicemeetings within our industry group

Staff individually pursues areas of interest and shares with the balance of the staff

This is a 1-person shop. I attend IIA and industry audit events (National Retail Federation), webinars, and read periodicals.

Use training available in the organization but outside Internal Audit, both formal and informal (the latter from subject matter experts in the business)

variety of designations strongly encouraged

web based training on regulatory compliance

When we do the top-down operational risk assessment, we work closely with management to make sure we understand the process and have identified the right risks and controls.

work with management of areas under audit to understand their processes, risks and controls, they sign the RCM prepared by IA staff

Responses 42

Back

Appendix C 9: Which of the following strategies do you employ in assessing the needs and expectations of your stakeholders? (Choose all that apply) adding other roles resulting from staff shortages, so communication is as needed and if critical

annual evaluation survey of key constituents

attending operational reviews, strategic dialogue sessions, etc.

benchmarking and QAR

CAE attends various bank committee meetings and informal meetings with management ongoing

CAE takes senior mgmt members out to lunch periodically and informally discusses internal audit's performance vs their expectations

Company-wide internal satisfaction surveys, performance evaluations

cross-functional GRC requirements management

Discussion with mgt during creation of Audit Plan

Discussions with Audit Committee members individually

Discussions with regional- and plant-level management for feedback on our performance, and to identify areas of risk.

discussions with senior management, discussions with internal audit staff


Discussions with the full board in regards to how best to support the Board in its key risk oversight role.

due to the open meetings regulation I cannot meet with the audit committee or chair. I have limited exposure to them unless I am issuing an audit report or having my annual evaluation and providing periodic status reports to them

ERM

Externally led meetings with senior leaders to collect feedback

Formal discussions with the audit committee as we are subject to the Brown Act (sunshine law - California)

formal meetings w/stakeholders - just not regular - perhaps annually

frequent communication from AC Chair

frequent contact with executive management and the audit committee; annual discussions with directors, audit committee, executive team during risk assessment process

Individual meetings with Exec Leadership on an on-going basis for feedback and risk management

Informal communications/feedback from key stakeholders; formal Q&A during annual planning.

Informal discussion and/or meetings (31 responses); comments include

with the senior leadership team

with clients and senior managers

with key stakeholders to assess their expectations & IA's performance against them

with executive management and Audit Committee - nothing in writing

with executives and operational stakeholders

with executives regarding performance and areas where IA can assist

with executive team to discuss how IA is doing.

with management and with auditees

with senior mgmt; discussions with immediate VP

with various employees throughout the year.

with key stakeholders to understand their business and where our testing should focus

with key stakeholders; ongoing participation in management meetings

Informal ongoing individual discussions with most stakeholders

Informal lunch with stakeholders to discuss expectations and explore changes in their business line.

Interviews with key stakeholders as part of comprehensive annual risk assessment.

Keep up with current news items to update risks

Meet Quarterly with Executive Committee To Reveiw IA Activities and Planned Activities; 360 feedback from customers;

Meet with Controller Only

Meetings w/non-exec chair, ceo and audit committee chair

Meetings with CAO to evaluate audit actvities

meets with individual stakeholders due to lack of support by superintendent

Monthly discussions with the CEO

Monthly Meeting with Full Board of Trustees

Most feedback is delivered by CFO. Audit Committee Chairman works through CFO and has minimal direct communications with CAE.

ongoing interaction with all levels of business leaders

Ongoing meetings with senior management

Participation in strategic planning

perform risk assessment.

periodic discussions with external auditors and regulators


periodic feedback from audit committee

periodic meeting with senior management

Post Audit Performance Evaluations/surveys (2 responses)

Pre-planning meeting with Stakeholder and Follow up meetings after audit

QAR (5 responses); comments include:

QAR Results which included extensive interviews with Sr. Mgmt. and Audit Committee Members - Feedback was very positive

QAR: internal review of CAE performance

input from QAR every 5 years

Quarterly discussions with the Audit Committee Chair to assess her expectations

Quarterly formal meetings with Compliance Committee to discuss IA, SOX, and Legal issues

Regular correspondence and meetings with CEO and Business Unit leaders

Regular formal and informal meetings with key members of the executive team to discuss internal audit expectations and emerging risks that may impact the audit plan.

regular formal meetings with the direct reports of our senior leadership team to assess their expectations and our performance

Review with auditee Director after each audit

risk assessment

Self Assessment questionnaires, Self Assessed Risk analysis

Senior Staff and Regional Team Meetings

senior staff meetings, informal meetings w/staff

Separate meetings with members of senior management, not all together in one room.

survey completed by stakeholders after each audit, semi-annual survey of stakeholders (not just execs)

The CEO and CFO, within the past year, made concerted efforts to eliminate the need to communicate with internal audit. The utilized the BOD's lack of awareness to effectively limit and eliminate standard, non-threatening communication with the ac & ia

There is no coherent strategy.

Trending Audit Committee Requests

Use of ERM committee to identify and recommend expectations

Use of the company's ERM findings and periodic meeting with the CFO

We are in the process of launching these strategies.

We do not have an Audit Committee; discuss Board expectations with CFO

We don't have an audit committee. However, I send updates quarterly to management and seek their input.

We have discussions with Senior executives of each of our companies separately

We have the annual planning meetings as well as regular updates in the course of our audits. We also participate on the project teams for key company initiatives.

Yearly individual discussion with members of the audit committee

평가모델이 없음

Responses 101

Back


Appendix D 12a: If there is a notable area not listed in question 12, please list it here and indicate whether it has increased or decreased in focus, or stayed the same. Although we have increased compliance, financial, and operational risks, my staff has been reduced from three auditors to one plus an audit assistant and myself. I need to scope audits without process reviews and focus more on testing of transactions which is not optimal but is the reality of working for a school district. Education funding at the federal level may impact us $60+ million dollars

Anti-Money Laundering has decreased in Focus

BCP Increase

Company went private at the end of 2010 - impacting SOX, financial controls, and internal controls work areas.

Construction risk

Construction Risk of Mega Projects

Corporate Social Responsibility increased on focus

Customer experience/satisfaction risks

Department is relatively new (start-up) so understandably in a growth stage

Dispositions and discontinued business lines

Emerging Risks (change management, attraction & retention, outsourcing)

ERM - increased

ERM and Capital Allocation. More focus on modeling systems and data quality

Ethical behaviors and investigations - increased

examination of ISO audits to determine how we can utilize the results as part of our ERM and Audit Risk analsis.

Government oversight – increased (3 responses)

Healthcare - Quality Risk, Care Delivery System Innovation, Physician Integration,

Human capital and employment practices risks--increased

Information Security

Information Technology - Decreased

Information Technology - Decreased (due to budget reduction)

IT/Information Systems risks: increasing

IT and technology risks – increased

Technology/IT – increased

IT Security – Increased

Technology Risks – Increased

Technology risk enabling strategic initiatives—increased

Technology risks, increased and Emerging markets risk, increased

Technology/Information Security Risks, including those of Social Media -- increased in focus.

Increase in Network & Application Security Audit Coverage including emerging IT risks such as social media.

IT Security - increased.

IT risks – increased

IT has an increased focus for us this year. Although that could be considered operational.

IT risk - new clinical enterprise system being implemented.

IT risks - successful implementation of major systems or upgrades

IT will increase

Information Technology (IT) general controls -- increased focus.


Data reliability and integrity; increased in focus

Data Security risks increased.

Monitoring of application system development efforts (increased)

IT risks

IT risks: no change

IT system security

Insertion of formalized detailed risk assessment and management methodology.

Internal audits involvement in GRC is increasing.

International (Country) Risk

Investment risks

Key executive retiring in 2011.

Major system implementation and related business process improvements: increased in focus.

Management staffing risks have increased.

Much more emphasis on Mergers & Acquisitions.

operational improvement projects - increased

Physical security focus increased

Political risks

Regulatory compliance from healthcare changes is a huge focus for the coming 2012-13 time period.

regulatory focus heightened for banking industry

Regulatory Risk (Dodd-Frank legislation) - Increased

Revenue Cycle - Increased

Revenue Enhancement

Riesgo Tributario-Ha aumentado.

sarbanes oxley does not apply

Sr Mgt and the Audit Committee asked for a specific limited scope of every function (65) within the next 18 months. The focus is on specific internal controls and fraud risks. We are a fairly new audit shop (6 years total)

Strategic Risk

Strategic Risk - Increased. (3 responses); comments include:

strategic risks - we now include a review of strategic risk in each audit

Strategic risk involvement.

System Implementation Participation - Increased

Emerging markets risk, increased

The Board interest and engagement in enterprise risk governance and management (Which was high before) continues to increase.

There is an increased operational risk based on the optempo of the military and the affect unemployment has on society.

We are not concerned with Sarbanese Oxley as our organization is a Public School Board

We completed a material acquisition which has inherently increased our SOX focus and compliance focus.

We've increased our work around auditing third party relationships and out-sourced operations.

Responses 31

Back


Appendix E 13: Rate the following attributes in terms of importance and level of performance for your internal audit function:


Somewhat important


Extremely important

Total

Effectively managing stakeholder

relationships

Count 5 44 161 264 224 698

% by

Row 0.7% 6.3% 23.1% 37.8% 32.1% 100.0%



Exceptional Total

Count 8 50 302 289 37 686

% by Row 1.2% 7.3% 44.0% 42.1% 5.4% 100.0%


Somewhat important


Extremely important

Total


expectations

Count 5 22 166 296 208 697

% by Row 0.7% 3.2% 23.8% 42.5% 29.8% 100.0%



Exceptional Total

Count 9 58 296 293 29 685

% by Row 1.3% 8.5% 43.2% 42.8% 4.2% 100.0%


Somewhat important


Extremely important

Total

Effectively

leveraging technology

Count 24 138 253 210 66 691

% by Row 3.5% 20.0% 36.6% 30.4% 9.6% 100.0%



Exceptional Total

Count 58 255 270 80 15 678

% by Row 8.6% 37.6% 39.8% 11.8% 2.2% 100.0%


Somewhat important


Extremely important

Total


Count 17 123 221 235 95 691

% by Row

2.5% 17.8% 32.0% 34.0% 13.7% 100.0%



Exceptional Total

Count 5 98 335 199 40 677

% by Row 0.7% 14.5% 49.5% 29.4% 5.9% 100.0%


13 continued:

Rate the following attributes in terms of importance and level of performance for your internal audit function:


Somewhat important


Extremely important

Total

Conformance with The IIA's Standards

Count 24 106 204 195 148 677

% by Row

3.5% 15.7% 30.1% 28.8% 21.9% 100.0%



Exceptional Total

Count 14 89 327 191 53 674

% by Row 2.1% 13.2% 48.5% 28.3% 7.9% 100.0%


Somewhat important


Extremely important

Total



Count 3 30 131 313 208 685

% by Row

0.4% 4.4% 19.1% 45.7% 30.4% 100.0%



Exceptional Total

Count 12 120 271 237 38 678

% by Row 1.8% 17.7% 40.0% 35.0% 5.6% 100.0%


Somewhat important


Extremely important

Total

Value proposition of

internal auditing that is well documented

and communicated

Count 33 139 230 204 81 687

% by Row

4.8% 20.2% 33.5% 29.7% 11.8% 100.0%



Exceptional Total

Count 40 186 308 124 18 676

% by Row 5.9% 27.5% 45.6% 18.3% 2.7% 100.0%


Somewhat important


Extremely important

Total

Internal audit plan that is aligned with the

organization’s strategic plan

Count 13 48 172 279 181 693

% by

Row 1.9% 6.9% 24.8% 40.3% 26.1% 100.0%



Exceptional Total

Count 14 113 293 218 44 682

% by Row 2.1% 16.6% 43.0% 32.0% 6.5% 100.0%


13 continued:

Rate the following attributes in terms of importance and level of performance for your internal audit function:


Somewhat important


Extremely important

Total

Continuous

improvement and

innovation

Count 12 96 240 253 90 691

% by Row

1.7% 13.9% 34.7% 36.6% 13.0% 100.0%



Exceptional Total

Count 21 173 306 153 29 682

% by Row 3.1% 25.4% 44.9% 22.4% 4.3% 100.0%


Somewhat important


Extremely important

Total

Appropriate talent pool

Count 9 44 170 294 168 685

% by

Row 1.3% 6.4% 24.8% 42.9% 24.5% 100.0%



Exceptional Total

Count 36 132 312 178 19 677

% by Row 5.3% 19.5% 46.1% 26.3% 2.8% 100.0%


Somewhat important


Extremely important

Total

Cost-effective and efficient operations

Count 8 79 278 252 76 693

% by Row

1.2% 11.4% 40.1% 36.4% 11.0% 100.0%



Exceptional Total

Count 13 77 366 186 41 683

% by Row 1.9% 11.3% 53.6% 27.2% 6.0% 100.0%


Somewhat important


Extremely important

Total

Alignment of risk,

control, and compliance functions

Count 14 81 218 272 109 694

% by

Row 2.0% 11.7% 31.4% 39.2% 15.7% 100.0%



Exceptional Total

Count 28 155 316 154 27 680

% by Row 4.1% 22.8% 46.5% 22.6% 4.0% 100.0%

Back


Appendix F 16-1: What other skill sets are you actively recruiting for, or anticipating recruiting for, in your internal audit function this year? ability to practically apply IIA standards customized for our business needs, and department development skills

Accounting/Internal Controls Assessment

analytical skills

basic audit skills

Basic auditing skills (proj mgmt, workpapers)

basic internal auditing skills

Big firm 2-4 yrs (brings foundational skills)

business acumen - tough but fair

Clinical expertise - healthcare

Clinical, RN, etc to convert to IA

Compliance (3 responses)

Construction

Construction / Development

contracts and construction

core operations experience from the business

co-sourcing if approved for transportation, food service and maintenance operations

CPA with known audit abilities

Environmental

ethnicity

External auditing

Finance - CPA

Financial / Communication

financial accounting

Financial audit

Financial controls

Financial reporting (3 responses)

Financial/SOX

Foreign language skills (7 responses); comments include:

language / cultural skills for Europe & China

MANDARIN SPEAKER

Fraud done in another Dept managed by GA

Governance, Risk & Compliance

Governmental Contract Experience


GRC requirements management

Internal Audit experience

Internal auditing

Internal controls knowledge

International audit presence

IT (non-general)

Leadership Skills (3 responses)

looks for CA only

Manufacturing experience

No specific skill set. recruit bright and ambitious professionals

None/not recruiting (47 responses); comments include:

Not recruiting this year

None ... full staff

not anticipating any turnover

Not recruiting. No money.

Recruiting on hold, but business knowledge, analytical skills, investigation skills would all be considered important

I don't have the budget for it this year but if I do have the opportunity I would want to hire someone to assist with auditing of financial reporting, ERM and corporate ethics.

Operational Auditing (3 responses)

other core competencies - initiative, accounting coursework

people management

Professional qualifications, e.g. CPA, CIA, etc.

Professionalism

Program Evaluation

Project management (2 responses)

Regulatory Compliance/knowledge (3 responses)

safety, health & environment

Strategic Auditing

technical accounting skills

time and project management skills

Top talent to rotate out of IA into other areas

We hire consultants with functional expertise for each project.

well rounded in Financial, Contract and IT auditing

written communication skills

구매부문

Responses 125

Back


Appendix G 17-1: What else is internal auditing also primarily responsible for?

Response

AML Compliance- money laundering

Annual Single Audit Coordination

Assisting the Compliance Dept by performing audits

Bank Secrecy / Patriot Act

BSA,OFAC IML, GLB

Business Continuity Planning

Business Licenses

CAE process owner ERM, but currently no auditing of Risk Mgmt processes. Also utilize auditors to test FCPA, but responsibility lies with legal

Change Management (should be in IT Area), but is isn't - with approval form AC (2 responses)

Completing the PCI review

Compliance Audits

Compliance Testing (testing compliance with all company policies and procedures one by one)

conflict of interest process and manage the relationship with all parent organizations (financials, club documentation, and training on district policies, and IRS regulations

Construction

corporate compliance program

Corporate Secretary

Corporate Security

Defining risk reporting standard terms and educating Governance

Disaster recovery

disclosure committee

environmental compliance auditing

Environmental Risks

ERM coordinator

External Audit substantive audit support

Facilitating the annual and quarterly enterprise risk assessment process

FDICIA Control Testing

FDICIA, Model Audit Rule Program

Financial Reporting

Global testing of/for FCPA compliance (but Legal owns compliance/training)

GRC program office set-up and technology tool enablement for the program office team

incident management, vendor viability assessments, sas 70 coordination

Insurance


Intellectual Property

Loss Prevention (2 responses)

Management has primary responsibility for these roles

Model Audit rule, testing of all of the above

Operational and compliance auditing

Participate with ethics and security on investigations

performs compliance, operational, and financial audits

Policies

policies & procedures, standards

POLICY DEVELOPMENT

Policy Portal, Brand Protection

Providing Support for SOX: Risk Management: Investigations;

Quality Assurance

records retention

Regulatory Compliance Audits (2 responses)

Sarbanes-Oxley Management Testing

support ethics, fraud and fcpa investigations

SOX testing

SOX testing (not responsible for other SOX areas) (3 responses)

Support government regulations, especially reg/statute changes

Tax audits

Title 31 (BSA Regulations)

we partner with Business Conduct Officer on ethics investigations, fraud allegations, etc.

While not "responsible for", IA assists with Risk Mgmt, Investigations, Regulatory Compliance and Fraud

working with Audit Committee

Responses 61

Back

Documents

2011 Emerging Trends and Leading Practices...51.3% 362 More than usual 31.3% 221 Extensive 8.2% 58 Not Answered 1 Mean 3.361 Valid Responses 706 Total Responses 707 9: Which of the